-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
False positive for Prototype-polluting function #18327
Comments
Hi @dbauszus-glx 👋🏻 Thanks for reporting this! Yes, that does look like a false positive. Fixing these isn't a current product priority, so I can't say when this might get fixed. However, we will be tracking this internally. Although I appreciate it is not ideal, it seems like you have a workaround for the minute. |
Hi @dbauszus-glx, In a prototype pollution attack, the payload will be crafted to have special properties like As specified in the query help shown on the alert, the recommendation is to check if it's an own property of the destination object (called As for the missed check of form |
@asgerf Thank you for providing more detail to the explanation. How does this work for new properties on the target? Let's say my target property is a prototype with no own properties. My source object has the 'foo' boolean [object] flag. How can I check whether the 'foo' property is safe to be assigned on the target property if the target does not have the ownProperty. let target = {}
let source = {foo:true}
for (const [key, value] of Object.entries(source)) {
console.log(target.hasOwnProperty(key)) //false
target[key] = value
} |
I check for prototype polluting property keys in a set of reserved keys which include
__proto__
andconstructor
.This shouldn't even be necessary since the key, value come from Object.entries which according to MDN will only iterate own enumerable string-keyd property. ie. never
__proto__
orconstructor
.https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/entries
Still the lookup in the set does not work.
CodeQL looks at the right place but ignores the check for the set.
https://github.com/GEOLYTIX/xyz/security/code-scanning/217
The only way I can make the issue go away is by doing a === check on the string value like so.
Even though I know that this issue can not happen I need to add this extra line to make the CodeQL warning go away.
The text was updated successfully, but these errors were encountered: