Skip to content

Commit 12d4747

Browse files
colincaseycolincasey
authored
Prevent prototype pollution in cookie memstore (#283)
All occurrences of new object creation in `memstore.js` have been changed from `{}` (i.e.; `Object.create(Object.prototype)` to `Object.create(null)` so that we are using object instances that do not have a prototype property that can be polluted. @fixes #282
1 parent f06b72d commit 12d4747

File tree

2 files changed

+33
-8
lines changed

2 files changed

+33
-8
lines changed

lib/memstore.js

+8-8
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ class MemoryCookieStore extends Store {
3939
constructor() {
4040
super();
4141
this.synchronous = true;
42-
this.idx = {};
42+
this.idx = Object.create(null);
4343
const customInspectSymbol = getCustomInspectSymbol();
4444
if (customInspectSymbol) {
4545
this[customInspectSymbol] = this.inspect;
@@ -111,10 +111,10 @@ class MemoryCookieStore extends Store {
111111

112112
putCookie(cookie, cb) {
113113
if (!this.idx[cookie.domain]) {
114-
this.idx[cookie.domain] = {};
114+
this.idx[cookie.domain] = Object.create(null);
115115
}
116116
if (!this.idx[cookie.domain][cookie.path]) {
117-
this.idx[cookie.domain][cookie.path] = {};
117+
this.idx[cookie.domain][cookie.path] = Object.create(null);
118118
}
119119
this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
120120
cb(null);
@@ -146,7 +146,7 @@ class MemoryCookieStore extends Store {
146146
return cb(null);
147147
}
148148
removeAllCookies(cb) {
149-
this.idx = {};
149+
this.idx = Object.create(null);
150150
return cb(null);
151151
}
152152
getAllCookies(cb) {
@@ -196,9 +196,9 @@ exports.MemoryCookieStore = MemoryCookieStore;
196196
function inspectFallback(val) {
197197
const domains = Object.keys(val);
198198
if (domains.length === 0) {
199-
return "{}";
199+
return "[Object: null prototype] {}";
200200
}
201-
let result = "{\n";
201+
let result = "[Object: null prototype] {\n";
202202
Object.keys(val).forEach((domain, i) => {
203203
result += formatDomain(domain, val[domain]);
204204
if (i < domains.length - 1) {
@@ -212,7 +212,7 @@ function inspectFallback(val) {
212212

213213
function formatDomain(domainName, domainValue) {
214214
const indent = " ";
215-
let result = `${indent}'${domainName}': {\n`;
215+
let result = `${indent}'${domainName}': [Object: null prototype] {\n`;
216216
Object.keys(domainValue).forEach((path, i, paths) => {
217217
result += formatPath(path, domainValue[path]);
218218
if (i < paths.length - 1) {
@@ -226,7 +226,7 @@ function formatDomain(domainName, domainValue) {
226226

227227
function formatPath(pathName, pathValue) {
228228
const indent = " ";
229-
let result = `${indent}'${pathName}': {\n`;
229+
let result = `${indent}'${pathName}': [Object: null prototype] {\n`;
230230
Object.keys(pathValue).forEach((cookieName, i, cookieNames) => {
231231
const cookie = pathValue[cookieName];
232232
result += ` ${cookieName}: ${cookie.inspect()}`;

test/cookie_jar_test.js

+25
Original file line numberDiff line numberDiff line change
@@ -809,4 +809,29 @@ vows
809809
}
810810
}
811811
})
812+
.addBatch({
813+
"Issue #282 - Prototype pollution": {
814+
"when setting a cookie with the domain __proto__": {
815+
topic: function() {
816+
const jar = new tough.CookieJar(undefined, {
817+
rejectPublicSuffixes: false
818+
});
819+
// try to pollute the prototype
820+
jar.setCookieSync(
821+
"Slonser=polluted; Domain=__proto__; Path=/notauth",
822+
"https://__proto__/admin"
823+
);
824+
jar.setCookieSync(
825+
"Auth=Lol; Domain=google.com; Path=/notauth",
826+
"https://google.com/"
827+
);
828+
this.callback();
829+
},
830+
"results in a cookie that is not affected by the attempted prototype pollution": function() {
831+
const pollutedObject = {};
832+
assert(pollutedObject["/notauth"] === undefined);
833+
}
834+
}
835+
}
836+
})
812837
.export(module);

0 commit comments

Comments
 (0)