
chore: add prototype pollution guards to setState and SnapController

Open odaysec opened this issue 5 months ago • 1 comment

request strengthens security across multiple components of the MetaMask Snaps codebase by addressing potential prototype pollution vulnerabilities in recursive state assignment and object accumulation logic. These fixes prevent malicious user input from mutating JavaScript object prototypes or altering inherited behavior, thereby improving the overall safety and robustness of Snaps runtime operations.

Issue: #3718

Mitigate Prototype Pollution in setState (packages/snaps-rpc-methods/src/permitted/setState.ts)

The recursive assignment function used in setState could inadvertently allow prototype pollution if untrusted keys such as __proto__, constructor, or prototype were used as property names during state updates. This issue could enable malicious payloads to modify global object prototypes, leading to unpredictable behavior or security compromises.

Secure Object Construction in SnapController Conversion Logic (packages/snaps-controllers/src/snaps/SnapController.ts#L3946)

Within the logic that constructs filteredConversionRates from requestedConversions, plain JavaScript objects were being used to store user-derived keys (conversion.from and conversion.to). Since object property keys can interact with the prototype chain, this pattern risked prototype pollution if untrusted input was introduced.

Prevent Pollution in Market Data Transformation (#transformOnAssetsMarketDataResult)

In the private method #transformOnAssetsMarketDataResult, user-derived asset and unit strings were used as keys during reduction to construct filteredMarketData. As with the previous issue, this pattern risked prototype pollution via implicit property inheritance.


[!NOTE] Adds explicit prototype pollution guards in setState and switches SnapController asset transform reducers to safe accumulators, preserving output shape.

  • Security hardening
    • packages/snaps-rpc-methods/src/permitted/setState.ts:
      • set(...): Rejects keys __proto__, constructor, prototype (in addition to existing forbidden keys); updates error message.
    • packages/snaps-controllers/src/snaps/SnapController.ts:
      • #transformOnAssetsConversionResult(...): Uses a Map accumulator during reduction; converts nested Maps back to plain objects for return.
      • #transformOnAssetsMarketDataResult(...): Uses Object.create(null) for nested objects to avoid prototype inheritance.

Written by Cursor Bugbot for commit 700c6b66ab71b08eb968cd11564f41dc7d72dae4.
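To make the two patterns in the description concrete, the JavaScript below is an added illustration written for this page; it is not code from the MetaMask Snaps repository or from this pull request. The function names (`unsafeSet`, `safeSet`, `unsafeGroupConversions`, `safeGroupConversions`, `groupConversionsViaMap`), the dotted-path state format, and the `{ from, to, rate }` conversion records are all assumptions made for the example. It shows the recursive `set` with and without the forbidden-key check, then the reducer with a plain `{}` accumulator beside the `Object.create(null)` and Map-based accumulators the PR switches to.

```javascript
// Added example (not MetaMask code): the guards the PR describes, each beside
// the pattern it replaces. All paths, keys and records here are constructed.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Before: recursive assignment that trusts the caller's key names. A path like
// "__proto__.polluted" walks onto Object.prototype and writes there.
function unsafeSet(target, path, value) {
  const keys = path.split('.');
  let current = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (typeof current[key] !== 'object' || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  current[keys[keys.length - 1]] = value;
}

// After: reject the three prototype-reaching key names up front. Only reusing
// an intermediate that is an own property is an extra precaution added here;
// the PR text itself only mentions the forbidden-key check.
function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(
        `Invalid key "${key}": keys may not be __proto__, constructor or prototype.`,
      );
    }
  }
  let current = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const next = hasOwn(current, key) ? current[key] : undefined;
    if (typeof next !== 'object' || next === null || Array.isArray(next)) {
      current[key] = {};
    }
    current = current[key];
  }
  current[keys[keys.length - 1]] = value;
}

// Before: a plain {} accumulator. acc["__proto__"] resolves through the
// prototype chain, so the inner write lands on Object.prototype.
function unsafeGroupConversions(conversions) {
  return conversions.reduce((acc, { from, to, rate }) => {
    acc[from] = acc[from] || {};
    acc[from][to] = rate;
    return acc;
  }, {});
}

// After (Object.create(null) variant): null-prototype objects have no inherited
// properties, so "__proto__" is just an ordinary own key.
function safeGroupConversions(conversions) {
  return conversions.reduce((acc, { from, to, rate }) => {
    if (acc[from] === undefined) {
      acc[from] = Object.create(null);
    }
    acc[from][to] = rate;
    return acc;
  }, Object.create(null));
}

// After (Map variant): accumulate in Maps, then rebuild the plain-object return
// shape with Object.fromEntries, which defines own data properties and so does
// not treat "__proto__" as a prototype setter.
function groupConversionsViaMap(conversions) {
  const byFrom = new Map();
  for (const { from, to, rate } of conversions) {
    if (!byFrom.has(from)) {
      byFrom.set(from, new Map());
    }
    byFrom.get(from).set(to, rate);
  }
  return Object.fromEntries(
    Array.from(byFrom, ([from, inner]) => [from, Object.fromEntries(inner)]),
  );
}

// Stand-alone demonstration of the hardened helpers on constructed input.
const state = {};
safeSet(state, 'accounts.primary.balance', 42);
console.log(JSON.stringify(state));
console.log(safeGroupConversions([{ from: 'eth', to: 'usd', rate: 3000 }]));
```

The `unsafeSet` and `unsafeGroupConversions` variants are kept only so the difference can be observed: with them, a caller-controlled `__proto__` segment or `from` value makes every later `{}` in the process carry the written property, which is the behaviour the forbidden-key check and the null-prototype or Map accumulators rule out.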

odaysec, Oct 31 '25 10:10

/cc @FrederikBolding

odaysec, Nov 05 '25 11:11