
In many guides regarding prototype pollution, "merge" functions are listed as potentially vulnerable. But I'm somewhat confused on how this should actually work if a merge function is not recursive. For example this guide lists as a vulnerable function something like

// Merge function as quoted from the guide: parses a JSON string as the
// target and then copies every enumerable key of source onto it, one level
// deep, with no recursion and no filtering of keys such as "__proto__".
function merge(target, source) {
  var output = JSON.parse(target);
  for (var key in source) {
    output[key] = source[key];
  }
  return output;
}

However, I cannot see how this would be vulnerable.

Let's simplify a bit:

const output = {}
output[attackerControlledKey] = attackerControlledValue

I cannot find a payload which would actually modify the prototype here. __proto__.isAdmin as attackerControlledKey doesn't work as far as I see.

If it were like

const output = {}
output[attackerControlledFirstKey][attackerControlledSecondKey] = attackerControlledValue

then sure, an attacker could set __proto__ as attackerControlledFirstKey, the common example isAdmin as attackerControlledSecondKey, and true as attackerControlledValue.

I get that many such merge functions are in fact recursive, like the examples listed here.

But I think if an attacker can only set one key and value without being able to go deeper, then there's no problem. Is this right? Or am I overlooking something?

  • If the attacker controls source, they also control source[key], don't they? In your example (that is a slightly different scenario), the attacker could use attackerControlledKey=__proto__ and attackerControlledValue={isAdmin: true} Commented Nov 5, 2024 at 16:44
  • Was thinking about that too. But in my example file where output['__proto__']['isAdmin'] = true; works it does not work to do output['__proto__'] = { isAdmin:true }. Tested in Node v20.16.0. Commented Nov 6, 2024 at 5:28
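The cases discussed in the question and in the comments, as an added example that is not part of the original post. `merge` is the guide's function quoted in the question; `recursiveMerge`, the `probe` helper and the attacker JSON are assumptions written here for contrast. It reproduces the observation from the second comment and shows why it holds: a single-level write with the key `__proto__` goes through the `__proto__` accessor inherited from `Object.prototype` and only replaces the prototype of the one object being written to, whereas a nested write, or a recursive merge that descends into `target["__proto__"]`, reaches `Object.prototype` itself.

```javascript
// Added example, not code from the original post or the guide it cites.

// The (non-recursive) merge quoted from the guide in the question.
function merge(target, source) {
  const output = JSON.parse(target);
  for (const key in source) {
    output[key] = source[key];
  }
  return output;
}

// A typical recursive merge of the kind guides flag as vulnerable. Assumed
// shape, written here for contrast; it is not from the question.
function recursiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object" &&
        target[key] !== null && typeof target[key] === "object") {
      // When key is "__proto__", target[key] is Object.prototype, so the
      // recursion writes straight into the shared prototype.
      recursiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// JSON.parse does not invoke the __proto__ accessor: the parsed object gets an
// own, enumerable property literally named "__proto__", which is why for...in
// over it hands that key to a merge loop at all.
function parsedJsonHasOwnProtoKey() {
  const parsed = JSON.parse('{"__proto__": {"isAdmin": true}}');
  return Object.prototype.hasOwnProperty.call(parsed, "__proto__") &&
         Object.keys(parsed).includes("__proto__");
}

// Constructed attacker input used by the merge scenarios below.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

// Scenario from the question: one attacker-controlled key and value.
function singleLevel() {
  const output = {};
  output["__proto__"] = { isAdmin: true };
  return output;
}

// Scenario from the question: attacker controls two nested keys.
function nested() {
  const output = {};
  output["__proto__"]["isAdmin"] = true;
  return output;
}

// The guide's flat merge fed the attacker JSON.
function flatMerge() {
  return merge("{}", JSON.parse(ATTACKER_JSON));
}

// The recursive variant fed the same JSON.
function deepMerge() {
  return recursiveMerge({}, JSON.parse(ATTACKER_JSON));
}

// Run one scenario and report where "isAdmin" ended up. Object.prototype is
// restored afterwards so the scenarios do not contaminate each other.
function probe(scenario) {
  try {
    const result = scenario();
    return {
      // did the write create an own property literally named "__proto__"?
      ownProtoKey: Object.prototype.hasOwnProperty.call(result, "__proto__"),
      // is isAdmin visible on the object that was written to (own or inherited)?
      onInstance: result.isAdmin === true,
      // did it leak into every object in the process?
      onGlobalPrototype: ({}).isAdmin === true,
    };
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Stand-alone usage: one report per scenario.
for (const scenario of [singleLevel, nested, flatMerge, deepMerge]) {
  console.log(scenario.name, probe(scenario));
}
```

The single-level write and the flat merge both end up with `onInstance: true` but `onGlobalPrototype: false`: the returned object now inherits `isAdmin` from the attacker's replacement prototype, so a check such as `output.isAdmin` on that particular object is still fooled, but no other object in the process is affected. Only the nested write and the recursive merge set `onGlobalPrototype: true`, which is the behaviour the term prototype pollution usually refers to.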
