Comments (15)
Thanks for the quick release of 1.4.1, @alexander-akait 🎉
from loader-utils.
Is there a working PoC for this issue? This same pattern of dest[foo] = src[foo]
has been marked as prototype pollution on many different repositories recently. However, after much research, I have not found the pattern to be inherently vulnerable, and a good answer here shows that it is not.
If there is a way to exploit this I'd love to know, but I feel that this is very likely a false positive.
from loader-utils.
@JSMike Thank you, published https://github.com/webpack/loader-utils/releases/tag/v2.0.3
from loader-utils.
Please migrate to 3
version, 2
version is deprecated and doesn't supported, thank you
from loader-utils.
From the error report The issue is here:
https://github.com/webpack/loader-utils/blob/v2.0.2/lib/parseQuery.js#L29
Because of the following result[name]
assignments. This report seems to want const result = {};
to be const result = Object.create(null);
if you're going to manipulate an object the way you are to avoid a prototype pollution exploit.
Per the reporting tool this was reported to you in: #212
from loader-utils.
@JSMike Is this issue resolved in the new version or I have to overwrite pareQuery.js ?
from loader-utils.
@w3bdesign if Dependabot is still showing the vulnerability as open in your codebase but giving that message, then its because you've got multiple versions of loader-utils
in the dependency tree, some of which are vulnerable but currently dependabot only sees the "first" one.
@alexander-akait I'm sorry I have to ask, but any chance of getting this backported to 1.x? It looks like this is commonly pulled in by babel-loader
who have moved away from it as a dependency in v9 but that meant dropping webpack v4 support, and we're sadly still locked into v4 for a while longer due to setups like @rails/webpacker
that are no longer maintained but require enough time and budget to move off that we can't just do it for all of our apps (😢)
As always I'm happy to do anything I can to make it less work for you 🙂
Turns out babel-loader
was able to upgrade to v2 in a v8 patch before they released v9, so the v2 backport is sufficient 🎉
However resolve-url-loader
is currently on v1 for their v3, so a backport would be useful for that...
from loader-utils.
@alexander-akait this also affects us, the dependency tree is
There's no branch for 1.x else I'd have submitted a PR 😅 Hopefully the upstream issue vuejs/vue-cli#7323 is actioned soon 🤞
from loader-utils.
🎉
from loader-utils.
I also agree that this is most likely a false positive. I went into a little more details on a comment in the "fix" they did for this. The only thing I can come up that could lead to security issues is how the object created will be handled, but that is up to the apps/packages using this as a dependency to figure it out in their specific use case.
Also I checked the person who reported this and they are pretty much spamming a bunch of projects alleging these types of vulnerabilities but providing no context and wasting everybody's time. In this issue this person alleges he is using a static code analyzer to find this "vulnerabilities" from a research paper. I just reported this person for spam.
from loader-utils.
I agree, databases pay such people money not for quality but for quantity, but it has no value. I think that databases should be more stringent in exploit reporting. This is not the first time I've encountered this and I have to fix nothing a lot of time just to avoid "vulnerabilities messages".
from loader-utils.
A minimally reproducible example should be provided, firstly internally to fix a problem, then publicly
from loader-utils.
I actually just watched the presentation for the research paper on this and the presenter specially noted that their tool/analyzer does NOT take into account context, which that is the MAIN point of doing proper security research/disclosure. This is just so bad/annoying because you are getting reports of a CRITICAL in your apps, especially for such widely used dependencies, which you are forced to check. Oh well, time to move on.
from loader-utils.
After some research over the last few months I have found that the original research is correct in finding that dest[foo] = src[foo]
is inherently vulnerable to prototype pollution, though there is a push to call this variant "prototype poisoning". This vulnerability does not pollute the global object prototype. Rather, it poisons the prototype of the dest
object:
const src = JSON.parse('{"__proto__": {"polluted": true}}');
const dest = {};
Object.keys(src).forEach((key) => {dest[key] = src[key]})
window.polluted; // undefined
dest.polluted; // true
This can allow an attacker to bypass filters in some cases by adding hidden keys to the dest
object.
I am not sure what the original vulnerability was in this case, but I found that someone mentioned the the exploit code would be a query like {a:"1",__proto__:{"isPolluted":true}}
.
I looked into it and found that loader-utils
was vulnerable as the above payload resulted in prototype poisoning. However, loader-utils
simply passed such payloads to json5
. I investigated json5
and found that it was the cause of the prototype poisoning, and it was fixed as CVE-2022-46175 .
Whether or not the vulnerability was actually impactful given the context is another question.
from loader-utils.
I think we agree this "prototype poisoning" is not the same as prototype pollution. It requires the code using parseQuery.js to check iterable own keys on result
for "protected" keys then assume this check was thorough enough. It does increase the chance for vulnerabilities but should not be classified as "critical" IMO.
How do we go about adding a new common vulnerability called "prototype poisoning"?
from loader-utils.
Related Issues (20)
- loaderUtils.getOptions is not a function HOT 1
- Prettier show all files with error because of default HOT 3
- Missing getOptions.js in lib ? HOT 5
- CVE-2021-44906 HOT 4
- [CVE-2022-37599]/ReDos found in interpolateName.js HOT 8
- [CVE-2022-37603]/ReDoS found in interpolateName.js HOT 9
- CVE-2022-37599 - security vulnerability across all loader-utils HOT 13
- Known regex vuln HOT 5
- Security Vulnerabilities issue HOT 42
- Fix vulnerability in v1 of loader-utils HOT 2
- contenthash vs hash? HOT 1
- Does this don't need translation? `\[`
- is 2.0.4 in the NPM registry? HOT 4
- Create types package for loader-utils@3 HOT 2
- Error while installing vue-style-loader which uses loader-utils HOT 1
- loader-utils stable version is 3.2.1 which has dependency on JSON5 2.2.1 which has Published Vulnerabilities CVE-2022-46175 (OSSINDEX) HOT 4
- Failed to resolve entry for package "crypto" HOT 1
- Create a Security Policy HOT 1
- CVE-2022-46175 - High HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from loader-utils.