Prototype pollution

Description

Prototype pollution is a vulnerability in JavaScript applications where an attacker can inject or modify properties of the Object.prototype, the base object from which nearly all JavaScript objects inherit. By manipulating this fundamental object, attackers can alter the behavior of all objects throughout the application. This vulnerability commonly occurs when applications use unsafe recursive merge or extend functions to process untrusted user input without proper validation, allowing attackers to inject special properties like __proto__ or constructor.prototype.

Remediation

To prevent prototype pollution vulnerabilities, implement the following security measures:

1. Use safe object manipulation methods: Replace unsafe recursive merge/extend functions with secure alternatives that explicitly block prototype properties. Use Object.create(null) to create objects without prototype inheritance when handling untrusted data.

2. Validate and sanitize input: Implement strict input validation to reject or sanitize keys like __proto__, constructor, and prototype before processing user-supplied data.

3. Use secure coding patterns:

// Unsafe - vulnerable to prototype pollution
function merge(target, source) {
  for (let key in source) {
    if (typeof source[key] === 'object') {
      merge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
}

// Safe - blocks prototype pollution
function safeMerge(target, source) {
  for (let key in source) {
    if (source.hasOwnProperty(key) && 
        key !== '__proto__' && 
        key !== 'constructor' && 
        key !== 'prototype') {
      if (typeof source[key] === 'object' && source[key] !== null) {
        target[key] = safeMerge(target[key] || {}, source[key]);
      } else {
        target[key] = source[key];
      }
    }
  }
  return target;
}

References

Related Vulnerabilities