New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit code and our deps for Prototype pollution #3879

Open

2 tasks

dapplion opened this issue Apr 3, 2022 · 1 comment

Labels

meta-investigate prio-medium scope-security

Contributor

dapplion commented Apr 3, 2022

For reference https://learn.snyk.io/lessons/prototype-pollution/javascript/

Prototype pollution is an injection attack that targets JavaScript runtimes. With prototype pollution, an attacker might control the default values of an object's properties. This allows the attacker to tamper with the logic of the application and can also lead to denial of service or, in extreme cases, remote code execution.

Review Lodestar for unsafe deep merges and parsing. First target is the REST API
Review dependent libraries, specially SSZ

dapplion added the prio-medium label

dapplion added the scope-security label

philknows added the meta-investigate label

Member

philknows commented Nov 5, 2023

We should investigate this more. Fastify should be handling this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment