fix(security): prevent prototype pollution in memory store (#397)

mhamann · web-flow · commit feaba562b812 · 2022-04-09T23:49:28.000-04:00
diff --git a/lib/nconf/stores/memory.js b/lib/nconf/stores/memory.js
@@ -92,7 +92,7 @@ Memory.prototype.set = function (key, value) {
   //
   while (path.length > 1) {
     key = path.shift();
-    if (!target[key] || typeof target[key] !== 'object') {
+    if (!target[key] || typeof target[key] !== 'object' || !Object.hasOwnProperty.call(target, key)) {
       target[key] = {};
     }
 
diff --git a/test/stores/memory-store-test.js b/test/stores/memory-store-test.js
@@ -121,5 +121,12 @@ vows.describe('nconf/stores/memory').addBatch({
         assert.equal(store.get('foo').bar.bazz, 'buzz');
       }
     }
+  },
+  "When attempting prototype pollution": {
+    topic: new nconf.Memory(),
+    "should not be able to pollute the prototype": function (store) {
+      store.set('__proto__:polluted', 'yes');
+      assert.equal({}.polluted, undefined);
+    }
   }
 }).export(module);

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ Memory.prototype.set = function (key, value) {`
`92`	`92`	`//`
`93`	`93`	`while (path.length > 1) {`
`94`	`94`	`key = path.shift();`
`95`		`- if (!target[key] \|\| typeof target[key] !== 'object') {`
	`95`	`+ if (!target[key] \|\| typeof target[key] !== 'object' \|\| !Object.hasOwnProperty.call(target, key)) {`
`96`	`96`	`target[key] = {};`
`97`	`97`	`}`
`98`	`98`
Original file line number	Diff line number	Diff line change
`@@ -121,5 +121,12 @@ vows.describe('nconf/stores/memory').addBatch({`
`121`	`121`	`assert.equal(store.get('foo').bar.bazz, 'buzz');`
`122`	`122`	`}`
`123`	`123`	`}`
	`124`	`+ },`
	`125`	`+ "When attempting prototype pollution": {`
	`126`	`+ topic: new nconf.Memory(),`
	`127`	`+ "should not be able to pollute the prototype": function (store) {`
	`128`	`+ store.set('__proto__:polluted', 'yes');`
	`129`	`+ assert.equal({}.polluted, undefined);`
	`130`	`+ }`
`124`	`131`	`}`
`125`	`132`	`}).export(module);`