-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Risk #282
Comments
All occurrences of new object creation in `memstore.js` have been changed from `{}` (i.e.; `Object.create(Object.prototype)` to `Object.create(null)` so that we are using object instances that do not have a prototype property that can be polluted. @fixes #282
All occurrences of new object creation in `memstore.js` have been changed from `{}` (i.e.; `Object.create(Object.prototype)` to `Object.create(null)` so that we are using object instances that do not have a prototype property that can be polluted. @fixes #282
Can this fix be back ported to version 2.x of |
We recommend upgrading to 4.1.3 to move out of exposure: https://status.salesforce.com/generalmessages/1155 |
I would upgrade if |
Same here. Would appreciate a back-port to 2.x and 3.x. Even though it'd be easy to achieve IMO I have little hope it'll materialize. I'm not seeing 2.x/3.x maintenance branches. |
Also, the same here. There are multiple npm packages locked to |
@marcelstoer @bhsdodo is the dependency on |
@colincasey Yes, it is |
@bhsdodo (or anyone, for that matter) can you confirm whether 4.1.3 is backwards compatible with |
I'm also interested in this, addressing similar security scans against I dug around a bit in this repo...
I had been planning to add a specific pnpm override, but considering the convo in #282 (comment) , I may just defer until a 2.x backport exists |
We currently have no plans to do a backport. We do recommend moving to 4.1.3 to move out of exposure. The work that is coming in 5 will be a large change from 4.x and previous versions, as the project has embraced typescript. |
No problem, thanks for the info! |
This is the reason why I hate Node.. the over dependence upon community and expecting someone else to fix my problems. I utilize many components which use tough-cookie and while the libraries are great but the maintainers are long gone.. thus now we are stuck with working code in production, that all of sudden has vulns and now way to fix them... or there it is, migrate to go/rust |
@vverma-gg I understand your frustration but the fact is The root issue for most in this thread is that they have projects that rely on unmaintained libraries that include But consider this from the maintainer's perspective:
In this case, we decided not to backport because:
The value of Open Source is that, everyday, well-intentioned developers are volunteering their time and effort so we all benefit. One downside is, as you stated, "it's unreasonable to expect someone else to fix my problems". But this isn't unique to the Node.js community. You could migrate to Rust or Go if you think that's your best option. Both are fine languages with vibrant communities. Just don't be surprised when you encounter the same maintenance problems if you rely on Open Source 😅 |
Overview
While researching a commercial product, I came across a vulnerability in their infrastructure caused by your library
Vulnerability occurs if you use CookieJar in
rejectPublicSuffixes=false
mode.You can do Prototype Pollution when pass Domain=
__proto__
It comes from this point in the code:
As you can see, this.idx - Object
If cookie.domain equals to
__proto__
then you override global object prototype.It seems to me that this is clearly non-obvious behavior. It also carries certain risks.
Fix
To fix this, you need to store cookies in Map, or you can use
this.idx = Object.create(null);
to create idx variablePoC
To reproduce vulnerability,
node PoC.js
, you will see the printed stringCookie="Slonser=polluted; Domain=__proto__; Path=/notauth; hostOnly=false; aAge=1117ms; cAge=1117ms"
in the terminalBut as you can see, script didn't set
["/notauth"]["Slonser"]
property by it self.The text was updated successfully, but these errors were encountered: