Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: Prototype Pollution Vulnerability Affecting chartist module, versions >=1.0.0 <=1.3.0 #1427

Open
1 task
tariqhawis opened this issue Mar 29, 2024 · 2 comments · May be fixed by #1433
Open
1 task
Labels

Comments

@tariqhawis
Copy link

tariqhawis commented Mar 29, 2024

Would you like to work on a fix?

  • Check this if you would like to implement a PR, we are more than happy to help you go through the process.

Current and expected behavior

Overview

A Prototype Pollution vulnerability Affecting chartist , versions >=1.0.0 <=1.3.0, due to missing check if the argument resolves to the object prototype. This allow the attacker to inject malicious object property using the built-in Object property __proto__ which recursively assigned to all the objects in the program.

Reproduction

sent directly to the maintainer's email

Chartist version

1.3.0

Possible solution

  • Freeze the root prototype using Object.freeze
  • Require schema validation of JSON input.
  • Avoid using unsafe recursive merge functions.
  • Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
  • As a best practice use Map instead of Object
@andersk
Copy link

andersk commented Oct 2, 2024

@fmooreNS
Copy link

fmooreNS commented Oct 15, 2024

Is there any chance the PR will be accepted soon? And would a new release be forthcoming afterwards?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants