CVE-2020-28441: fix: prevent prototype pollution attack · loge5/conf-cfg-ini@3a88a6c
This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.
@@ -35,6 +35,7 @@ Config.prototype.decode = function(data){
throw new Error('expecting string but got '+typeof data);
}
}
var protectedKeys = ['__defineGetter__’, '__defineSetter__’, '__lookupGetter__’, '__lookupSetter__’, ‘__proto__’];
var result = {};
var currentSection = undefined;
var lines = data.split(this.options.lineEnding);
@@ -51,7 +52,7 @@ Config.prototype.decode = function(data){
var newSection = line.match(sectionRegExp);
if(newSection !== null){
currentSection = newSection[1];
if(typeof result[currentSection] === ‘undefined’){
if(typeof result[currentSection] === ‘undefined’ && !protectedKeys.includes(currentSection)){
result[currentSection] = {};
}
continue;
@@ -78,6 +79,9 @@ Config.prototype.decode = function(data){
if (typeof this.options.valueIdentifier === ‘string’) {
value = this.valueTrim(value, this.options.valueIdentifier);
}
if (protectedKeys.includes(currentSection) || protectedKeys.includes(key)) {
continue;
}
if(typeof currentSection === ‘undefined’){
result[key] = value;
} else {
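Review bot: The section guard in the second hunk still relies on `typeof result[currentSection] === 'undefined'`, which also resolves inherited properties, and the `protectedKeys` list added in the first hunk does not include `constructor`; a section named `constructor` therefore finds `Object` already present on `result`, no fresh section object is created, and the `continue` added in the third hunk does not fire for it either, so whatever assignment follows the `else` (outside the hunk) would presumably land on that inherited object rather than on a section of its own. A denylist has to track every inherited name, whereas an own-property test does not: `if(!Object.prototype.hasOwnProperty.call(result, currentSection) && !protectedKeys.includes(currentSection)){`, with `'constructor'` added to `protectedKeys` as defence in depth. Creating `result` and each section with `Object.create(null)` would remove the inherited names entirely, but only if callers of `decode` do not rely on `Object.prototype` methods on the returned object. `Config.prototype.decode` begins before the first hunk and ends after the last, so the assignment in the `else` branch is not visible here.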
This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.