mike.sherov at gmail.com
Fri May 1 18:40:40 UTC 2020
I'll drop this thread for now, and come back when I've actually thought
this all through. Sorry for wasting your time!
On Fri, May 1, 2020 at 12:30 PM Mike Sherov <mike.sherov at gmail.com> wrote:
> So, I've firmed up my understanding here. The goal of a safeAssign would
> not be to prevent all prototype pollution, which seems impossible to solve
> generically at a library level. But rather to prevent the assignment
> specifically of `__proto__`, `constructor`, and `prototype` properties of
> the target. This mitigates a specific, well understood vulnerability:
> manipulating a prototype with a "src" object that can surive a
> JSON.parse(JSON.stringify(src)) roundtrip.
> > Can you explain or support your assertion of "increased prevalence"?
> I should probably have said visibility, not prevalence. MITRE shows 31
> CVEs for prototype pollution:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=prototype+pollution including
> another new one in lodash today. https://snyk.io/vuln/npm:lodash:20180130
> On Fri, May 1, 2020 at 12:13 PM Isiah Meadows <contact at isiahmeadows.com>
>> Missed the list. Also, it apparently does trigger setters. Crossed it up
>> with spread properties (which don't).
>> On Fri, May 1, 2020 at 06:28 Isiah Meadows <contact at isiahmeadows.com>
>>> I thought `Object.assign`already used the `Object.keys` +
>>> `Object.defineProperty` algorithms under the hood and thus were immune to
>>> this. Am I misremembering or misunderstanding?
>>> On Fri, May 1, 2020 at 05:51 Mike Sherov <mike.sherov at gmail.com> wrote:
>>>> Given the increased prevalence of prototype pollution vulnerabilities
>>>> that Object.assign allows for prototype pollution by default?
>>>> I see two options:
>>>> 1. Change Object.assign to disallow PP by default. Look at real world
>>>> usages and see what would break if prototype pollution was disabled? Almost
>>>> certainly this is not a viable option, but wanted to raise it here just in
>>>> case there was appetite to do so.
>>>> 2. Introduce something like Object.safeAssign (bikeshedding aside),
>>>> that is the same as Object.assign except is safe from prototype pollution.
>>>> The reason I think this is important is that the common advice of
>>>> freezing Object.prototype is something only the end user can do, and not
>>>> something a library can do.
>>>> Yes, a library can also know to do its own PP fixes, but having a
>>>> reified way to avoid PP allows us to have a secure-by-default method in the
>>>> Mike Sherov
>>>> es-discuss mailing list
>>>> es-discuss at mozilla.org
>>> Isiah Meadows
>>> contact at isiahmeadows.com
>> Isiah Meadows
>> contact at isiahmeadows.com
> Mike Sherov
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the es-discuss