Conversation

@susnux susnux commented Feb 12, 2025

Potential fix for https://github.com/nextcloud-libraries/nextcloud-l10n/security/code-scanning/1

To fix the problem, we need to ensure that the appId cannot be used to modify the Object.prototype. This can be achieved by validating the appId before using it as a key in the object assignment. We will reject any appId that matches __proto__, constructor, or prototype.
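The pollution path CodeQL flags and the guard described above, as an added example rather than nextcloud-l10n's own code (the function names, the registry shape and the sample bundles are hypothetical):

```javascript
// Added example, not code from nextcloud-l10n. A minimal translation registry keyed by
// appId. Function names (isSafeAppId, extendTranslationsUnsafe, extendTranslations,
// isPolluted) and the registry shape are hypothetical.

// Keys that, used as a property name on a plain object, resolve to Object.prototype
// (or to a constructor's prototype) instead of to an own property of the registry.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeAppId(appId) {
  return typeof appId === 'string' && appId.length > 0 && !FORBIDDEN_KEYS.has(appId);
}

// Vulnerable pattern: with appId === '__proto__', registry[appId] is Object.prototype,
// so the second-level write lands on every object in the runtime.
function extendTranslationsUnsafe(registry, appId, translations) {
  registry[appId] = registry[appId] || {};
  for (const [msgid, msgstr] of Object.entries(translations)) {
    registry[appId][msgid] = msgstr;
  }
  return registry;
}

// Hardened pattern: the validation from the PR description, applied before appId is
// used as a key, plus an own-property check so inherited keys are never reused.
function extendTranslations(registry, appId, translations) {
  if (!isSafeAppId(appId)) {
    throw new TypeError(`Refusing to use "${String(appId)}" as an appId`);
  }
  if (!Object.prototype.hasOwnProperty.call(registry, appId)) {
    registry[appId] = {};
  }
  for (const [msgid, msgstr] of Object.entries(translations)) {
    registry[appId][msgid] = msgstr;
  }
  return registry;
}

// Detection aid: a freshly created object must not see the property via inheritance.
function isPolluted(prop) {
  return prop in {};
}
```

A registry created with `Object.create(null)` has no prototype chain at all and is a complementary defence, but the key validation is still needed wherever `appId` reaches a plain object.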

@susnux susnux changed the title from "Potential fix for code scanning alert no. 1: Prototype-polluting assignment" to "fix(registry): Prevent prototype polluting" Feb 12, 2025
susnux commented Feb 12, 2025

@ShGKme note that this is generated by copilot (I am testing their new security features).
But for me this code makes sense.

@susnux susnux marked this pull request as ready for review February 12, 2025 22:14
@susnux susnux added type: bug 🐛 Something isn't working 3. to review 3️⃣ Waiting for reviews labels Feb 12, 2025
From CodeQL:
> Most JavaScript objects inherit the properties of the built-in Object.prototype object. Prototype pollution is a type of vulnerability in which an attacker is able to modify Object.prototype.
> Since most objects inherit from the compromised Object.prototype object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.

To fix the problem, we need to ensure that the `appId` cannot be used to modify the `Object.prototype`.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux susnux merged commit 876a316 into main Feb 12, 2025
16 checks passed
@susnux susnux deleted the alert-autofix-1 branch February 12, 2025 22:17