fix: do not convert special array like objects to Array

NoNameProvided · NoNameProvided · commit 698984a3e94d · 2021-11-20T15:44:02.000+01:00
This commit fixes a security vulnerability.
diff --git a/src/TransformOperationExecutor.ts b/src/TransformOperationExecutor.ts
@@ -131,7 +131,15 @@ export class TransformOperationExecutor {
     } else if (typeof value === 'object' && value !== null) {
       // try to guess the type
       if (!targetType && value.constructor !== Object /* && TransformationType === TransformationType.CLASS_TO_PLAIN*/)
-        targetType = value.constructor;
+        if (!Array.isArray(value) && value.constructor === Array) {
+          // Somebody attempts to convert special Array like object to Array, eg:
+          // const evilObject = { '100000000': '100000000', __proto__: [] };
+          // This could be used to cause Denial-of-service attack so we don't allow it.
+          // See prevent-array-bomb.spec.ts for more details.
+        } else {
+          // We are good we can use the built-in constructor
+          targetType = value.constructor;
+        }
       if (!targetType && source) targetType = source.constructor;
 
       if (this.options.enableCircularCheck) {
diff --git a/test/functional/prevent-array-bomb.spec.ts b/test/functional/prevent-array-bomb.spec.ts
@@ -0,0 +1,49 @@
+import 'reflect-metadata';
+import { plainToInstance } from '../../src/index';
+import { defaultMetadataStorage } from '../../src/storage';
+
+describe('Prevent array bomb when used with other packages', () => {
+  it('should not convert specially crafted evil JS object to array', () => {
+    defaultMetadataStorage.clear();
+
+    class TestClass {
+      readonly categories!: string[];
+    }
+
+    /**
+     * We use the prototype of values to guess what is the type of the property. This behavior can be used
+     * to pass a specially crafted array like object what would be transformed into an array.
+     *
+     * Because arrays are numerically indexed, specifying a big enough numerical property as key
+     * would cause other libraries to iterate over each (undefined) element until the specified value is reached.
+     * This can be used to cause denial-of-service attacks.
+     *
+     * An example of such scenario is the following:
+     *
+     * ```ts
+     * class TestClass {
+     *   @IsArray()
+     *   @IsString({ each: true })
+     *   readonly categories!: string[];
+     * }
+     * ```
+     *
+     * Using the above class definition with class-validator and receiving the following specially crafted payload without
+     * the correct protection in place:
+     *
+     * `{ '9007199254740990': '9007199254740990', __proto__: [] };`
+     *
+     * would result in the creation of an array with length of 9007199254740991 (MAX_SAFE_INTEGER) looking like this:
+     *
+     * `[ <9007199254740989 empty elements>, 9007199254740990 ]`
+     *
+     * Iterating over this array would take significant time and cause the server to become unresponsive.
+     */
+
+    const evilObject = { '100000000': '100000000', __proto__: [] };
+    const result = plainToInstance(TestClass, { categories: evilObject });
+
+    expect(Array.isArray(result.categories)).toBe(false);
+    expect(result.categories).toEqual({ '100000000': '100000000' });
+  });
+});
