There is a prototype pollution in file lib/session.js, line 46.
data[key]=params[key];
The code uses key as the index for the data object. If key is "__proto__", prototype pollution occurs.
To reproduce, see it('5.test read and write session ', function(done) {}. Since the key of v is supplied by users, attackers can change the key of variable v to be __proto__ to conduct attacks.
Suggestions:
To fix this vulnerability, it is recommended to blacklist prototype pollution payloads in key:
set(params){
return new Promise( (resolve)=>{
let data= _sessionData[this.sessionId];
for(let key in params){
+ if (key === '__proto__' or key === 'constructor') {
+ continue;
+ }
data[key]=params[key];
}
resolve(data)
});
}
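Review bot: the condition on the first added line, `if (key === '__proto__' or key === 'constructor')`, is not valid JavaScript because `or` is not an operator, so the patched `set()` would fail to parse; it should read `key === '__proto__' || key === 'constructor'`. The loop is still `for(let key in params)`, which also walks inherited enumerable keys, so an `Object.prototype.hasOwnProperty.call(params, key)` check (or iterating `Object.keys(params)`) belongs next to the new guard. A two-name denylist is easy to leave incomplete; creating each `_sessionData[this.sessionId]` object with `Object.create(null)` would remove the `__proto__` setter from `data` altogether, though where that object is created is not visible in this hunk.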
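The behaviour described in this issue, as an added example that is not part of the original report or the project's code: the quoted copy loop beside a guarded version, run on a constructed request body. `setUnsafe`, `setSafe`, `newSessionData`, `BLOCKED_KEYS` and `demo` are hypothetical names, and the sample input is constructed.

```javascript
// Constructed sample input: a user-supplied body. JSON.parse stores "__proto__"
// as an ordinary own property, so a key loop over the result visits it.
const SAMPLE_BODY = '{"v": 1, "__proto__": {"isAdmin": true}}';

// The copy loop as quoted in the issue (hypothetical wrapper name).
function setUnsafe(data, params) {
  for (let key in params) {
    data[key] = params[key]; // for "__proto__" this calls the inherited setter
  }
  return data;
}

// Guarded copy: own keys only, and keys that reach the prototype are skipped.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setSafe(data, params) {
  for (const key of Object.keys(params)) {
    if (BLOCKED_KEYS.has(key)) continue;
    data[key] = params[key];
  }
  return data;
}

// Defence in depth: a null-prototype object has no "__proto__" setter,
// so even the unguarded loop only creates a plain own property.
function newSessionData() {
  return Object.create(null);
}

function demo() {
  const params = JSON.parse(SAMPLE_BODY);
  const unsafe = setUnsafe({}, params);
  const safe = setSafe({}, params);
  const bare = setUnsafe(newSessionData(), params);
  return {
    unsafeInherits: unsafe.isAdmin === true,   // prototype of the session object was swapped
    unsafeOwnKeys: Object.keys(unsafe),        // the injected key leaves no own property behind
    safeInherits: safe.isAdmin === true,
    safeOwnKeys: Object.keys(safe),
    bareProtoIsNull: Object.getPrototypeOf(bare) === null,
    globalClean: ({}).isAdmin === undefined    // Object.prototype itself is untouched here
  };
}
```
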