Fix: Prevent prototype pollution in memstore in v2.5.0 (issue salesfo…

…rce#282)
yuvaljacob · Dec 24, 2024 · 434e64e · 434e64e
1 parent 7c1fdf1
commit 434e64e
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 4 deletions.
diff --git a/lib/memstore.js b/lib/memstore.js
@@ -36,7 +36,7 @@ var util = require('util');
 
 function MemoryCookieStore() {
   Store.call(this);
-  this.idx = {};
+  this.idx = Object.create(null);
 }
 util.inherits(MemoryCookieStore, Store);
 exports.MemoryCookieStore = MemoryCookieStore;
@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies = function(domain, path, cb) {
 
 MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
   if (!this.idx[cookie.domain]) {
-    this.idx[cookie.domain] = {};
+    this.idx[cookie.domain] = Object.create(null);
   }
   if (!this.idx[cookie.domain][cookie.path]) {
-    this.idx[cookie.domain][cookie.path] = {};
+    this.idx[cookie.domain][cookie.path] = Object.create(null);
   }
   this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
   cb(null);
@@ -150,7 +150,7 @@ MemoryCookieStore.prototype.removeCookies = function(domain, path, cb) {
 };
 
 MemoryCookieStore.prototype.removeAllCookies = function(cb) {
-  this.idx = {};
+  this.idx = Object.create(null);
   return cb(null);
 }
 

diff --git a/test/cookie_jar_test.js b/test/cookie_jar_test.js
@@ -541,4 +541,29 @@ vows
       }
     }
   })
+  .addBatch({
+    "Issue #282 - Prototype pollution": {
+      "when setting a cookie with the domain __proto__": {
+        topic: function() {
+          const jar = new tough.CookieJar(undefined, {
+            rejectPublicSuffixes: false
+          });
+          // try to pollute the prototype
+          jar.setCookieSync(
+            "Slonser=polluted; Domain=__proto__; Path=/notauth",
+            "https://__proto__/admin"
+          );
+          jar.setCookieSync(
+            "Auth=Lol; Domain=google.com; Path=/notauth",
+            "https://google.com/"
+          );
+          this.callback();
+        },
+        "results in a cookie that is not affected by the attempted prototype pollution": function() {
+          const pollutedObject = {};
+          assert(pollutedObject["/notauth"] === undefined);
+        }
+      }
+    }
+  })
   .export(module);