From 434e64e27aab0bc95f21f8febd2bf2563aabc06f Mon Sep 17 00:00:00 2001
From: Yuval Jacobson
Date: Tue, 24 Dec 2024 18:32:14 +0200
Subject: [PATCH] Fix: Prevent prototype pollution in memstore in v2.5.0 (issue #282)
---
 lib/memstore.js | 8 ++++----
 test/cookie_jar_test.js | 25 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/lib/memstore.js b/lib/memstore.js
index d2b915c9..6b0a0b1f 100644
--- a/lib/memstore.js
+++ b/lib/memstore.js
@@ -36,7 +36,7 @@ var util = require('util');
 function MemoryCookieStore() {
 Store.call(this);
- this.idx = {};
+ this.idx = Object.create(null);
 }
 util.inherits(MemoryCookieStore, Store);
 exports.MemoryCookieStore = MemoryCookieStore;
@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies = function(domain, path, cb) {
 MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
 if (!this.idx[cookie.domain]) {
- this.idx[cookie.domain] = {};
+ this.idx[cookie.domain] = Object.create(null);
 }
 if (!this.idx[cookie.domain][cookie.path]) {
- this.idx[cookie.domain][cookie.path] = {};
+ this.idx[cookie.domain][cookie.path] = Object.create(null);
 }
 this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
 cb(null);
@@ -150,7 +150,7 @@ MemoryCookieStore.prototype.removeCookies = function(domain, path, cb) {
 };
 MemoryCookieStore.prototype.removeAllCookies = function(cb) {
- this.idx = {};
+ this.idx = Object.create(null);
 return cb(null);
 }
diff --git a/test/cookie_jar_test.js b/test/cookie_jar_test.js
index 67809b93..d9c83b9d 100644
--- a/test/cookie_jar_test.js
+++ b/test/cookie_jar_test.js
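Review bot: The switch to a null-prototype index in the constructor carries no comment saying why, so a later cleanup could plausibly revert it to `{}` and reopen the issue the subject line names; the same applies to the two assignments in the putCookie hunk and the one in removeAllCookies. I would add `// null prototype: domain, path and key come straight from Set-Cookie headers, so names like "__proto__" or "constructor" must stay plain own properties of the index` above the `this.idx` initialisation in the constructor. putCookie is the only place in this diff that creates the domain and path levels; if any other code path outside these hunks builds `idx` entries with object literals it should be changed the same way, which I cannot confirm from here. Note also that a null-prototype object has no `hasOwnProperty`, so any caller relying on `this.idx.hasOwnProperty(...)` rather than `Object.keys` would now throw; worth checking the rest of memstore.js before merging.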
@@ -541,4 +541,29 @@ vows
 }
 }
 })
+ .addBatch({
+ "Issue #282 - Prototype pollution": {
+ "when setting a cookie with the domain __proto__": {
+ topic: function() {
+ const jar = new tough.CookieJar(undefined, {
+ rejectPublicSuffixes: false
+ });
+ // try to pollute the prototype
+ jar.setCookieSync(
+ "Slonser=polluted; Domain=__proto__; Path=/notauth",
+ "https://__proto__/admin"
+ );
+ jar.setCookieSync(
+ "Auth=Lol; Domain=google.com; Path=/notauth",
+ "https://google.com/"
+ );
+ this.callback();
+ },
+ "results in a cookie that is not affected by the attempted prototype pollution": function() {
+ const pollutedObject = {};
+ assert(pollutedObject["/notauth"] === undefined);
+ }
+ }
+ }
+ })
 .export(module);
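Review bot: The assertion in the new batch only checks that `Object.prototype` was not written to; it never verifies that the store still works with null-prototype indices, so a regression that broke lookups entirely would still pass this test. I would add a positive check after the existing assertion, such as `assert.deepEqual(jar.getCookiesSync("https://google.com/notauth").map(function(c) { return c.key; }), ["Auth"]);`, which also shows that the `__proto__`-domain cookie does not surface for another host; the `jar` would then need to be passed through `this.callback(null, jar)` from the topic. `assert(pollutedObject["/notauth"] === undefined)` gives an uninformative failure message; `assert.strictEqual(pollutedObject["/notauth"], undefined)` reports the offending value instead. The enclosing vows chain begins outside the hunk.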