no-pollution

    1.0.2 • Public • Published

    no-pollution

    Prevent prototype pollution by sanitizing all string inputs to the JSON parser. This will prevent prototype pollution from happening even if you have a vulnerable library like hoek <4.2.1 merge operation or jQuery <3.4.0 extend operation.

    A much needed prototype pollution fix for projects that were stuck with the vulnerable package and unable to upgrade the patched version of the package such as this scenario

    Installation

    npm i -S no-pollution

    or

    yarn add no-pollution

    Usage

    To use the package, simply do a require on the entry point of your javascript project.

    require('no-pollution')

    Working

    // An object created with vulnerable merge operation and a payload from the attacker
    var someObject = merge({}, JSON.parse('{"foo": "bar", "__proto__": {"polluted": true}}'));
    console.log({}.polluted) // will print `true`
     
    // After importing the no-pollution package
    require('no-pollution');
    var someObject = merge({}, JSON.parse('{"foo": "bar", "__proto__": {"polluted": true}}'));
    console.log({}.polluted) // will print `undefined`
     
    // You can also retrieve the pollutants that were sent by the attacker
    console.log(someObject.__pollutants__); // will print { polluted: true }

    Usage with the browser

    Currently there is no CDN available yet. But you can directly load the javascript file in your browser before you load other js files

    <script src="./path-to-your-js-folder/no-pollution/index.js"></script>

    Important

    While no-pollution works with most of the known vulnerabilities, it will not work against vulnerabilities introduced by path-value assignment operations since the operation doesn't use a JSON parser. One such vulnerability is found in mpath (luckily it has been patched already). Do check what kind of vulnerability you are affected by using npm-audit before using no-pollution.

    TODO

    • Detailed documentation.
    • CDN for the js file

    Install

    npm i no-pollution

    DownloadsWeekly Downloads

    87

    Version

    1.0.2

    License

    MIT

    Unpacked Size

    4.12 kB

    Total Files

    5

    Last publish

    Collaborators

    • daniakash