From c571d800f58659692cddc51351b3d344396dd528 Mon Sep 17 00:00:00 2001
From: Mario Areias
Date: Mon, 21 Mar 2022 15:03:23 +1100
Subject: [PATCH 1/2] Fix prototype pollution

---
 lib/parse.js | 6 ++++++
 test/parse.js | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/lib/parse.js b/lib/parse.js
index 731161e..807c4ae 100644
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -153,6 +153,12 @@ function parsePlistXML (node) {
 if (isEmptyNode(node)) {
 return '';
 }
+
+ invariant(
+ node.childNodes[0].nodeValue !== '__proto__',
+ '__proto__ keys can lead to prototype pollution. More details on CVE-2022-22912'
+ );
+
 return node.childNodes[0].nodeValue;
 } else if (node.nodeName === 'string') {
 res = '';
diff --git a/test/parse.js b/test/parse.js
index 0dd10ba..99be301 100644
--- a/test/parse.js
+++ b/test/parse.js
@@ -187,6 +187,13 @@ U=
 );
 assert.deepEqual(parsed, { a: { a1: true } });
 });
+
+ /* Test to protect against CVE-2022-22912 */
+ it('should throw if key value is __proto__', function () {
+ assert.throws(function () {
+ parseFixture('__proto__lengthpolluted');
+ });
+ });
 });
 
 describe('integration', function () {

From 5e86ee5ed7133fac94b8d7381b246bedf8f93853 Mon Sep 17 00:00:00 2001
From: Mario Areias
Date: Mon, 21 Mar 2022 15:17:55 +1100
Subject: [PATCH 2/2] Added other variants of the __proto__ string

---
 test/parse.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/test/parse.js b/test/parse.js
index 99be301..4e46e40 100644
--- a/test/parse.js
+++ b/test/parse.js
@@ -193,6 +193,11 @@ U=
 assert.throws(function () {
 parseFixture('__proto__lengthpolluted');
 });
+
+ // adding backslash should still be protected.
+ assert.throws(function () {
+ parseFixture('_\_proto_\_lengthpolluted');
+ });
 });
 });
 
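Review bot: The invariant added in front of the `return` is a denylist on the single literal `__proto__`, so a key of `constructor` (carrying a nested `prototype` dict) still flows into whatever stores dict entries, which is the other well-known pollution path for any consumer that deep-merges the parsed plist; that assignment lives outside this hunk, so I could not confirm whether it is a plain `obj[key] = value`. I would at least widen the check to `invariant(['__proto__', 'constructor'].indexOf(node.childNodes[0].nodeValue) === -1, '__proto__/constructor keys can lead to prototype pollution. More details on CVE-2022-22912');`, and separately harden the assignment site (`Object.defineProperty`, or building dicts with `Object.create(null)`) so this string comparison is not the only line of defense. The note also assumes `invariant` is already required at the top of lib/parse.js, which the hunk does not show. parsePlistXML starts and ends outside the hunk.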
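Review bot: `assert.throws` on the added lines has no error matcher, so the test passes for any exception at all — a missing or unreadable `__proto__lengthpolluted` fixture (its contents are not in the hunk) would presumably make `parseFixture` throw and the test would stay green without the new invariant ever running. Pin it to the guard and check that nothing leaked into `Object.prototype`: `assert.throws(function () { parseFixture('__proto__lengthpolluted'); }, /prototype pollution/);` followed by `assert.strictEqual(({}).length, undefined);`. The enclosing `describe` opens outside the hunk.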
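Review bot: The second assertion does not test a new variant: in a JavaScript string literal `\_` is not a recognised escape and simply yields `_`, so `'_\_proto_\_lengthpolluted'` evaluates to exactly `'__proto__lengthpolluted'` and `parseFixture` loads the same fixture as the first assertion (ESLint's `no-useless-escape` would flag it). The comment `// adding backslash should still be protected.` therefore describes something the test cannot show. A variant that would actually exercise the guard is a fixture whose `<key>` spells `__proto__` through XML character references (`&#95;&#95;proto&#95;&#95;`) or a CDATA section, which checks that the comparison runs on the decoded node value; either drop the duplicate assertion or point it at a new fixture file encoded that way. The enclosing `it` begins outside the hunk.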