Security Fix for Prototype Pollution - huntr.dev

[huntr-helper]

https://huntr.dev/users/d3m0n-r00t has fixed the Prototype Pollution vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/keypather/1/README.md

User Comments:

📊 Metadata *

Fixed Prototype Pollution in keypather.

Bounty URL: https://www.huntr.dev/bounties/1-npm-keypather

⚙️ Description *

keypather is vulnerable to Prototype Pollution.

💻 Technical Description *

The package is vulnerable to Prototype pollution in the set function. This vulnerability is fixed by filtering the keywords that causes pollution from the object.

🐛 Proof of Concept (PoC) *

// poc.js
const set = require('keypather/set')
var obj = {}
console.log("Before : " + {}.polluted);
set({}, '__proto__.polluted', 'Yes! Its Polluted');
console.log("After : " + {}.polluted);

Before : undefined
After : Yes! Its Polluted

🔥 Proof of Fix (PoF) *

👍 User Acceptance Testing (UAT)

All Ok.

[tjmehta]

maybe add an option to allow prototype modification?