Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prototype Pollution Bug Detector #452

Merged
merged 5 commits into from
Jul 18, 2023
Merged

Conversation

oetr
Copy link
Contributor

@oetr oetr commented May 25, 2023

This PR has two main additions:

  1. Add an API for writing and configuring bug detectors
  2. Add the Prototype Pollution bug detector that makes use of this new API

@bertschneider
Copy link
Contributor

This looks quite promising! The detection part should already work, but I wonder how we could guide the fuzzer to add properties to {}?

The paper "Prototype pollution attack in NodeJS application" describes two forms of vulnerable expressions:

  • obj[a][b] = value
  • obj[a][b][c] = value

We should be able to create a custom Babel transformer to detect this syntax and invoke appropriate guiding functions. Perhaps it could also invoke a function which could be hooked using the normal hooking framework.

The Babel AST explorer shows that the transformer would need to process nested member expressions: https://astexplorer.net/#/gist/0518da7634c3406b968f9ce9478d4b5a/e6629d9f54906e4272a3bf1943710a61a1a5f04e

@oetr
Copy link
Contributor Author

oetr commented May 31, 2023

Norbert, what a great idea, thanks!

@zgtm
Copy link
Member

zgtm commented Jun 27, 2023

I'm a bit confused, but the newest commit "bug detectors: add path traversal" actually belongs to #419, right? But that is already merged, so why is it still shown here? 🤔

@oetr oetr force-pushed the FUZZ-593_prototype_pollution branch 12 times, most recently from 42ccb07 to 4f54904 Compare July 4, 2023 09:14
@oetr
Copy link
Contributor Author

oetr commented Jul 4, 2023

Apologies for this giant PR

@oetr oetr closed this Jul 4, 2023
@oetr oetr reopened this Jul 4, 2023
@oetr oetr marked this pull request as ready for review July 4, 2023 10:03
@oetr oetr requested a review from a team July 4, 2023 10:03
Copy link

@fmeum fmeum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First comments, but I haven't gotten to the actual bug detector yet :-)

docs/fuzz-settings.md Outdated Show resolved Hide resolved
examples/bug-detectors/command-injection/custom-hooks.js Outdated Show resolved Hide resolved
packages/bug-detectors/DEVELOPMENT.md Outdated Show resolved Hide resolved
packages/bug-detectors/DEVELOPMENT.md Show resolved Hide resolved
packages/bug-detectors/configuration.ts Show resolved Hide resolved
packages/bug-detectors/index.ts Outdated Show resolved Hide resolved
packages/core/core.ts Outdated Show resolved Hide resolved
packages/hooking/manager.ts Outdated Show resolved Hide resolved
tests/bug-detectors/prototype-pollution.test.js Outdated Show resolved Hide resolved
packages/core/core.ts Outdated Show resolved Hide resolved
packages/bug-detectors/internal/prototype-pollution.ts Outdated Show resolved Hide resolved
packages/bug-detectors/internal/prototype-pollution.ts Outdated Show resolved Hide resolved
packages/bug-detectors/internal/prototype-pollution.ts Outdated Show resolved Hide resolved
packages/bug-detectors/internal/prototype-pollution.ts Outdated Show resolved Hide resolved
packages/bug-detectors/internal/prototype-pollution.ts Outdated Show resolved Hide resolved
@oetr oetr force-pushed the FUZZ-593_prototype_pollution branch 3 times, most recently from e126977 to a2c41d4 Compare July 10, 2023 23:35
oetr and others added 3 commits July 18, 2023 13:50
The bug-detector module should use the normal user-facing API to report
findings, register callbacks and the like to verify that those work
correctly and be able to be used as examples.
HookManager had too many responsibilities. Extract those out and move to
functionally more fitting modules to simplify the project
layout. Furthermore, hooks and bug detectors should only use the
publicly exposed API from core and not reach into internal modules.
@bertschneider bertschneider force-pushed the FUZZ-593_prototype_pollution branch 2 times, most recently from ee8429c to 40e0859 Compare July 18, 2023 11:52
The core source code file contained functions for varying topics and
with different abstraction levels. For better understanding and cohesion
these functions were extracted into topic specific files, only exporting
really necessary internals.
@bertschneider bertschneider enabled auto-merge (rebase) July 18, 2023 11:56
@bertschneider bertschneider merged commit cc10ef8 into main Jul 18, 2023
6 checks passed
@bertschneider bertschneider deleted the FUZZ-593_prototype_pollution branch July 18, 2023 13:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants