关联漏洞
标题:
tough-cookie 安全漏洞
(CVE-2023-26136)
描述:tough-cookie是Salesforce开源的一个库。 tough-cookie 4.1.3之前版本存在安全漏洞,该漏洞源于在rejectPublicSuffixes=false模式下使用CookieJar时对Cookie的处理不当,可能导致原型污染漏洞。
描述
Fix open source package uses tough-cookie 2.5.0 - CVE-2023-26136,
介绍
# SEAL SECURITY PROJECT : Open Source Engineer Task
# Create new version of package tough-cookie V2.5.0 ,for fix critical vulnerability CVE-2023-26136, project written in Node.js V20
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
https://nvd.nist.gov/vuln/detail/CVE-2023-26136
Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution
There are two main ways in which the pollution of prototypes occurs:
* Unsafe Object recursive merge
* Property definition by path
important not: https://github.com/salesforce/tough-cookie/issues/282
https://security.snyk.io/package/npm/tough-cookie/2.5.0
=> To fix the vulnerability in the MemoryCookieStore class, you need to modify the putCookie method to prevent prototype pollution when cookie.domain is set to __proto__.
https://github.com/salesforce/tough-cookie/pull/283
1.
a. Change tough_cookie_2.5.0\node_modules\tough-cookie\lib\memstore.js
All occurrences of new object creation in `memstore.js` have been changed from {} `Object.create(Object.prototype)` to `Object.create(null)`
so that we are using object instances that do not have a prototype property that can be polluted.
* Example : console.log(a = Object.create(null)); in object a - No properties(or __ proto __)
b. Created a new , /node_modules/tough-cookie/lib/test-unit.js
use in vanillajs for it found in tests folder file cookie_jar_test.js "Issue #282 - Prototype pollution"
Command: node test-unit.js
c. Created a new file,/node_modules/tough-cookie/lib/testVerifyVulnerable.js
verify the vulnerable behavior was fixed.
Command: node testVerifyVulnerable.js
2. change.diff : https://github.com/ronmadar/Open-Source-Seal-Security/blob/cf768f1932f087c30ebec7fe60c3fca323b4e54b/change.diff
3.
a. Regular package tough-cookie V 2.5.0
Command: npm install tough-cookie@2.5.0 && node index.js
b. Compress package tough-cookie V 2.5.0 tgz format with changes
Command: npm install ./tough-cookie-2.5.0-PATCHED.tgz && node index.js
c.
* Vulnerability: The vulnerability arises from directly modifying the Object.
prototype by adding a new property newProperty.
This means that every object in the JavaScript environment will inherit this property,
potentially altering their behavior unintentionally.
## Potential Damage -
* Prototype Pollution:
By adding properties directly to Object. prototype, there's a risk of polluting the entire prototype chain.
This can lead to unexpected behavior across the application, as any object that traverses the prototype chain may be affected.
* Security Risks: In a web application context, prototype pollution can be exploited by attackers to manipulate objects
and properties, potentially leading to security vulnerabilities such as privilege escalation, information leakage.
* Compatibility Issues: Modifying core prototypes like Object.
prototype can introduce compatibility issues with other libraries or frameworks that rely on standard behavior.
This can cause errors or unexpected behavior when integrating or updating dependencies.
d. wrote above.
4. A link to your forked GitHub repository of tough-cookie 2.5.0
https://github.com/ronmadar/tough-cookie
How to install this project
1. clone this project
文件快照
[4.0K] /data/pocs/bae490c2f87f8eb370791b3fa6b7181abf194d85
├── [4.4K] change.diff
├── [2.7K] index.js
├── [4.0K] node_modules
│ ├── [4.0K] psl
│ │ ├── [7.4K] browserstack-logo.svg
│ │ ├── [4.0K] data
│ │ │ └── [137K] rules.json
│ │ ├── [4.0K] dist
│ │ │ ├── [158K] psl.js
│ │ │ └── [134K] psl.min.js
│ │ ├── [5.9K] index.js
│ │ ├── [1.1K] LICENSE
│ │ ├── [1.3K] package.json
│ │ └── [6.3K] README.md
│ ├── [4.0K] punycode
│ │ ├── [1.1K] LICENSE-MIT.txt
│ │ ├── [1.2K] package.json
│ │ ├── [ 12K] punycode.es6.js
│ │ ├── [ 12K] punycode.js
│ │ └── [5.6K] README.md
│ └── [4.0K] tough-cookie
│ ├── [4.0K] lib
│ │ ├── [ 40K] cookie.js
│ │ ├── [6.6K] memstore.js
│ │ ├── [2.4K] pathMatch.js
│ │ ├── [2.2K] permuteDomain.js
│ │ ├── [1.7K] pubsuffix-psl.js
│ │ ├── [2.9K] store.js
│ │ ├── [2.4K] test-unit.js
│ │ ├── [2.4K] testVerifyVulnerable.js
│ │ └── [ 52] version.js
│ ├── [1.5K] LICENSE
│ ├── [1.7K] package.json
│ └── [ 27K] README.md
├── [ 57] package.json
├── [1.1K] package-lock.json
└── [4.1K] README.md
7 directories, 30 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。