From 3454e797137b1706b11ff2f6f7fb60263b39396b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?=
Date: Tue, 21 Dec 2021 18:03:15 +0000
Subject: console: fix prototype pollution via console.table
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-ID: CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/307
Refs: https://hackerone.com/reports/1431042
Reviewed-By: Matteo Collina
Reviewed-By: Rich Trott
Reviewed-By: Сковорода Никита Андреевич
Reviewed-By: Michaël Zasso
Reviewed-By: Richard Lau
Reviewed-By: Michael Dawson
Reviewed-By: Antoine du Hamel
Reviewed-By: James M Snell
Reviewed-By: Colin Ihrig
---
 lib/internal/console/constructor.js | 3 ++-
 test/parallel/test-console-table.js | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/lib/internal/console/constructor.js b/lib/internal/console/constructor.js
index 92c6d72933..695a56164b 100644
--- a/lib/internal/console/constructor.js
+++ b/lib/internal/console/constructor.js
@@ -15,6 +15,7 @@ const {
   MathFloor,
   Number,
   NumberPrototypeToFixed,
+  ObjectCreate,
   ObjectDefineProperties,
   ObjectDefineProperty,
   ObjectKeys,
@@ -554,7 +555,7 @@ const consoleMethods = {
       return final([iterKey, valuesKey], [getIndexArray(length), values]);
     }
 
-    const map = {};
+    const map = ObjectCreate(null);
     let hasPrimitives = false;
     const valuesKeyArray = [];
     const indexKeyArray = ObjectKeys(tabularData);
diff --git a/test/parallel/test-console-table.js b/test/parallel/test-console-table.js
index ac414918da..fb1de08323 100644
--- a/test/parallel/test-console-table.js
+++ b/test/parallel/test-console-table.js
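Review bot: The `const map = ObjectCreate(null);` line carries the whole fix, but nothing at the site says why a null prototype is required, so a later cleanup could quietly put `{}` back and only the new regression test would notice. Add a why-comment above it, e.g. `// Null prototype: column names are taken from caller input, so a key such as '__proto__' must land on map itself rather than resolve to Object.prototype.` The lookups and per-column writes into `map` that depended on this are below the hunk, and the enclosing `table` method starts and ends outside it.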
@@ -276,3 +276,18 @@ test({ foo: '你好', bar: 'hello' }, `
 │   bar   │ 'hello' │
 └─────────┴─────────┘
 `);
+
+// Regression test for prototype pollution via console.table. Earlier versions
+// of Node.js created an object with a non-null prototype within console.table
+// and then wrote to object[column][index], which lead to an error as well as
+// modifications to Object.prototype.
+test([{ foo: 10 }, { foo: 20 }], ['__proto__'], `
+┌─────────┬───────────┐
+│ (index) │ __proto__ │
+├─────────┼───────────┤
+│    0    │           │
+│    1    │           │
+└─────────┴───────────┘
+`);
+assert.strictEqual('0' in Object.prototype, false);
+assert.strictEqual('1' in Object.prototype, false);
-- 
cgit v1.2.1
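Review bot: The comment's "which lead to an error" should read "which led to an error", and it would help to name the trigger the fixture exercises — a caller-chosen column name of `'__proto__'` — since the expected table below shows the symptom rather than the cause. The two `assert.strictEqual('…' in Object.prototype, false)` checks pin exactly the indices this fixture would have written, so a fixture with more rows or a different column name would not be covered. Taking `const before = Object.getOwnPropertyNames(Object.prototype);` before the `test(...)` call and asserting `assert.deepStrictEqual(Object.getOwnPropertyNames(Object.prototype), before);` after it catches any leaked key for the same cost.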