Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
prototype pollution vulnearability due to hoek dependency
See original GitHub issueObserved following security vulnerability in the grpc node package (even on latest version 1.10.0)
The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property. This can be demonstrated like so: javascript var Hoek = require('hoek'); var malicious_payload = '{"__proto__":{"oops":"It works !"}}'; var a = {}; console.log("Before : " + a.oops); Hoek.merge({}, JSON.parse(malicious_payload)); console.log("After : " + a.oops);
This type of attack can be used to overwrite existing properties causing a potential denial of service.
This can be fixed by updating the dependency version to hoek@4.2.1
Issue Analytics
- State:
- Created 6 years ago
- Reactions:1
- Comments:8 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
1.11.1 has been published with the newest version of node-pre-gyp, and we’re upmerging this to master, yes.
That is actually a transitive dependency through
node-pre-gyp, which will be updated in the next patch release. Until then, I don’t think there is any API surface for a malicious user to trigger this through gRPC.