
fix: default settings allows arbitrary bypass vulnerability


With this vulnerability, an attacker can bypass any security checks enforced by class-validator.

When class-validator is used to validate user input, the attributes in the user-input object will be transformed into the validation class instance. However, the transforming procedure will overwrite the internal attribute of the validation class instance (e.g., the constructor attribute) if the attacker injects an attribute with the same name into the user input. Once this internal attribute is overwritten, class-validator will be bypassed.

PoC

```typescript
import {validate, Contains, IsInt, Length, IsEmail, IsFQDN, IsDate, Min, Max} from "class-validator";
import {plainToClass} from "class-transformer";

class Post {

    @Length(10, 20)
    title: string;

    @Contains("hello")
    text: string;

    @IsInt()
    @Min(0)
    @Max(10)
    rating: number;

    @IsEmail()
    email: string;

    @IsFQDN()
    site: string;

    @IsDate()
    createDate: Date;

}

// A malformed input: JSON.parse makes "__proto__" an own property of the parsed object,
// and plainToClass copies it onto the Post instance, replacing the instance's prototype
let userJson = JSON.parse('{"title":1233, "__proto__":{}}');
let users = plainToClass(Post, userJson);

// The instance no longer resolves to Post's validation metadata, so no errors are reported
validate(users).then(errors => { // errors is an array of validation errors
    if (errors.length > 0) {
        console.log("validation failed. errors: ", errors);
    } else {
        console.log("validation succeeded");
    }
});
```

Our suggestion is that class-validator should check the integrity of the constructor: if it has been corrupted, the validation should automatically fail.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 31
  • Comments: 60 (10 by maintainers)

Top GitHub Comments

AnandChowdhary commented, Oct 12, 2021 (47 reactions)

Lots of people are going to come here now that GitHub has opened this as a critical severity: https://github.com/advisories/GHSA-fj58-h2fr-3pp2.

What will a PR to fix this look like? Should we set forbidUnknownValues: true by default?

eylonmalin commented, Jun 24, 2021 (32 reactions)

@NoNameProvided I don’t really understand why not set the default value of forbidUnknownValue to true by default. If it’s a breaking change you can release a major release. Running static security scans is a standard in the industry, and this vulnerability prevents using the class-validator library.
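To make the mechanism in the issue body and the two mitigations raised in the thread concrete, here is an added example (not code from the class-validator or class-transformer projects) that runs in plain Node.js. It replaces both libraries with small stand-ins: a `rules` map keyed by constructor stands in for decorator metadata, `naivePlainToClass` models the attribute copying the issue describes, `safePlainToClass` and `hasIntactPrototype` are assumed names for the integrity check the reporter suggests, and the `forbidUnknownValues` option mirrors the behaviour discussed in the comments.

```javascript
// Stand-in metadata registry: constructor -> [{ prop, check, message }]
const rules = new Map();
function addRule(cls, prop, check, message) {
  if (!rules.has(cls)) rules.set(cls, []);
  rules.get(cls).push({ prop, check, message });
}

class Post {}
addRule(Post, 'title', v => typeof v === 'string' && v.length >= 10 && v.length <= 20,
  'title must be 10-20 characters');
addRule(Post, 'rating', v => Number.isInteger(v) && v >= 0 && v <= 10,
  'rating must be an integer between 0 and 10');

// Models the transform the issue describes: every key of the plain object is
// assigned onto the instance. A key named "__proto__" (an own property when it
// comes from JSON.parse) hits the Object.prototype.__proto__ setter and replaces
// the instance's prototype, so the object no longer resolves to Post.
function naivePlainToClass(cls, plain) {
  const instance = new cls();
  for (const key of Object.keys(plain)) instance[key] = plain[key];
  return instance;
}

// Hardened transform (assumed name): never copy keys that can change object identity.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safePlainToClass(cls, plain) {
  const instance = new cls();
  for (const key of Object.keys(plain)) {
    if (!FORBIDDEN_KEYS.has(key)) instance[key] = plain[key];
  }
  return instance;
}

// Validator stand-in: rules are looked up by the instance's constructor. With
// forbidUnknownValues off (the old default) an object without metadata yields
// zero errors, i.e. the bypass; with it on, such an object is rejected.
function validate(instance, { forbidUnknownValues = false } = {}) {
  const proto = Object.getPrototypeOf(instance);
  const ruleSet = rules.get(proto && proto.constructor);
  if (!ruleSet) return forbidUnknownValues ? ['unknown object: no validation metadata'] : [];
  return ruleSet.filter(r => !r.check(instance[r.prop])).map(r => r.message);
}

// The integrity check the issue proposes (assumed name): is the prototype chain intact?
function hasIntactPrototype(cls, instance) {
  return Object.getPrototypeOf(instance) === cls.prototype;
}

// Constructed input taken from the PoC in the issue body
const maliciousInput = JSON.parse('{"title":1233, "__proto__":{}}');
```

Running `validate(naivePlainToClass(Post, maliciousInput))` returns no errors, while the same object fails with `forbidUnknownValues: true`, and `safePlainToClass` keeps the prototype intact so the title and rating rules are actually applied.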
