Notes for v17.8.3 and v18.0.1 Security Update #3916

hueniverse opened this issue Jan 31, 2019 · 1 comment
@hueniverse (Contributor) wrote:

Acknowledgements

The security issue was initially reported by the Lob engineering team to @Marsup as part of a joi security report. The Lob team reported the issue privately and responsibly with a proposed fix and tests to reproduce the issue. We are very grateful to them for the way it was reported and the extra mile in working with us to better understand it.

Triage was performed by @Marsup, @nlf, and @hueniverse.

The bourne module name was generously contributed by @andrew8088. The code was reviewed by @nlf and @mcollina. Benchmarking code was added by @mcollina.

Issue

A severe security threat has been identified related to prototype poisoning. The issue itself is not a bug in hapi but in the way JSON.parse() and Object.assign() (or similar local implementations) interact with each other.

```js
> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'

> const b = JSON.parse(a);
{ __proto__: { b: 5 } }

> b.b;
undefined

> const c = Object.assign({}, b);
{}

> c.b
5
```

Specifically for hapi, if you manipulate request.payload in onCredentials or onPostAuth prior to validation, joi may fail to identify invalid user input as well as leak prototype methods into your runtime environment. This could result in a catastrophic outcome.

Because of the nature of this issue, we cannot pin it to any specific module. The threat itself comes from your own code and how you interact with incoming payload parsed with JSON.parse() (by hapi or manually). The security patches (for hapi v16, v17, and v18) address this by blocking potential threats at the source where the payload is processed.

However, even this protection is limited to content processed by hapi. If you allow payload data to stream through, you might still have to deal with this issue yourself.

In addition, query string processing may also suffer from this if you use a custom module for converting incoming query strings into objects. If you use Node's query string parser (used by hapi) or the qs module, you are safe.

Next Steps

To address this threat, a new module bourne is now available which provides a drop-in replacement for JSON.parse(). If you call JSON.parse() on any external or untrusted data source, consider switching to this new module.

If you use onCredentials or onPostAuth in your code, or if you use the base64json cookie encoding format, review your handling of request.payload and request.state objects to ensure your current (pre-patched) code is not at risk.
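As an added example (not hapi's or bourne's own code), the poisoning path described above next to a minimal hardened JSON.parse() wrapper that rejects or strips own "__proto__" keys the way a bourne-style drop-in does; safeParse, scan and vulnerableMerge are hypothetical names and the payload is a constructed sample.

```javascript
'use strict';
// Added example, not code from hapi or bourne: the JSON.parse() + Object.assign()
// poisoning path from the notes, beside a minimal hardened parser that rejects or
// strips own "__proto__" keys anywhere in the parsed tree. safeParse, scan and
// vulnerableMerge are hypothetical names chosen for this illustration.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// JSON.parse() stores "__proto__" as an ordinary own data property (it does not
// call the Object.prototype.__proto__ setter), so hasOwnProperty can see it.
function scan(value, action) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) {
    value.forEach((item) => scan(item, action));
    return value;
  }
  if (hasOwn(value, '__proto__')) {
    if (action === 'error') {
      throw new SyntaxError('Object contains forbidden prototype property');
    }
    delete value['__proto__']; // 'remove': drop the key, never assign through it
  }
  for (const key of Object.keys(value)) scan(value[key], action);
  return value;
}

// Drop-in for JSON.parse(); options.protoAction is 'error' (default) or 'remove'.
function safeParse(text, options = {}) {
  return scan(JSON.parse(text), options.protoAction || 'error');
}

// The vulnerable path: Object.assign() copies the own "__proto__" key by
// assignment, which invokes the setter and replaces the target's prototype.
function vulnerableMerge(text) {
  return Object.assign({}, JSON.parse(text));
}

// Constructed sample of a hostile JSON body (not from the original page).
const payload = '{"user":"alice","__proto__":{"isAdmin":true}}';

console.log(vulnerableMerge(payload).isAdmin);   // true: prototype poisoned
try {
  safeParse(payload);                            // default action: reject
} catch (err) {
  console.log(err.message);
}
const cleaned = safeParse(payload, { protoAction: 'remove' });
console.log(Object.assign({}, cleaned).isAdmin); // undefined: key stripped
```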

hueniverse added the labels security (Issue with security impact) and release notes (Major release documentation) on Jan 31, 2019
hueniverse self-assigned this on Jan 31, 2019
lock bot commented Jan 9, 2020:

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

lock bot locked as resolved and limited conversation to collaborators on Jan 9, 2020