Fix prototype pollution in stax-xml converter #2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Replace all object literal `{}` usage with `Object.create(null)` in the
converter module to prevent prototype pollution attacks. This ensures that
created objects have no prototype chain and cannot be exploited through
properties like __proto__, constructor, or prototype.
Changes:
- XmlParserInternal.ts: Fixed 4 object creation sites (lines 205, 301, 1122, 1184)
- XmlObjectSchema.ts: Fixed 2 rootAttributes creation sites (lines 220, 338)
- XmlParsingStateMachine.ts: Fixed 2 result object creation sites (lines 861, 952)
All 796 existing tests pass, confirming backward compatibility.
Fix prototype pollution vulnerabilities in all XML parsers where user-controlled XML attribute names could pollute Object.prototype through properties like __proto__, constructor, or prototype. Attack vector example: <tag __proto__="polluted">...</tag> This would allow an attacker to inject properties into all objects, potentially leading to security issues in applications using the parser. Changes: - StaxXmlParserSync.ts: Use Object.create(null) for attributes objects (line 658-664) - StaxXmlParser.ts: Use Object.create(null) for attributes objects (line 1070-1071) - StaxXmlParser.baseline.ts: Use Object.create(null) for attributes objects (line 983-984) Test coverage: - Added comprehensive security test suite (security-prototype-pollution.test.ts) - 7 new tests verify protection against __proto__, constructor, and prototype pollution - All 803 tests pass (796 existing + 7 new security tests) Security impact: HIGH - prevents object injection attacks via XML attributes
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Replace all object literal
{}usage withObject.create(null)in the converter module to prevent prototype pollution attacks. This ensures that created objects have no prototype chain and cannot be exploited through properties like proto, constructor, or prototype.Changes:
All 796 existing tests pass, confirming backward compatibility.