Security: Prototype Pollution via Extension ID Manipulation#1192
tomaioo wants to merge 1 commit into
Conversation
The `Extensions.get()` method in both v2 and v3 modifies the input `id` parameter by prepending `x-` if not present. However, it uses ``id = id.startsWith('x-') ? id : `x-${id}`;``, which mutates the parameter. More critically, the `EXTENSION_REGEX` in constants.ts (`/^x-[\w\d.\-_]+$/`) allows dot characters, and the extension ID is used as a key in various object lookups. If untrusted input reaches this code with prototype pollution payloads like `__proto__`, `constructor`, or `prototype`, it could manipulate object prototypes. The regex does not prevent these special property names, since `__proto__` would match after the `x-` prefix is added.
Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
We require all PRs to follow Conventional Commits specification.
Welcome to AsyncAPI. Thanks a lot for creating your first pull request. Please check out our contributors guide, useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.



Summary
Security: Prototype Pollution via Extension ID Manipulation

Problem
Severity: High
File: packages/parser/src/models/v2/extensions.ts:L10

Solution
Sanitize extension IDs to block prototype pollution by rejecting or escaping `__proto__`, `constructor`, and `prototype` keys. Consider using `Object.create(null)` for maps that store extension data, or use a `Map` instead of plain objects for extension storage.

Changes
packages/parser/src/models/v2/extensions.ts (modified)
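The lookup-or-create pattern the description warns about, next to the two mitigations named under Solution, as an added JavaScript example that is not code from the asyncapi/parser-js repository: `EXTENSION_REGEX` and the `x-` prefixing ternary are taken from the description, and every other name (`recordExtension`, `createExtensionStore`, `isSafeExtensionId`, `leaksOntoObjectPrototype`) is assumed for illustration.

```javascript
// Added example, not code from the asyncapi/parser-js repository.
// EXTENSION_REGEX is the pattern quoted in the PR; toExtensionId mirrors the
// prefixing ternary quoted there; every other name is assumed for illustration.
const EXTENSION_REGEX = /^x-[\w\d.\-_]+$/;
const FORBIDDEN_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

function toExtensionId(id) {
  return id.startsWith('x-') ? id : `x-${id}`;
}

// Risky pattern: plain object, untrusted key, lookup-or-create, then mutate.
// If id is '__proto__', store[id] is Object.prototype, so entry.value lands
// on every object in the realm.
function recordExtension(store, id, value) {
  const entry = store[id] || (store[id] = {});
  entry.value = value;
  return entry;
}

// Mitigation 1 (PR suggestion): prototype-less store, so '__proto__' is just
// an ordinary own property and no prototype is reachable through a key.
function createExtensionStore() {
  return Object.create(null);
}

// Mitigation 2 (PR suggestion): reject the three prototype-related names,
// checked on the bare name after the x- prefix is applied. The regex alone
// does not filter them because \w admits underscores.
function isSafeExtensionId(id) {
  const key = toExtensionId(id);
  return EXTENSION_REGEX.test(key) && !FORBIDDEN_NAMES.has(key.slice(2));
}

function recordExtensionSafe(store, id, value) {
  if (!isSafeExtensionId(id)) throw new TypeError(`rejected extension id: ${id}`);
  return recordExtension(store, toExtensionId(id), value);
}

// Returns true if recording under '__proto__' into the given store leaked a
// property onto Object.prototype; cleans up afterwards so the demo is repeatable.
function leaksOntoObjectPrototype(store) {
  recordExtension(store, '__proto__', 'polluted');
  const leaked = ({}).value === 'polluted';
  delete Object.prototype.value;
  return leaked;
}

console.log('plain object leaks:', leaksOntoObjectPrototype({}));                             // true
console.log('null-prototype store leaks:', leaksOntoObjectPrototype(createExtensionStore())); // false
```

Running the file shows the plain-object store leaking a property onto every object while the null-prototype store does not, and `recordExtensionSafe` refuses the three names before any lookup happens.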