# Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. **Stack:** JavaScript - Prevalence: 中 1 言語をカバー - Impact: ハイ 1 件の重大度ハイのルール - Prevention: 文書化済み 2 件の修正例 **OWASP:** Injection (A03:2021-Injection) - #3 ## Description By modifying the prototype of base objects like Object.prototype, attackers can affect all objects that inherit from these prototypes, potentially leading to code execution or denial of service. ## Prevention 2 件の Shoulder 検出ルールに基づく Prototype Pollution の予防策。 ### JavaScript Filter dangerous keys (__proto__, constructor, prototype) or use schema validation before merging user input Use Object.hasOwn() to verify authorization properties are own properties, not inherited from a polluted prototype ## Warning Signs - [HIGH] user input flowing to object merge operations without filtering dangerous keys - [MEDIUM] authorization checks that trust properties without verifying they are own properties ## Consequences - 未承認コードの実行 - アプリケーションデータの変更 - DoS ## Mitigations - ルックアップ用オブジェクトには Object.create(null) を使用する - オブジェクトへ代入する前にキーを検証してサニタイズする - ユーザー制御のキーには通常のオブジェクトではなく Map を使用する ## Detection - Total rules: 2 - Languages: javascript, typescript ## Rules by Language ### Javascript (2 rules) - **Prototype Pollution via Object Manipulation** [HIGH]: Detects user input flowing to object merge operations without filtering dangerous keys. - Remediation: Filter dangerous keys (__proto__, constructor, prototype) before merging objects. ```javascript const BLOCKED = ['__proto__', 'constructor', 'prototype']; const filtered = Object.fromEntries( Object.entries(input).filter(([k]) => !BLOCKED.includes(k)) ); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution - **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]: Detects authorization checks that trust properties without verifying they are own properties. - Remediation: Use Object.hasOwn() to verify properties are not inherited from prototype. ```javascript if (Object.hasOwn(user, 'isAdmin') && user.isAdmin) { grantAccess(); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution-gadget ### Typescript (2 rules) - **Prototype Pollution via Object Manipulation** [HIGH]: Detects user input flowing to object merge operations without filtering dangerous keys. - Remediation: Filter dangerous keys (__proto__, constructor, prototype) before merging objects. ```javascript const BLOCKED = ['__proto__', 'constructor', 'prototype']; const filtered = Object.fromEntries( Object.entries(input).filter(([k]) => !BLOCKED.includes(k)) ); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution - **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]: Detects authorization checks that trust properties without verifying they are own properties. - Remediation: Use Object.hasOwn() to verify properties are not inherited from prototype. ```javascript if (Object.hasOwn(user, 'isAdmin') && user.isAdmin) { grantAccess(); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution-gadget