# Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. **Stack:** JavaScript - Prevalence: 보통 1개 언어 지원 - Impact: 높음 1개의 높은 심각도 규칙 - Prevention: 문서화됨 2개의 수정 예시 **OWASP:** Injection (A03:2021-Injection) - #3 ## Description By modifying the prototype of base objects like Object.prototype, attackers can affect all objects that inherit from these prototypes, potentially leading to code execution or denial of service. ## Prevention 2개의 Shoulder 탐지 규칙을 기반으로 한 Prototype Pollution 예방 전략. ### JavaScript Filter dangerous keys (__proto__, constructor, prototype) or use schema validation before merging user input Use Object.hasOwn() to verify authorization properties are own properties, not inherited from a polluted prototype ## Warning Signs - [HIGH] user input flowing to object merge operations without filtering dangerous keys - [MEDIUM] authorization checks that trust properties without verifying they are own properties ## Consequences - 승인되지 않은 코드 실행 - 애플리케이션 데이터 수정 - DoS ## Mitigations - 조회용 객체는 Object.create(null)로 생성하세요 - 객체에 할당하기 전에 키를 검증하고 정제하세요 - 사용자가 제어하는 키에는 일반 객체 대신 Map을 사용하세요 ## Detection - Total rules: 2 - Languages: javascript, typescript ## Rules by Language ### Javascript (2 rules) - **Prototype Pollution via Object Manipulation** [HIGH]: Detects user input flowing to object merge operations without filtering dangerous keys. - Remediation: Filter dangerous keys (__proto__, constructor, prototype) before merging objects. ```javascript const BLOCKED = ['__proto__', 'constructor', 'prototype']; const filtered = Object.fromEntries( Object.entries(input).filter(([k]) => !BLOCKED.includes(k)) ); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution - **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]: Detects authorization checks that trust properties without verifying they are own properties. - Remediation: Use Object.hasOwn() to verify properties are not inherited from prototype. ```javascript if (Object.hasOwn(user, 'isAdmin') && user.isAdmin) { grantAccess(); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution-gadget ### Typescript (2 rules) - **Prototype Pollution via Object Manipulation** [HIGH]: Detects user input flowing to object merge operations without filtering dangerous keys. - Remediation: Filter dangerous keys (__proto__, constructor, prototype) before merging objects. ```javascript const BLOCKED = ['__proto__', 'constructor', 'prototype']; const filtered = Object.fromEntries( Object.entries(input).filter(([k]) => !BLOCKED.includes(k)) ); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution - **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]: Detects authorization checks that trust properties without verifying they are own properties. - Remediation: Use Object.hasOwn() to verify properties are not inherited from prototype. ```javascript if (Object.hasOwn(user, 'isAdmin') && user.isAdmin) { grantAccess(); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution-gadget