# Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. - Prevalence: Średnia Pokryto 1 języków - Impact: Wysoki 1 reguł o wysokim poziomie - Prevention: Udokumentowane 2 przykładów poprawek **OWASP:** Injection (A03:2021-Injection) - #3 ## Description By modifying the prototype of base objects like Object.prototype, attackers can affect all objects that inherit from these prototypes, potentially leading to code execution or denial of service. ## Prevention Strategie zapobiegania dla Prototype Pollution oparte na 2 regułach detekcji Shoulder. ### JavaScript Filter dangerous keys (__proto__, constructor, prototype) or use schema validation before merging user input Use Object.hasOwn() to verify authorization properties are own properties, not inherited from a polluted prototype ## Warning Signs - [HIGH] user input flowing to object merge operations without filtering dangerous keys - [MEDIUM] authorization checks that trust properties without verifying they are own properties ## Consequences - Wykonanie nieautoryzowanego kodu - Modyfikacja danych aplikacji - DoS ## Mitigations - Do obiektów wyszukiwawczych stosuj Object.create(null) - Waliduj i sanitizuj klucze przed przypisaniem do obiektu - Do kluczy kontrolowanych przez użytkownika używaj Map zamiast zwykłych obiektów ## Detection - Total rules: 2 - Languages: javascript, typescript ## Rules by Language ### Javascript (2 rules) - **Prototype Pollution via Object Manipulation** [HIGH]: Detects user input flowing to object merge operations without filtering dangerous keys. - Remediation: Filter dangerous keys (__proto__, constructor, prototype) before merging objects. ```javascript const BLOCKED = ['__proto__', 'constructor', 'prototype']; const filtered = Object.fromEntries( Object.entries(input).filter(([k]) => !BLOCKED.includes(k)) ); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution - **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]: Detects authorization checks that trust properties without verifying they are own properties. - Remediation: Use Object.hasOwn() to verify properties are not inherited from prototype. ```javascript if (Object.hasOwn(user, 'isAdmin') && user.isAdmin) { grantAccess(); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution-gadget ### Typescript (2 rules) - **Prototype Pollution via Object Manipulation** [HIGH]: Detects user input flowing to object merge operations without filtering dangerous keys. - Remediation: Filter dangerous keys (__proto__, constructor, prototype) before merging objects. ```javascript const BLOCKED = ['__proto__', 'constructor', 'prototype']; const filtered = Object.fromEntries( Object.entries(input).filter(([k]) => !BLOCKED.includes(k)) ); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution - **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]: Detects authorization checks that trust properties without verifying they are own properties. - Remediation: Use Object.hasOwn() to verify properties are not inherited from prototype. ```javascript if (Object.hasOwn(user, 'isAdmin') && user.isAdmin) { grantAccess(); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution-gadget