Investigate Potential Prototype Pollution Risk in Server Deletion Endpoint #8

Open
23 tasks
ihasTaco opened this issue Aug 1, 2023 · 0 comments
ihasTaco commented Aug 1, 2023

In the current implementation of the server deletion endpoint (/delete-server), the delete operation is used with potentially user-provided guild_id and server_uuid values. Although these values are retrieved from req.body and are not directly user-controlled, there is a theoretical risk of prototype pollution if they were manipulated by an attacker.

Prototype pollution is a type of vulnerability where an attacker can modify the prototype of a JavaScript object, potentially causing unexpected behavior in the application.

Steps to Reproduce:

This is a theoretical vulnerability and does not have specific reproduction steps in the current implementation.

Expected Outcome:

The application should not allow prototype pollution via user-provided guild_id and server_uuid values.

Actual Outcome:

The current implementation does not present a clear risk of prototype pollution, but further investigation and potential mitigation measures are warranted.

Suggested Fix:

Add input validation to ensure that guild_id and server_uuid are in the expected format before they are used. For example, if these IDs should only contain alphanumeric characters, reject any values that contain other characters.

Relevant Code Snippet:

See delete-server endpoint

```javascript
router.delete('/delete-server', async (req, res) => {
    const { guild_id, server_uuid } = req.body;

    // ...

    // Delete server_uuid
    if (serverInfoData[guild_id]) {
        delete serverInfoData[guild_id][server_uuid];
    }

    // ...
});
```
@ihasTaco ihasTaco added the issue This is an issue and needs to be fixed label Aug 1, 2023
@ihasTaco ihasTaco self-assigned this Aug 1, 2023
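One way to apply the suggested input validation to the delete step, as an added example that is not the project's own code. The helper name `deleteServerEntry`, the `ID_RE` pattern and the sample data are assumptions; the own-property check is included because a purely alphanumeric rule still accepts inherited names such as `constructor`.

```javascript
// Added example; deleteServerEntry and ID_RE are hypothetical names.
// Assumption: IDs are alphanumeric, with hyphens allowed for UUID-style values.
const ID_RE = /^[A-Za-z0-9-]{1,64}$/;
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function deleteServerEntry(serverInfoData, guild_id, server_uuid) {
    // A JSON body can carry arrays or objects, so check the type first.
    if (typeof guild_id !== 'string' || typeof server_uuid !== 'string') {
        return { ok: false, reason: 'invalid type' };
    }
    if (!ID_RE.test(guild_id) || !ID_RE.test(server_uuid)) {
        return { ok: false, reason: 'invalid format' };
    }
    // Format checks alone still pass inherited names such as "constructor";
    // only keys stored directly on the objects are accepted.
    if (!hasOwn(serverInfoData, guild_id)) {
        return { ok: false, reason: 'unknown guild' };
    }
    const guild = serverInfoData[guild_id];
    if (!hasOwn(guild, server_uuid)) {
        return { ok: false, reason: 'unknown server' };
    }
    delete guild[server_uuid];
    return { ok: true };
}

// Constructed sample data and inputs, used only to exercise each branch.
function demo() {
    const data = { '123456789012345678': { 'abc-123': { name: 'constructed' } } };
    const results = [
        deleteServerEntry(data, '__proto__', 'toString'),        // fails the format rule
        deleteServerEntry(data, 'constructor', 'name'),          // passes format, not an own key
        deleteServerEntry(data, ['123456789012345678'], 'abc-123'), // not a string
        deleteServerEntry(data, '123456789012345678', 'abc-123'),   // valid request
    ];
    return { data, results };
}

console.log(demo().results);
```

Creating `serverInfoData` with `Object.create(null)` or holding it in a `Map` removes the inherited keys altogether and can be combined with this check.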