Originally from: https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip
npm run hack

And you will see that the `done` property of any function is changed to `true`.
The explanation of the command line `node index.js --_.concat.constructor.prototype.done true`:

- `--` is the hyphen mark normally used in command line arguments.
- `_` is the built-in key in minimist: https://github.com/minimistjs/minimist/blob/v1.2.5/index.js#L37
- `.concat.constructor.prototype.done true` will set `_.concat.constructor.prototype.done` to `true`. Because `_.concat.constructor` is a `Function` type, every `Function`'s prototype gets a property called `done`.
The reason why the prototype chain is this long is that in the previous fixes, the developer banned `__proto__`, `Array.prototype`, `Object.prototype`, `Number.prototype` and `String.prototype`. So we have to use `constructor`, which has a `prototype` property and is not blacklisted.
Another example is:

npm run hack2

However, in the above two examples, we can only tamper with values, not with functions' definitions.
In the fix for CVE-2020-7598 (1.2.2), and in 1.2.3, the developer already fixed some vulnerability by checking `__proto__`, `Array.prototype`, `Object.prototype`, `Number.prototype` and `String.prototype`, but they forgot to check `Function.prototype`. This is why this exploit can only affect the properties of `Function`.
For the fix of this CVE, the developer checked `Function.prototype` as well as `constructor`: https://github.com/minimistjs/minimist/blob/v1.2.6/index.js#L73