fix(security): 🔒 Prototype Pollution in cli-tableau

Correction to issue keymetrics#10
intmgroupe · Feb 3, 2023 · 89a3a63 · 89a3a63
1 parent a367ed7
commit 89a3a63
Show file tree

Hide file tree

Showing 7 changed files with 106 additions and 68 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,4 @@
 lib-cov
 node_modules
+.vscode
+package-lock.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.0.2
+
+- fix(security): :lock: Prototype Pollution in cli-tableau
+
 ## 2.0.0
 
 - add borders: false option
@@ -12,55 +16,54 @@
 0.3.1 / 2014-10-22
 ==================
 
- * fix example for new paths
- * Readme badges
- * Lighter production installs
- * Safe colors
- * In addition to 256-xterm ansi colors, handle 24-bit colors
- * set up .travis.yml
+- fix example for new paths
+- Readme badges
+- Lighter production installs
+- Safe colors
+- In addition to 256-xterm ansi colors, handle 24-bit colors
+- set up .travis.yml
 
 0.3.0 / 2014-02-02
 ==================
 
- * Switch version of colors to avoid npm broken-ness
- * Handle custom colored strings correctly
- * Removing var completely as return var width caused other problems.
- * Fixing global leak of width variable.
- * Omit horizontal decoration lines if empty
- * Add a test for the the compact mode
- * Make line() return the generated string instead of appending it to ret
- * Customize the vertical cell separator separately from the right one
- * Allow newer versions of colors to be used
- * Added test for bordercolor
- * Add bordercolor in style options and enable deepcopy of options
+- Switch version of colors to avoid npm broken-ness
+- Handle custom colored strings correctly
+- Removing var completely as return var width caused other problems.
+- Fixing global leak of width variable.
+- Omit horizontal decoration lines if empty
+- Add a test for the the compact mode
+- Make line() return the generated string instead of appending it to ret
+- Customize the vertical cell separator separately from the right one
+- Allow newer versions of colors to be used
+- Added test for bordercolor
+- Add bordercolor in style options and enable deepcopy of options
 
 0.2.0 / 2012-10-21
 ==================
 
-  * test: avoid module dep in tests
-  * fix type bug on integer vertical table value
-  * handle newlines in vertical and cross tables
-  * factor out common style setting function
-  * handle newlines in body cells
-  * fix render bug when no header provided
-  * correctly calculate width of cells with newlines
-  * handles newlines in header cells
-  * ability to create cross tables
-  * changing table chars to ones that windows supports
-  * allow empty arguments to Table constructor
-  * fix headless tables containing empty first row
-  * add vertical tables
-  * remove reference to require.paths
-  * compact style for dense tables
-  * fix toString without col widths by cloning array
-  * [api]: Added abiltity to strip out ANSI color escape codes when calculating cell padding
+- test: avoid module dep in tests
+- fix type bug on integer vertical table value
+- handle newlines in vertical and cross tables
+- factor out common style setting function
+- handle newlines in body cells
+- fix render bug when no header provided
+- correctly calculate width of cells with newlines
+- handles newlines in header cells
+- ability to create cross tables
+- changing table chars to ones that windows supports
+- allow empty arguments to Table constructor
+- fix headless tables containing empty first row
+- add vertical tables
+- remove reference to require.paths
+- compact style for dense tables
+- fix toString without col widths by cloning array
+- [api]: Added abiltity to strip out ANSI color escape codes when calculating cell padding
 
 0.0.1 / 2011-01-03
 ==================
 
 Initial release
 
-
 ## Jun 28, 2017
 
 Fork of `Automattic/cli-table`

diff --git a/README.md b/README.md
@@ -5,8 +5,8 @@
   <img src="https://travis-ci.org/keymetrics/cli-tableau.svg?branch=master" alt="Build Status"/>
 </a>
 
-
 ### Horizontal Tables
+
 ```javascript
 var Table = require('cli-tableau');
 
@@ -39,6 +39,7 @@ console.log(table.toString());
 ```
 
 ### Cross Tables
+
 Cross tables are very similar to vertical tables, with two key differences:
 
 1. They require a `head` setting when instantiated that has an empty string as the first header
@@ -59,6 +60,7 @@ console.log(table.toString());
 ### Custom styles
 
 The ```chars``` property controls how the table is drawn:
+
 ```javascript
 var table = new Table({
   chars: {
@@ -86,6 +88,7 @@ console.log(table.toString());
 
 Empty decoration lines will be skipped, to avoid vertical separator rows just
 set the 'mid', 'left-mid', 'mid-mid', 'right-mid' to the empty string:
+
 ```javascript
 var table = new Table({ chars: {'mid': '', 'left-mid': '', 'mid-mid': '', 'right-mid': ''} });
 table.push(
@@ -104,6 +107,7 @@ console.log(table.toString());
 By setting all chars to empty with the exception of 'middle' being set to a
 single space and by setting padding to zero, it's possible to get the most
 compact layout with no decorations:
+
 ```javascript
 var table = new Table({
   chars: {

diff --git a/examples/revs.js b/examples/revs.js
@@ -1,55 +1,80 @@
-
 /**
  * Module requirements.
  */
 
-var Table = require('../lib')
+var Table = require("../lib");
 
 /**
  * Example.
  */
 
 /* col widths */
 var table = new Table({
-  head: ['Rel', 'Change', 'By', 'When'],
-  colWidths: [6, 21, 25, 17]
-})
+  head: ["Rel", "Change", "By", "When"],
+  colWidths: [6, 21, 25, 17],
+});
 
 table.push(
-    ['v0.1', 'Testing something cool', 'rauchg@gmail.com', '7 minutes ago']
-  , ['v0.1', 'Testing something cool', 'rauchg@gmail.com', '8 minutes ago']
-)
+  ["v0.1", "Testing something cool", "rauchg@gmail.com", "7 minutes ago"],
+  ["v0.1", "Testing something cool", "rauchg@gmail.com", "8 minutes ago"]
+);
 
-console.log(table.toString())
+console.log(table.toString());
 
 /* compact */
 var table2 = new Table({
-  head: ['Rel', 'Change', 'By', 'When'],
+  head: ["Rel", "Change", "By", "When"],
   colWidths: [6, 21, 25, 17],
-  style: {compact: true, 'padding-left': 1}
-})
+  style: { compact: true, "padding-left": 1 },
+});
 
 table2.push(
-    ['v0.1', 'Testing something cool', 'rauchg@gmail.com', '7 minutes ago']
-  , ['v0.1', 'Testing something cool', 'rauchg@gmail.com', '8 minutes ago']
-  , []
-  , ['v0.1', 'Testing something cool', 'rauchg@gmail.com', '8 minutes ago']
-)
+  ["v0.1", "Testing something cool", "rauchg@gmail.com", "7 minutes ago"],
+  ["v0.1", "Testing something cool", "rauchg@gmail.com", "8 minutes ago"],
+  [],
+  ["v0.1", "Testing something cool", "rauchg@gmail.com", "8 minutes ago"]
+);
 
-console.log(table.toString())
+console.log(table.toString());
 
 /* headless */
-var headlessTable = new Table()
-headlessTable.push(['v0.1', 'Testing something cool', 'rauchg@gmail.com', '7 minutes ago'])
-console.log(headlessTable.toString())
+var headlessTable = new Table();
+headlessTable.push([
+  "v0.1",
+  "Testing something cool",
+  "rauchg@gmail.com",
+  "7 minutes ago",
+]);
+console.log(headlessTable.toString());
 
 /* vertical */
-var verticalTable = new Table()
-verticalTable.push({'Some Key': 'Some Value'}, {'Another much longer key': 'And its corresponding longer value'})
+var verticalTable = new Table();
+verticalTable.push(
+  { "Some Key": "Some Value" },
+  { "Another much longer key": "And its corresponding longer value" }
+);
 
-console.log(verticalTable.toString())
+console.log(verticalTable.toString());
 
 /* cross */
-var crossTable = new Table({head: ['', 'Header #1', 'Header #2']})
-crossTable.push({'Header #3': ['Value 1', 'Value 2']}, {'Header #4': ['Value 3', 'Value 4']})
-console.log(crossTable.toString())
+var crossTable = new Table({ head: ["", "Header #1", "Header #2"] });
+crossTable.push(
+  { "Header #3": ["Value 1", "Value 2"] },
+  { "Header #4": ["Value 3", "Value 4"] }
+);
+console.log(crossTable.toString());
+
+/* Prototype Pollution in cli-tableau */
+let attackerObject =
+  '{"__proto__":{"attackerControlledValue":"Attackers Payload"},"proto":{"attackPropFromProto":"changed"},"constructor":{"prototype":{"attackPropFromConstructorProto":"changed"}}}';
+
+let attackedTable = new Table(JSON.parse(attackerObject));
+
+attackedTable.push({
+  Vulnerability: [
+    "Prototype Pollution",
+    !!attackedTable.options.attackerControlledValue,
+  ],
+});
+
+console.log(attackedTable.toString());
diff --git a/lib/index.js b/lib/index.js
@@ -15,7 +15,7 @@ var truncate = utils.truncate
  * @api public
  */
 
-function Table (options) {
+function Table(options) {
   this.options = utils.options({
     chars: {
       'top': '─',
@@ -35,6 +35,7 @@ function Table (options) {
       'middle': '│'
     },
     truncate: '…',
+    borders: true,
     colWidths: [],
     colAligns: [],
     style: {
@@ -45,9 +46,9 @@ function Table (options) {
       compact: false
     },
     head: []
-  }, options)
+  }, options || {});
 
-  if (options.borders == false) {
+  if (!this.options.borders) {
     this.options.chars =  {
       'top': '',
       'top-mid': '',

diff --git a/lib/utils.js b/lib/utils.js
@@ -32,6 +32,9 @@ exports.truncate = function (str, length, chr) {
 
 function options (defaults, opts) {
   for (var p in opts) {
+    if (p === '__proto__' || p === 'constructor' || p === 'prototype') {
+        continue;
+    }
     if (opts[p] && opts[p].constructor && opts[p].constructor === Object) {
       defaults[p] = defaults[p] || {}
       options(defaults[p], opts[p])

diff --git a/package.json b/package.json
@@ -34,8 +34,8 @@
     "chalk": "3.0.0"
   },
   "devDependencies": {
-    "should": "~0.6",
-    "mocha": "^7.1.1"
+    "mocha": "^10.2.0",
+    "should": "~0.6"
   },
   "main": "lib",
   "files": [