How can I change this the object property assignment to avoid prototype pollution

Question

I have a line of code that looks like

  gMapping[userName] = gMapping[userName] || [];

I see Prototype pollution vulnerability raised by Snyk. How can this be resolved ?

Relevant code:

const gMapping: { [user_name: string]: string[] } = {};

// Map records to dictionaries
dbRecs.forEach(rec => {
    const userName = rec.user_name;
    const groupId = rec.group_id;
    gMapping[userName] = gMapping[userName] || [];
    gMapping[userName].push(groupId);
  }
});

What is `glMapping`? Where does `userName` come from? Can you be more specific about the Snyk warning message? — Bergi, May 19 '21 at 19:31
@Bergi : userName comes from the DB. added the details about gMapping in the question — systemdebt, May 19 '21 at 22:11

score 2 · Accepted Answer · answered May 19 '21 at 23:33

2

The problem is that userName could be "__proto__". I'm not certain this would be exploitable in your case, but it still causes an exception when trying to invoke .push() on Object.prototype.

To avoid this issue, either use Object.create(null) (which isn't easy with TypeScript, unfortunately) or switch to a proper ES6 Map<string, string[]>.

answered May 19 '21 at 23:33

Bergi

630,263
148
957
1,375

Okay, so if we change const gMapping: { [user_name: string]: string[] } = {}; to a map instead of an object, it would be okay, Is that correct? – systemdebt May 20 '21 at 00:04
@SKhurana yes . – Bergi May 20 '21 at 00:08

How can I change this the object property assignment to avoid prototype pollution

1 Answers1