Is your feature request related to a problem? Please describe.
According to the paper published on May 15, 2018 by Olivier Arteau - A Prototype Pollution Attack in NodeJS, there is a possibility to generate a security attack by exploiting the prototype object in several ways. This is often called Prototype Pollution.
Describe the solution you'd like
QCObjects could have some built-in feature that prevents this kind of attack, especially in the back-end, as it is more susceptible to attack attempts. I would like to make it in the core to give some relief to application developers who are coding safely using QCObjects features.
Describe alternatives you've considered
According to the same paper, one solution is to freeze the Object.prototype and use Map() instead of Object(). This solution is very useful, but it requires accurate testing before releasing the version of QCObjects that contains these changes.
Additional context
This kind of attack is becoming popular, affecting other JavaScript server frameworks like Express. There is no evidence that these frameworks are addressing the issue from the core, which makes it a huge advantage for developers to use the QCObjects HTTP2 Built-In Server instead of Express in terms of security. More info about the Express vulnerability here.
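The two mitigations discussed in this issue (rejecting prototype-reaching keys during a merge, using Map instead of plain objects, and freezing Object.prototype) as an added, self-contained example. This is illustrative code written for this page, not QCObjects project code; the merge functions, the constructed `PAYLOAD` string and the `pollutes` probe helper are all assumptions made here to show how a deep-merge of parsed JSON ends up writing onto Object.prototype and how the hardened variants stop it.

```javascript
'use strict';

// Keys that resolve to the prototype chain rather than to the object itself.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable deep merge (the pattern the paper describes): it walks every key,
// so a "__proto__" key makes target["__proto__"] resolve to Object.prototype
// and the recursion writes the injected properties there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: skips prototype-reaching keys and only recurses into
// properties the target itself owns, never into inherited objects.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = own !== null && typeof own === 'object' ? own : {};
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Map-based merge: a Map key is just a string, so "__proto__" is stored as
// ordinary data and never touches any prototype.
function mergeIntoMap(map, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = map.get(key);
      map.set(key, mergeIntoMap(existing instanceof Map ? existing : new Map(), value));
    } else {
      map.set(key, value);
    }
  }
  return map;
}

// Freezes Object.prototype so that even a vulnerable merge cannot add to it.
// Do this once at process start-up, after all legitimate polyfills have loaded.
function freezeObjectPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Constructed payload, shaped like a JSON request body. JSON.parse creates an
// own property literally named "__proto__" instead of invoking the setter.
const PAYLOAD = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Runs a merge over the payload and reports whether an unrelated, freshly
// created object inherited the injected property. Cleans up afterwards so
// successive checks start from an unpolluted prototype.
function pollutes(mergeFn) {
  const probe = {};
  try {
    mergeFn({}, JSON.parse(PAYLOAD));
  } catch (e) {
    // With a frozen prototype the write throws in strict mode and is silently
    // ignored in sloppy mode; either way nothing leaks onto probe.
  }
  const leaked = probe.isAdmin === true;
  delete Object.prototype.isAdmin; // no-op when nothing was added
  return leaked;
}

console.log('unsafeMerge pollutes Object.prototype:', pollutes(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));     // false
const asMap = mergeIntoMap(new Map(), JSON.parse(PAYLOAD));
console.log('Map keeps "__proto__" as plain data:', asMap.get('__proto__').get('isAdmin')); // true
```

Call `freezeObjectPrototype()` last: once the prototype is frozen, `pollutes(unsafeMerge)` returns false as well, which is the defence-in-depth the issue asks for, but freezing also breaks any later code that legitimately extends Object.prototype, which is why the issue notes that the change needs testing before release.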