Severe Prototype Pollution Vulnerability found in gRPC Node JS codebase

gRPC Node.js just fixed a major prototype pollution bug; let us discuss it.

Stay Awesome,
Hussein
Comments

Hey Hussein, slight clarification on the prototype object. Everything you said is absolutely true, but let's say that the attacker was trying to set __proto__.admin = true from any random object like you were in the video with the intention of overriding that property on user objects as well. If all user objects have a locally defined user property already, calling user.admin will never hit the __proto__.admin because the prototype chain starts at the local object and only if the property is not found does it proceed up to the parent. Still obviously dangerous, but a little unclear why from your specific example.

JoRyGu
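
The lookup order described in the comment above, as an added example that is not part of the original comments or the gRPC code. The helper names (`describeAdmin`, `isAdmin`, `runDemo`) and the sample user objects are constructed for illustration; the polluting write is a stand-in that is undone before the function returns.

```javascript
'use strict';

// Reports where `admin` resolves from: the object itself or its prototype chain.
function describeAdmin(obj) {
  const own = Object.prototype.hasOwnProperty.call(obj, 'admin');
  const source = own ? 'own' : ('admin' in obj ? 'prototype' : 'missing');
  return { value: obj.admin, source };
}

// Defensive check: honour the flag only when it is an own property
// and strictly true, so an inherited value is never trusted.
function isAdmin(user) {
  return Object.prototype.hasOwnProperty.call(user, 'admin') &&
         user.admin === true;
}

function runDemo() {
  const results = {};
  // Constructed stand-in for the polluting write: any plain object
  // reaches the shared Object.prototype through __proto__.
  const anyObject = {};
  anyObject.__proto__.admin = true;
  try {
    // Own property shadows the polluted prototype value.
    results.withOwn = describeAdmin({ name: 'alice', admin: false });
    // No own property: the lookup falls through to Object.prototype.
    const bob = { name: 'bob' };
    results.withoutOwn = describeAdmin(bob);
    // Null-prototype object: there is no chain to fall through to.
    const carol = Object.assign(Object.create(null), { name: 'carol' });
    results.nullProto = describeAdmin(carol);
    // The own-property check rejects the inherited flag.
    results.naiveCheck = Boolean(bob.admin);
    results.safeCheck = isAdmin(bob);
  } finally {
    delete Object.prototype.admin; // undo the pollution
  }
  return results;
}

console.log(runDemo());
```
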

I would like to note that the expected usage of the loadPackageDefinition function is to call it with objects defined locally based on trusted local files. Any application that uses it that way could only pollute the prototype with their own objects, so almost all existing applications using this library would not be vulnerable to remote exploitation of this bug.

MichaelLumish

Hey Hussein, you are really sharing useful topics/concepts. I am waiting for your Node.js project series, and thanks in advance.

nandhiniit

Thank you for this. I read a lot of news about Node projects having bugs, but only a few great guys like you make a video explaining the bug and its fix with an example.

AbhinavKulshreshtha

Inheritance is one very powerful concept. :-)

autohmae

What if you define __proto__ as reserved in the proto file?

samferrer

With great power comes great responsibility

mthaha

Your fix isn't good, you must look into it because there is some bypass and in a more general way of patching, blacklisting "words" is the worst thing to do...

trustedsecurity

Why the hell do people still use Node.js? It's BS. It was BS when it started and it will always be BS 🤣. I mean if you're lazy and cheap, WEB ASSEMBLY WEB ASSEMBLY G.D.DAMN.IT.

musandlala