Prototype Pollution Prevention Cheat Sheet
Explanation
Prototype Pollution is a critical vulnerability that can allow attackers to manipulate an application’s JavaScript objects and properties, leading to serious security issues such as unauthorized access to data, privilege escalation, and even remote code execution.
For examples of why this is dangerous, see the links in the Other resources section below.
Suggested protection mechanisms
Use “new Set()” or “new Map()”
Developers should use `new Set()` or `new Map()` instead of object literals for lookups keyed by untrusted input. A plain object's property lookup walks the prototype chain, so a property an attacker has placed on `Object.prototype` appears to exist on every object; `Set.prototype.has()` and `Map.prototype.get()` consult only the entries that were actually added and never fall through to the prototype:
```javascript
let allowedTags = new Set();
allowedTags.add('b');
if (allowedTags.has('b')) {
  // ...
}

let options = new Map();
options.set('spaces', 1);
let spaces = options.get('spaces');
```
If objects or object literals are required
If objects have to be used then they should be created using the `Object.create(null)` API to ensure they don’t inherit from `Object.prototype`; a missing key then yields `undefined` instead of whatever an attacker placed on the prototype:
```javascript
let obj = Object.create(null);
```
If object literals are required then as a last resort you could use the `__proto__` key in the literal:
```javascript
let obj = {__proto__: null};
```
Note that only the literal `__proto__: null` form sets the prototype; a computed key (`['__proto__']: null`) or a shorthand property creates an ordinary own property instead. Objects created either way have no `hasOwnProperty` method of their own, so check keys with `Object.hasOwn(obj, key)` or `Object.prototype.hasOwnProperty.call(obj, key)`. Objects produced by `JSON.parse()` still inherit from `Object.prototype`, so parsed input should be copied into a null-prototype object rather than used directly as a lookup table.
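The following is an added example, not code from the cheat sheet, illustrating both the Set/Map advice and the null-prototype advice above. A constructed recursive merge (the classic gadget, written here for illustration) pollutes `Object.prototype` from a constructed JSON payload; each lookup style is then probed so you can see which ones the pollution reaches. The function names, the payload, and the tag allowlist are all assumptions made for the demonstration.

```javascript
// Added example (not from the cheat sheet). Run with: node set-map-vs-object.js

// Constructed stand-in for the classic gadget: a recursive merge that copies
// attacker-controlled keys, including "__proto__", into the target.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes straight into the shared built-in prototype.
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body. JSON.parse keeps
// "__proto__" as an ordinary own key, which is exactly what the merge mishandles.
const attackerPayload = JSON.parse(
  '{"__proto__": {"script": true, "isAdmin": true}}'
);

// Allowlist as an object literal: the lookup falls through to the prototype.
function objectAllowlistAllows(tag) {
  const allowedTags = { b: true, i: true };
  return allowedTags[tag] === true;
}

// Allowlist as a Set: has() checks only the entries that were added.
function setAllowlistAllows(tag) {
  const allowedTags = new Set(['b', 'i']);
  return allowedTags.has(tag);
}

// Options as a Map: get() never consults Object.prototype.
function mapOption(name) {
  const options = new Map([['spaces', 1]]);
  return options.get(name);
}

// Null-prototype object: there is no chain to fall through to.
function nullProtoOption(name) {
  const options = Object.create(null);
  options.spaces = 1;
  return options[name];
}

// Same thing via the literal form; __proto__: null sets the prototype here.
function literalNullProtoOption(name) {
  const options = { __proto__: null, spaces: 1 };
  return options[name];
}

// Pollute, probe every structure, then restore Object.prototype so the rest
// of the process is unaffected by this demonstration.
function runComparison() {
  unsafeMerge({}, attackerPayload);
  try {
    return {
      prototypePolluted: Object.prototype.hasOwnProperty.call(Object.prototype, 'isAdmin'),
      objectLiteralAllowsScript: objectAllowlistAllows('script'), // true: allowlist bypassed
      setAllowsScript: setAllowlistAllows('script'),              // false
      mapIsAdmin: mapOption('isAdmin'),                           // undefined
      nullProtoIsAdmin: nullProtoOption('isAdmin'),               // undefined
      literalNullProtoIsAdmin: literalNullProtoOption('isAdmin'), // undefined
    };
  } finally {
    delete Object.prototype.script;
    delete Object.prototype.isAdmin;
  }
}

console.log(runComparison());
```

The object-literal allowlist accepts `script` after pollution even though it was never added, which is the privilege-escalation shape described in the Explanation; the Set, Map, and null-prototype variants are unaffected by the same pollution.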
Use object “freeze” and “seal” mechanisms
You can also use the `Object.freeze()` and `Object.seal()` APIs to prevent built-in prototypes (`Object.prototype`, `Array.prototype`, and so on) from being modified. `Object.seal()` only prevents properties from being added or removed, so existing properties such as `toString` can still be overwritten; `Object.freeze()` additionally makes the existing properties read-only. However, this can break the application if the libraries it uses modify the built-in prototypes, so apply it at the end of startup, after all dependencies have loaded, and test the application with it enabled.
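As an added example (not code from the cheat sheet), the block below freezes `Object.prototype` and then shows what a later pollution attempt does. `Reflect.set` is used for the probe because it reports failure as a boolean in both strict and sloppy code instead of throwing; a separate strict-mode function shows the `TypeError` a library would hit. The function names are assumptions made for the demonstration.

```javascript
// Added example (not from the cheat sheet). Run with: node freeze-prototype.js

// Call this last in application startup, after every library that might
// legitimately extend built-in prototypes has already run.
function hardenBuiltinPrototypes() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Simulates a gadget (or a late-loading library) trying to add a property
// to Object.prototype after it has been frozen.
function tryAddToObjectPrototype(name) {
  const accepted = Reflect.set(Object.prototype, name, true);
  return {
    accepted,                                                          // false once frozen
    visible: Object.prototype.hasOwnProperty.call(Object.prototype, name), // false once frozen
  };
}

// Seal alone would still let this succeed, because toString already exists;
// freeze makes existing properties read-only as well.
function tryOverwriteToString() {
  return Reflect.set(Object.prototype, 'toString', () => 'overwritten'); // false once frozen
}

// The same attempt from strict-mode code throws instead of failing silently,
// which is how a prototype-extending library breaks under this hardening.
function tryAddStrict(name) {
  'use strict';
  try {
    Object.prototype[name] = true;
    return 'assigned';
  } catch (err) {
    return err.constructor.name; // 'TypeError'
  }
}

function demo() {
  const frozen = hardenBuiltinPrototypes();
  return {
    frozen,
    sloppyAttempt: tryAddToObjectPrototype('polluted'),
    toStringOverwriteAccepted: tryOverwriteToString(),
    strictAttempt: tryAddStrict('polluted'),
  };
}

console.log(demo());
```

Because freezing is irreversible for the lifetime of the process, run the application's test suite with `hardenBuiltinPrototypes()` enabled before shipping it; a dependency that extends `Object.prototype` will surface as a `TypeError` at load time rather than as a subtle runtime change.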
Node.js configuration flag
Node.js also offers the ability to remove the `__proto__` accessor completely using the `--disable-proto=delete` flag (`--disable-proto=throw` keeps the accessor but makes every access throw). Note that this is a defence-in-depth measure: prototype pollution is still possible through `constructor.prototype` properties, because `obj.constructor.prototype` reaches `Object.prototype` by ordinary property lookup without touching `__proto__`. Removing `__proto__` helps reduce attack surface and blocks the payloads that rely on it, and it should be combined with the object-level protections above.
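As an added example (not code from the cheat sheet), the block below does two things a practitioner typically wants here: it detects at startup which `--disable-proto` mode the process is running under, and it demonstrates that a constructed "set by key path" gadget still reaches `Object.prototype` through `constructor.prototype` when `__proto__` is unavailable. The hardened `safeSetPath` variant, which refuses the prototype-reaching keys, is an illustration added here and not guidance quoted from the page; all function names and the payload path are assumptions.

```javascript
// Added example (not from the cheat sheet).
// Try: node check-proto.js   and   node --disable-proto=delete check-proto.js

// Startup self-check: which --disable-proto mode is this process running in?
function protoAccessorMode() {
  // Under --disable-proto=delete the accessor is removed from Object.prototype.
  if (Object.getOwnPropertyDescriptor(Object.prototype, '__proto__') === undefined) {
    return 'delete';
  }
  // Under --disable-proto=throw it still exists but every access throws.
  try {
    void ({}).__proto__;
    return 'enabled';
  } catch {
    return 'throw';
  }
}

// Constructed gadget: writes a value at an attacker-chosen key path without
// checking the keys. "Set by path" helpers like this are common in real code.
function unsafeSetPath(obj, path, value) {
  let current = obj;
  for (const key of path.slice(0, -1)) {
    if (current[key] === undefined) current[key] = {};
    current = current[key];
  }
  current[path[path.length - 1]] = value;
}

// ({}).constructor is Object and Object.prototype is the built-in prototype,
// so this path needs no __proto__ at all and works under either flag value.
function pollutionViaConstructorPath() {
  const payloadPath = ['constructor', 'prototype', 'polluted']; // constructed input
  unsafeSetPath({}, payloadPath, 'yes');
  try {
    return ({}).polluted === 'yes'; // true: every object now "has" polluted
  } finally {
    delete Object.prototype.polluted; // restore the prototype after the demo
  }
}

// Hardened variant (illustration): refuse the keys that reach a prototype,
// independently of which --disable-proto mode the process runs in.
const PROTOTYPE_REACHING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSetPath(obj, path, value) {
  if (path.some((key) => PROTOTYPE_REACHING_KEYS.has(key))) {
    throw new Error(`refusing prototype-reaching key path: ${path.join('.')}`);
  }
  unsafeSetPath(obj, path, value);
}

function safeSetPathRejectsConstructorPath() {
  try {
    safeSetPath({}, ['constructor', 'prototype', 'polluted'], 'yes');
    return false; // should not get here
  } catch {
    return ({}).polluted === undefined; // true: nothing reached Object.prototype
  }
}

console.log({
  protoMode: protoAccessorMode(),
  constructorPathPollutes: pollutionViaConstructorPath(),
  hardenedSetterBlocksIt: safeSetPathRejectsConstructorPath(),
});
```

Running the file with and without `--disable-proto=delete` shows `protoMode` change while `constructorPathPollutes` stays `true`, which is the reason the flag is a defence-in-depth measure rather than a complete fix.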
Other resources
Credits
Credit to Gareth Hayes for providing the original protection guidance in this comment.