feat(NODE-6225): add property ownership check before referencing mongocryptdSpawnPath and mongocryptdSpawnArgs #4151
+21 −6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Member
| Hi @vuusale - thanks for opening this PR. We've discussed it and would a couple of changes made here if you don't mind. 1) We'd like to change this to use |
durran added the Primary Review durran changed the title 
To prevent prototype pollution gadget, added a check to ensure that 'mongocryptSpawnPath' and 'mongocryptSpawnArgs' properties exist in 'extraOptions' object before assigning them to 'this.spawnPath' and 'this.spawnArgs', which are passed to 'spawn' function in line 53. HackerOne report: https://hackerone.com/bugs?subject=user&report_id=2522466
durran added Team Review durran changed the title durran changed the title 
nbbeeken approved these changes Jul 1, 2024
nbbeeken changed the title mongocryptdSpawnPath and mongocryptdSpawnArgs nbbeeken changed the title mongocryptdSpawnPath and mongocryptdSpawnArgsmongocryptdSpawnPath and mongocryptdSpawnArgs nbbeeken changed the title mongocryptdSpawnPath and mongocryptdSpawnArgsmongocryptdSpawnPath and mongocryptdSpawnArgs 
Contributor Author
| Dear mongodb team, thanks for approving my change! |
This was referenced Oct 3, 2024
This was referenced Oct 5, 2024
This was referenced Nov 13, 2024
Contributor Author
| Hi dear mongodb team, I’m in the process of requesting a CVE for this prototype pollution issue and just wanted to learn how I should proceed with this and which CNA I should contact with. Best regards, |
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
To prevent prototype pollution gadget, added a check to ensure that 'mongocryptSpawnPath' and 'mongocryptSpawnArgs' properties exist in 'extraOptions' object before assigning them to 'this.spawnPath' and 'this.spawnArgs', which are passed to 'spawn' function in line 53.
HackerOne report: https://hackerone.com/bugs?subject=user&report_id=2522466
Description
What is changing?
Is there new documentation needed for these changes?
What is the motivation for this change?
Release Highlight
Only permit mongocryptd spawn path and arguments to be own properties
We have added some defensive programming to the options that specify spawn path and spawn arguments for
mongocryptddue to the sensitivity of the system resource they control, namely, launching a process. Now,mongocryptdSpawnPathandmongocryptdSpawnArgsmust be own properties ofautoEncryption.extraOptions. This makes it more difficult for a global prototype pollution bug related to these options to occur.Double check the following
npm run check:lintscripttype(NODE-xxxx)[!]: descriptionfeat(NODE-1234)!: rewriting everything in coffeescript