Skip to content

Commit

Permalink
[ML] Various fixes for possible prototype pollution vulnerabilities (e…
Browse files Browse the repository at this point in the history
…lastic#194529)

Fixes potential prototype pollution vulnerability in `setNestedProperty`
function.
Fixes incomplete string escaping issue in ML's saved object service.
  • Loading branch information
jgowdyelastic authored Oct 2, 2024
1 parent 616c6e8 commit d1f24b0
Show file tree
Hide file tree
Showing 3 changed files with 18 additions and 2 deletions.
10 changes: 10 additions & 0 deletions x-pack/packages/ml/nested_property/src/set_nested_property.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -68,5 +68,15 @@ describe('object_utils', () => {

const test11 = setNestedProperty(getFalseyObject(), 'the.other_nested.value', 'update');
expect(test11.the.other_nested.value).toBe('update');

expect(() => {
setNestedProperty(getTestObj(), 'the.__proto__', 'update');
}).toThrow('Invalid accessor');
expect(() => {
setNestedProperty(getTestObj(), 'the.prototype', 'update');
}).toThrow('Invalid accessor');
expect(() => {
setNestedProperty(getTestObj(), 'the.constructor', 'update');
}).toThrow('Invalid accessor');
});
});
6 changes: 6 additions & 0 deletions x-pack/packages/ml/nested_property/src/set_nested_property.ts
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,15 @@
* 2.0.
*/

const INVALID_ACCESSORS = ['__proto__', 'prototype', 'constructor'];

export const setNestedProperty = (obj: Record<string, any>, accessor: string, value: any) => {
let ref = obj;
const accessors = accessor.split('.');
if (accessors.some((a) => INVALID_ACCESSORS.includes(a))) {
throw new Error('Invalid accessor');
}

const len = accessors.length;
for (let i = 0; i < len - 1; i++) {
const attribute = accessors[i];
Expand Down
4 changes: 2 additions & 2 deletions x-pack/plugins/ml/server/saved_objects/service.ts
Original file line number Diff line number Diff line change
Expand Up @@ -328,7 +328,7 @@ export function mlSavedObjectServiceFactory(
if (id.match('\\*') === null) {
return jobIds.includes(id);
}
const regex = new RegExp(id.replace('*', '.*'));
const regex = new RegExp(id.replaceAll('*', '.*'));
return jobIds.some((jId) => typeof jId === 'string' && regex.exec(jId));
});
}
Expand Down Expand Up @@ -640,7 +640,7 @@ export function mlSavedObjectServiceFactory(
if (id.match('\\*') === null) {
return modelIds.includes(id);
}
const regex = new RegExp(id.replace('*', '.*'));
const regex = new RegExp(id.replaceAll('*', '.*'));
return modelIds.some((jId) => typeof jId === 'string' && regex.exec(jId));
});
}
Expand Down

0 comments on commit d1f24b0

Please sign in to comment.