Fixing a Prototype Override Protection Bypass Vulnerability in qs

Tim Kadlec, March 14, 2017

Last month, we added a high-severity Prototype Override Protection Bypass vulnerability in the qs package to our database. The fix was released in updated versions of the library about a week ago. This post explains the vulnerability and how to mitigate it.

qs is a popular npm package—just under 40 million downloads over the past month—used to parse querystring parameters into objects. For example:

var qs = require('qs');

qs.parse('a=b&c=d');
// { a: 'b', c: 'd' }

While that’s certainly helpful, where qs really shines is with the advanced functionality it enables. Using qs, you can even create nested objects within your query strings by using brackets ([ and ]).

qs.parse('a[b]=c');
// {
//   a: {
//     b: "c"
//   }
// }

The Vulnerability

The functionality to create nested objects within your querystring parameters brings some risk along with it. If not properly vetted, you could potentially overwrite properties in the object’s prototype. For example, you could attempt to overwrite the object’s hasOwnProperty method:

qs.parse('a[hasOwnProperty]=b');

Thankfully, the above wouldn’t work. By default, qs ignores any parameter (such as hasOwnProperty) that would overwrite a property of the object prototype. It does this by checking the parameter for opening and closing brackets, extracting the chunk between them and comparing that chunk against the object prototype to see whether it names a native property. There is an option to allow prototype overrides, but qs strongly advises against it.

Unfortunately, a gap in the validation meant that you could still override a property in the object prototype by prefixing the parameter with an unmatched [ or ] character.

For example, the following would override the object’s hasOwnProperty method even though we’ve explicitly told qs to disallow prototype overrides:

var paramData = qs.parse("]=hasOwnProperty", { allowPrototypes: false });
// { hasOwnProperty: true }

paramData.hasOwnProperty('toString');
// Throws TypeError: paramData.hasOwnProperty is not a function
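To make the gap concrete, here is an added example (written for this post, not qs’s own source): a deliberately small query-string parser that models the protection the post describes, the merge step that lets a parameter with an unmatched bracket slip past it, and a hardened merge that closes the gap. The function names (parseNaive, parseHardened, probeHasOwnProperty) and the shallow merge are my own simplifications; they approximate the behaviour the post reports rather than reproduce qs internals.

```javascript
'use strict';

const hasOwn = Object.prototype.hasOwnProperty;

// Does this name already exist on Object.prototype (toString, hasOwnProperty, ...)?
function isPrototypeKey(name) {
  return hasOwn.call(Object.prototype, name);
}

// Split a raw key such as "a[b][c]" into its segments ['a', 'b', 'c'], the
// way the post describes: the part before the first bracket, then the chunk
// inside each matched pair. An unmatched "[" or "]" on its own has no parent
// and no complete pair, so the chain comes back empty.
function splitKey(rawKey) {
  const keys = [];
  const parent = /^([^\[\]]*)/.exec(rawKey)[1];
  if (parent) keys.push(parent);
  const child = /\[([^\[\]]*)\]/g;
  let m;
  while ((m = child.exec(rawKey)) !== null) keys.push(m[1]);
  return keys;
}

// Turn a key chain plus value into a nested object; an empty chain is just
// the bare value string.
function build(keys, value) {
  if (keys.length === 0) return value;
  const obj = {};
  obj[keys[0]] = build(keys.slice(1), value);
  return obj;
}

// Modelled pre-fix merge: a non-object source is folded into the target as a
// key whose value is true. This is the step that turns the *value*
// "hasOwnProperty" into a property name. (Shallow merge; enough for the point.)
function mergeNaive(target, source) {
  if (typeof source !== 'object' || source === null) {
    target[source] = true;
    return target;
  }
  for (const k of Object.keys(source)) target[k] = source[k];
  return target;
}

// Hardened merge: the same prototype check the key segments get is applied to
// a bare value before it can become a key, and to every key being copied.
function mergeHardened(target, source) {
  if (typeof source !== 'object' || source === null) {
    if (!isPrototypeKey(source)) target[source] = true;
    return target;
  }
  for (const k of Object.keys(source)) {
    if (!isPrototypeKey(k)) target[k] = source[k];
  }
  return target;
}

function parseWith(merge, query) {
  let obj = {};
  for (const part of query.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const rawKey = eq === -1 ? part : part.slice(0, eq);
    const value = eq === -1 ? '' : part.slice(eq + 1);
    const keys = splitKey(rawKey);
    // The documented protection: drop any parameter whose bracket segments
    // name an Object.prototype property. Note that it never looks at the value.
    if (keys.some(isPrototypeKey)) continue;
    obj = merge(obj, build(keys, value));
  }
  return obj;
}

const parseNaive = (query) => parseWith(mergeNaive, query);
const parseHardened = (query) => parseWith(mergeHardened, query);

// Call obj.hasOwnProperty the way application code would and report whether
// the parsed object has shadowed it.
function probeHasOwnProperty(obj) {
  try {
    return obj.hasOwnProperty('toString');
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'unexpected';
  }
}

console.log(parseNaive('a[b]=c'));                                   // { a: { b: 'c' } }
console.log(parseNaive('a[hasOwnProperty]=b'));                      // {}  (protection works)
console.log(probeHasOwnProperty(parseNaive(']=hasOwnProperty')));    // 'TypeError'
console.log(probeHasOwnProperty(parseNaive('[=hasOwnProperty')));    // 'TypeError'
console.log(probeHasOwnProperty(parseHardened(']=hasOwnProperty'))); // false
```

The point the example makes is that the protection sits on the key segments only; once an unmatched bracket leaves the chain empty, the value string reaches the merge step and is used as a property name without ever being checked. The hardened merge applies the same Object.prototype test wherever a string is about to become a key, which is the shape of the second, more robust fix the post describes below.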

The most likely outcome of this would be breakage and unexpected fragility in your application, but depending on your application logic, it could be much more severe: even in some cases allowing attackers to change the execution flow of your application.

The fix

Our security research team discovered the issue on February 13th and reported it to the package owner. Moving quickly, the package owner released a fix three days later in versions 6.0.3, 6.1.1, 6.2.2 and 6.3.1.

The fix solved the issue if the parameter began with ]= but it wasn’t enough—it turns out qs was still vulnerable if the attacker used [=. As a result, the package owner updated their logic and released the more robust fix in versions 6.4.0, 6.3.2, 6.2.3, 6.1.2 and 6.0.4.

To address the issue, you’ll need to update to one of these versions of the package. If you’re using Snyk to monitor your project, you’ve probably already been prompted to perform the update, either via an automatically generated pull request or by running snyk wizard from the CLI.

Otherwise, you’ll need to check your application to see if you’re using the qs package—whether as a direct dependency listed in your package.json file or as an unlisted dependency that one of your direct dependencies pulls in—and update to the latest version.
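As an added example (not Snyk’s or qs’s code), the following script does the check just described for an npm project: it walks a package-lock.json object, lists every installed copy of qs whether direct or nested under another dependency, and flags any copy that is not at one of the versions the post names as carrying the complete fix, or newer. The lockfile in the block is constructed for illustration, the package name some-web-framework is hypothetical, and the version check assumes plain major.minor.patch strings.

```javascript
'use strict';

// Lowest patched patch-level for each 6.x minor line, taken from the versions
// the post names as carrying the complete fix: 6.0.4, 6.1.2, 6.2.3, 6.3.2, 6.4.0.
const FIXED_PATCH_BY_MINOR = { 0: 4, 1: 2, 2: 3, 3: 2 };

// True when `version` is one of the listed fixed versions or newer. Anything
// unparsable counts as not fixed so that a human looks at it.
function isFixedQsVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 6) return major > 6;
  if (minor >= 4) return true;
  return patch >= FIXED_PATCH_BY_MINOR[minor];
}

// Walk a package-lock.json object and collect every installed copy of qs.
// Handles the nested "dependencies" tree of lockfileVersion 1 and the flat
// "packages" map (keyed by install path) of lockfileVersion 2 and 3.
function findQs(lock) {
  const found = [];
  const record = (installPath, version) =>
    found.push({ path: installPath, version, fixed: isFixedQsVersion(version) });

  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === 'node_modules/qs' || p.endsWith('/node_modules/qs')) record(p, entry.version);
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const p = prefix + 'node_modules/' + name;
      if (name === 'qs') record(p, entry.version);
      walk(entry.dependencies, p + '/'); // nested copies live under the parent
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Only the copies that still need updating.
function vulnerableQs(lock) {
  return findQs(lock).filter((e) => !e.fixed);
}

// Convenience for a real project: read package-lock.json from disk.
function scanLockfile(file) {
  const fs = require('fs');
  return vulnerableQs(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed sample lockfile (lockfileVersion 1 shape): a direct qs that is
// already patched, and an older qs pulled in by a hypothetical framework.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    qs: { version: '6.4.0' },
    'some-web-framework': {
      version: '1.0.0',
      dependencies: { qs: { version: '6.2.1' } },
    },
  },
};

for (const e of vulnerableQs(sampleLock)) {
  console.log(`${e.path} is qs@${e.version}: update to a fixed release`);
}
```

Run it against a real project with scanLockfile('package-lock.json'); a transitive copy shows up with its full install path, which tells you which direct dependency needs bumping when you cannot edit the qs version yourself.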
