Forum Discussion

Luis Valencia
Copper Contributor
Aug 25, 2021

New SPFx project, Prototype Pollution Vulnerability in the set-getter library

I have a new SPFx project, basically empty, and my company requires that the code is scanned for vulnerabilities using Veracode.

The only High Finding I could find is this one:


https://sca.analysiscenter.veracode.com/vulnerability-database/security/prototype-pollution/javascript/sid-30901


set-getter and set-getter are vulnerable to Prototype Pollution.

set-getter is vulnerable to prototype pollution. An attacker is able to exploit the vulnerability to inject arbitrary properties into existing construct prototypes and modify attributes such as `__proto__`, `constructor` and `prototype`.


I checked and there are no new versions of this, so I have to provide a valid reason to the security team in order to be able to ignore this flaw.


Is there something I can do in a new SPFx project? Can this dependency be removed somehow or will it break something?
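As an added illustration of the vulnerability class named in the finding (this is constructed example code, not code from this thread or from the set-getter package), a simplified "set value by dotted path" helper of the kind such findings describe, beside a hardened version that refuses prototype keys and only descends into own properties; `unsafeSetPath`, `safeSetPath` and `demo` are names made up for the example.

```javascript
// Keys that let a path walk escape the target object into its prototype chain.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Simplified deep setter (constructed, not set-getter's code). It treats
// "__proto__" like any other key, so a caller-controlled path such as
// "__proto__.polluted" reaches Object.prototype and changes every object.
function unsafeSetPath(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened variant: reject prototype-related keys anywhere in the path and
// only descend into own properties, so the walk can never leave `target`.
function safeSetPath(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => DANGEROUS_KEYS.has(k))) {
    throw new Error(`refusing path with a prototype key: ${path}`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs the same untrusted path (constructed input, e.g. a key taken from
// attacker-supplied JSON) against both setters and reports what happened.
function demo() {
  const payload = '__proto__.polluted';
  const before = ({}).polluted;             // undefined: nothing inherited yet
  unsafeSetPath({}, payload, 'yes');
  const after = ({}).polluted;              // 'yes': a fresh object now inherits it
  delete Object.prototype.polluted;         // undo the pollution for this process
  let safeRejected = false;
  try { safeSetPath({}, payload, 'yes'); } catch (e) { safeRejected = true; }
  return { before, after, safeRejected };
}
```

The `after` value is the point of the finding: once the prototype is polluted, every object created afterwards carries the injected property, which is why the fix is to refuse those keys rather than to sanitise the value.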

  • Luis Valencia
    Copper Contributor
    I found the problem myself, maybe for future reference for the readers.

    I created an empty project and started to use the modern search web part dependencies, so I copied the package.json and left the project empty.

    The problem is in handlebars: through the dependency chain I could find that, very deep, handlebars uses this npm package with vulnerabilities.

    I created an issue on GitHub for the modern search community team; I wonder if it can be solved.
    https://github.com/microsoft-search/pnp-modern-search/issues/1235

    Or if we have to explain to our global security team that this is by design or whatever.

  • This vulnerable code is not used at runtime; it's only used on the developer box when the solution is scaffolded, so it's not a runtime security issue.
