cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

New SPFx project, Prototype Pollution Vulnerability in the set-getter library

Luis Valencia
Copper Contributor

‎Aug 25 2021 05:19 AM

‎Aug 25 2021 05:19 AM

New SPFx project, Prototype Pollution Vulnerability in the set-getter library

I have a new SPFx project, basically empty, and my company requires that the code is scaned for vulnerabilities using veracode.

 

The only High Finding I could find is this one:

 

https://sca.analysiscenter.veracode.com/vulnerability-database/security/prototype-pollution/javascri...

 

set-getter and set-getter are vulnerable to Prototype Pollution.

set-getter is vulnerable to prototype pollution. An attacker is able to exploit the vulnerability to inject arbitrary properties into existing construct prototypes and modify attributes such as `__proto__`, `constructor` and `prototype`.

 

 

I checked and there are no new versions of this, so I have to provide a valid reason to the security team in order to be able to ignore this flaw.

 

 

Is there something I can do in a new SPFx project? Can this dependency be removed somehow or will it break something?

1,442 Views
0 Likes
2 Replies
Reply
2 Replies
Luis Valencia

‎Aug 25 2021 07:36 AM

‎Aug 25 2021 07:36 AM

Re: New SPFx project, Prototype Pollution Vulnerability in the set-getter library

I found the problem myself, maybe for future reference for the readers.

I created an empty project and started to use the modern search webpart dependencies, so I copied the package,json and left the project empty.

the problem is on handlebars, through the dependency chain I could find that very deep handlebars uses this npm package with vulnerabilities.

I created an issue in github for the modern search community team, I wonder if it can be solved.
https://github.com/microsoft-search/pnp-modern-search/issues/1235

Or if we have to explain to our global security team that this is by design or whatever

0 Likes
Reply
Vesa Juvonen

‎Aug 25 2021 12:01 PM

‎Aug 25 2021 12:01 PM

Re: New SPFx project, Prototype Pollution Vulnerability in the set-getter library

This vulnerable code is not used in runtime, it's only used in the developer box when solution is scaffolded, so it's not a runtime security issue.
0 Likes
Reply