New SPFx project, Prototype Pollution Vulnerability in the set-getter library


I have a new SPFx project, basically empty, and my company requires that the code is scanned for vulnerabilities using Veracode.


The only High Finding I could find is this one:


https://sca.analysiscenter.veracode.com/vulnerability-database/security/prototype-pollution/javascript/sid-30901


set-getter (https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/set-getter/java/maven/lid-1918237) and set-getter (https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/set-getter/javascript/npm/lid-452893) are vulnerable to Prototype Pollution.

set-getter is vulnerable to prototype pollution. An attacker is able to exploit the vulnerability to inject arbitrary properties into existing construct prototypes and modify attributes such as `__proto__`, `constructor` and `prototype`.


I checked and there are no new versions of this, so I have to provide a valid reason to the security team in order to be able to ignore this flaw.


Is there something I can do in a new SPFx project? Can this dependency be removed somehow or will it break something?
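The finding quoted above describes the general prototype-pollution pattern: a deep "set this value at this dotted path" helper that walks path segments without checking them can be steered into `Object.prototype` through a `__proto__` segment. The following is an added example, not code from this thread or from the set-getter library itself: a naive path setter written in that style, next to a hardened version that refuses the dangerous segments and descends only into own properties, plus a check that shows the difference (the `polluted` key and the path strings are constructed for the demo).

```javascript
'use strict';

// Naive deep setter in the style of dot-notation "set" helpers: it creates or
// walks into each path segment without inspecting what the segment is. A path
// starting with "__proto__" makes the walk land on Object.prototype, so the
// final assignment becomes visible on every plain object in the process.
function setPathNaive(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (obj[key] === undefined || obj[key] === null) obj[key] = {};
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Segments that can redirect a property walk into a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened deep setter: rejects forbidden segments up front, only descends
// into own properties, and creates intermediate objects with no prototype,
// so an attacker-controlled path can never reach Object.prototype.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set forbidden key segment: ${key}`);
    }
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || typeof obj[key] !== 'object' || obj[key] === null) {
      obj[key] = Object.create(null);
    }
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters against the same constructed path and reports whether an
// unrelated object ended up seeing the injected key. The pollution caused by
// the naive setter is undone immediately so the rest of the process is clean.
function demonstrate() {
  const probe = {}; // unrelated object, created before anything is set
  setPathNaive({}, '__proto__.polluted', 'yes');
  const naivePolluted = probe.polluted === 'yes';
  delete Object.prototype.polluted;

  let safeRejected = false;
  try {
    setPathSafe({}, '__proto__.polluted', 'yes');
  } catch (e) {
    safeRejected = true;
  }
  const cleanAfterwards = ({}).polluted === undefined;
  return { naivePolluted, safeRejected, cleanAfterwards };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

The check on `FORBIDDEN_KEYS` is the fix most deep-set and merge libraries shipped for this class of finding; descending only into own properties and using null-prototype intermediates closes the remaining routes (an inherited `constructor` reached through a normal object, for example). Reviewing how and where user-controlled paths or JSON reach such a helper is what decides whether a flagged library is actually reachable in your project.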

2 Replies
I found the problem myself, maybe for future reference for the readers.

I created an empty project and started to use the modern search webpart dependencies, so I copied the package.json and left the project empty.

The problem is in handlebars; through the dependency chain I could find that, very deep, handlebars uses this npm package with vulnerabilities.

I created an issue on GitHub for the modern search community team; I wonder if it can be solved.
https://github.com/microsoft-search/pnp-modern-search/issues/1235

Or if we have to explain to our global security team that this is by design or whatever

This vulnerable code is not used at runtime; it's only used in the developer box when the solution is scaffolded, so it's not a runtime security issue.
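The two replies above make claims a security team will want evidence for: that the flagged package is reached only through a deep transitive chain, and that it sits only in the build-time tree. Both can be read off the project's `package-lock.json` (lockfileVersion 2 or 3, whose `packages` map flags entries reachable only via `devDependencies` with `"dev": true`). The following is an added example, not code from the thread or from the PnP Modern Search project: it walks a constructed lock file, prints every require chain from the project root to a named package, and reports whether every installed copy is dev-only. All package names except `set-getter` are placeholders invented for the sample; the real chain through handlebars is not reproduced here.

```javascript
'use strict';

// Constructed sample of a package-lock.json (lockfileVersion 2/3 layout).
// Keys of "packages" are install paths; "" is the project itself. Every
// name other than set-getter is a placeholder invented for this example.
const SAMPLE_LOCK = {
  name: 'example-webpart',
  lockfileVersion: 2,
  packages: {
    '': {
      name: 'example-webpart',
      dependencies: { 'example-template-engine': '^1.0.0' },
      devDependencies: { 'example-build-tool': '^2.0.0' },
    },
    'node_modules/example-template-engine': { version: '1.0.0' },
    'node_modules/example-build-tool': {
      version: '2.0.0',
      dev: true,
      dependencies: { 'example-helper': '^1.0.0' },
    },
    'node_modules/example-helper': {
      version: '1.0.0',
      dev: true,
      dependencies: { 'set-getter': '^0.1.0' },
    },
    'node_modules/set-getter': { version: '0.1.0', dev: true },
  },
};

// Package name from an install-path key such as "node_modules/a/node_modules/b".
function packageName(pathKey) {
  const i = pathKey.lastIndexOf('node_modules/');
  return i === -1 ? pathKey : pathKey.slice(i + 'node_modules/'.length);
}

// Resolve a dependency the way Node does: nearest node_modules below the
// requiring package first, then walk upwards toward the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Every require chain from the project root to a package named `target`.
// The root's devDependencies are followed too, since the question is which
// side of the tree the package lives on; cycles are cut with `seen`.
function findChains(lock, target) {
  const packages = lock.packages;
  const root = packages[''];
  const chains = [];
  const walk = (pathKey, entry, chain, seen) => {
    const deps = {
      ...(entry.dependencies || {}),
      ...(pathKey === '' ? entry.devDependencies || {} : {}),
    };
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDep(packages, pathKey, depName);
      if (depPath === null || seen.has(depPath)) continue;
      const next = [...chain, depName];
      if (depName === target) chains.push(next);
      walk(depPath, packages[depPath], next, new Set([...seen, depPath]));
    }
  };
  walk('', root, [root.name || lock.name], new Set(['']));
  return chains;
}

// true  -> every installed copy of `target` is flagged dev-only by npm
// false -> at least one copy is in the production tree
// null  -> the package is not installed at all
function isDevOnly(lock, target) {
  const copies = Object.keys(lock.packages).filter((k) => k !== '' && packageName(k) === target);
  if (copies.length === 0) return null;
  return copies.every((k) => lock.packages[k].dev === true);
}

function report(lock, target) {
  return { target, chains: findChains(lock, target), devOnly: isDevOnly(lock, target) };
}

if (typeof require !== 'undefined' && require.main === module) {
  // To run against a real project: JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))
  console.log(JSON.stringify(report(SAMPLE_LOCK, 'set-getter'), null, 2));
}
```

On a real project `npm ls set-getter --all` prints the same chains, and `devOnly === true` is the lock-file evidence behind "only used when the solution is scaffolded". It is worth adding one more check before closing the finding: the artifact SharePoint serves is the webpack bundle, so confirm the module is absent from the built output as well, since a dev-only flag describes the install tree, not what the bundler pulled in.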