-
Notifications
You must be signed in to change notification settings - Fork 645
Description
There appears to be a prototype-pollution source in the snaps codebase where user-controlled keys may be assigned directly into objects/state without filtering or sanitization. The vulnerable code paths are in the SnapController and the setState RPC handler. An attacker controlling a key such as __proto__ can modify Object.prototype and thus influence many objects across the runtime.
snaps/packages/snaps-controllers/src/snaps/SnapController.ts
Lines 3983 to 3987 in 5a10086
snaps/packages/snaps-controllers/src/snaps/SnapController.ts
Lines 3946 to 3952 in 5a10086
snaps/packages/snaps-rpc-methods/src/permitted/setState.ts
Lines 263 to 265 in 5a10086
Prototype pollution allows to add or modify properties on Object.prototype. Because most objects inherit from Object.prototype, those newly added properties can change application logic, enable gadget chains, or lead to client-side XSS or server-side RCE in some contexts. and then merges/assigns state into an internal object without sanitizing keys, the __proto__ setter will pollute Object.prototype so every object {} .isAdmin === true which can be abused if later code checks obj.isAdmin before privileged operations.