Hacker News

filearts, yesterday at 5:42 PM (2 replies)

Given that the fix appears to be to look for own properties, the attack was likely to reference prototype-level module properties or the gift-that-keeps-giving that is __proto__.


Replies

harrall, yesterday at 11:34 PM

I see this type of vulnerability all the time. Seen it in Java, Lua, JavaScript, Python and so on.

I think deserialization that relies on blacklists of properties is a dangerous game.

I think rolling your own object deserialization in a library that isn’t fully dedicated to deserialization is about as dangerous as writing your own encryption code.
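The two points above (filearts' guess that the fix is an own-property check, and harrall's warning about property blacklists) are illustrated by the following added example. It is not code from the thread or from the affected library; the handler registry, the `Point` type and the input strings are constructed for the demonstration, and `Object.hasOwn` assumes Node 16.9 or later.

```javascript
// Added example, not from the thread. A deserializer that maps a type name
// from the input to a handler is typically a plain object, and `registry[name]`
// walks the prototype chain: names such as "constructor", "toString" or
// "__proto__" resolve to Object.prototype members even though no handler was
// ever registered under them.
const registry = {
  Point: (fields) => ({ kind: 'Point', x: Number(fields.x), y: Number(fields.y) }),
};

// Unsafe: prototype-chain lookup. Unregistered names can still yield a function.
function lookupUnsafe(name) {
  return registry[name];
}

// Denylist variant (the "blacklist of properties" harrall describes): it only
// stops the names someone remembered to list, so "constructor" still leaks through.
const DENYLIST = new Set(['__proto__']);
function lookupDenylist(name) {
  return DENYLIST.has(name) ? undefined : registry[name];
}

// Safe: only names the registry itself owns are honoured (the own-property check).
function lookupSafe(name) {
  return Object.hasOwn(registry, name) ? registry[name] : undefined;
}

// Deserializer that copies only the input's own keys into a null-prototype
// object, so a "__proto__" key in the JSON becomes an ordinary data property
// rather than invoking the Object.prototype.__proto__ setter.
function deserialize(json) {
  const raw = JSON.parse(json);
  const handler = lookupSafe(raw.type);
  if (typeof handler !== 'function') throw new Error(`unknown type: ${raw.type}`);
  const fields = Object.create(null);
  for (const key of Object.keys(raw.fields ?? {})) {
    fields[key] = raw.fields[key];
  }
  return handler(fields);
}
```

Running `deserialize('{"type":"toString","fields":{}}')` throws in this version, whereas the unsafe lookup would have handed back `Object.prototype.toString` as if it were a registered handler.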

mirashii, yesterday at 10:27 PM

This comment from a dupe thread is worth considering: https://news.ycombinator.com/item?id=46137352