Prevent prototype pollution (CVE-2023-26136) in cookie memstore (salesforce#283)

Shahar · Shahar · commit 0ffa7f269d98 · 2025-06-21T14:02:57.000+03:00
diff --git a/lib/memstore.js b/lib/memstore.js
@@ -36,7 +36,7 @@ var util = require('util');
 
 function MemoryCookieStore() {
   Store.call(this);
-  this.idx = {};
+  this.idx = Object.create(null);
 }
 util.inherits(MemoryCookieStore, Store);
 exports.MemoryCookieStore = MemoryCookieStore;
@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies = function(domain, path, cb) {
 
 MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
   if (!this.idx[cookie.domain]) {
-    this.idx[cookie.domain] = {};
+    this.idx[cookie.domain] = Object.create(null);
   }
   if (!this.idx[cookie.domain][cookie.path]) {
-    this.idx[cookie.domain][cookie.path] = {};
+    this.idx[cookie.domain][cookie.path] = Object.create(null);
   }
   this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
   cb(null);
diff --git a/test/cookie_jar_test.js b/test/cookie_jar_test.js
@@ -541,4 +541,32 @@ vows
       }
     }
   })
+  .addBatch({
+    // CVE-2023-26136: Prototype pollution via Domain=__proto__
+    "Issue #282 - Prototype pollution (CVE-2023-26136)": {
+      "when setting a cookie with the domain __proto__": {
+        topic: function () {
+          const jar = new tough.CookieJar(undefined, {
+            rejectPublicSuffixes: false
+          });
+          // Attempt prototype pollution via cookie domain '__proto__'
+          jar.setCookieSync(
+            "Slonser=polluted; Domain=__proto__; Path=/notauth",
+            "https://__proto__/admin"
+          );
+          // Set a normal cookie for control
+          jar.setCookieSync(
+            "Auth=Lol; Domain=google.com; Path=/notauth",
+            "https://google.com/"
+          );
+          this.callback();
+        },
+        "results in a cookie that is not affected by the attempted prototype pollution": function () {
+          const pollutedObject = {};
+          // If prototype is polluted, this would return an object
+          assert.strictEqual(pollutedObject["/notauth"], undefined);
+        }
+      }
+    }
+  })  
   .export(module);

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ var util = require('util');`
`36`	`36`
`37`	`37`	`function MemoryCookieStore() {`
`38`	`38`	`Store.call(this);`
`39`		`- this.idx = {};`
	`39`	`+ this.idx = Object.create(null);`
`40`	`40`	`}`
`41`	`41`	`util.inherits(MemoryCookieStore, Store);`
`42`	`42`	`exports.MemoryCookieStore = MemoryCookieStore;`
`@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies = function(domain, path, cb) {`
`115`	`115`
`116`	`116`	`MemoryCookieStore.prototype.putCookie = function(cookie, cb) {`
`117`	`117`	`if (!this.idx[cookie.domain]) {`
`118`		`- this.idx[cookie.domain] = {};`
	`118`	`+ this.idx[cookie.domain] = Object.create(null);`
`119`	`119`	`}`
`120`	`120`	`if (!this.idx[cookie.domain][cookie.path]) {`
`121`		`- this.idx[cookie.domain][cookie.path] = {};`
	`121`	`+ this.idx[cookie.domain][cookie.path] = Object.create(null);`
`122`	`122`	`}`
`123`	`123`	`this.idx[cookie.domain][cookie.path][cookie.key] = cookie;`
`124`	`124`	`cb(null);`