
fix: prevent authentication bypass via prototype pollution#10761

Merged
jasonsaayman merged 2 commits into v1.x from fix/axi-207-authentication-bypass-via-prototype-pollution-gadget
Apr 19, 2026

Conversation

@jasonsaayman jasonsaayman (Member) commented Apr 19, 2026

Summary by cubic

Prevents authentication bypass via prototype pollution by replacing `in` checks in mergeConfig with utils.hasOwnProp, so validateStatus cannot be inherited from Object.prototype. Adds targeted tests to ensure 4xx/5xx responses are still rejected under a polluted Object.prototype.validateStatus (AXI-207, GHSA-w9j2-pvgh-6h63).

Description

  • Summary of changes: Swapped `in` for utils.hasOwnProp in mergeConfig direct key merging; added focused tests for validateStatus inheritance and behavior.
  • Reasoning: `in` traverses the prototype chain, letting a polluted validateStatus override config and accept all responses.
  • Additional context: Addresses AXI-207 and aligns with GHSA-w9j2-pvgh-6h63.

Docs

  • Suggest updating /docs/ to state mergeConfig only merges own properties and note protection against prototype pollution (e.g., validateStatus cannot be inherited).

Testing

  • Added tests in tests/unit/prototypePollution.test.js:
    • Ensures merged validateStatus comes from defaults when Object.prototype.validateStatus is set.
    • End-to-end check that 4xx/5xx responses remain rejected even if Object.prototype.validateStatus is polluted.
    • Test teardown now cleans up Object.prototype.validateStatus to avoid cross-test leakage.
  • No other tests changed; coverage is sufficient for the fix.

Semantic version impact

  • Patch: security bug fix; no API changes or behavior changes for valid inputs.

Written for commit 2f1f96a. Summary will update on new commits.
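The `in`-versus-own-property difference the description relies on, shown as an added example in plain JavaScript that is not axios's code: mergeConfigUnsafe and mergeConfigSafe are hypothetical minimal stand-ins for the "before" and "after" shape of mergeConfig, hasOwnProp stands in for the utils.hasOwnProp mentioned above, and the 2xx-only default validateStatus is an assumption. The prototype is polluted only inside a helper that always restores it, mirroring the teardown the PR's tests add.

```javascript
// Added example, not axios's own code: a minimal mergeConfig showing why an
// `in` check is the wrong test under a polluted Object.prototype, and how an
// own-property check keeps the defaults' validateStatus in force.

// Assumed default: accept only 2xx responses.
const defaults = {
  validateStatus: (status) => status >= 200 && status < 300,
};

// Own-property test that never consults the prototype chain.
// (Stand-in for the utils.hasOwnProp the PR description refers to.)
const hasOwnProp = (obj, prop) =>
  Object.prototype.hasOwnProperty.call(obj, prop);

// Vulnerable shape ("before"): `in` walks the prototype chain, so a polluted
// Object.prototype.validateStatus is "found" on a plain request config and
// silently overrides the default.
function mergeConfigUnsafe(defaults, config) {
  const merged = {};
  for (const key of Object.keys(defaults)) {
    merged[key] = key in config ? config[key] : defaults[key];
  }
  return merged;
}

// Hardened shape ("after"): only the request's own properties may override.
function mergeConfigSafe(defaults, config) {
  const merged = {};
  for (const key of Object.keys(defaults)) {
    merged[key] = hasOwnProp(config, key) ? config[key] : defaults[key];
  }
  return merged;
}

// Runs fn while Object.prototype.validateStatus is polluted with an
// accept-everything function, and always restores the prototype afterwards
// (the same cleanup the PR's test teardown performs).
function withPollutedPrototype(fn) {
  Object.prototype.validateStatus = () => true;
  try {
    return fn();
  } finally {
    delete Object.prototype.validateStatus;
  }
}

// For a request config that sets no validateStatus of its own (constructed
// input), report whether each merge strategy would accept the given status.
function acceptanceUnderPollution(status) {
  return withPollutedPrototype(() => {
    const requestConfig = {};
    const unsafe = mergeConfigUnsafe(defaults, requestConfig);
    const safe = mergeConfigSafe(defaults, requestConfig);
    return {
      unsafe: unsafe.validateStatus(status),
      safe: safe.validateStatus(status),
    };
  });
}

// A caller that legitimately sets its own validateStatus is still honoured
// by the hardened merge, so valid inputs see no behaviour change.
function ownOverrideStillHonoured() {
  const requestConfig = { validateStatus: (s) => s < 500 };
  const merged = mergeConfigSafe(defaults, requestConfig);
  return merged.validateStatus(404) === true && merged.validateStatus(503) === false;
}

if (typeof require !== 'undefined' && require.main === module) {
  // The unsafe merge accepts a 401 under pollution; the safe merge rejects it.
  console.log(acceptanceUnderPollution(401));
}
```

The detection angle for anyone auditing similar merge code: any `key in obj` or `obj[key] !== undefined` test on a caller-supplied plain object is reachable from Object.prototype, so the own-property form (or a null-prototype object for the config) is the check to look for.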

@jasonsaayman jasonsaayman self-assigned this Apr 19, 2026
@jasonsaayman jasonsaayman added priority::medium A medium priority commit::fix The PR is related to a bugfix type::security The PR is a security related change normally from a CVE labels Apr 19, 2026
@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@jasonsaayman jasonsaayman changed the title fix: replace in with has own prop util fix: prevent authentication bypass via prototype pollution Apr 19, 2026
@jasonsaayman jasonsaayman merged commit 42eb721 into v1.x Apr 19, 2026
25 checks passed
@jasonsaayman jasonsaayman deleted the fix/axi-207-authentication-bypass-via-prototype-pollution-gadget branch April 19, 2026 14:04