A vulnerability in pomelo #1149

We found that pomelo allows external control of critical state data. Malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious attacker can launch attacks by adding additional attributes to user input.

A detailed discussion of the vulnerability can be found here.
https://github.com/cl0udz/vulnerabilities/tree/master/pomelo-critical-state-manipulation

whtiehack commented 1 hour ago

It seems to be a serious problem.
I'll test it.

whtiehack commented 1 hour ago

This problem does exist, and it can be simplified for understanding and testing like this:


// Prototype-style handler, like pomelo's entryHandler.js
var Handler = function (app) {
    this.app = app;

    if (!this.app)
        console.log("error")

};

Handler.prototype.entry = function () {
    console.log('entry', this.app.rpc.auth)
}

let h = new Handler({rpc: {auth: {}}})
console.log('h')
h.entry()                  // logs the auth object
// The inherited "constructor" is reachable as an ordinary method; calling it
// re-runs the initializer and replaces this.app with the caller's data
h.constructor({get: {}})
h.entry()                  // TypeError: this.app.rpc is undefined


whtiehack commented 35 minutes ago

The temporary solution is to check routeRecord.method in lib/server/server.js globalHandle.

if(routeRecord.method =="constructor"){
  return cb(new Error("unknow method"))
}

There is no need to worry about using pinus; pinus does not have this problem.


// Pinus uses an ES6 class; a class constructor cannot be invoked without "new"
class PinusHandler {
    constructor(app) {
        this.app = app;

        if (!this.app)
            console.log("error")

    }

    entry() {
        console.log('entry', this.app.rpc.auth)
    }
}

let ph = new PinusHandler({rpc: {auth: {}}})
console.log('ph')
ph.entry()                 // logs the auth object
// Throws TypeError: Class constructor PinusHandler cannot be invoked without 'new',
// so this.app is never replaced
ph.constructor({get: {}})
ph.entry()


Thanks to @xiaofen9.
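A minimal stand-in for the globalHandle dispatch discussed in this thread, as an added example that is not pomelo's or pinus's own code: the unsafe property lookup beside a hardened one that rejects "constructor" and anything not defined on the handler's own prototype. The names unsafeDispatch, safeDispatch and demo and the sample client message are assumptions.

```javascript
// Added example, not pomelo's code: a stand-in for the globalHandle dispatch.
// The route's method name comes from the client, so the lookup must reject
// "constructor" (and any other inherited property) before calling it.

// Prototype-style handler like entryHandler.js; this.app is critical state.
function Handler(app) {
  this.app = app;
}
Handler.prototype.entry = function (msg, session, cb) {
  return cb(null, { hasAuth: !!(this.app.rpc && this.app.rpc.auth) });
};

// Unsafe dispatch: every property reachable on the instance is callable,
// including the inherited "constructor", which re-initialises this.app
// with whatever the client sent.
function unsafeDispatch(handler, routeRecord, msg, session, cb) {
  const fn = handler[routeRecord.method];
  if (typeof fn !== 'function') return cb(new Error('unknown method'));
  return fn.call(handler, msg, session, cb);
}

// Hardened dispatch: the method must be a function that the handler's own
// prototype defines (so Object.prototype/Function members are excluded),
// and "constructor", which every prototype owns, is rejected explicitly.
function safeDispatch(handler, routeRecord, msg, session, cb) {
  const method = routeRecord.method;
  const proto = Object.getPrototypeOf(handler);
  if (method === 'constructor' ||
      !Object.prototype.hasOwnProperty.call(proto, method) ||
      typeof proto[method] !== 'function') {
    return cb(new Error('unknown method'));
  }
  return proto[method].call(handler, msg, session, cb);
}

// Constructed scenario: a client first routes to "constructor" with a
// payload of its choosing, then calls "entry". Returns what each dispatch
// reported plus the handler's final app state.
function demo(dispatch) {
  const handler = new Handler({ rpc: { auth: {} } });
  const results = [];
  const record = (err, res) => { results.push(err ? 'error: ' + err.message : res); };
  const clientMsg = { get: {} };  // constructed attacker-controlled message
  dispatch(handler, { method: 'constructor' }, clientMsg, {}, record);
  dispatch(handler, { method: 'entry' }, {}, {}, record);
  return { app: handler.app, results };
}
```

With unsafeDispatch the first call silently replaces handler.app and entry then sees no auth; with safeDispatch the first call is refused and entry still sees the original state.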

whtiehack added a commit to node-pinus/pinus that referenced this issue 28 minutes ago

Prevent calls constructor. because NetEase/pomelo#1149

839f8dd

whtiehack added a commit to whtiehack/pomelo that referenced this issue 15 minutes ago 

temporary fix NetEase#1149

5b999c5

whtiehack referenced this issue 15 minutes ago

temporary fix #1149 #1150
