fix: session.ts Prototype-polluting assignment (#377)

This change fixes the CodeQL alerts: * https://github.com/opentdf/web-sdk/security/code-scanning/6 * https://github.com/opentdf/web-sdk/security/code-scanning/7 Fixed by adding validation to ensure that the user supplied `response.state` can not be interpreted in a way that would result in unexpected invocation.
opentdf · Nov 18, 2024 · 94993bc · 94993bc
1 parent 75ca10c
commit 94993bc
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/web-app/src/session.ts b/web-app/src/session.ts
@@ -284,6 +284,13 @@ export class OidcClient implements AuthProvider {
     if (response._ === 'FAIL') {
       throw new Error(`OIDC auth ${response.error || 'error'}: [${response.error_description}]`);
     }
+    if (
+      response.state === '__proto__' ||
+      response.state === 'constructor' ||
+      response.state === 'prototype'
+    ) {
+      throw new Error('Invalid state value');
+    }
     const currentSession = sessions.requests[response.state];
     if (!currentSession) {
       throw new Error(`OIDC auth error: session storage missing state for ${response}`);