Security Fix for Insufficient Input Validation - huntr.dev

[huntr-helper]

https://huntr.dev/app/users/bbeale has fixed the Insufficient Input Validation vulnerability 🔨. bbeale has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2
GitHub Issue URL | #30
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/bson-objectid/1/README.md

User Comments:

📊 Metadata *

Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.

Bounty URL: https://www.huntr.dev/app/bounties/open/1-npm-bson-objectid

⚙️ Description *

Added methods for creating new ObjectID from JSON after removing unwanted properties from it.

💻 Technical Description *

• Checks that were previously at the beginning of the constructor moved into ObjectID.hasRequiredProps.
• ObjectID.sanitizeObject then removes unwanted properties from the JSON.
• ObjectID.createFromObject then creates an ObjectID from the scrubbed JSON.

🐛 Proof of Concept (PoC) *

Provide the vulnerability exploit to show the security issue you're fixing.

🔥 Proof of Fix (PoF) *

Replay the vulnerability exploit to show the successful fix and mitigation of the vulnerability.

👍 User Acceptance Testing (UAT)

Run the following unit test

it('should not allow insertion of an arbitrary property', function() {
    var json = {
      "mal_formkey": {
        "payload": "xxxx"
      },
      "_bsontype": "ObjectID",
      "id": "5eecccdc951ca34d04e3ff65",
    };

    var obj = ObjectID(json);
    obj.should.be.instanceof(ObjectID);
    obj.toString().should.eql("5eecccdc951ca34d04e3ff65");
  });

[JamieSlome]

@williamkapke - let me know your thoughts! 🍰

[niftylettuce]

Re-opened this as we should probably merge it, but there are conflicts at the moment. I also don't write TypeScript.