attack-surface.md

Attack Surface Analysis for juliangruber/isarray

Attack Surface: Prototype Pollution leading to Denial of Service or Incorrect Logic

• Description: An attacker modifies built-in JavaScript prototypes (like Array.prototype or Object.prototype.toString) before isarray is called, causing it to malfunction.
  • How isarray Contributes: isarray directly relies on these built-in methods (Array.isArray and Object.prototype.toString.call). If these are altered, isarray's behavior becomes unpredictable. This is the core vulnerability related to isarray.
  • Example:

    // Attacker's code (executed before isarray is used)
    Array.isArray = function() { return true; }; // Always return true
    
    // Application code
    const myVar = "not an array";
    if (require('isarray')(myVar)) { // isarray is now compromised
        console.log(myVar.length); // This will likely throw an error or produce unexpected results
    }

  • Impact:
    • Denial of Service (DoS): The application may crash or enter an unstable state.
    • Incorrect Logic: The application may make incorrect decisions, leading to data corruption, unexpected behavior, or security bypasses.
  • Risk Severity: High (Potentially Critical if isarray is used in security-critical logic). The severity depends on how the application uses the result.
  • Mitigation Strategies:
    • Object Freezing/Sealing: Object.freeze(Array.prototype); Object.freeze(Object.prototype); early in the application's lifecycle.
    • Defensive Copying: Create local, immutable copies of Array.isArray and Object.prototype.toString.call before using isarray, and use those copies.
    • Input Validation: Strictly validate and sanitize all external input to prevent attacker-controlled code execution.
    • Security Sandboxes (where applicable): Leverage browser/runtime environment protections, but don't rely solely on them.
    • Avoid Global Scope Modification: Minimize modifications to the global scope.

Attack Surface: Supply Chain Attack

• Description: A malicious actor compromises the isarray package on the npm registry and publishes a backdoored version.
  • How isarray Contributes: The application directly depends on the isarray package. A compromised package directly compromises the application.
  • Example: An attacker publishes a version of isarray that exfiltrates data or executes arbitrary code.
  • Impact:
    • Data Exfiltration.
    • Arbitrary Code Execution.
    • Full Application Compromise.
  • Risk Severity: Critical.
  • Mitigation Strategies:
    • Dependency Pinning: Use package-lock.json (npm) or yarn.lock (Yarn).
    • Integrity Checks: Ensure integrity checks are enabled in your package manager.
    • Software Composition Analysis (SCA) Tools: Use tools like Snyk, Dependabot, or OWASP Dependency-Check.
    • Regular Audits: Audit your dependencies.
    • Vendor Security Notifications: Subscribe to security notifications.
    • Consider Alternatives (for this specific case): Inline the isarray code directly into your project (after review and testing) to eliminate the external dependency:

      function isArray(arr) {
        return Object.prototype.toString.call(arr) === '[object Array]';
      }