attack-surface.md

Attack Surface Analysis for minimistjs/minimist

Attack Surface: Prototype Pollution

• Description: Injection of properties into the global Object.prototype, leading to unexpected behavior, denial of service, or potentially remote code execution.
• How Minimist Contributes: Older versions of minimist (before 1.2.6) were vulnerable to prototype pollution through specially crafted command-line arguments using properties like __proto__, constructor, and prototype. minimist's parsing logic did not prevent these properties from being assigned, directly enabling the attack.
• Example:

  node vulnerable-app.js --__proto__.polluted=true
  node vulnerable-app.js --a.__proto__.polluted=true
  node vulnerable-app.js --constructor.prototype.polluted=true
  

• Impact:
  • Denial of Service (DoS): Application crashes or becomes unresponsive.
  • Remote Code Execution (RCE): Attacker executes arbitrary code on the server.
  • Data Tampering: Modification of application data or behavior.
• Risk Severity: Critical (in vulnerable versions)
• Mitigation Strategies:
  • Update Minimist (Essential): Use minimist version 1.2.6 or later. This is the primary and most effective mitigation, directly addressing the vulnerability within minimist.
  • Input Sanitization (Defense in Depth): Validate and sanitize all command-line arguments. Whitelist allowed arguments and their expected types. Reject any input that doesn't conform to the whitelist. While this is a good practice, it's secondary to updating minimist.
  • Avoid Dangerous Properties: Do not directly access or rely on properties like __proto__, constructor, or prototype in application logic. This is a general good practice, but updating minimist is the core mitigation.
  • Code Review: Regularly review code for potential prototype pollution vulnerabilities. Again, this is a good practice but secondary to the direct fix of updating.