Open
Description
Prototype pollution is a critical JavaScript vulnerability where an attacker can modify the prototype of a base object. This can lead to application-wide logic tampering, cross-site scripting (XSS), denial of service (DoS), or even remote code execution.
We need to ensure our security extension can effectively identify these vulnerabilities in code changes (e.g., see #90). This investigation will involve curating a dataset of real-world examples, baselining our current detection capabilities, enhancing our prompt, and updating our benchmark dataset to prevent regressions.
Action Items
1. Data Curation & Analysis
   - Systematically search the OSSF CVE Benchmark dataset for clear examples of prototype pollution vulnerabilities (e.g., CVEs related to unsafe object merges).
2. Vulnerability Introduction Analysis
   - For a curated subset (5-10) of the best examples, use archeogit or manual git history inspection to find the specific commit that introduced the vulnerability.
   - Save these "vulnerable diffs" for testing.
3. Baseline Current Capabilities
   - Run the current security extension (/security:analyze) against the collection of vulnerable diffs.
   - Document the detection rate (e.g., "Detected 1/10"). This is our baseline.
4. Enhance Detection Prompt (If Necessary)
   - Based on the results from step 3, update the GEMINI.md prompt.
   - Add "Prototype Pollution" as a new item, likely under the "Injection Vulnerabilities" category.
   - The new prompt instruction should guide the model to look for the specific patterns identified in step 1 (e.g., "Analyze for prototype pollution vulnerabilities, such as unsafe recursive object merges or direct modification of __proto__ or constructor.prototype from user-controlled input.").
5. Validate and Update Benchmark
   - Re-run the security extension (with the updated prompt) against the vulnerable diffs and confirm the detection rate has improved significantly.
   - Select the 3-5 clearest examples and add them to our official internal benchmark dataset to ensure we continue to catch this vulnerability class in the future.
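
For reference, the "unsafe recursive object merge" pattern named in step 4, next to a hardened form. This is an added example, not code from this issue, the extension, or the OSSF dataset; the function names and the JSON input are constructed for illustration.

```javascript
// Pattern to flag: a recursive merge that copies every key of untrusted input.
// (Hypothetical function, written for this example.)
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      // When key is "__proto__", target[key] is Object.prototype, so the
      // recursion writes the nested keys onto the shared prototype.
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened form: own keys only, prototype-reaching keys rejected, and
// recursion only into objects the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs both merges on the same constructed input and reports the effect.
function demo() {
  const input = '{"theme":{"dark":true},"__proto__":{"isAdmin":true}}';
  unsafeMerge({}, JSON.parse(input));
  const unsafePolluted = ({}).isAdmin === true; // unrelated object is affected
  delete Object.prototype.isAdmin;              // undo the pollution
  const merged = safeMerge({}, JSON.parse(input));
  const safePolluted = ({}).isAdmin === true;
  return { unsafePolluted, safePolluted, safeKeptData: merged.theme.dark === true };
}

console.log(demo());
```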