Is there an existing issue for this?
Current Behavior
The @npmcli/git package contains a prototype pollution vulnerability in the revs() function. When the function runs git ls-remote against a provided repository path and parses the output via lines-to-revs.js, it uses the git ref names from that output (branch and tag names) as keys of the revs.refs object without validation. If the repository contains a ref named __proto__, the assignment revs.refs['__proto__'] = sha pollutes Object.prototype.
Expected Behavior
The revs() function should validate or sanitize git ref names before using them as dynamic property keys in the revs.refs object. Specifically, it should reject or escape special keys such as __proto__ (and store refs in a container that has no such accessor, e.g. a null-prototype object) so that a ref name can never modify Object.prototype.
Steps To Reproduce
- Create a malicious git repository:
Initialize a new git repository (e.g., mkdir malicious-repo && cd malicious-repo && git init).
Create a branch or tag named __proto__ (e.g., git checkout -b __proto__ or git tag __proto__).
- Call the revs() function from @npmcli/git with the path to the malicious repository:
const lib = require('@npmcli/git');
// revs() returns a promise; call it from an async function (top-level await is not available in CommonJS)
(async () => { await lib.revs('/path/to/malicious-repo'); })();
- Observe that Object.prototype is polluted: the __proto__ key is assigned the SHA value of the malicious ref.
Environment
- npm: Not specified
- Node: Not specified
- OS: Any
- platform: Any