Easy | +50 XP | A08:2021 Software and Data Integrity Failures | CWE-1321
Prototype Pollution
Scenario
Your service exposes an `applyDefaults` helper that fills missing config fields from a defaults object.
Because it iterates over `Object.keys(defaults)` without filtering, an attacker who controls the defaults object can pass `{constructor: {x: 1}}` and silently mutate built-in constructors.
Config-merge utilities are ubiquitous. A single unguarded key lets attackers inject properties onto every object in the runtime, enabling authentication bypass without any DB query.
Your Tasks
Add a validation step that inspects every key in `defaults` before applying it.
Throw `'Prototype pollution detected'` if any key equals `__proto__`, `constructor`, or `prototype`.
Ensure legitimate defaults are still applied when keys are safe.
Examples
Example 1 — Exploit — constructor in defaults
```javascript
applyDefaults({}, {"constructor": {"x": 1}})
// throws: 'Prototype pollution detected'
```
Example 2 — Safe — normal defaults
```javascript
applyDefaults({}, {timeout: 3000, retries: 3})
// returns: {timeout: 3000, retries: 3}
```
Constraints
- Throw exactly `'Prototype pollution detected'` on any forbidden key.
- Use a nullish-coalescing assignment so existing config values are not overwritten.
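One implementation that satisfies the tasks and constraints above, added here as an example rather than the challenge's own solution code; the `FORBIDDEN_KEYS` name and the JSON-parsed sample inputs are this example's assumptions:

```javascript
// Keys that let a merge reach an object's prototype chain instead of its own fields.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Fill missing fields of `config` from `defaults`.
// Every key is inspected before anything is applied, so a forbidden key aborts
// the merge without writing any partial defaults first.
function applyDefaults(config, defaults) {
  // Object.keys returns own enumerable keys only. Note that an object literal
  // {__proto__: ...} sets the prototype rather than creating an own key, whereas
  // JSON.parse('{"__proto__": ...}') does create an own "__proto__" key, which is
  // the shape attacker-controlled JSON input takes.
  const keys = Object.keys(defaults);

  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error('Prototype pollution detected');
    }
  }

  for (const key of keys) {
    // Nullish-coalescing assignment: only fills fields that are undefined or null,
    // so a value the caller already set in `config` is never overwritten.
    config[key] ??= defaults[key];
  }
  return config;
}

// Constructed sample inputs mirroring the examples above.
const SAFE_DEFAULTS = { timeout: 3000, retries: 3 };
const HOSTILE_DEFAULTS = JSON.parse('{"constructor": {"x": 1}}');

module.exports = { applyDefaults, FORBIDDEN_KEYS, SAFE_DEFAULTS, HOSTILE_DEFAULTS };
```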