#0506

Gadget Chain via Config

Hard | +200 XP | A08:2021 Software and Data Integrity Failures | CWE-1321 | Prototype Pollution | RCE

Scenario

Your build tool reads an external `rawConfig` JSON file and merges it into a fresh object to extract settings like `outputDir`.

The merge uses the same unsafe recursive approach as a popular lodash-era pattern. An attacker who can write `rawConfig` can inject `__proto__.outputDir` to point output at `/etc`, or chain through `constructor.prototype` for a full gadget-chain RCE primitive.

Gadget chains turn prototype pollution from a nuisance into full RCE. Build tools that accept external config files are especially dangerous because they run with elevated privileges and access to the file system.

Your Tasks

  1. Sanitize `rawConfig` before merging: throw `'Prototype pollution detected'` if any key (at any nesting level) is `__proto__`, `constructor`, or `prototype`.
  2. Return `{outputDir: rawConfig.outputDir || '/tmp/output'}` for safe configs.
  3. Ensure empty configs default to `/tmp/output`.

Examples

Example 1: Exploit — gadget chain via constructor.prototype

processConfig({"constructor":{"prototype":{"outputDir":"/etc"}}})
// throws: 'Prototype pollution detected'

Example 2: Safe — explicit outputDir

processConfig({outputDir: '/app/dist'})
// returns: {outputDir: '/app/dist'}

Constraints

  • Throw exactly `'Prototype pollution detected'` on any forbidden key at any depth.
  • Do not mutate `rawConfig` — work on a sanitised copy or check before merging.
  • Return only the `outputDir` field in the result object.
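
One way to implement the three tasks, as an added example rather than the challenge's reference solution. It assumes the error is raised as an `Error` whose message is the required string; `FORBIDDEN_KEYS`, `assertNoForbiddenKeys`, `SAMPLES` and `runSamples` are hypothetical names, and the sample configs are constructed.

```javascript
// Added example; FORBIDDEN_KEYS and assertNoForbiddenKeys are hypothetical names.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk every own key at every depth (arrays included) without mutating the input.
function assertNoForbiddenKeys(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return;
  if (seen.has(value)) return; // cyclic in-memory objects would otherwise recurse forever
  seen.add(value);
  // JSON.parse stores "__proto__" as an ordinary own property, so it shows up here.
  for (const key of Reflect.ownKeys(value)) {
    if (typeof key === 'string' && FORBIDDEN_KEYS.has(key)) {
      throw new Error('Prototype pollution detected');
    }
    assertNoForbiddenKeys(value[key], seen);
  }
}

function processConfig(rawConfig) {
  const input = rawConfig ?? {};
  assertNoForbiddenKeys(input); // check before any merge; rawConfig is never modified
  // Assumption beyond the task text: read outputDir only as an own property, so a
  // prototype polluted elsewhere in the process cannot supply the value.
  const own = Object.prototype.hasOwnProperty.call(input, 'outputDir')
    ? input.outputDir
    : undefined;
  return { outputDir: own || '/tmp/output' };
}

// Constructed sample configs, parsed the way a build tool would read a file.
const SAMPLES = [
  '{"outputDir":"/app/dist"}',
  '{}',
  '{"constructor":{"prototype":{"outputDir":"/etc"}}}',
  '{"__proto__":{"outputDir":"/etc"}}',
  '{"plugins":[{"options":{"__proto__":{"shell":true}}}]}',
];

function runSamples() {
  return SAMPLES.map((text) => {
    try {
      return processConfig(JSON.parse(text)).outputDir;
    } catch (err) {
      return err.message;
    }
  });
}

console.log(runSamples());
```

The check relies on the config arriving through `JSON.parse`: in a JavaScript object literal, `__proto__: value` sets the prototype instead of creating an own key, so a literal would not exercise the `__proto__` branch.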
