Exfiltration of Data
"Exfiltration" happens when an attacker causes a response to include data that it should not have. Web applications and services may produce response bodies that include too much information.
- it serializes unintended information and no one notices or
- an attacker controls what is serialized.
If the attacker controls `str` then they may be able to pick any field of `this` or possibly any global field.
This problem is not new to Node.js, but we consider it to be higher frequency for Node.js for these reasons:
- There is no equivalent to `Object.assign` in most backend languages. It's possible in Python and Java via reflective operators but security auditors can narrow down code that might suffer this vulnerability to those that use reflection.
- In most backend languages, `obj[...]` does not allow aliasing of all properties. For example, Python allows `obj[...]` on types that implement `__getitem__` which is not the case for user-defined classes. Java has generic collections and maps, but for user-defined classes the equivalent code pattern requires reflection and possibly calls to
`Object.assign` and related copy operators are also potential mass assignment vectors as in:
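The two patterns discussed above (an attacker-chosen key read through `this[...]`, and `Object.assign` used on untrusted input), shown beside allowlist-based alternatives. This is an added example, not code from the original page; the `Account` class, its fields, `PUBLIC_SECTIONS` and `assignAllowed` are hypothetical names, and all values are constructed.

```javascript
// Constructed sample: an object that holds more data than any response needs.
class Account {
  constructor() {
    this.profile = { name: 'alice', plan: 'free' };
    this.credentials = { apiKey: 'CONSTRUCTED-SAMPLE-KEY' };
  }

  // Vulnerable: `section` comes from the request, so it can name any
  // field of `this`, including ones never meant to be serialized.
  renderUnsafe(section) {
    return Object.assign({}, this[section]);
  }

  // Hardened: the request may only select from a fixed allowlist.
  renderSafe(section) {
    if (!Account.PUBLIC_SECTIONS.has(section)) {
      throw new RangeError('unknown section');
    }
    return Object.assign({}, this[section]);
  }
}
Account.PUBLIC_SECTIONS = new Set(['profile']);

// Inbound direction (mass assignment): copy only allowlisted own
// properties instead of Object.assign(target, JSON.parse(untrusted)).
function assignAllowed(target, source, allowedKeys) {
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(source, key)) {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed demo input: the second key must not reach systemData.
const demoInput = JSON.parse('{"displayName":"bob","isAdmin":true}');
const systemData = { displayName: 'alice', isAdmin: false };
assignAllowed(systemData, demoInput, ['displayName']);
console.log(systemData); // isAdmin is unchanged
```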