HIGH prototype pollutionadonisjs

Prototype Pollution in Adonisjs

Scan for prototype pollution in adonisjs

How Prototype Pollution Manifests in Adonisjs

Prototype pollution in Adonisjs occurs when untrusted user input can modify JavaScript object prototypes, particularly through the framework's request body parsing and query parameter handling. Adonisjs uses the qs library for parsing query strings, which is vulnerable to prototype pollution when the allowPrototypes option is enabled or when nested objects are improperly handled.

The most common attack vector in Adonisjs applications is through request bodies that contain nested objects with special keys like __proto__, constructor, or prototype. When Adonisjs parses these requests without proper safeguards, an attacker can inject properties into Object.prototype that affect all objects in the application.

Here's a vulnerable Adonisjs controller pattern:

class UserController {
  async create({ request }) {
    const userData = request.post()
    const user = new User()
    Object.assign(user, userData) // Vulnerable if userData contains prototype pollution
    await user.save()
  }
}

An attacker could send a request with a body like:

{
  "name": "John Doe",
  "__proto__": {
    "isAdmin": true
  }
}

This would add an isAdmin property to Object.prototype, making all objects in the application appear as administrators. In Adonisjs, this is particularly dangerous because the framework's Lucid ORM models inherit from base classes, so prototype pollution can affect database queries, authentication checks, and authorization logic.

Another Adonisjs-specific vector is through the framework's validation system. When using validateAll with user-provided schemas or when dynamically constructing validation rules based on request parameters, prototype pollution can bypass security checks:

class ProductController {
  async update({ request }) {
    const rules = request.input('rules', {}) // User controls validation rules!
    const data = await request.validate({
      rules
    })
    // Proceed with potentially malicious data
  }
}

The framework's middleware system can also be affected. If middleware properties are dynamically set based on request parameters, prototype pollution can modify middleware behavior across the entire application.

Adonisjs-Specific Detection

Detecting prototype pollution in Adonisjs requires both static analysis and runtime scanning. middleBrick's API security scanner specifically targets this vulnerability through its Property Authorization check, which examines how your Adonisjs application handles nested object properties and special keys.

For manual detection in Adonisjs applications, start by examining your route handlers and controller methods. Look for patterns where request data is directly assigned to objects without sanitization:

grep -r "request\.\(post\|all\|only\|except\)" app/Controllers/Http

Then check if these handlers use Object.assign, spread operators, or direct property assignment with the parsed data. Adonisjs's request.post() method returns a plain JavaScript object that's vulnerable if not properly handled.

middleBrick scans for prototype pollution by sending specially crafted payloads to your Adonisjs endpoints. The scanner tests for:

  • Modification of Object.prototype through __proto__ keys
  • Prototype chain manipulation via constructor and prototype properties
  • Symbol-based prototype pollution attempts
  • Nested object traversal that could affect prototype properties

The scanner's Input Validation check specifically looks for Adonisjs's use of the qs library and whether your application properly configures it. By default, qs.parse() in Adonisjs can be vulnerable if not configured with allowPrototypes: false.

To test locally, you can use middleBrick's CLI tool:

npx middlebrick scan https://your-adonisjs-app.com/api/users

This will test your Adonisjs API endpoints for prototype pollution vulnerabilities and provide a security score with specific findings about property authorization issues.

Adonisjs-Specific Remediation

Remediating prototype pollution in Adonisjs requires a multi-layered approach. The most effective solution is to use Adonisjs's built-in sanitization and validation features to prevent malicious data from reaching your application logic.

First, configure Adonisjs to use safe parsing by default. In your config/app.js, ensure that request parsing is configured securely:

module.exports = {
  http: {
    allowMethodOverride: true,
    generateRequestId: true,
    trustProxy: false
  }
}

Then, in your controllers, always use Adonisjs's validation system before processing request data:

class UserController {
  async create({ request }) {
    const validatedData = await request.validate({
      schema: schema.create({
        name: schema.string(),
        email: schema.string({}, [rules.email()]),
        role: schema.enum.optional(['user', 'admin', 'moderator'])
      }),
      messages: {
        'role.enum': 'Invalid role value'
      }
    })
    
    // Safe to use validatedData - prototype pollution prevented
    const user = new User(validatedData)
    await user.save()
  }
}

For cases where you need to merge user data with existing objects, use a safe merge function that prevents prototype pollution:

const safeMerge = (target, source) => {
  const result = { ...target }
  for (const [key, value] of Object.entries(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      continue // Skip dangerous keys
    }
    if (typeof value === 'object' && value !== null) {
      result[key] = safeMerge(result[key] || {}, value)
    } else {
      result[key] = value
    }
  }
  return result
}

// Usage in Adonisjs controller
const userData = request.post()
const safeData = safeMerge({}, userData)

Adonisjs's HttpContext provides additional protection through its request.clean() method, which removes potentially dangerous properties:

const cleanData = request.clean()
// cleanData has dangerous properties removed

For maximum security, implement a global middleware that sanitizes all incoming requests:

class PrototypePollutionProtection {
  async handle({ request }, next) {
    const originalPost = request.post.bind(request)
    request.post = () => {
      const data = originalPost()
      return this.sanitizeObject(data)
    }
    await next()
  }

  sanitizeObject(obj) {
    if (typeof obj !== 'object' || obj === null) return obj
    
    const sanitized = Array.isArray(obj) ? [] : {}
    for (const [key, value] of Object.entries(obj)) {
      if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
        continue
      }
      sanitized[key] = this.sanitizeObject(value)
    }
    return sanitized
  }
}

// Register in start/kernel.js
const globalMiddleware = [
  'Adonis/Core/BodyParser',
  'App/Middleware/PrototypePollutionProtection'
]

Finally, use middleBrick's continuous monitoring in your Pro plan to automatically scan your Adonisjs API endpoints on a schedule, ensuring that any new prototype pollution vulnerabilities introduced during development are caught before production deployment.

Scan for prototype pollution in adonisjs Free API security scan

Frequently Asked Questions

Can prototype pollution in Adonisjs affect my database queries?
Yes, prototype pollution can modify Object.prototype properties that affect all objects, including Lucid ORM models. This can cause authorization bypass, data leakage, or even SQL injection if prototype properties interfere with query building. Always validate and sanitize request data before using it with your database models.
Does Adonisjs protect against prototype pollution by default?
No, Adonisjs does not provide built-in protection against prototype pollution. The framework's request parsing and validation systems can be vulnerable if not properly configured. You need to implement additional safeguards like input validation, safe object merging, and potentially global middleware to protect against these attacks.

Related Pages

Prototype Pollution in Adonisjs on NetlifyPrototype pollution in AdonisJS on Netlify: how serverless functions expose the risk and concrete remediation with allowPrototype Pollution in Adonisjs on Fly IoExplore prototype pollution risks in Adonisjs with Fly Io, with code examples for safe merging, validation, and middlewaPrototype Pollution in Adonisjs on DigitaloceanPrototype pollution in AdonisJS on DigitalOcean: causes, secure validation patterns, and remediation guidance. Learn detIso 27001: Prototype Pollution in AdonisjsExplore ISO 27001 controls applied to Prototype Pollution in AdonisJS, with concrete remediation code examples and securHipaa: Prototype Pollution in AdonisjsExplore HIPAA risks from prototype pollution in AdonisJS, with concrete code examples and secure remediation patterns usCis: Prototype Pollution in AdonisjsExplore prototype pollution risks in Adonisjs, understand CIS surface exposure, and apply schema-based validation and saGdpr: Prototype Pollution in AdonisjsGDPR risks from prototype pollution in Adonisjs: how unsafe object merging exposes personal data and concrete Adonisjs vPrototype Pollution in Adonisjs with Jwt TokensExplore prototype pollution risks in AdonisJS with JWT tokens, including detection and concrete secure coding fixes.Prototype Pollution in Adonisjs with Basic AuthPrototype pollution in Adonisjs with Basic Auth: how the combo exposes risks and concrete code fixes using strict validaPrototype Pollution in Adonisjs with Api KeysPrototype pollution in AdonisJS with API keys: how injection via config merging bypasses validation, and code fixes to iPrototype Pollution in Adonisjs with Mutual TlsPrototype pollution in AdonisJS with mTLS: risks, secure validation, and remediation examples using strict schemas and sPrototype Pollution in Adonisjs with CockroachdbExplore prototype pollution risks in Adonisjs with Cockroachdb, understand how they manifest, and apply concrete code fi