Prototype Pollution in Fiber

Prototype Pollution in Fiber applications typically occurs through unsafe handling of request data that flows into object creation or configuration. The vulnerability arises when user-controlled input can modify JavaScript object prototypes, allowing attackers to inject arbitrary properties that affect application behavior.

In Fiber applications, this often manifests through JSON body parsing where request payloads are directly merged into objects without proper validation. Consider this common Fiber pattern:

app.Post("/api/config", func(c *fiber.Ctx) error {
    var config map[string]interface{}
    if err := c.BodyParser(&config); err != nil {
        return err
    }
    
    // Unsafe: user input directly modifies object
    for k, v := range config {
        app.Config().Set(k, v)
    }
    
    return c.JSON(fiber.Map{"status": "updated"})
})

An attacker could send a JSON payload with __proto__ properties to pollute the prototype chain:

{
  "__proto__": {
    "isAdmin": true,
    "secretKey": "exposed"
  }
}

Once polluted, every object in the application inherits these properties, potentially escalating privileges or exposing sensitive data.

Another Fiber-specific manifestation occurs in query parameter handling. Fiber's query parsing doesn't automatically sanitize __proto__ keys:

app.Get("/api/search", func(c *fiber.Ctx) error {
    query := c.Query()
    
    // Unsafe: query parameters directly used
    results := searchDatabase(query)
    return c.JSON(results)
})

An attacker could craft URLs like:

/api/search?__proto__[isAdmin]=true&__proto__[secretKey]=exposed

This pollutes the prototype chain affecting all subsequent object operations.

Fiber's middleware chain also creates opportunities for prototype pollution. Consider middleware that merges user data:

func authMiddleware(c *fiber.Ctx) error {
    user := c.Locals("user").(map[string]interface{})
    
    // Unsafe: merging without validation
    c.Locals("context", mergeMaps(user, c.Query()))
    return c.Next()
}

The merge operation becomes dangerous when user input contains __proto__ keys, polluting the prototype chain that affects all subsequent request handling.

Detecting Prototype Pollution in Fiber applications requires both static analysis and runtime scanning. For static detection, examine all code paths where request data flows into object creation or merging operations.

Code review patterns to identify:

// Dangerous patterns to flag:
1. Direct use of c.BodyParser() into objects without validation
2. c.Query() results used in object operations
3. c.Params() merged without sanitization
4. JSON unmarshaling of user input into structs with unexported fields
5. Object.assign() or spread operators on user data

// Safe patterns to verify:
1. Input validation before object operations
2. Use of Object.create(null) for clean objects
3. Property existence checks before assignment
4. Type validation on all user inputs

Runtime detection with middleBrick scanner specifically tests for Prototype Pollution by sending crafted payloads that attempt to modify object prototypes. The scanner sends requests with __proto__ properties and analyzes responses for evidence of prototype chain modification.

middleBrick's Prototype Pollution detection includes:

• Automated testing of all API endpoints with malicious payloads
• Analysis of response data for leaked prototype properties
• Detection of unsafe object merging patterns in your API responses
• Identification of endpoints vulnerable to prototype chain pollution
• Specific checks for Fiber's query parsing and body handling

The scanner reports findings with severity levels and provides the exact payloads that triggered the vulnerability, making remediation straightforward.

For comprehensive coverage, integrate middleBrick into your CI/CD pipeline using the GitHub Action. This ensures every code change is automatically scanned for Prototype Pollution before deployment:

name: API Security Scan
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run middleBrick Scan
        run: |
          npm install -g middlebrick
          middlebrick scan http://localhost:3000 --output json
        continue-on-error: true
      - name: Fail on High Risk
        if: failure() && steps.scan.outputs.severity == 'high'
        run: exit 1

This setup catches Prototype Pollution regressions early in development.

Remediating Prototype Pollution in Fiber applications requires a defense-in-depth approach. Start with input validation and sanitization before any object operations.

Safe body parsing pattern:

app.Post("/api/config", func(c *fiber.Ctx) error {
    var config map[string]interface{}
    if err := c.BodyParser(&config); err != nil {
        return err
    }
    
    // Sanitize input - remove dangerous keys
    sanitized := make(map[string]interface{})
    for k, v := range config {
        if k == "__proto__" || k == "constructor" {
            continue // block prototype pollution
        }
        sanitized[k] = v
    }
    
    // Validate types and values
    if err := validateConfig(sanitized); err != nil {
        return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": err.Error()})
    }
    
    // Safe: use sanitized data
    applyConfig(sanitized)
    return c.JSON(fiber.Map{"status": "updated"})
})

For query parameter handling, use Fiber's built-in validation or create a sanitization middleware:

func sanitizeQuery(c *fiber.Ctx) error {
    query := c.Query()
    
    // Create clean object without prototype pollution risk
    cleanQuery := make(map[string]string)
    for k, v := range query {
        if k == "__proto__" || k == "constructor" {
            continue
        }
        cleanQuery[k] = v
    }
    
    c.Locals("cleanQuery", cleanQuery)
    return c.Next()
}

app.Get("/api/search", sanitizeQuery, func(c *fiber.Ctx) error {
    cleanQuery := c.Locals("cleanQuery").(map[string]string)
    results := searchDatabase(cleanQuery)
    return c.JSON(results)
})

For object merging operations, use safe patterns:

func safeMerge(target, source map[string]interface{}) map[string]interface{} {
    result := make(map[string]interface{})
    
    // Copy target
    for k, v := range target {
        result[k] = v
    }
    
    // Copy source with validation
    for k, v := range source {
        if k == "__proto__" || k == "constructor" {
            continue
        }
        result[k] = v
    }
    
    return result
}

// Usage in middleware
func authMiddleware(c *fiber.Ctx) error {
    user := c.Locals("user").(map[string]interface{})
    query := c.Locals("cleanQuery").(map[string]string)
    
    context := safeMerge(user, query)
    c.Locals("context", context)
    return c.Next()
}

Additional defensive measures:

• Use Object.create(null) for objects that don't need prototype inheritance
• Implement comprehensive input validation with type checking
• Use TypeScript or static analysis to catch unsafe patterns
• Regularly scan with middleBrick to detect new vulnerabilities

The middleBrick CLI tool can help verify your remediation:

middlebrick scan http://localhost:3000 --focus prototype-pollution --output json

This targeted scan focuses specifically on Prototype Pollution detection, providing detailed feedback on whether your fixes are effective.