JavaScript原型链污染详解<\/h1>

一、基本概念<\/h2>

1.1
__proto__<\/code>与prototype<\/code>的区别<\/h3>


__proto__<\/code><\/strong>:<\/p>

每个对象都有的隐藏属性<\/li>
指向创建该对象的构造函数的原型对象(prototype<\/code>)<\/li>
是对象用于继承属性和方法的机制<\/li>
所有对象都可以通过__proto__<\/code>访问其原型，实现原型链查找<\/li>
<\/ul>
<\/li>

prototype<\/code><\/strong>:<\/p>

是函数(特别是构造函数)特有的属性<\/li>
用于定义由该构造函数创建的实例共享的属性和方法<\/li>
通常用来定义构造函数的实例方法<\/li>
新创建的对象会继承其构造函数prototype<\/code>上的属性和方法<\/li>
<\/ul>
<\/li>
<\/ul>
const<\/span> obj<\/span> =<\/span> {};
<\/span><\/span>console<\/span>.log<\/span>(obj<\/span>.__proto__<\/span> ===<\/span> Object.prototype<\/span>); \/\/ true
<\/span><\/span><\/span><\/code><\/pre>1.2 原型链机制<\/h3>
JavaScript中的继承是通过原型链实现的：<\/p>

每个对象都有一个指向其原型的内部链接(__proto__<\/code>)<\/li>
原型本身也是一个对象，通常还有自己的原型<\/li>
形成一条原型链<\/li>
访问对象属性时，JavaScript会沿着原型链逐级查找<\/li>
<\/ul>
二、原型链示例<\/h2>
function<\/span> Animal<\/span>(name<\/span>) {
<\/span><\/span>  this<\/span>.name<\/span> =<\/span> name<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> Something<\/span>() {
<\/span><\/span>  this<\/span>.speak<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    console<\/span>.log<\/span>(this<\/span>.name<\/span> +<\/span> ' makes a beautiful sound.'<\/span>);
<\/span><\/span>  };
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>const<\/span> dog<\/span> =<\/span> new<\/span> Animal<\/span>('Dog'<\/span>);
<\/span><\/span>dog<\/span>.speak<\/span>(); \/\/ 输出: 'Dog makes a beautiful sound.'
<\/span><\/span><\/span><\/code><\/pre>原型链关系：<\/p>
dog -> Animal.prototype -> Something.prototype -> Object.prototype -> null
<\/code><\/pre>
三、原型链污染原理<\/h2>
通过修改对象的原型(__proto__<\/code>)，可以影响所有与该对象来自同一个类、父类直到Object类的对象。<\/p>
3.1 污染示例<\/h3>
function<\/span> Animal<\/span>(name<\/span>) {
<\/span><\/span>  this<\/span>.name<\/span> =<\/span> name<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> Something<\/span>() {
<\/span><\/span>  this<\/span>.speak<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    console<\/span>.log<\/span>(this<\/span>.name<\/span> +<\/span> ' makes a beautiful sound.'<\/span>);
<\/span><\/span>  };
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>const<\/span> dog<\/span> =<\/span> new<\/span> Animal<\/span>('Dog'<\/span>);
<\/span><\/span>dog<\/span>.__proto__<\/span>.speak<\/span> =<\/span> function<\/span>() {
<\/span><\/span>  console<\/span>.log<\/span>('修改成功'<\/span>);
<\/span><\/span>};
<\/span><\/span>dog<\/span>.speak<\/span>(); \/\/ 输出: '修改成功'
<\/span><\/span><\/span><\/code><\/pre>3.2 典型污染场景：merge操作<\/h3>
function<\/span> merge<\/span>(target<\/span>, source<\/span>) {
<\/span><\/span>  for<\/span> (let<\/span> key<\/span> in<\/span> source<\/span>) {
<\/span><\/span>    if<\/span> (key<\/span> in<\/span> source<\/span> &&<\/span> key<\/span> in<\/span> target<\/span>) {
<\/span><\/span>      merge<\/span>(target<\/span>[key<\/span>], source<\/span>[key<\/span>])
<\/span><\/span>    } else<\/span> {
<\/span><\/span>      target<\/span>[key<\/span>] =<\/span> source<\/span>[key<\/span>]
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>当攻击者可以控制source<\/code>对象时，可以通过设置__proto__<\/code>属性来污染原型链：<\/p>
let<\/span> obj<\/span> =<\/span> {};
<\/span><\/span>merge<\/span>(obj<\/span>, {
<\/span><\/span>  __proto__<\/span>:<\/span> {
<\/span><\/span>    polluted<\/span>:<\/span> true<\/span>
<\/span><\/span>  }
<\/span><\/span>});
<\/span><\/span>\/\/ 现在所有对象的原型都被污染了
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>({}.polluted<\/span>); \/\/ true
<\/span><\/span><\/span><\/code><\/pre>四、防御措施<\/h2>


避免使用__proto__<\/code><\/strong>:<\/p>

使用Object.getPrototypeOf()<\/code>和Object.setPrototypeOf()<\/code>替代<\/li>
<\/ul>
<\/li>

安全的对象合并<\/strong>:<\/p>

检查属性名是否为__proto__<\/code>或constructor<\/code>等敏感属性<\/li>
使用Object.hasOwnProperty()<\/code>确保只处理对象自身的属性<\/li>
<\/ul>
<\/li>

冻结原型<\/strong>:<\/p>

使用Object.freeze(Object.prototype)<\/code>防止原型被修改<\/li>
<\/ul>
<\/li>

使用Map代替Object<\/strong>:<\/p>

Map不会受到原型链污染的影响<\/li>
<\/ul>
<\/li>

输入验证<\/strong>:<\/p>

严格验证用户输入，特别是用于构建对象的JSON数据<\/li>
<\/ul>
<\/li>
<\/ol>
五、实际应用场景<\/h2>


Node.js应用<\/strong>:<\/p>

污染全局对象原型可能导致所有模块受到影响<\/li>
<\/ul>
<\/li>

前端框架<\/strong>:<\/p>

污染可能导致不可预测的行为或XSS漏洞<\/li>
<\/ul>
<\/li>

API处理<\/strong>:<\/p>

不安全的JSON解析可能导致原型链污染<\/li>
<\/ul>
<\/li>
<\/ol>
六、检测方法<\/h2>


检查对象原型<\/strong>:<\/p>
console<\/span>.log<\/span>(Object.prototype<\/span>.polluted<\/span>); \/\/ 检查是否被污染
<\/span><\/span><\/span><\/code><\/pre><\/li>

使用安全模式<\/strong>:<\/p>

启用严格模式('use strict'<\/code>)可以帮助发现一些问题<\/li>
<\/ul>
<\/li>

代码审计<\/strong>:<\/p>

检查所有对象合并、复制操作的安全性<\/li>
<\/ul>
<\/li>
<\/ol>
理解原型链污染对于JavaScript开发者至关重要，特别是在构建需要处理不可信输入的应用程序时。通过遵循安全实践和防御措施，可以有效防止这类安全问题。<\/p>
JavaScript原型链污染详解<\/h1>

一、基本概念<\/h2>

三、原型链污染原理<\/h2> 通过修改对象的原型(__proto__<\/code>)，可以影响所有与该对象来自同一个类、父类直到Object类的对象。<\/p>

三、原型链污染原理<\/h2>
通过修改对象的原型(`proto<\/code>)，可以影响所有与该对象来自同一个类、父类直到Object类的对象。<\/p>`
