Investigate Detection for Prototype Pollution

[capachino]

Description

Prototype pollution is a critical JavaScript vulnerability where an attacker can modify the prototype of a base object. This can lead to application-wide logic tampering, cross-site scripting (XSS), denial of service (DoS), or even remote code execution.

We need to ensure our security extension can effectively identify these vulnerabilities in code changes e.g. see #90. This investigation will involve curating a dataset of real-world examples, baselining our current detection capabilities, enhancing our prompt, and updating our benchmark dataset to prevent regressions.

Action Items

• 1. Data Curation & Analysis
  • Systematically search the OSSF CVE Benchmark dataset for clear examples of prototype pollution vulnerabilities (e.g., CVEs related to unsafe object merges).
• 2. Vulnerability Introduction Analysis
  • For a curated subset (5-10) of the best examples, use archeogit or manual git history inspection to find the specific commit that introduced the vulnerability.
  • Save these "vulnerable diffs" for testing.
• 3. Baseline Current Capabilities
  • Run the current security extension (/security:analyze) against the collection of vulnerable diffs.
  • Document the detection rate (e.g., "Detected 1/10"). This is our baseline.
• 4. Enhance Detection Prompt (If Necessary)
  • Based on the results from step 3, update the GEMINI.md prompt.
  • Add "Prototype Pollution" as a new item, likely under the "Injection Vulnerabilities" category.
  • The new prompt instruction should guide the model to look for the specific patterns identified in step 1 (e.g., "Analyze for prototype pollution vulnerabilities, such as unsafe recursive object merges or direct modification of __proto__ or constructor.prototype from user-controlled input.").
• 5. Validate and Update Benchmark
  • Re-run the security extension (with the updated prompt) against the vulnerable diffs and confirm the detection rate has improved significantly.
  • Select the 3-5 clearest examples and add them to our official internal benchmark dataset to ensure we continue to catch this vulnerability class in the future.