
🛡️ Sentinel: [HIGH] Fix Path Traversal and Prototype Pollution vulnerabilities #5

Open

harrydbarnes wants to merge 1 commit into tonypest0:main from harrydbarnes:sentinel-fix-path-traversal-and-proto-pollution-4841963968894924581

Conversation

@harrydbarnes

🚨 Severity: HIGH
💡 Vulnerability:

  1. The static file server did not decode URI components before validating path traversal, allowing directory escape via encoded payloads (e.g., %2e%2e).
  2. The JSON persistence mechanism merged config using the spread operator without sanitization, leaving a defensive gap for Prototype Pollution.

🎯 Impact:

  1. Path Traversal: Attackers could read arbitrary files on the host filesystem (like /etc/passwd).
  2. Prototype Pollution: While object spread has mitigation, it is unsafe to merge unsanitized parsed JSON structures.

🔧 Fix:

  1. Applied decodeURIComponent and path.resolve bound checks to the serveStatic router in server.js.
  2. Converted the spread merge to a manual loop that ignores __proto__, constructor, and prototype in server.js and vite.config.js.

✅ Verification:

  • Server accurately restricts /%2e%2e/%2e%2e/etc/passwd to a 403 Forbidden.
  • The React App serves normally.
  • Prototype pollution JSON payloads ignore __proto__ entirely on persistence.

Commit: 🛡️ Sentinel: [HIGH] Fix Path Traversal and Prototype Pollution vulnerabilities

- Resolved a Path Traversal issue in `server.js` static file server. The endpoint could be bypassed by using URL encoded paths (`%2e%2e`). The path is now properly decoded and resolved against `DIST_DIR`.
- Resolved a Prototype Pollution issue in the `/sonos-store` endpoint in `server.js` and `vite.config.js`. Incoming JSON updates were merged via object spread `{ ...existing, ...updates }`. It now explicitly filters `__proto__`, `constructor`, and `prototype` keys from untrusted configurations.