feat: 🎸 check for client side prototype pollution on pages

The user is able to feed the tool with multiple pages to check for
client-side prototype pollution

app.config.js

@@ -2,6 +2,6 @@ export default {
     cdnjs: {
         api: {
             url: 'https://api.cdnjs.com',
-        }
-    }
+        },
+    },
 };

index.js

@@ -8,7 +8,7 @@ import check from './services/check.service.js';
 const rl = readline.createInterface({
     input: process.stdin,
     output: process.stdout,
-    terminal: false
+    terminal: false,
 });
 
 const program = new Command();
@@ -38,7 +38,7 @@ Happy hunting!
 program
     .name('ppfang')
     .usage('[command] [option]')
-    .description('A tool which helps identifying client-side prototype polluting libraries')
+    .description('A tool which helps identifying client-side prototype polluting libraries');
 
 program
     .command('cdnjs')
@@ -49,7 +49,8 @@ program
         process.exit(0);
     });
 
-program.command('pipe')
+program
+    .command('pipe')
     .description('Checks a list of urls provided through stdin for client-side prototype polluting functions')
     .action(async (options) => {
         const concurrency = Number.parseInt(options.concurrency);

sandbox/js/check.payload.js

@@ -0,0 +1,25 @@
+const types = [Object, String, Number, Array, Function, Boolean];
+
+const prototypesPropertiesReducer = (acc, type) => ({
+    ...acc,
+    [type.name]: Object.getOwnPropertyNames(type.prototype),
+});
+
+const prototypePropertyNames = types.reduce(prototypesPropertiesReducer, {});
+
+const probe = () =>
+    Object.keys(prototypePropertyNames).reduce((acc, key) => {
+        for (let propKey of prototypePropertyNames[key]) {
+            const payload = `${key}.prototype.${propKey}`;
+            try {
+                if (typeof eval(payload) === 'function' && eval(payload).call() === window) {
+                    acc.push(payload);
+                }
+            } catch (e) {
+                // Nothing to catch now.
+            }
+        }
+        return acc;
+    }, []);
+
+probe();

services/check.service.js

@@ -0,0 +1,32 @@
+import { load, log } from '../utils/file.utils.js';
+import puppeteer from 'puppeteer';
+import { PromisePool } from '@supercharge/promise-pool';
+
+const browser = await puppeteer.launch({ headless: true });
+
+const payload = load('../sandbox/js/check.payload.js');
+
+const probe = async (pageUrl) => {
+    const page = await browser.newPage();
+
+    await page.goto(pageUrl, { waitUntil: 'networkidle0' });
+
+    const results = await page.evaluate(payload);
+
+    await page.close();
+
+    return { url: pageUrl, findings: results };
+};
+
+const probeAll = async (urls, concurrency = 10) => {
+    const { results } = await PromisePool.for(urls)
+        .withConcurrency(concurrency)
+        .onTaskFinished((url, pool) => console.log(`[${pool.processedPercentage().toFixed(2)}%] Processed ${url} ...`))
+        .process(probe);
+
+    log(results);
+    browser.close();
+    return results;
+};
+
+export default { probeAll };

utils/file.utils.js

@@ -11,4 +11,4 @@ export const load = (filePath) => fs.readFileSync(resolvedPath(filePath), { enco
 export const log = (results) => {
     const findings = results.filter((result) => result.findings.length);
     console.log(JSON.stringify(findings, null, 4));
-};
+};