From d2ded0292f543c06f4c9638ac0e995606d55a433 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Tue, 7 Jul 2026 05:21:45 -0700 Subject: [PATCH] fix(security): unsafe deserialization in kb-store.ts via json.par The `KbStore._load()` method reads a JSON file and parses it with `JSON.parse()` without any schema validation or sanitization. While this is a local file, if an attacker can modify the state.json file (e.g., via another compromised process or symlink attack), they could inject malicious data. More critically, the spread operator `{ ...DEFAULTS, ...JSON.parse(...) }` only does shallow merging, which could lead to prototype pollution if the JSON contains `__proto__` or `constructor` keys, potentially affecting downstream code that iterates over objects. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- desktop/src/main/kb-store.ts | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/desktop/src/main/kb-store.ts b/desktop/src/main/kb-store.ts index 17fe445e..2b388e1f 100644 --- a/desktop/src/main/kb-store.ts +++ b/desktop/src/main/kb-store.ts @@ -33,7 +33,17 @@ class KbStore { private _load(): StoreData { try { - return { ...DEFAULTS, ...JSON.parse(fs.readFileSync(this.file, "utf8")) }; + const raw = JSON.parse(fs.readFileSync(this.file, "utf8")); + if (raw == null || typeof raw !== "object" || Array.isArray(raw)) { + return JSON.parse(JSON.stringify(DEFAULTS)); + } + const safe: Record = {}; + for (const key of Object.keys(raw)) { + if (key !== "__proto__" && key !== "constructor") { + safe[key] = raw[key]; + } + } + return { ...DEFAULTS, ...safe }; } catch { return JSON.parse(JSON.stringify(DEFAULTS)); }