Hi, we are a security team. We found a prototype pollution vulnerability in your project.
The issue affects source-map in SourceNode#setSourceContent.
The vulnerable behavior happens when the attacker-controlled source file name is used as a dynamic property key in sourceContents. If the source file name is __proto__, prototype pollution may occur.
Impact
An attacker may be able to change the prototype of the internal sourceContents object in the affected runtime.
Proof of concept
```javascript
const { SourceNode } = require('source-map');
const node = new SourceNode(null, null, null, null, null);
node.setSourceContent('__proto__', { polluted: true });
console.log(node.sourceContents.polluted); // true
```
Details
We confirmed the following case:
- sink: ./lib/source-node.js:304
The root cause is that untrusted source file names can flow into dynamic property writes without blocking special prototype-related keys.
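
The root cause described in the report, shown beside two common hardenings. This is an added example, not code from source-map or from the reporters; the class names and `probe` helper are hypothetical, and the inputs are constructed.

```javascript
'use strict';

// Hypothetical model of the reported pattern: a plain object used as a
// map whose keys are untrusted source file names.
class PlainObjectStore {
  constructor() { this.contents = {}; }
  set(name, content) { this.contents[name] = content; } // dynamic property write
  names() { return Object.keys(this.contents); }
}

// Hardening 1: null-prototype object. It does not inherit the __proto__
// accessor, so '__proto__' is stored as an ordinary own property.
class NullProtoStore {
  constructor() { this.contents = Object.create(null); }
  set(name, content) { this.contents[name] = content; }
  names() { return Object.keys(this.contents); }
}

// Hardening 2: Map. Keys never touch the property/prototype machinery.
class MapStore {
  constructor() { this.contents = new Map(); }
  set(name, content) { this.contents.set(name, content); }
  names() { return [...this.contents.keys()]; }
}

// Writes a constructed '__proto__' entry plus a normal one, then reports
// what happened to the container.
function probe(store) {
  const before = Object.getPrototypeOf(store.contents);
  store.set('__proto__', { polluted: true });
  store.set('a.js', 'var a;');
  return {
    protoChanged: Object.getPrototypeOf(store.contents) !== before,
    names: store.names(),                 // entries actually recorded
    globalPolluted: 'polluted' in {},     // did Object.prototype change?
  };
}

console.log('plain object:', probe(new PlainObjectStore()));
console.log('null prototype:', probe(new NullProtoStore()));
console.log('Map:', probe(new MapStore()));
```

With the plain object, the `__proto__` entry replaces the container's prototype and is missing from `names()`; both hardened stores record it as data.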