security(hooks): block prototype-chain traversal in webhook template getByPath (#22213)

* security(hooks): block prototype-chain traversal in webhook template getByPath The getByPath() function in hooks-mapping.ts traverses attacker-controlled webhook payload data using arbitrary property path expressions, but does not filter dangerous property names (__proto__, constructor, prototype). The config-paths module (config-paths.ts) already blocks these exact keys for config path traversal via a BLOCKED_KEYS set, but the hooks template system was not protected with the same guard. Add a BLOCKED_PATH_KEYS set mirroring config-paths.ts and reject traversal into __proto__, prototype, or constructor in getByPath(). Add three test cases covering all three blocked keys. Signed-off-by: Alan Ross <alan@sleuthco.ai> * test(gateway): narrow hook action type in prototype-pollution tests * changelog: credit hooks prototype-path guard in PR 22213 * changelog: move hooks prototype-path fix into security section --------- Signed-off-by: Alan Ross <alan@sleuthco.ai> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-05-08 10:51:23 +00:00 · 2026-02-21 03:01:03 -05:00
parent 0bee3f337a
commit fe609c0c77
3 changed files with 83 additions and 0 deletions
--- a/src/gateway/hooks-mapping.test.ts
+++ b/src/gateway/hooks-mapping.test.ts
@@ -372,4 +372,78 @@ describe("hooks mapping", () => {
    });
    expect(result?.ok).toBe(false);
  });
+
+  describe("prototype pollution protection", () => {
+    it("blocks __proto__ traversal in webhook payload", async () => {
+      const mappings = resolveHookMappings({
+        mappings: [
+          createGmailAgentMapping({
+            id: "proto-test",
+            messageTemplate: "value: {{__proto__}}",
+          }),
+        ],
+      });
+      const result = await applyHookMappings(mappings, {
+        payload: { __proto__: { polluted: true } } as Record<string, unknown>,
+        headers: {},
+        url: baseUrl,
+        path: "gmail",
+      });
+      expect(result?.ok).toBe(true);
+      if (result?.ok) {
+        const action = result.action;
+        if (action?.kind === "agent") {
+          expect(action.message).toBe("value: ");
+        }
+      }
+    });
+
+    it("blocks constructor traversal in webhook payload", async () => {
+      const mappings = resolveHookMappings({
+        mappings: [
+          createGmailAgentMapping({
+            id: "constructor-test",
+            messageTemplate: "type: {{constructor.name}}",
+          }),
+        ],
+      });
+      const result = await applyHookMappings(mappings, {
+        payload: { constructor: { name: "INJECTED" } } as Record<string, unknown>,
+        headers: {},
+        url: baseUrl,
+        path: "gmail",
+      });
+      expect(result?.ok).toBe(true);
+      if (result?.ok) {
+        const action = result.action;
+        if (action?.kind === "agent") {
+          expect(action.message).toBe("type: ");
+        }
+      }
+    });
+
+    it("blocks prototype traversal in webhook payload", async () => {
+      const mappings = resolveHookMappings({
+        mappings: [
+          createGmailAgentMapping({
+            id: "prototype-test",
+            messageTemplate: "val: {{prototype}}",
+          }),
+        ],
+      });
+      const result = await applyHookMappings(mappings, {
+        payload: { prototype: "leaked" } as Record<string, unknown>,
+        headers: {},
+        url: baseUrl,
+        path: "gmail",
+      });
+      expect(result?.ok).toBe(true);
+      if (result?.ok) {
+        const action = result.action;
+        if (action?.kind === "agent") {
+          expect(action.message).toBe("val: ");
+        }
+      }
+    });
+  });
 });