prototype-pollution
Install: claude install-skill Liaabnormal676/find-cve-agent
# Prototype Pollution Detection
## When to Use
Audit merge/clone/deep-assign utilities, query string parsers, JSON parsers, config mergers, and any package that recursively sets object properties from untrusted input.
**Key insight**: Reports in this class have only a ~50% acceptance rate. You must demonstrate real impact beyond merely polluting the prototype.
## Process
### Step 1: Find Object Manipulation Sinks
```sh
grep -rn "Object\.assign\|Object\.defineProperty\|Object\.create" .
grep -rn "merge\|extend\|deepMerge\|deepExtend\|deepAssign\|mixin" .
grep -rn "clone\|deepClone\|cloneDeep\|deepCopy" .
grep -rn "set\|setPath\|setValue\|lodash\.set\|_.set" .
grep -rn "\[.*\]\s*=" . --include="*.js" # Bracket notation assignment
```
### Step 2: Check for Recursive Property Setting
Look for patterns where object keys from user input are used as property paths:
```js
// VULNERABLE: recursive merge without key filtering.
// for...in also yields an own key named "__proto__" (which JSON.parse happily
// creates), and target["__proto__"] resolves to the target's prototype, so the
// recursive call writes source's nested keys straight onto that prototype.
function merge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object') {
      target[key] = merge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target; // needed so the recursive assignment above receives the merged object
}
```
### Step 3: Check Key Filtering
```sh
grep -rn "__proto__\|constructor\|prototype" . | grep -i "filter\|block\|skip\|ignore\|reject"
grep -rn "Object\.create(null)" . # Null prototype objects are safe
grep -rn "hasOwnProperty\|Object\.keys\|Object\.entries" .
```
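As an added example (not part of this skill or any audited package), the Step 2 merge pattern sits next to a hardened merge that applies the Step 3 checks, driven by a constructed, harmless probe input so you can see on a fresh object which version leaks into the prototype:

```javascript
// Constructed input: a harmless probe object, not taken from any real package.
const UNTRUSTED_JSON = '{"user":{"name":"alice"},"__proto__":{"polluted":true}}';

// VULNERABLE (Step 2 pattern): for...in yields the own key "__proto__" that
// JSON.parse creates, and target["__proto__"] resolves to Object.prototype.
function vulnerableMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      target[key] = vulnerableMerge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED (Step 3 checks): own keys only, deny the three dangerous names, and
// only recurse into plain objects so an inherited target value is never reused.
const DENY = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' &&
  [Object.prototype, null].includes(Object.getPrototypeOf(v));

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DENY.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const existing = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge the probe into a fresh target and report whether an unrelated object
// inherited "polluted"; the finally block restores Object.prototype afterwards.
function probe(mergeFn) {
  const target = {};
  try {
    mergeFn(target, JSON.parse(UNTRUSTED_JSON));
    return { name: target.user.name, polluted: ({}).polluted === true };
  } finally {
    delete Object.prototype.polluted;
  }
}
```

Running `probe(vulnerableMerge)` reports `polluted: true` while `probe(safeMerge)` reports `polluted: false`, with the legitimate `user.name` key merged correctly in both cases.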
### Step 4: Assess Impact
Prototype pollution alone is often not enough. Look for impact:
- **DoS**: Pollute