TaffyDB security vulnerability

WebSteve · January 18, 2023, 8:50pm

I read of a security vulnerability with TaffyDB: https://snyk.io/vuln/search?q=taffy&type=npm

Quote:

taffydb is an open source JavaScript library that provides in-memory database capabilities

Affected versions of this package are vulnerable to Internal Property Tampering. taffy sets an internal index for each data item in its DB. However, it is found that the internal index can be forged by adding additional properties into user-input. If an index is found in the query, taffyDB will ignore other query conditions and directly return the indexed data item. Moreover, the internal index is in an easily-guessable format (e.g. T000002R000001). As such, attackers can use this vulnerability to access any data items in the DB.

What does this mean? The TaffyDB page I use simply displays a list of products that are also listed on our website. There is nothing secret on the page. Would my use case be hurt by this vulnerability? If so, what would be an alternative?

James_Hibbard · January 19, 2023, 7:34am

Snyc actually includes some code to replicate the vulnerability on its website (section titled “PoC”):

If we alter this slightly, it might make the issue clearer:

const products = TAFFY([
  {
    name: 'TV',
    price: 1000,
    inStock: true,
  },
  {
    name: 'stereo',
    price: 2000,
    inStock: true,
  },
]);

console.log(products({ name: 'TV' }).first());

const json = {
  randomKey: 'nonsense',
  ___id: 'T000002R000003',
  ___s: true,
};

console.log(products(json).first());

The first query is a regular query and, as expected, returns the first product with a name of “TV”.

The second query shouldn’t return anything, as there is no randomKey key. However by appending the easy-to-guess internal ___id and ____s properties to the query, it actually returns the second record.

As Snyk say:

If an index is found in the query, taffyDB will ignore other query conditions and directly return the indexed data item.

So is this a problem?

I would say that in your case it’s not a problem. If you are fetching a list of products from a public endpoint and using Taffy to query and manage those products in the browser, then I don’t see how this vulnerability would impact that.

But, saying that I’m not a security professional.

If anyone else can think of a scenario or reason where this would be problematic, I’d be very interested to hear it.

Edit: I just clicked through to the Taffy GitHub page (probably should have done that sooner) and see:

TaffyDB is an open source JavaScript library that provides powerful in-memory database capabilities to both browser and server applications.

Of course, if Taffy is running on the server and I can send a crafted query to return records that I shouldn’t have access to, then the problem is considerably more serious.

rpg_digital · January 19, 2023, 8:12am

I had a play with TaffyDB for you a while ago.

I never dug deep into TaffyDB, but it seems to me that it’s reasonably straight forward to replace common TaffyDb tasks with vanillaJS.

For instance Taffy’s collection in the above example.

const friends = TAFFY([
	{"id":1,"gender":"M","first":"John","last":"Smith","city":"Seattle, WA"},
	{"id":2,"gender":"F","first":"Kelly","last":"Ruth","city":"Dallas, TX"},
	{"id":3,"gender":"M","first":"Jeff","last":"Stevenson","city":"Washington, D.C."},
	{"id":4,"gender":"F","first":"Jennifer","last":"Gill","city":"Seattle, WA"}	
]);

can be replaced with just an array

const friends = [
    {"id":1,"gender":"M","first":"John","last":"Smith","city":"Seattle, WA"},
    ...
];

The taffy query

const femaleFriends = createTable(friends({gender: 'F'}))
document.querySelector('#friends').innerHTML = femaleFriends

can be replaced with Array.filter

const femaleFriends = friends.filter(({gender}) => gender === 'F')
document.querySelector('#friends').innerHTML = createTable(femaleFriends)

As far as I gather TaffyDB is no longer maintained, last update appears to be Jan 21. If you are considering another option Vanilla JS has plenty of tools for you or alternatively you could look at a functional library like ramdaJS

WebSteve · January 19, 2023, 4:25pm

The records are not secret, so your information helps me.

TaffyDB is running only on the page that is accessed, not on the server. It has no direct access to any DB on the server, which has been hardened.

WebSteve · January 19, 2023, 4:26pm

This is good information. I’ll see how I can port the current DB to this format.

usamaererer · January 21, 2023, 6:02pm

The security vulnerability described in the article you referenced relates to the way that TaffyDB handles internal indexes for data items in its in-memory database. The vulnerability allows an attacker to forge an internal index for a data item in the database, and then use that forged index to retrieve any data item from the database, regardless of any other query conditions.

In your case, if your TaffyDB page simply displays a list of products that are also listed on your website, and there is no sensitive information on the page, then the vulnerability is unlikely to be a concern for your use case. The main risk of this vulnerability is that an attacker could use it to gain unauthorized access to sensitive data stored in the TaffyDB database.

However, if you are concerned about this vulnerability or would like to use an alternative, there are several other in-memory databases libraries you can use, such as JSON-DB, LokiJS, NeDB, etc.
You may also consider using a different type of database altogether, such as a NoSQL or SQL database, depending on your specific needs.

It’s always a good idea to check the security vulnerabilities of any library you are going to use and to keep your libraries updated.

system · April 23, 2023, 1:02am

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.