[🐸 Frogbot] Update version of protobufjs to 6.11.4 #2

Open
github-actions[bot] wants to merge 1 commit into main from frogbot-protobufjs-6fcbb688e288a6995902f2ff653a1545

@github-actions github-actions bot commented Nov 1, 2024

🚨 This automated pull request was created by Frogbot and fixes the below:

📦 Vulnerable Dependencies

✍️ Summary

| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |
| --- | --- | --- | --- | --- | --- |
| Critical | Not Applicable | protobufjs:6.11.2 | protobufjs 6.11.2 | [6.11.4] [7.2.5] | CVE-2023-36665 |

🔬 Research Details

Description:
Protocol Buffers or "protobufs" are a language-neutral, platform-neutral, extensible way of serializing structured data. protobuf.js is a JavaScript library that allows creating and consuming protobufs.
An incomplete fix for CVE-2022-25878 has been reported as CVE-2023-36665.

Multiple prototype pollution vulnerabilities were detected in the protobuf.js library. Namely these can occur when:

  1. util.setProperty receives untrusted input in arguments 2 & 3:

         protobuf.util.setProperty({}, "constructor.prototype.verified", true);

  2. ReflectionObject.setParsedOption receives untrusted input in arguments 2 & 3:

         let obj = new protobuf.ReflectionObject("Test");
         obj.setParsedOption("unimportant!", attackerFunc, "constructor.prototype.testFn");

  3. parse receives untrusted input (an untrusted .proto definition):

         protobuf.parse('option(a).constructor.prototype.verified = true;');

  4. load receives an untrusted .proto file:

         protobuf.loadSync("poc.proto");

     An example malicious .proto file:

         option(foo).constructor.prototype.verified = true;

While most prototype pollution attacks lead to denial of service, it has been reported that code execution is possible when unsanitized user input is provided to the functions util.setProperty or ReflectionObject.setParsedOption.

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.
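
The first vector listed in the comment above (a dotted-path setter handed an untrusted path), shown as an added example that is not part of the Frogbot comment and is not protobuf.js source. `setPathUnsafe`, `setPathSafe`, `isPolluted` and `demo` are hypothetical names; the setters are simplified stand-ins used to contrast an unchecked path walk with one that rejects prototype-reaching segments.

```javascript
// Simplified stand-in for a dotted-path setter (hypothetical; NOT protobuf.js code).
function setPathUnsafe(dst, path, value) {
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    // Inherited properties are followed too, so "constructor.prototype"
    // walks from a plain object to the shared Object.prototype.
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Hardened form: refuses dangerous segments and descends only into own properties.
function setPathSafe(dst, path, value) {
  const parts = path.split(".");
  if (parts.some((p) => FORBIDDEN.has(p))) {
    throw new TypeError("refusing path segment in: " + path);
  }
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== "object") cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Detection helper: true if Object.prototype carries the given own key.
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Runs both setters on the path quoted in the comment and reports the outcome.
function demo() {
  const path = "constructor.prototype.verified";
  setPathUnsafe({}, path, true);
  const unsafePolluted = isPolluted("verified") && ({}).verified === true;
  delete Object.prototype.verified; // undo the pollution before the next check
  let rejected = false;
  try { setPathSafe({}, path, true); } catch (e) { rejected = e instanceof TypeError; }
  return { unsafePolluted, rejected, safePolluted: isPolluted("verified") };
}
```

`isPolluted` can also be used as a regression check in a test suite after parsing any untrusted definition.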

