deserialize() can be abused to achieve arbitrary code injection with an IIFE #1
Comments
Thanks for raising. A patch is on its way. Would be nice if you could do some review on the changes.
Happy to help. I will take a look on the fix and keep you updated.
This doesn't really have anything to do with an IIFE. Simply the fact that the Function constructor works like an eval.

    str = 'console.log(`exploited`)';
    var res = deserialize(str);

The line in deserialize will invoke it for you...

    return (new Function('"use strict"; return ' + str))()
    }
The tokenizer will allow for things like:

    '{str: global["eval"]("console.log(/exploited/)")}'

constructors of function to get Function class refs:

    '{str: unescape.constructor()("console.log(/exploited/)")()()}'

I think esprima is the right move, but I would consider using it for parsing then building rules on top of that instead of the tokenizer.
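Added example, not code from this issue, the serialize-to-js project or any of the commenters: the defensive shape the comment above argues for, a deserializer that parses instead of evaluating. Where the thread suggests esprima plus rules on the AST, this stand-alone version uses a small hand-written recursive-descent parser for a restricted literal grammar (objects, arrays, strings, numbers, true/false/null/undefined) and refuses every other token, so identifiers such as `global` or `unescape`, member access and call expressions never reach any evaluator. The names `safeDeserialize`, `SafeDeserializeError`, `unsafeDeserialize`, `executesInput` and the `globalThis.__deserializeProbe` marker are assumptions of this example; `unsafeDeserialize` reproduces the `new Function` line quoted in the thread only to show the contrast, and the thread's payload strings appear only as inputs the safe parser must reject.

```javascript
// Added example (not the project's code): parse serialized data, never evaluate it.
class SafeDeserializeError extends Error {}

// Bare words accepted as values; any other bare word (global, unescape, ...) is rejected.
const KEYWORDS = { true: true, false: false, null: null, undefined: undefined };

function safeDeserialize(src) {
  let i = 0;
  const fail = (msg) => { throw new SafeDeserializeError(`${msg} at offset ${i}`); };
  const ws = () => { while (i < src.length && ' \t\r\n'.includes(src[i])) i++; };
  const expect = (ch) => { ws(); if (src[i] !== ch) fail(`expected '${ch}'`); i++; };
  const isIdent = (c) => c !== undefined && /[A-Za-z0-9_$]/.test(c);

  function word() {                       // bare identifier: object key or keyword
    const start = i;
    while (isIdent(src[i])) i++;
    if (start === i) fail('expected identifier');
    return src.slice(start, i);
  }

  function string(q) {                    // quoted string with a small escape set
    i++;                                  // opening quote
    let out = '';
    const simple = { n: '\n', t: '\t', r: '\r', '\\': '\\', "'": "'", '"': '"' };
    while (i < src.length && src[i] !== q) {
      if (src[i] === '\\') {
        const esc = src[++i];
        if (Object.prototype.hasOwnProperty.call(simple, esc)) { out += simple[esc]; i++; }
        else if (esc === 'u' && /^[0-9a-fA-F]{4}$/.test(src.slice(i + 1, i + 5))) {
          out += String.fromCharCode(parseInt(src.slice(i + 1, i + 5), 16)); i += 5;
        } else fail('unsupported escape');
      } else out += src[i++];
    }
    if (src[i] !== q) fail('unterminated string');
    i++;                                  // closing quote
    return out;
  }

  function number() {                     // JSON-style numeric literal
    const re = /-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?/y;
    re.lastIndex = i;
    const m = re.exec(src);
    if (!m) fail('malformed number');
    i = re.lastIndex;
    return Number(m[0]);
  }

  function array() {
    i++;                                  // '['
    const out = [];
    ws();
    if (src[i] === ']') { i++; return out; }
    for (;;) {
      out.push(value());
      ws();
      if (src[i] === ',') { i++; continue; }
      expect(']');
      return out;
    }
  }

  function object() {
    i++;                                  // '{'
    const out = {};
    ws();
    if (src[i] === '}') { i++; return out; }
    for (;;) {
      ws();
      const c = src[i];
      const key = (c === '"' || c === "'") ? string(c) : word();
      if (key === '__proto__') fail('forbidden key');   // data only, no prototype tampering
      expect(':');
      out[key] = value();
      ws();
      if (src[i] === ',') { i++; continue; }
      expect('}');
      return out;
    }
  }

  function value() {
    ws();
    const c = src[i];
    if (c === '{') return object();
    if (c === '[') return array();
    if (c === '"' || c === "'") return string(c);
    if (c === '-' || (c >= '0' && c <= '9')) return number();
    if (isIdent(c)) {
      const w = word();
      if (Object.prototype.hasOwnProperty.call(KEYWORDS, w)) return KEYWORDS[w];
      i -= w.length;
      fail(`identifier '${w}' is not allowed`);   // global, unescape, console, ...
    }
    fail(`unsupported token '${c === undefined ? 'end of input' : c}'`);  // '(', '.', '`', ...
  }

  const result = value();
  ws();
  if (i !== src.length) fail('trailing input');
  return result;
}

// The evaluator quoted in the thread: `new Function` is an eval, so any expression
// in the input runs with the caller's privileges.
function unsafeDeserialize(str) {
  return (new Function('"use strict"; return ' + str))();
}

// Constructed probe (assumed marker name): the input tries to set a flag on the global
// object. Returns true if the deserializer executed the input rather than parsing it.
function executesInput(deserialize) {
  globalThis.__deserializeProbe = 0;
  try { deserialize('{a: (globalThis.__deserializeProbe = 1)}'); } catch (e) { /* rejected */ }
  return globalThis.__deserializeProbe === 1;
}
```

Usage: `safeDeserialize("{str: 'a\\'b', n: [1, 2.5, -3e2], ok: true}")` returns the plain object, while the two payloads from the comment above and the `console.log` string from the earlier comment all throw `SafeDeserializeError` at the first disallowed identifier; `executesInput(unsafeDeserialize)` is `true` and `executesInput(safeDeserialize)` is `false`. Rejecting at the grammar level is the property a tokenizer-based filter cannot give, because a tokenizer only sees tokens, not whether they form a call or a member access.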
Hi @matt-, thanks for your comments so far. You are right with the fact that this has nothing to do with IIFE, it's just that
@commenthol Your safer-eval project has many similarities with Caja. Among other things, some people involved in Caja have been involved in evolving ECMAScript; their involvement led to the creation of strict mode, Object.freeze & friends, WeakMap and Proxies. edit: better link to the caja project: https://developers.google.com/caja/
@DavidBruant Thanks for the notice. Caja is indeed an interesting project, I did not know so far. Unfortunately there is no chance to run the compiler in a browser.
Yeah... they're a bit behind in communication. Caja started as a compiler that transformed JS code into a safer version. Since then, they shared their findings and influenced ECMAScript. I probably should have shared ses directly, sorry. This is a bit off-topic, but I'm happy to continue this discussion elsewhere (safer-eval repo?)
v1.1.0 now uses safer-eval for deserialization.
I don't know if this is a functionality as you are using new Function() internally, but the module should not execute code on deserialization.