New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added more checks #3428
base: master
Are you sure you want to change the base?
Added more checks #3428
Conversation
There is no change log for this pull request yet. |
if (debug && node.debug !== false && node.type !== 'Block') { | ||
if (typeof node.line !== 'number') { | ||
throw new Error( | ||
'node.line is not a valid number.' | ||
); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if (debug && node.debug !== false && node.type !== 'Block') { | |
if (typeof node.line !== 'number') { | |
throw new Error( | |
'node.line is not a valid number.' | |
); | |
} | |
if (debug && node.debug !== false && node.type !== 'Block' && typeof node.line === 'number') { |
isnt should better?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would, but that meant that it’s checking for all three instead of checking for the required two and failing silently. Throwing an error is better as it can alert the user that there may be a pollution.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmmm i understand
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
If templateName gets injected attackers can inject arbitrary code.
Example payload:
templateName="a(){}; function template (locals) {var pug_html = process.mainModule.require('fs').readFileSync('/etc/passwd').toString(), pug_mixins = {}, pug_interp;var pug_debug_filename, pug_debug_line;try {;//"
Checks are added to restrict template names to
0-9, a-z, A-Z, -, _
Special conditions are needed for this to happen and proper circumstances are needed for this vulnerability to be triggered.
Additionally, if node.line get affected due to prototype pollution code is also injectable
Example payload:
Object.prototype.block = {"type": "Text", "line": "console.log(process.mainModule.require('child_process').execSync('id').toString())"};
Reference: https://po6ix.github.io/AST-Injection/
A check is added to to ensure the line number is really a line.
#3414 is also worth a follow up, and maps could be used for options to prevent prototype pollution but changing all of those may break some things so I did not touch those.