The project netflix/consoleme is affected: it is vulnerable to Incomplete List of Unallowed Inputs when using plugins that rely on the internal Babel path.evaluate() or path.evaluateTruthy() methods.
Of course, the payload can be adapted to do anything, such as exfiltrate data or spawn a reverse shell. The source code of babel-traverse/src/path/evaluation.ts prior to the fix is archived here:
/**
 * Walk the input `node` and statically evaluate it.
 *
 * Returns an object in the form `{ confident, value, deopt }`. `confident`
 * indicates whether or not we had to drop out of evaluating the expression
 * because of hitting an unknown node that we couldn't confidently find the
 * value of, in which case `deopt` is the path of said node.
 *
 * Example:
 *
 *   t.evaluate(parse("5 + 5")) // { confident: true, value: 10 }
 *   t.evaluate(parse("!true")) // { confident: true, value: false }
 *   t.evaluate(parse("foo + foo")) // { confident: false, value: undefined, deopt: NodePath }
 *
 */
export function evaluate(this: NodePath): {
  confident: boolean;
  value: any;
  deopt?: NodePath;
} {
  const state: State = {
    confident: true,
    deoptPath: null,
    seen: new Map(),
  };
  let value = evaluateCached(this, state);
  if (!state.confident) value = undefined;
  return {
    confident: state.confident,
    deopt: state.deoptPath,
    value: value,
  };
}
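As an added illustration (not code from Babel or from this advisory), here is a minimal static evaluator that follows the `{ confident, value, deopt }` contract documented above but is written as an allow-list, so any node type it does not recognise deopts instead of being resolved or called. The plain-object node shapes and the names `walk`, `evaluateStatic` and `SAMPLES` are assumptions made for the example.

```javascript
// Added illustration, not Babel's implementation. Node shapes follow Babel's
// type names; every AST below is constructed by hand for the example.
const LITERALS = new Set(["NumericLiteral", "StringLiteral", "BooleanLiteral"]);
// Maps (not plain objects) so an operator string can never hit a prototype key.
const UNARY = new Map([["!", (a) => !a], ["-", (a) => -a]]);
const BINARY = new Map([
  ["+", (a, b) => a + b],
  ["-", (a, b) => a - b],
  ["*", (a, b) => a * b],
  ["===", (a, b) => a === b],
]);

function walk(node, state) {
  if (!state.confident) return undefined;
  if (LITERALS.has(node.type)) return node.value;
  if (node.type === "UnaryExpression" && UNARY.has(node.operator)) {
    const arg = walk(node.argument, state);
    return state.confident ? UNARY.get(node.operator)(arg) : undefined;
  }
  if (node.type === "BinaryExpression" && BINARY.has(node.operator)) {
    const left = walk(node.left, state);
    const right = walk(node.right, state);
    return state.confident ? BINARY.get(node.operator)(left, right) : undefined;
  }
  // Default deny: identifiers, member access, calls and every other node type
  // are never resolved or invoked; record the offending node and give up.
  state.confident = false;
  state.deopt = node;
  return undefined;
}

function evaluateStatic(node) {
  const state = { confident: true, deopt: null };
  const value = walk(node, state);
  return { confident: state.confident, value: state.confident ? value : undefined, deopt: state.deopt };
}

// Constructed sample inputs.
const num = (value) => ({ type: "NumericLiteral", value });
const foo = { type: "Identifier", name: "foo" };
const SAMPLES = {
  sum: { type: "BinaryExpression", operator: "+", left: num(5), right: num(5) },
  not: { type: "UnaryExpression", operator: "!", argument: { type: "BooleanLiteral", value: true } },
  unknown: { type: "BinaryExpression", operator: "+", left: foo, right: foo },
  call: { type: "CallExpression", callee: foo, arguments: [num(1)] },
};
for (const [name, ast] of Object.entries(SAMPLES)) {
  const { confident, value, deopt } = evaluateStatic(ast);
  console.log(name, confident, value, deopt ? deopt.type : null);
}
```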
CWE-184 CWE-697