Closed Zombiehelp54 closed 1 year ago
escodegen is not assuming an invalid AST. It is not checking whether the input is right or wrong. So, out of scope.
Agreed with @Constellation. Additionally, there is no risk to escodegen users here since the generated program is not evaluated in any way.
This issue was found during the Black Hat Middle East CTF. The bug lies in the expression parser for statement expressions of type "Identifier".
Here is an example ECMAScript AST object that will break out of a "CatchClause" statement:
Output:
Expected output should return a parsing error. If an application is vulnerable to prototype pollution, this bug can lead to RCE.
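
Since the maintainers consider AST validation out of scope, a caller that builds ASTs from untrusted data can check Identifier names itself before generating code. The following is an added example, not part of the original report or of escodegen; `findInvalidIdentifiers` and `tryCatchAst` are hypothetical names and the sample ASTs are constructed.

```javascript
// Added example, not escodegen code. findInvalidIdentifiers and tryCatchAst
// are hypothetical helper names; the sample ASTs are constructed.
// IdentifierName per ECMAScript: ID_Start / $ / _ then ID_Continue / $ / ZWNJ / ZWJ.
const IDENTIFIER_NAME = /^[$_\p{ID_Start}][$\u200c\u200d\p{ID_Continue}]*$/u;
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Walk an ESTree-style AST and report every Identifier node whose name is not
// a syntactically valid identifier. Only own properties are read, so values
// inherited from a polluted prototype are never treated as node fields.
function findInvalidIdentifiers(ast) {
  const problems = [];
  const seen = new Set();               // guards against cyclic ASTs
  const stack = [{ node: ast, path: 'root' }];
  while (stack.length > 0) {
    const { node, path } = stack.pop();
    if (node === null || typeof node !== 'object' || seen.has(node)) continue;
    seen.add(node);
    if (hasOwn(node, 'type') && node.type === 'Identifier') {
      const name = hasOwn(node, 'name') ? node.name : undefined;
      if (typeof name !== 'string' || !IDENTIFIER_NAME.test(name)) {
        problems.push({ path, name });
      }
    }
    for (const key of Object.keys(node)) {
      stack.push({ node: node[key], path: `${path}.${key}` });
    }
  }
  return problems;
}

// Constructed sample: try {} catch (<paramName>) {}
function tryCatchAst(paramName) {
  return {
    type: 'Program',
    body: [{
      type: 'TryStatement',
      block: { type: 'BlockStatement', body: [] },
      handler: {
        type: 'CatchClause',
        param: { type: 'Identifier', name: paramName },
        body: { type: 'BlockStatement', body: [] }
      },
      finalizer: null
    }]
  };
}

console.log(findInvalidIdentifiers(tryCatchAst('e')));
console.log(findInvalidIdentifiers(tryCatchAst('e extra')));
```

The check covers identifier syntax only; it does not reject reserved words or validate any other node type, so it should be treated as one gate in front of code generation rather than full AST validation.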