Risk of remote code execution for untrusted schemas

[koorchik]

Code

import FastestValidator from 'fastest-validator';
const v = new FastestValidator();

const check = v.compile({
  id: { type: 'number', max: 'console.log("ALERT")' }
});

check({id:123});

will print 'ALERT'.

Ajv validator has similar architecture but is secure for such types of attacks.

It is possible to guard against such type of attack with quoting of parameters which can be done in compile-time "Ajv Safe code generation" - https://ajv.js.org/codegen.html#safe-code-generation

[icebob]

The validation schema is not a user input data, so it's not a real issue and we also don't recommend to do it

[koorchik]

Yes, but the risk of remote code execution for untrusted does exist as it was with ajv before (now it is fixed)

Moreover, according to this library docs: "This is as safe as writing code normally and having it compiled by V8 in the usual way.". But it is half true. For example, with Joi validator, you write code but it is safer.

Joi example with code (code is safe):

function prepareValidator(maxId) {
  return Joi.object({
    id: Joi.number().max(maxId),
  });
}

Code is potentially vulnerable with maxId coming from database, for example

function prepareValidator(maxId) {
  return fastestValidator.compile({ 
    id: {type: 'number', max: maxId} 
  });
}

So, compared to code you expect that data is data (string is string, number is number), and code is code. But here is string data can be a code.

[intech]

@icebob I think this is a real security problem. Possible attack by merging two vectors: Prototype pollution (very popular in many packages) + eval injection (this issue).

@koorchik Thx for this report!

[FerX]

without losing performance we could insert a sanitization during compilation