jashkenas / underscore

JavaScript's utility _ belt
https://underscorejs.org
MIT License

Security issue - underscore-min.js Lodash Script? #2911

Closed AlAyoub closed 3 years ago

AlAyoub commented 3 years ago

Hi,

My scanner is picking up a vulnerability from underscore. It appears the issue is that underscore is using a lodash script in underscore-min.js. Is that correct? Can anyone confirm?

There was a PR that fixed the issue in 4.17.21. https://github.com/lodash/lodash/pull/5085/files

jgonggrijp commented 3 years ago

Hi @AlAyoub, thanks for reaching out. Underscore does not depend on Lodash; to the contrary, Lodash is a fork of Underscore. You are probably dealing with a file named underscore-min.js that actually contains an old version of Lodash.

I'll close this ticket now, but please feel free to continue discussion if you feel the need.

jgonggrijp commented 3 years ago

@AlAyoub thanks for getting back here.

This appears to be a security vulnerability that Lodash inherited from Underscore, and for some reason the vulnerability was only reported to Lodash and not to Underscore. That's what you get with forks.

Anyway, it appears the issue does indeed also apply to Underscore. I'll fix this with high priority.

jgonggrijp commented 3 years ago

Hang on. _.template allows arbitrary code injection anyway, since that's how the template function is implemented. The first argument (the template itself) is supposed to contain JavaScript code. Validating the second argument is not going to prevent code injection, since whoever submits the second argument is also submitting the first argument (the template and the variable name have to be coordinated). I'll investigate further.

jgonggrijp commented 3 years ago

@AlAyoub I was able to confirm that the vulnerability does not, in fact, apply to Underscore. See #2912.

Underscore will pass the variable option to the Function constructor as an argument name. This ensures that the name is validated. Lodash doesn't do this, so they needed a fix.

Could you tell me the name of your scanner, preferably with a link to their website, so I can contact the maintainers about this false alarm?
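The comment above rests on one property of the Function constructor: whatever string is passed in the parameter position is parsed, so a name that is not syntactically valid never becomes a render function. The following is an added example, not Underscore's or Lodash's own code and not a reconstruction of either project's template implementation: a cut-down compiler that hands a caller-supplied `variable` name to the Function constructor the way the comment describes, so that a practitioner can see exactly what that parse validates and what it does not. The names `compileTemplate`, `isBareIdentifier`, `attempt` and `demo`, the `check` option and the `globalThis.templateProbe` flag are all invented for the illustration.

```javascript
// Added example (not Underscore's own code): a minimal "template compiler"
// that passes the caller-supplied variable name to the Function constructor
// as a parameter name, relying on the constructor to validate it.
// All names here are chosen for this illustration only.

// Strict check: exactly one identifier, nothing else (no commas, no `=`).
function isBareIdentifier(name) {
  return /^[A-Za-z_$][\w$]*$/.test(name);
}

// Compile `body` into a render function whose first parameter is named
// `variableName`. With check === 'identifier' the name must be a bare
// identifier before the constructor ever sees it; otherwise the constructor
// is the only validation, as in the approach described above.
function compileTemplate(variableName, body, check) {
  if (check === 'identifier' && !isBareIdentifier(variableName)) {
    throw new Error('variable must be a bare identifier: ' + JSON.stringify(variableName));
  }
  // The constructor parses its leading string arguments as a FormalParameters
  // list, so a name that cannot parse as parameters throws a SyntaxError.
  return new Function(variableName, '_', 'return ' + body);
}

// Run `fn` and report whether it threw (and which error class) or its result.
function attempt(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

function demo() {
  // 1. A normal variable name is accepted and the template renders.
  const good = attempt(() =>
    compileTemplate('data', 'data.name.toUpperCase()')({ name: 'alice' }));

  // 2. A statement smuggled into the name is a parse error: the constructor
  //    really does reject strings that are not a valid parameter list.
  const smuggled = attempt(() => compileTemplate('data; sideEffect()', 'data'));

  // 3. A parameter *list* is exactly what the constructor accepts, so default
  //    value syntax parses fine and its initializer runs on every call where
  //    that parameter is left undefined. The probe flag records that it ran.
  globalThis.templateProbe = false;
  const withDefault = attempt(() =>
    compileTemplate('data = (globalThis.templateProbe = true, {})', 'data')());
  const probeAfterDefault = globalThis.templateProbe;

  // 4. Requiring a bare identifier in front of the constructor rejects the
  //    same string before any code from it can run.
  globalThis.templateProbe = false;
  const strict = attempt(() =>
    compileTemplate('data = (globalThis.templateProbe = true, {})', 'data', 'identifier'));
  const probeAfterStrict = globalThis.templateProbe;

  return { good, smuggled, withDefault, probeAfterDefault, strict, probeAfterStrict };
}
```

The point for anyone wiring a scanner finding to a real decision: "validated by the Function constructor" means "must parse as a parameter list", which is a weaker guarantee than "must be one identifier". The regex check in step 4 is the kind of pre-check that turns the former into the latter; the constructor still runs afterwards, so reserved words such as `class`, which the regex accepts, are still rejected at parse time.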

jgonggrijp commented 3 years ago

@AlAyoub thank you for bringing this to our attention. Had it been a true alarm, we wouldn't have known about it without you (or at least not as soon).

AlAyoub commented 3 years ago

@jgonggrijp - confirmed that this is a false alarm. Thank you again for acting fast, I appreciate it!

jgonggrijp commented 3 years ago

Thanks for wrapping up, @AlAyoub !

jgonggrijp commented 3 years ago

@AlAyoub While the Lodash CVE doesn't apply to Underscore, it turns out that there was in fact a security leak in _.template. I just published versions 1.12.1 and 1.13.0-2, which fix it. See also #2915.