Patch 2

[ndelangen]

📊 Metadata *

The telejson.reviver() which is used to parse string data back to json structure can be abused to execute arbitrary code when the lazyEval option is set to false (i.e., disabled). The root cause is the attackers can purposely inject a bracket at the end of the function property (invoking IIFE), that may be stringified by telejson.replacer() or telejson.stringify(). Even worse, despite the default value of lazyEval option is set to true for telejson.parse(), the telejson.reviver() have that vaule as false by default.

Bounty URL: https://www.huntr.dev/bounties/1-npm-telejson/

⚙️ Description *

Sanitize the brackets at the end of the function property for the input string to telejson.reviver(), since the normal use of telejson.replacer() and telejson.stringify() cannot make brackets at the end of the function property for the json objects.

💻 Technical Description *

const sourceSanitized = source.replace(/[(\(\))|\\| |\]]*$/,''); This fix has considered the bypass possibility such as multiple ( ) \ ] ` and spaces, in case they apper at the end. Any more?

🐛 Proof of Concept (PoC) *

// PoC.js
telejson=require('telejson');
str = '{"fn":"_function_fn|function () {require(\'child_process\').exec(\'touch HACKED\');}()"}';
JSON.parse(str, telejson.reviver({}), 2);

After running node PoC.js, the file HACKED can be illegally created.

🔥 Proof of Fix (PoF) *

// PoF.js
telejson=require('telejson');
str = '{"fn":"_function_fn|function () {require(\'child_process\').exec(\'touch HACKED\');}()"}';
JSON.parse(str, telejson.reviver({}), 2);

After running node PoC.js, the file HACKED cannot be created.

👍 User Acceptance Testing (UAT)