@zpbrent (https://huntr.dev/users/zpbrent) has fixed a potential Arbitrary Code Execution vulnerability in your repository. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A
Version Affected | 5.1.0
Bug Fix | YES
Original Pull Request | https://github.com/418sec/telejson/pull/2

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @zpbrent, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

Metadata
The telejson.reviver(), which is used to parse string data back to a JSON structure, can be abused to execute arbitrary code when the lazyEval option is set to false (i.e., disabled). The root cause is that attackers can purposely inject a bracket at the end of the function property (invoking an IIFE), which may be stringified by telejson.replacer() or telejson.stringify(). Even worse, although the default value of the lazyEval option is true for telejson.parse(), telejson.reviver() has that value as false by default.

Bounty URL: https://www.huntr.dev/bounties/1-npm-telejson/

Description
Sanitize the brackets at the end of the function property for the input string to telejson.reviver(), since the normal use of telejson.replacer() and telejson.stringify() cannot make brackets at the end of the function property for the JSON objects.

Technical Description
// Strip any trailing run of the characters ( ) | \ space ] from the serialized function source
const sourceSanitized = source.replace(/[(\(\))|\\| |\]]*$/,'');

This fix has considered the bypass possibility such as multiple ( ) \ ] ` and spaces, in case they appear at the end. Any more?

Proof of Concept (PoC)
After running node PoC.js, the file HACKED can be illegally created.

Proof of Fix (PoF)
After running node PoC.js, the file HACKED cannot be created.

User Acceptance Testing (UAT)
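The sanitizer from the fix, exercised on constructed inputs as an added example; this is not telejson's code nor the discloser's PoC. It wraps the exact regular expression from the fix in a helper, adds a check that flags any serialized function string the sanitizer had to change (normal replacer/stringify output never ends with those characters, so a changed input is a signal worth logging), and walks an object tree to report which properties were affected. The function names, the "looks like a function" heuristic and the sample strings are assumptions made for this example.

```javascript
// Added example (not telejson's or the discloser's code): the trailing-bracket
// sanitizer from the fix, plus a detection check and a tree audit built on it.
// Helper names, the function-detection heuristic and all sample strings are
// constructed for this example.

// The exact regular expression from the fix: strip a trailing run of the
// characters ( ) | \ space ] from the end of the string.
const TRAILING_INVOCATION = /[(\(\))|\\| |\]]*$/;

function sanitizeFunctionSource(source) {
  return source.replace(TRAILING_INVOCATION, '');
}

// Normal replacer/stringify output never ends with those characters, so any
// input the sanitizer changes is worth logging rather than silently accepting.
function hasTrailingInvocation(source) {
  return sanitizeFunctionSource(source) !== source;
}

// Heuristic (an assumption of this example, not telejson's logic): treat a
// string as a serialized function if it starts with "function" or is an arrow.
function looksLikeFunction(value) {
  return /^(async\s+)?function\b/.test(value) || /=>/.test(value);
}

// Walk a parsed object tree and return the paths whose function-like strings
// needed sanitizing, together with the sanitized source for each.
function auditFunctionProperties(obj, path = []) {
  const findings = [];
  for (const [key, value] of Object.entries(obj)) {
    const here = [...path, key];
    if (typeof value === 'string') {
      if (looksLikeFunction(value) && hasTrailingInvocation(value)) {
        findings.push({ path: here.join('.'), sanitized: sanitizeFunctionSource(value) });
      }
    } else if (value && typeof value === 'object') {
      findings.push(...auditFunctionProperties(value, here));
    }
  }
  return findings;
}

// Constructed sample inputs.
const SAMPLES = {
  clean: 'function add(a, b) { return a + b; }',
  // the case the disclosure describes: an invocation appended to the source
  tampered: 'function add(a, b) { return a + b; }()',
  // several trailing characters from the class, as the fix anticipates
  tamperedPadded: 'function add(a, b) { return a + b; }() ) ] \\ ',
  // an arrow function whose body ends in a call: the class also strips its
  // legitimate final ")", so consumers of the sanitized source must tolerate that
  arrowCall: '(x) => f(x)',
};

// Audit a constructed payload; returns the findings for the two affected paths.
function demo() {
  const payload = {
    name: 'widget',
    onClick: SAMPLES.tampered,
    nested: { handler: SAMPLES.clean, render: SAMPLES.arrowCall },
  };
  return auditFunctionProperties(payload);
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints two findings: `onClick`, whose trailing `()` was removed, and `nested.render`, where the sanitizer also removed the closing parenthesis of a legitimate arrow body. The second finding is the practical caveat of a character-class strip: it cannot tell an appended invocation from a call that legitimately ends the function body, so a consumer should still validate the sanitized source rather than assume it is intact.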