Patched Fix vulnerable to arbitrary code execution when compiling specifically crafted malicious code #1433
Summary Description:

The project join.tts.gsa.gov is vulnerable to Incomplete List of Disallowed Inputs when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods.

The Exploit (Proof of Concept)
Before delving into the details, let's take a look at the proof of concept I came up with:

Exploit Breakdown

To understand why this vulnerability works, we need to understand the source code of the culprit function, `evaluate`. The source code of `babel-traverse/src/path/evaluation.ts` prior to the fix is archived here.

When `evaluate` is called on a NodePath, it goes through the `evaluatedCached` wrapper before reaching the `_evaluate` function, which does all the heavy lifting. The `_evaluate` function is where the vulnerability lies. This function is responsible for recursively breaking down AST nodes until it reaches an atomic operation that can be evaluated confidently. The majority of the base cases are evaluated for atomic operations only (such as binary expressions between two literals). However, there are a few exceptions to this rule.
The two pieces of the source code we care about are the handling of call expressions and object expressions, as shown below.

Vulnerable Source Code

The first thing to understand is that while call expressions can indeed be evaluated, they are subject to a whitelist check relying on the `VALID_OBJECT_CALLEES` or `VALID_IDENTIFIER_CALLEES` arrays. The most interesting one is the second case:
The only blacklisted method is `random`, which is a method of the `Math` object. This means that any other method of either the whitelisted `Number`, `String`, or `Math` objects can be directly referenced. In JavaScript, all classes are functions. Since `Number` and `String` are global JavaScript classes, their `constructor` property points to the `Function` constructor. Therefore, the two expressions below are equivalent:
Impact
CWE-184
CWE-697
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fixes issue(s) # .
😎 PREVIEW
Changes proposed in this pull request:

Fix or Patched vulnerable code executions

/cc @relevant-people @imhunterand @18F