core: update vm2 to fix security issue

jsreport · Apr 20, 2023 · 846a394 · 846a394
1 parent a16daf6
commit 846a394
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 6 deletions.
diff --git a/packages/jsreport-core/package.json b/packages/jsreport-core/package.json
@@ -71,7 +71,7 @@
     "triple-beam": "1.3.0",
     "unset-value": "1.0.0",
     "uuid": "8.3.2",
-    "vm2": "3.9.11",
+    "vm2": "3.9.17",
     "winston": "3.8.1",
     "winston-transport": "4.5.0",
     "yieldable-json": "2.0.1"
@@ -91,4 +91,4 @@
       "mocha": true
     }
   }
-}
+}
diff --git a/packages/jsreport-core/test/render/runInSandboxTest.js b/packages/jsreport-core/test/render/runInSandboxTest.js
@@ -630,6 +630,37 @@ describe('sandbox', () => {
           }
         }).should.be.rejectedWith(/process is not defined/)
       })
+
+      it('should prevent constructor hacks #3', async () => {
+        reporter.tests.afterRenderEval(async (req, res, { reporter }) => {
+          const r = await reporter.runInSandbox({
+            context: {},
+            userCode: `
+              function getRandom() {
+                Error.prepareStackTrace = (e, frames) => {
+                  frames.constructor.constructor('return process')().mainModule.require('child_process').execSync('testing');
+                };
+                (async() => {}).constructor('return process')()
+                return Math.random()
+              }
+
+              getRandom()
+            `,
+            executionFn: ({ context }) => {
+              return JSON.stringify(context)
+            }
+          }, req)
+          res.content = Buffer.from(r)
+        })
+
+        return reporter.render({
+          template: {
+            engine: 'none',
+            content: ' ',
+            recipe: 'html'
+          }
+        }).should.be.rejectedWith(/called on incompatible receiver/)
+      })
     }
 
     it('should allow top level await in sandbox eval', async () => {

diff --git a/yarn.lock b/yarn.lock
@@ -19096,10 +19096,10 @@ vm-browserify@^1.0.1:
   resolved "https://registry.npmjs.org/vm-browserify/-/vm-browserify-1.1.2.tgz"
   integrity sha512-2ham8XPWTONajOR0ohOKOHXkm3+gaBmGut3SRuu75xLd/RRaY6vqgh8NBYYk7+RW3u5AtzPQZG8F10LHkl0lAQ==
 
-vm2@3.9.11:
-  version "3.9.11"
-  resolved "https://registry.npmjs.org/vm2/-/vm2-3.9.11.tgz"
-  integrity sha512-PFG8iJRSjvvBdisowQ7iVF580DXb1uCIiGaXgm7tynMR1uTBlv7UJlB1zdv5KJ+Tmq1f0Upnj3fayoEOPpCBKg==
+vm2@3.9.17:
+  version "3.9.17"
+  resolved "https://registry.yarnpkg.com/vm2/-/vm2-3.9.17.tgz#251b165ff8a0e034942b5181057305e39570aeab"
+  integrity sha512-AqwtCnZ/ERcX+AVj9vUsphY56YANXxRuqMb7GsDtAr0m0PcQX3u0Aj3KWiXM0YAHy7i6JEeHrwOnwXbGYgRpAw==
   dependencies:
     acorn "^8.7.0"
     acorn-walk "^8.2.0"