-
Notifications
You must be signed in to change notification settings - Fork 847
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential Security Issue #604
Comments
I receive numerous messages about purported vulnerabilities in EJS that are, in fact, not vulnerabilities at all. EJS is effectively a JavaScript runtime, and the its |
But we've worked together through #601, merged it, and agreed there that mitigating the effects of (outside) prototype pollution in EJS would be worth it, right? |
As your intent is to fix the issue that @nicdumz has disclosed, you'll both be eligible to receive bounties via our platform. If you have any questions, my door is open! |
If this is the same issue, then yes. |
Yep, exactly the issue! Are you able to sign up, confirm the report and the fix, and the bounty is yours! |
Also, because we love that your GitHub ID is only three numbers long, we are giving you an exclusive badge on your profile. Cheers! ❤️ |
@JamieSlome I'd generally appreciate a second look on the initial advisory and classification. As you can see what's happening is that in the presence of prototype pollution in another library, the AST for EJS can be polluted and gets attackers RCE. "AST injection" is not yet an official CVE type so I've settled for Code Injection. Does that feel reasonable? As a note, that vector is well-known so worth fixing, the actual severity / classification matters little to me :-) |
I'm not sure what y'all are asking me to weigh in on here. I think it made sense to merge this in the interest of being a good citizen of the ecosystem, but there's no EJS vulnerability here, and I get quite a number of similar "security issue reports" from self-described security experts, who fundamentally don't understand how EJS works. |
We merged fixes in now, which is great. Do you think you could cut a minor release out, which would contain those fixes? For me my goal is essentially to get a patched version out, flag a minor vulnerability of sorts, and next leverage automatic package scanners (snyk, etc) so that they go around and force version bumps to get rid of that vector. I understand how we could say that there is no "EJS vulnerability on itself". However EJS used to provide an easy, well-documented way to escalate prototype pollution into Remote Code Execution. Because of the number of users, this was a very yummy hop to target for attackers. Mitigating this pathway is worth it, and worth an advisory so that automated scanner can upgrade your users. Makes sense? |
Hello,
We recently received a vulnerability disclosure against your repository from @nicdumz. I couldn't find an e-mail to contact or a security process to follow, so created this issue instead.
If you would like me to e-mail over the details or put them on the GitHub Issue, I'm more than happy to facilitate this for you. Otherwise, you can access the advisory here.
It is private to you and the discloser of the report.
If you have any questions, let me know.
-- Jamie from huntr.dev
The text was updated successfully, but these errors were encountered: