Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix security bug about prototype pollution #1330

Merged
merged 1 commit into from
Nov 25, 2020
Merged

Fix security bug about prototype pollution #1330

merged 1 commit into from
Nov 25, 2020

Conversation

ChenKS12138
Copy link
Contributor

@ChenKS12138 ChenKS12138 commented Nov 24, 2020
edited
Loading

Summary

Proposed change:

Add check in function Frame.prototype.lookup to ensure name is own property of this.variables.

This is a security bug. The current version of nunjucks can be attacked by prototype pollution.
What I expected isthis is payload2 content is function(){ return global.process.mainModule.require('child_process').execSync('ls') }() , but the function returns this is payload2 content is main.js node_modules package.json yarn.lock.

Closes #1331.

The sample code is as follows.

const nunjucks = require("nunjucks");

nunjucks.configure({
  autoescape: true,
});

const template = nunjucks.compile(" content is {{ content }} ");

const payload = { };

payload.__proto__.content =
  " function(){ return global.process.mainModule.require('child_process').execSync('whoami') }() ";

console.log("this is payload2 ", template.render(payload));

image

Checklist

I've completed the checklist below to ensure I didn't forget anything. This makes reviewing this PR as easy as possible for the maintainers. And it gets this change released as soon as possible.

  • Proposed change helps towards purpose of this project.
  • Documentation is added / updated to describe proposed change. No documentation to update; this is a bug fix only
  • Tests are added / updated to cover proposed change.
  • Changelog has an entry for proposed change (if user-facing fix or feature).

@ChenKS12138 ChenKS12138 mentioned this pull request Nov 25, 2020
Closed
@fdintino fdintino merged commit aa9e5b9 into mozilla:master Nov 25, 2020
@fdintino
Copy link
Collaborator

Thanks! I'll put out a new release tomorrow morning (EST time)

@ChenKS12138
Copy link
Contributor Author

My pleasure!

@DevRCRun
Copy link

Thanks! I'll put out a new release tomorrow morning (EST time)

Apologies for the noise, however I've only just come across this while browsing for something else but does a new release still need to be made? Or would the path to exploit this be non trivial?

This was referenced Mar 11, 2021
Merged
Merged
@RafalSladek RafalSladek mentioned this pull request May 14, 2022
Open
This was referenced Jul 16, 2024
Open
Open
Open
@WontonSam WontonSam mentioned this pull request Aug 1, 2024
Open
@AliceSof AliceSof mentioned this pull request Aug 6, 2024
Open
@BitcoinOutput BitcoinOutput mentioned this pull request Sep 12, 2024
Open
@Roseymr Roseymr mentioned this pull request Sep 17, 2024
Open
@GodsonLeigh GodsonLeigh mentioned this pull request Sep 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Security bug about prototype pollution
3 participants
@ChenKS12138 @fdintino @DevRCRun