Skip to content

JS: add model for the gray-matter library to js/code-injection #9756

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 1, 2022
Merged

JS: add model for the gray-matter library to js/code-injection #9756

merged 3 commits into from
Jul 1, 2022

Conversation

erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Jun 29, 2022
edited
Loading

Adds the sink for CVE-2022-25863.

The below function is basically equivalent to eval().

const greyMatter = require("gray-matter");

function myEval(code) {
  return greyMatter("---js\n" + code + "\n---").data;
}

console.log(myEval("1+3")); // prints 4

That seems to be a feature, so I've added a model.

If you set the option engines.js to some safe interpreter of JavaScript, then the library is safe from code-injection.
But that is hard to detect in a nice way if the options object comes from somewhere else.

Evaluation was uneventful

@erik-krogh erik-krogh added the JS label Jun 29, 2022
@erik-krogh erik-krogh marked this pull request as ready for review July 1, 2022 08:45
@erik-krogh erik-krogh requested a review from a team as a code owner July 1, 2022 08:45
@erik-krogh erik-krogh merged commit 7dd095c into github:main Jul 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@esbena esbena esbena approved these changes

Assignees
No one assigned
Labels
documentation JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@erik-krogh @esbena