Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improved fix for CVE-2023-0842 #674

Closed
wants to merge 5 commits into from
Closed

Improved fix for CVE-2023-0842 #674

wants to merge 5 commits into from

Conversation

markwhitfeld
Copy link
Contributor

This is potentially a better fix for CVE-2023-0842 that does not have the regressions mentioned in issue #672

The idea here is that the CVE (slightly more details here ) is specifically referring to the modification of the base object prototype through the merging of objects.

I think that this is the type of modification it is referring to:

// simulated exploit
({}).__proto__.foo = 1;
({})['constructor'].prototype.bar = 2;
// now any javascript object will contain these properties and values!
console.log({}.foo); // outputs 1
console.log({}.bar); // outputs 2

So, the solution in this PR is to explicitly block the properties __proto__ and constructor.
I don't think it is necessary to block prototype because that is only destructive through access via constructor.

I tried to cover all locations in the code that seemed to be merging objects, but I may have missed a location or two in this codebase which is quite unfamiliar to me, and written in a language I don't know.

PS. I was not able to verify if this fix covers all possibilities through tests because it doesn't seem like there are any explicit tests for the CVE. CoffeeScript is very foreign to me, so I wouldn't even know where to look for these!

guimard
guimard suggested changes Apr 27, 2023
View reviewed changes
src/parser.coffee Outdated Show resolved Hide resolved
@markwhitfeld
Copy link
Contributor Author

@guimard Are there any other places in the code that should be guarded against bad property names?

@guimard
Copy link

guimard commented Apr 27, 2023

@guimard Are there any other places in the code that should be guarded against bad property names?

Hi @markwhitfeld, I'm not the author, but AKAIK it's enough now

@Leonidas-from-XIV
Copy link
Owner

Thanks @markwhitfeld, I'll take a look!

@markwhitfeld
Copy link
Contributor Author

@Leonidas-from-XIV Thank you for taking a look.
It would really be ideal to have tests that attempt to exploit the vulnerability, and then showcase how it doesn't exist anymore, but I am not familiar with CoffeeScript, so I wasn't able to do this.

@beckyconning
Copy link

This needs to be merged.

We don't need to test the CVE here as it was already resolved and there weren't tests for that.

The package is currently next-to-unusable.

Please merge this.

@beckyconning
Copy link

This is a simple and straightforward change that corrects undesired and unspecified behaviour of the package.

@Leonidas-from-XIV
Copy link
Owner

Leonidas-from-XIV commented May 18, 2023 via email

@Leonidas-from-XIV
Copy link
Owner

I'm currently on vacation but will try to take a look afterwards. If someone wants to submit a regression test, that would be appreciated :-)

@knolleary knolleary mentioned this pull request May 22, 2023
Merged
@Leonidas-from-XIV Leonidas-from-XIV mentioned this pull request May 25, 2023
Merged
@markwhitfeld
Copy link
Contributor Author

Changes were included in PR #681 by @Leonidas-from-XIV
I see that this fix is included in the v0.6.0 release.
Thank you! 🎉

@github-actions github-actions bot mentioned this pull request Jun 2, 2023
Closed
rmagrin added a commit to rmagrin/body-parser-xml that referenced this pull request Jul 12, 2023
@rmagrin
Update xml2js to version 0.6.0
cfff064 
The original change to fix CVE-2023-0842 in xml2js that was released
with xml2js version 0.5.0 introduced some breaking changes.

A second fix was made that was released with xml2js version 0.6.0.

This change updates xml2js to version 0.6.0 in order to avoid problems
caused by the breaking changes introduced in xml2js version 0.5.0.

Reference: Leonidas-from-XIV/node-xml2js#674
@rmagrin rmagrin mentioned this pull request Jul 12, 2023
Open
@github-actions github-actions bot mentioned this pull request Jan 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@guimard guimard guimard requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@markwhitfeld @guimard @Leonidas-from-XIV @beckyconning