Fix security bug about prototype pollution #1330
Merged
+21
−1
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Proposed change:
Add check in function Frame.prototype.lookup to ensure
name
is own property ofthis.variables
.This is a security bug. The current version of nunjucks can be attacked by prototype pollution.
What I expected is
this is payload2 content is function(){ return global.process.mainModule.require('child_process').execSync('ls') }()
, but the function returnsthis is payload2 content is main.js node_modules package.json yarn.lock
.Closes #1331.
The sample code is as follows.
Checklist
I've completed the checklist below to ensure I didn't forget anything. This makes reviewing this PR as easy as possible for the maintainers. And it gets this change released as soon as possible.