Don't replace escaped regex / function placeholders in strings

[JordanMilne]

Previously we weren't checking if the quote that started the placeholder
was escaped or not, meaning an object like

{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"}

Would be serialized as

{"foo": /1"/, "bar": "a\/1"/}

meaning an attacker could escape out of bar if they controlled both
foo and bar and were able to guess the value of <UID>.

UID is generated once on startup, is chosen using Math.random() and
has a keyspace of roughly 4 billion, so within the realm of an online
attack.

Here's a simple example that will cause console.log() to be called when
the serialize()d version is eval()d

eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');

Where <UID> is the guessed UID.

This fixes the issue by ensuring that placeholders are not preceded by
a backslash.

[yahoocla]

Thank you for submitting this pull request, however I do not see a valid CLA on file for you. Before we can merge this request please visit https://yahoocla.herokuapp.com/ and agree to the terms. Thanks! 😄

[JordanMilne]

CLA signed

[ericf]

@JordanMilne thanks for digging into this! Do you think it also makes sense to generate a UID with a larger set of possible values?

[JordanMilne]

@ericf Yeah, I think that would be sensible. As long as UID is still guessable you could still do things like have

{"foo": /1/, "bar":"@__R-<UID>-0__@"}

serialize as

{"foo": /1/, "bar": /1/}

Far less useful in an attack IMO but might still be a problem.

Math.random() isn't a great source of entropy if you want to prevent attacks like that since it's generally not backed by a CSPRNG, though. I'll add a commit to use a CSPRNG where available and add more entropy to UID.

[yahoocla]

CLA is valid!

[ericf]

@JordanMilne thanks for updating this to add a better source of entropy! I added a few comments…

[ericf]

Curious why you chose this package over the built-in crypto.randomBytes()?

[JordanMilne]

I used that so as not to break the serializer when run in a browser. If the serializer intended to be node-only I'll just use crypto.randomBytes()

[ericf]

My intention is node-only. But it's true that I don't know if people are bundling it for the browser. So let's stick with what you have using randombytes.

[ericf]

I don't think it's a good idea to allow options.uid. But curious why you added it?

[JordanMilne]

I need a deterministic value for UID for the regression test I added, the other option is to monkeypatch crypto.randomBytes() in the tests like I was doing with Math.random(), but that felt a little brittle. I'm fine with whichever you prefer

[ericf]

I'd prefer the monkey patch for the tests because I don't want people setting options.uid and getting pwned.

[ericf]

Now with a better source of entropy, is the backslash escape still required, or did you want to leave it for extra protection?

[JordanMilne]

I don't think there's any harm in having it. I'm more confident that this will correctly prevent user input from escaping strings than I am in my knowledge of CSPRNGs :)

[ericf]

@JordanMilne if you don't mind replacing options.uid which monkey patching randombytes in the test, then I'll merge this and get a release out. Thanks!

[JordanMilne]

switched to monkeypatching crypto.randomBytes in the test and squashed

[okuryu]

new Buffer() is deprecated. I think we should use Buffer.from() instead.

[okuryu]

please resolve the conflicts.

[eugef]

@JordanMilne @okuryu this issue is still reported as a security vulnerability of the serialize-javascript package.

Are there any plans to merge the fix?

[JordanMilne]

I'm not sure if a fix was merged, you should be able to check by seeing if the testcase in the PR repros.

I'm not likely to update this to work with the new serialization code if it turns out this does still repro, as I no longer work on any code that has serialize-javascript as a dependency. Feel free to use this code as the basis for another PR if you like though, I've already signed the CLA.