This repository has been archived by the owner on Apr 12, 2024. It is now read-only.
Commit
fix($parse): disallow passing Function to Array.sort
Fix the following exploit:

hasOwnProperty.constructor.prototype.valueOf = valueOf.call;
["a", "alert(1)"].sort(hasOwnProperty.constructor);

The exploit:

1. Array.sort takes a comparison function and passes it 2 parameters to compare.
2. It then calls .valueOf() if the result is not a primitive.

• The Function object conveniently accepts two string arguments so we can use this to construct a function. However, this doesn't do much unless we can execute it.
• We set the valueOf function on Function.prototype to Function.prototype.call. This causes the function that we constructed to be executed when sort calls .valueOf() on the result of the comparison.

The fix is in two parts.

• Disallow passing unsafe objects to function calls as parameters.
• Do not traverse the Function object when setting a path.
Showing 2 changed files with 41 additions and 3 deletions.
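The two guards the commit message describes, written out as an added example for this page rather than taken from AngularJS's parse.js: a toy runtime in which every call argument is checked and the path setter refuses to walk into the Function object. The names ensureSafeObject, safeCall, setPath, rejects and the scope object are assumptions made for this sketch.

```javascript
// Added example, not AngularJS's parse.js: the two guards the commit describes,
// applied to a toy runtime. All names here are hypothetical for this sketch.

// The Function object is its own constructor (Function.constructor === Function),
// which is how hasOwnProperty.constructor reaches it from any object in scope.
function ensureSafeObject(value, expression) {
  if (value && value.constructor === value) {
    throw new Error("Referencing Function in expression '" + expression + "' is disallowed");
  }
  return value;
}

// Fix part 1: every evaluated argument is checked before the call is made,
// so Function can no longer be passed to Array.sort as the comparator.
function safeCall(context, fn, args, expression) {
  for (var i = 0; i < args.length; i++) ensureSafeObject(args[i], expression);
  return fn.apply(context, args);
}

// Fix part 2: the dotted-path setter creates missing intermediate objects but
// refuses to traverse Function, so Function.prototype.valueOf stays untouched.
function setPath(root, path, value) {
  var keys = path.split('.');
  var obj = root;
  while (keys.length > 1) {
    var key = keys.shift();
    var next = obj[key];
    if (next === undefined || next === null) obj[key] = next = {};
    obj = ensureSafeObject(next, path);
  }
  obj[keys[0]] = value;
  return value;
}

// Returns true when fn throws; used to show both steps of the exploit are refused.
function rejects(fn) {
  try { fn(); return false; } catch (e) { return true; }
}
function exploitIsBlocked() {
  var scope = {};
  var assignmentRefused = rejects(function () {
    setPath(scope, "hasOwnProperty.constructor.prototype.valueOf", Function.prototype.call);
  });
  var sortRefused = rejects(function () {
    var list = ["a", "alert(1)"];
    safeCall(list, list.sort, [scope.hasOwnProperty.constructor], "sort(Function)");
  });
  return assignmentRefused && sortRefused;
}
```

This sketch covers only the Function case the commit addresses; AngularJS's later ensureSafeObject also rejects window and DOM nodes, which an expression sandbox has to keep out of reach for the same reason.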