Prototype pollution in LoadActionModules() CVE-2021-44908

[Marynk]

Node version: 12.13.0
Sails version (sails): 1.4.0

else-if statement in lines 134-165 https://github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.js#L163) is vulnerable to prototype pollution.
The object assignment on line 163 may lead to denial of service or property injection if SailsJS based application dynamically controls the value of variable “filePath”.

Proof of concept case is demonstrated here: https://github.com/Marynk/JavaScript-vulnerability-detection/tree/main/sailsJS_PoC

The CVE Program has assigned the ID CVE-2021-44908 to this issue. This is a record on the CVE List, which standardizes names for security problems.

[sailsbot]

@Marynk Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

• look for a workaround. (Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)
• tell us why this issue is important to you and your team. What are you trying to accomplish? (Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)
• make sure you've provided clear instructions on how to reproduce the bug from a clean install.
• double-check that you've provided all of the requested version and dependency information. (Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)
• read the code of conduct.
• if appropriate, ask your business to sponsor your issue. (Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)
• let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. (Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)

---

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

[mikermcneil]

Hi @Marynk, thanks for reading through the code!

I took a look at your .zip file and video. Here is the provided code that demonstrates how it is possible for a developer to code a Sails.js request handler that creates a javascript string, compiling in untrusted, unescaped data from the request, then deliberately overwrites an action file in the api/controllers/ folder. If a developer was to build that, it would be insecure, and not recommended.

if SailsJS based application dynamically controls the value of variable “filePath”.

The userland app code then calls reloadActions(), an experimental function in Sails that should never be used to dynamically load JavaScript files with untrusted, unescaped strings injected into them.

We've updated the docs to clarify this, just in case, and linked to this issue. Thanks!

[mike-usa]

@Marynk nice to see security given consideration! Could you unzip the contents of your zip file into your repository https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS_PoC/sailsJS%20PoC.zip?

Your readme says there is screen capture video and commentary, which I don't see. I can only assume it is in the zip. It doesn't make sense to compress already compressed video and I don't trust your account enough to be downloading unkown executable/zip files.