Change B2B deserializer from safeEval to notevil

(probably invalidates #437)
juice-shop · Jan 23, 2018 · 62b905b · 62b905b
1 parent 55592f3
commit 62b905b
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 12 deletions.
diff --git a/.nsprc b/.nsprc
@@ -21,7 +21,6 @@
     "https://nodesecurity.io/advisories/17",
     "https://nodesecurity.io/advisories/88",
     "https://nodesecurity.io/advisories/532",
-    "https://nodesecurity.io/advisories/548",
-    "https://nodesecurity.io/advisories/337"
+    "https://nodesecurity.io/advisories/548"
   ]
 }
diff --git a/package.json b/package.json
@@ -79,7 +79,7 @@
     "pdfkit": "~0.8",
     "replace": "~0.3",
     "request": "~2",
-    "safe-eval": "~0.3",
+    "notevil": "~1.1",
     "sanitize-html": "1.4.2",
     "sequelize": "~4",
     "serve-favicon": "~2.4",

diff --git a/routes/b2bOrder.js b/routes/b2bOrder.js
@@ -1,19 +1,16 @@
 const utils = require('../lib/utils')
 const insecurity = require('../lib/insecurity')
-const safeEval = require('safe-eval')
+const safeEval = require('notevil')
 const challenges = require('../data/datacache').challenges
 
 exports = module.exports = function b2bOrder () {
-  return (req, res, next) => {
+  return (req, res) => {
     const orderLinesData = req.body.orderLinesData || []
     orderLinesData.forEach(orderLineData => {
-      if (utils.contains(orderLineData, '.exit()')) { // circuit breaker to prevent sandbox breakout attack
-        next(new Error('Blocked illegal activity by ' + req.connection.remoteAddress))
-      }
       try {
-        safeEval(orderLineData, {}, { timeout: 2000 })
+        safeEval(orderLineData)
       } catch (err) {
-        if (utils.notSolved(challenges.rceChallenge) && err.message === 'Script execution timed out.') {
+        if (utils.notSolved(challenges.rceChallenge) && err.message === 'Infinite loop detected - reached max iterations') {
           utils.solve(challenges.rceChallenge)
         }
       }

diff --git a/test/api/b2bOrderSpec.js b/test/api/b2bOrderSpec.js
@@ -18,14 +18,14 @@ describe('/b2b/v2/orders', () => {
       .done(done)
   })
 
-  it('POST sandbox breakout vulnerability (https://nodesecurity.io/advisories/337) does not kill the server', done => {
+  it('POST sandbox breakout attack does not kill the server', done => {
     frisby.post(API_URL, {
       headers: authHeader,
       body: {
         orderLinesData: ['this.constructor.constructor("return process")().exit()']
       }
     })
-      .expect('status', 500)
+      .expect('status', 200)
       .done(done)
   })