security(encoding/yaml): disable functions #1275

Merged
merged 1 commit into from Sep 14, 2021

AaronO (Contributor) commented Sep 14, 2021

Which could allow arbitrary code execution when parsing YAML files with the extended schema, e.g.:

Example of misuse

```js
import { parse, EXTENDED_SCHEMA } from "https://deno.land/std/encoding/yaml.ts";

const data = parse(`
fun: !!js/function >
  console.log(Deno.core);
`, {schema: EXTENDED_SCHEMA});
console.log(data);
```

Will log Deno.core

Proof of fix

```js
import { parse, EXTENDED_SCHEMA } from "https://raw.githubusercontent.com/denoland/deno_std/security/yaml-func-exec/encoding/yaml.ts";

const data = parse(`
fun: !!js/function >
  console.log(Deno.core);
`, {schema: EXTENDED_SCHEMA});
console.log(data);
```

Will throw with `Uncaught YAMLError: unknown tag !<tag:yaml.org,2002:js/function> at line 4, column 1:`

Notes

  • Reported by @Ry0taK
  • Impact: high (allows arbitrary JS execution)
  • Probability: low (requires using EXTENDED_SCHEMA which is uncommon) and parsing untrusted YAML files
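
A conservative pre-parse check for untrusted YAML, added here as an illustration (it is not part of this PR or of deno_std): it resolves `!!` shorthand, `%TAG` aliases and verbatim tags to their full URI and rejects anything in the `tag:yaml.org,2002:js/` namespace named in the error message above. `findJsTags` and `assertNoJsTags` are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: findJsTags/assertNoJsTags are hypothetical helpers, not deno_std API.
const CORE = "tag:yaml.org,2002:";
const defaults = () => new Map([["!", "!"], ["!!", CORE]]);

// Return every tag in `text` whose resolved URI is in the core js/ namespace.
// Conservative: tag-like text inside comments or quoted strings is flagged too.
function findJsTags(text) {
  let handles = defaults();
  let inDirectives = false; // true between a %TAG line and the next "---"
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    // "%TAG !e! tag:yaml.org,2002:js/" can alias the js/ namespace to any handle.
    const dir = /^%TAG\s+(!(?:[\w-]*!)?)\s+(\S+)/.exec(line);
    if (dir) {
      if (!inDirectives) handles = defaults(); // directives apply per document
      inDirectives = true;
      handles.set(dir[1], dir[2]);
      return;
    }
    if (/^---(\s|$)/.test(line)) {
      if (!inDirectives) handles = defaults();
      inDirectives = false;
    }
    // Verbatim form !<uri>, or handle + suffix such as !!js/function.
    const tagRe = /(?:^|[\s\[{,])(?:!<([^>\s]+)>|(!(?:[\w-]*!)?)([^\s\[\]{},]+))/g;
    for (const m of line.matchAll(tagRe)) {
      let uri = m[1] !== undefined ? m[1] : (handles.get(m[2]) ?? m[2]) + m[3];
      // Tags may carry %xx escapes (js%2Ffunction); decode before comparing.
      try { uri = decodeURIComponent(uri); } catch { /* keep raw text */ }
      if (uri.startsWith(CORE + "js/")) hits.push({ line: i + 1, uri });
    }
  });
  return hits;
}

// Gate to call before parse(): throws on the first js/ tag, else returns the text.
function assertNoJsTags(text) {
  const [hit] = findJsTags(text);
  if (hit) throw new Error(`refusing YAML: tag <${hit.uri}> at line ${hit.line}`);
  return text;
}

// Constructed inputs: the tag from the PR, and a plain document.
const SAMPLE_TAGGED = "fun: !!js/function >\n  return 1;\n";
const SAMPLE_PLAIN = "name: demo\nwhen: !!timestamp 2021-09-14\n";
console.log(findJsTags(SAMPLE_TAGGED), findJsTags(SAMPLE_PLAIN));
```

A gate like this complements the schema change rather than replacing it: removing the function type from the schema is what makes the parser itself reject the tag.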

CLAassistant commented Sep 14, 2021

CLA assistant check
All committers have signed the CLA.

AaronO merged commit d5abd74 into main Sep 14, 2021
3 of 9 checks passed
AaronO deleted the security/yaml-func-exec branch September 14, 2021 12:03
AaronO added a commit that referenced this pull request Sep 14, 2021
AaronO added a commit that referenced this pull request Sep 14, 2021
* fix(tests/yaml): expect !!js/function parse/stringify to throw

Following #1275