[JS]: New command execution sinks(Execa, shelljs and dynamic import) #788
Comments
Your submission is now in status Test run. For information, the evaluation workflow is the following:
Hi, as suggested by Erik Krogh Kristensen, I made three separate pull requests for each package change.
Thanks for yet another submission @amammad! My understanding is that the dynamic import will only be vulnerable if an attacker controls the entire path passed to the Here is an example used by the DOM XSS query
@pwntester thanks for the previous bounties and also thanks for your help. I'm trying to implement this but idk how to work with
Hi, You don't need to use FlowLabels for this query. You can write a regular sanitizer that does not use flow labels and then use the
Hi @pwntester I created a new experimental query file for
Your submission is now in status Query review. For information, the evaluation workflow is the following:
Your submission is now in status Final decision. For information, the evaluation workflow is the following:
Your submission is now in status Pay. For information, the evaluation workflow is the following:
Created Hackerone report 2513300 for bounty 579597 : [788] [JS]: New command execution sinks(Execa, shelljs and dynamic import)
Your submission is now in status Closed. For information, the evaluation workflow is the following:
Query PR
github/codeql#14291
github/codeql#14293
github/codeql#14294
Language
Javascript
CVE(s) ID list
CWE
CWE-078
Report
Execa package before version 5 has already been modeled but newer versions up to 8 have many new APIs that I've implemented now.
Shelljs package also has a piping feature which I've updated the current shelljs module to support piping too.
Also, dynamic import in nodejs supports URLs starting with data: which is dangerous.
There is another nodejs API that accepts the data: URL which is: but it needs to be a URL Type as input, not any string value that starts with data:, I'm not sure what is the best way to implement it.
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
No response
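The data: concern from the report, and the reviewer's point that the import only matters when the attacker controls the whole specifier, shown as an added example that is not part of the issue or the linked CodeQL pull requests. `schemeOf`, `resolvePlugin`, `classify`, `PLUGIN_BASE` and the sample inputs are hypothetical names and constructed values.

```javascript
// Added example: all names, paths and sample inputs are constructed.

// Scheme of an absolute specifier, taken from the WHATWG URL parser rather
// than a regex: the parser strips leading whitespace and lowercases the scheme.
function schemeOf(specifier) {
  try {
    return new URL(String(specifier)).protocol; // e.g. "data:"
  } catch {
    return null; // relative path or bare package name
  }
}

// Hardened form: resolve a user-chosen plugin name against a fixed file: base
// and accept the result only if it is still a file: URL inside that base.
function resolvePlugin(name, baseDirUrl) {
  const base = new URL(baseDirUrl);
  const resolved = new URL(String(name), base); // an absolute URL in `name` ignores `base`
  if (resolved.protocol !== 'file:' || !resolved.href.startsWith(base.href)) {
    throw new Error('refusing dynamic import of ' + JSON.stringify(name));
  }
  return resolved.href;
}

// Sink shape discussed in the report: the whole specifier is user input.
//   const mod = await import(userInput);
// Guarded shape:
//   const mod = await import(resolvePlugin(userInput, PLUGIN_BASE));
const PLUGIN_BASE = 'file:///srv/app/plugins/'; // hypothetical directory

// Constructed inputs; the data: body is a harmless constant module.
const SAMPLES = [
  'data:text/javascript,export default 1',
  ' DATA:text/javascript,export default 1',
  './plugins/' + 'data:text/javascript,export default 1', // constant prefix pins a path
  'report.js',
  '../config.js',
];

// Reports, per specifier, the parsed scheme and whether the guard accepts it.
function classify(samples) {
  return samples.map((s) => {
    let accepted = true;
    try { resolvePlugin(s, PLUGIN_BASE); } catch { accepted = false; }
    return { specifier: s, scheme: schemeOf(s), accepted };
  });
}

console.table(classify(SAMPLES));
```

The third sample has no scheme because the constant `./plugins/` prefix makes it a relative path, which is why a prefix check can act as a sanitizer for this sink.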