Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security issue - underscore-min.js Lodash Script? #2911

Closed
AlAyoub opened this issue Feb 26, 2021 · 8 comments
Closed

Security issue - underscore-min.js Lodash Script? #2911

AlAyoub opened this issue Feb 26, 2021 · 8 comments
Assignees
Labels

Comments

@AlAyoub
Copy link

@AlAyoub AlAyoub commented Feb 26, 2021

Hi,

My scanner is picking up a vulnerability from underscore It appears the issue is that underscore is using a lodash script in underscore-min.js. Is that correct? Can anyone confirm?

There was a PR that fixed the issue in 4.17.21.
https://github.com/lodash/lodash/pull/5085/files

@jgonggrijp
Copy link
Collaborator

@jgonggrijp jgonggrijp commented Feb 27, 2021

Hi @AlAyoub, thanks for reaching out. Underscore does not depend on Lodash; to the contrary, Lodash is a fork of Underscore. You are probably dealing with a file named underscore-min.js that actually contains an old version of Lodash.

I'll close this ticket now, but please feel free to continue discussion if you feel the need.

@jgonggrijp
Copy link
Collaborator

@jgonggrijp jgonggrijp commented Feb 28, 2021

@AlAyoub thanks for getting back here.

This appears to be a security vulnerability that Lodash inherited from Underscore, and for some reason the vulnerability was only reported to Lodash and not to Underscore. That's what you get with forks.

Anyway, it appears the issue does indeed also apply to Underscore. I'll fix this with high priority.

@jgonggrijp jgonggrijp reopened this Feb 28, 2021
@jgonggrijp jgonggrijp added bug and removed invalid labels Feb 28, 2021
@jgonggrijp jgonggrijp self-assigned this Feb 28, 2021
@jgonggrijp
Copy link
Collaborator

@jgonggrijp jgonggrijp commented Feb 28, 2021

Hang on. _.template allows arbitrary code injection anyway, since that's how the template function is implemented. The first argument (the template itself) is supposed to contain JavaScript code. Validating the second argument is not going to prevent code injection, since whoever submits the second argument is also submitting the first argument (the template and the variable name have to be coordinated). I'll investigate further.

@jgonggrijp jgonggrijp added question and removed bug labels Feb 28, 2021
jgonggrijp added a commit to jgonggrijp/underscore that referenced this issue Feb 28, 2021
@jgonggrijp
Copy link
Collaborator

@jgonggrijp jgonggrijp commented Feb 28, 2021

@AlAyoub I was able to confirm that the vulnerability does not, in fact, apply to Underscore. See #2912.

Underscore will pass the variable option to the Function constructor as an argument name. This ensures that the name is validated. Lodash doesn't do this, so they needed a fix.

Could you tell me the name of your scanner, preferably with a link to their website, so I can contact the maintainers about this false alarm?

@jgonggrijp
Copy link
Collaborator

@jgonggrijp jgonggrijp commented Mar 1, 2021

@AlAyoub thank you for bringing this to our attention. Had it been a true alarm, we wouldn't have known about it without you (or at least not as soon).

@AlAyoub
Copy link
Author

@AlAyoub AlAyoub commented Mar 3, 2021

@jgonggrijp - confirmed that this is a false alarm. Thank you again for acting fast, I appreciate it!

@jgonggrijp
Copy link
Collaborator

@jgonggrijp jgonggrijp commented Mar 3, 2021

Thanks for wrapping up, @AlAyoub !

@jgonggrijp
Copy link
Collaborator

@jgonggrijp jgonggrijp commented Mar 15, 2021

@AlAyoub While the Lodash CVE doesn't apply to Underscore, it turns out that there was in fact a security leak in _.template. I just published versions 1.12.1 and 1.13.0-2, which fix it. See also #2915.

jgonggrijp added a commit to jgonggrijp/underscore that referenced this issue Mar 29, 2021
jgonggrijp added a commit to jgonggrijp/underscore that referenced this issue Mar 29, 2021
jgonggrijp added a commit to jgonggrijp/underscore that referenced this issue Mar 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants