
Sanitize sourceURL so it cannot affect evaled code #4518

Merged

Conversation

alexbrasetvik
Contributor

Wherever it comes from, sourceURL should not be allowed to contain code that gets eval()-ed.

/\s/ should cover all the bases as far as I know, including the various unicode-y ways of encoding newlines.

```
> sourceURL = '\u2028\u2029\nconsole.log("o hai")'
'

\nconsole.log("o hai")'
> eval('//# sourceURL=' + sourceURL)
o hai
undefined
> eval('//# sourceURL=' + sourceURL.replace(/\s/g, ' '))
undefined
```
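The mechanism behind the fix, as an added example that is not code from this PR or from lodash itself: a `//` comment ends at any JavaScript LineTerminator (LF, CR, U+2028, U+2029), so an unsanitised `sourceURL` containing one of those turns the rest of the string into executable code. `/\s/` matches all four terminators, which is why replacing it with a space is enough. The function names, the `isSingleLine` check and the sentinel-based sample payload are constructed for this illustration.

```javascript
// Added example, not lodash's own code. Shows the PR's sanitisation
// (replace /\s/ with a space) beside a check that the generated
// "//# sourceURL=" line cannot be terminated early. Names below are assumptions.

// Every JavaScript LineTerminator ends a "//" comment: LF, CR, U+2028, U+2029.
// /\s/ matches all four (plus ordinary whitespace), hence the PR's choice.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// The PR's fix: collapse any whitespace character into a plain space.
function sanitizeSourceURL(sourceURL) {
  return String(sourceURL).replace(/\s/g, ' ');
}

// The trailing comment a template compiler appends so stack traces name the
// template. Without sanitisation, a line terminator inside sourceURL ends the
// comment and whatever follows is parsed as code.
function sourceURLComment(sourceURL, sanitize = true) {
  const value = sanitize ? sanitizeSourceURL(sourceURL) : String(sourceURL);
  return '//# sourceURL=' + value;
}

// Defensive check: true when no character in the comment can terminate it,
// i.e. the whole thing is still one "//" line.
function isSingleLine(comment) {
  return !LINE_TERMINATOR.test(comment);
}

// Evaluates the comment and reports whether anything in it actually ran.
// The sample payload sets a sentinel instead of printing, so the outcome can
// be checked programmatically. A lone comment evaluates to undefined.
function injectionRuns(sourceURL, sanitize) {
  globalThis.__sourceURLSentinel = false;
  eval(sourceURLComment(sourceURL, sanitize));
  return globalThis.__sourceURLSentinel === true;
}

// Constructed sample with the same shape as the PR's demonstration, using a
// sentinel assignment in place of console.log.
const HOSTILE_SOURCE_URL = '\u2028\u2029\nglobalThis.__sourceURLSentinel = true';

console.log('unsanitised comment is single line:',
  isSingleLine(sourceURLComment(HOSTILE_SOURCE_URL, false))); // false
console.log('sanitised comment is single line:',
  isSingleLine(sourceURLComment(HOSTILE_SOURCE_URL)));        // true
console.log('payload runs without sanitisation:', injectionRuns(HOSTILE_SOURCE_URL, false)); // true
console.log('payload runs after sanitisation:', injectionRuns(HOSTILE_SOURCE_URL, true));    // false
```

The `isSingleLine` check is the property worth asserting in a regression test: whatever the sanitiser does, the generated `//# sourceURL=` line must contain no LineTerminator, because that is the only way code can escape a `//` comment.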

@alexbrasetvik
Contributor Author

@jdalton @falsyvalues It seems that the zipObjectDeep prototype pollution warrants an imminent release. Can I ask that you please consider including this change as well in a 4.17.16? :)

@jdalton
Member

jdalton commented Jun 4, 2020

Thanks @alexbrasetvik!

@jdalton jdalton merged commit e7b28ea into lodash:4.17.15-post Jun 4, 2020
@alexbrasetvik alexbrasetvik deleted the stop-sourceurl-code-injection branch June 4, 2020 12:39
@mistic

mistic commented Jun 29, 2020

@jdalton could you please update us on how far we are from having a lodash patch release with that fix in it?

@lodash lodash locked and limited conversation to collaborators Nov 16, 2021
@jdalton jdalton added issue bankruptcy Closing the issue/PR to start fresh and removed issue bankruptcy Closing the issue/PR to start fresh labels Sep 16, 2023