Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent arbitrary js code execution #16

Closed
wants to merge 9 commits into from
Closed

Prevent arbitrary js code execution #16

wants to merge 9 commits into from

Conversation

tshemsedinov
Copy link
Member

@tshemsedinov tshemsedinov commented May 16, 2022
edited
Loading

Thank to @primeare for reporting this security issue

  • tests and linter show no problems (npm t)
  • tests are added/updated for bug fixes and new features
  • code is properly formatted (npm run fmt)
  • description of changes is added in CHANGELOG.md

@tshemsedinov tshemsedinov self-assigned this May 16, 2022
@tshemsedinov tshemsedinov added the bug Something isn't working label May 16, 2022
primeare
primeare reviewed May 16, 2022
View reviewed changes
lib/sheet.js Outdated
@@ -2,8 +2,15 @@

const metavm = require('metavm');

const math = new Proxy(Math, {
get: (target, prop) => {
if (prop === 'constructor') return null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, it is still possible to do such a thing:

sheet.cells['A1'] = '=Math.ceil.constructor("console.log(process)")()';
console.log(sheet.values['A1']);

And even this:

sheet.cells['A1'] = '=Math.ceil.constructor("console.log(process.mainModule.require(\'fs\').readFileSync(\'./metacalc.js\', \'utf-8\'))")()';

I will take a closer look today at what we can do to overcome this issue.

primeare
primeare reviewed May 16, 2022
View reviewed changes
Copy link
Member

@primeare primeare left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One pitfall of the implemented fix I can see now is that constant values such as Math.PI are no longer available. Accessing them leads to an exception. I don't know if they need to be exposed.

Moreover, I would suggest that fields data, expressions and context of class Sheet should be private and not accessible from the user-land.

primeare
primeare approved these changes May 16, 2022
View reviewed changes
Copy link
Member

@primeare primeare left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now, the fix looks good! ✅
I will let you know if I find anything later on.
Thank you for the quick response 🙏🏻

tshemsedinov added a commit that referenced this pull request May 17, 2022
@tshemsedinov
Prevent arbitrary js code execution
625c23d 
PR-URL: #16
tshemsedinov added a commit that referenced this pull request May 17, 2022
@tshemsedinov
Improve tests for security
2a757ea 
PR-URL: #16
@tshemsedinov
Copy link
Member Author

Landed in 625c23d and 2a757ea

Thanks, @primeare !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@primeare primeare primeare approved these changes

Assignees

@tshemsedinov tshemsedinov

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tshemsedinov @primeare