Migrate to vm2 instead of safer-eval #16
Comments
That would be very much appreciated! I'll finish #17 tomorrow for all of the other issues.
Hi @dozoisch, we're taking a slightly different direction with this, as vm2 is not available in the browser context and there could be potential security implications as well. Instead, we have created a new package ejson-shell-parser which creates an AST from the query string, validates every node in the syntax tree against a whitelist of specifically allowed JavaScript features, and then constructs the query by walking the tree. This is a safer option and works both for node and the browser. We have just released a release candidate 1.6.0-rc.0 to collect feedback on this approach from downstream teams. Please see the PR #22 with some limitations that we are going to impose on the query parser, and feel free to comment with any feedback on that PR as well.
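The parse, whitelist, walk approach described in the comment above, as an added example that is not ejson-shell-parser's own code. It assumes an ESTree-shaped syntax tree (the shape produced by parsers such as acorn) and uses hand-constructed sample trees in place of a real parser, so it runs with no dependencies.

```javascript
// Node types a query is allowed to contain; anything else is rejected before evaluation.
const ALLOWED = new Set(['ObjectExpression', 'Property', 'ArrayExpression', 'Literal', 'UnaryExpression']);

// Step 1: validate every node in the tree against the whitelist (no code is executed here).
function validate(node) {
  if (!node || !ALLOWED.has(node.type)) throw new Error(`disallowed syntax: ${node && node.type}`);
  switch (node.type) {
    case 'ObjectExpression': node.properties.forEach(validate); break;
    case 'Property': {
      const key = keyOf(node); // throws for computed or non-string keys
      if (node.computed || node.method || node.kind !== 'init' || key === '__proto__') throw new Error('disallowed property form');
      validate(node.value); break;
    }
    case 'ArrayExpression': node.elements.forEach(validate); break;
    case 'UnaryExpression': // only negative numeric literals such as -1 are accepted
      if (node.operator !== '-' || node.argument.type !== 'Literal' || typeof node.argument.value !== 'number') throw new Error('disallowed unary expression');
      break;
    case 'Literal': // plain string/number/boolean/null only; no regex literals
      if (node.regex || (node.value !== null && !['string', 'number', 'boolean'].includes(typeof node.value))) throw new Error('disallowed literal');
  }
}

function keyOf(prop) {
  if (prop.key.type === 'Identifier') return prop.key.name;                                   // { age: ... }
  if (prop.key.type === 'Literal' && typeof prop.key.value === 'string') return prop.key.value; // { "age": ... }
  throw new Error('disallowed property key');
}

// Step 2: construct the query object by walking the validated tree; no eval or vm is involved.
function build(node) {
  switch (node.type) {
    case 'ObjectExpression': return Object.fromEntries(node.properties.map(p => [keyOf(p), build(p.value)]));
    case 'ArrayExpression': return node.elements.map(build);
    case 'UnaryExpression': return -node.argument.value;
    default: return node.value; // Literal
  }
}

function parseQuery(ast) { validate(ast); return build(ast); }

// Constructed sample trees, written by hand in ESTree shape (a real deployment would get them from a parser).
const lit = (value) => ({ type: 'Literal', value });
const prop = (name, value) => ({ type: 'Property', kind: 'init', computed: false, method: false, key: { type: 'Identifier', name }, value });
const SAFE_AST = { type: 'ObjectExpression', properties: [ // { age: { $gt: 30 }, tags: ['a', -1] }
  prop('age', { type: 'ObjectExpression', properties: [prop('$gt', lit(30))] }),
  prop('tags', { type: 'ArrayExpression', elements: [lit('a'), { type: 'UnaryExpression', operator: '-', argument: lit(1) }] }),
] };
const UNSAFE_AST = { type: 'ObjectExpression', properties: [ // { a: process.exit() }: a call, rejected and never run
  prop('a', { type: 'CallExpression', callee: { type: 'MemberExpression' }, arguments: [] }),
] };

function rejects(ast) { try { parseQuery(ast); return false; } catch (e) { return true; } }
```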
@rueckstiess that's awesome! I'll try it in mongo-express.
@rueckstiess you may need a CVE given that using CC:
@rueckstiess please let me know if I'm misunderstanding something.
Hi @JLLeitschuh there is already an existing CVE for the safer-eval module describing this issue: https://nvd.nist.gov/vuln/detail/CVE-2019-10769 Also, since the new parser behaves slightly differently in certain cases (i.e. we disallow the use of function definitions and other "risky" JavaScript expressions in the query language) this constitutes a backwards breaking change, so we decided to release this as a new major version 2.0.0. We also wrote a migration guide explaining the breaking changes in more detail.
Hi!
safer-eval is now considered unsafe.
A safer option would be vm2. This only requires changes in `executeJavascript`, which shouldn't be too bad. I'm trying to get a PR up in the next two weeks.