
Fix security bug about prototype pollution #1330

Merged 1 commit, Nov 25, 2020



@ChenKS12138 commented Nov 24, 2020


Proposed change:

Add a check in `Frame.prototype.lookup` to ensure `name` is an own property of `this.variables`.

This is a security bug. The current version of nunjucks can be attacked by prototype pollution.
What I expected is `this is payload2  content is  function(){ return global.process.mainModule.require('child_process').execSync('ls') }() `, but the function returns `this is payload2  content is main.js node_modules package.json yarn.lock`.

Closes #1331.

The sample code is as follows.

```js
const nunjucks = require("nunjucks");

nunjucks.configure({
  autoescape: true,
});

const template = nunjucks.compile(" content is {{ content }} ");

// The render context itself has no own properties; `content` is planted
// on Object.prototype, so a lookup that does not check own properties
// still resolves it.
const payload = {};

payload.__proto__.content =
  " function(){ return global.process.mainModule.require('child_process').execSync('whoami') }() ";

console.log("this is payload2 ", template.render(payload));
```



I've completed the checklist below to ensure I didn't forget anything. This makes reviewing this PR as easy as possible for the maintainers. And it gets this change released as soon as possible.

  • Proposed change helps towards purpose of this project.
  • Documentation is added / updated to describe proposed change. No documentation to update; this is a bug fix only
  • Tests are added / updated to cover proposed change.
  • Changelog has an entry for proposed change (if user-facing fix or feature).
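As an added illustration of the own-property check the proposed change describes (a simplified stand-in written for this page, not nunjucks' own `Frame` class or the merged commit), here is a minimal frame lookup with and without the check, evaluated while `Object.prototype` carries a planted key:

```javascript
// Added example: a minimal stand-in for a template Frame, not nunjucks'
// own Frame class. Assumption: a frame holds a `variables` object and
// chains to an optional parent frame.

class VulnerableFrame {
  constructor(variables, parent) {
    this.variables = variables;
    this.parent = parent;
  }
  // Reads any reachable key, inherited ones included, so a key planted on
  // Object.prototype is resolved as if it were a template variable.
  lookup(name) {
    const val = this.variables[name];
    if (val !== undefined) return val;
    return this.parent ? this.parent.lookup(name) : undefined;
  }
}

class FixedFrame extends VulnerableFrame {
  // Only keys the caller actually put on the context object resolve.
  // Object.prototype.hasOwnProperty.call is used rather than
  // this.variables.hasOwnProperty so it still works for contexts created
  // with Object.create(null) or carrying their own "hasOwnProperty" key.
  lookup(name) {
    if (Object.prototype.hasOwnProperty.call(this.variables, name)) {
      return this.variables[name];
    }
    return this.parent ? this.parent.lookup(name) : undefined;
  }
}

// Plants a constructed key on Object.prototype, performs one lookup through
// a two-level frame chain whose contexts are both empty, then removes the
// planted key so the pollution does not leak into the rest of the process.
function resolveUnderPollution(FrameClass, key, planted) {
  Object.prototype[key] = planted;
  try {
    const frame = new FrameClass({}, new FrameClass({}, null));
    return frame.lookup(key);
  } finally {
    delete Object.prototype[key];
  }
}

// Sanity check: the fix still resolves legitimate variables via the parent.
function resolveFromParent(FrameClass, key) {
  const parent = new FrameClass({ [key]: "from-parent" }, null);
  return new FrameClass({}, parent).lookup(key);
}
```

With the check in place, a key that exists only on `Object.prototype` resolves to `undefined`, while variables genuinely present in the context or a parent frame still resolve.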

@fdintino fdintino merged commit aa9e5b9 into mozilla:master Nov 25, 2020

Thanks! I'll put out a new release tomorrow morning (EST time)

Contributor Author

My pleasure!


> Thanks! I'll put out a new release tomorrow morning (EST time)

Apologies for the noise; however, I've only just come across this while browsing for something else. Does a new release still need to be made? Or would the path to exploit this be non-trivial?
