Fix possible code execution in (already unsafe) load() #480

Merged
merged 1 commit into from Apr 5, 2019
@rlidwka rlidwka commented Apr 5, 2019

An object with an executable toString() property, when used as a map key, will execute that function.

This happens only for load(), which should not be used with untrusted data anyway. safeLoad() is not affected because it can't parse functions.

Example:

$ cat test.yaml
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1

$ ./bin/js-yaml.js ./test.yaml 
{
  "1553107949161": 1
}

After this PR it would return [object Object] as if toString wasn't there.

Dates are not affected, and if you for whatever reason are using custom types as keys (which is not supported very well), you can change the internal class with Symbol.toStringTag, bypassing the added validation check.

... when object with executable toString() property is used as a map key
@rlidwka rlidwka marked this pull request as ready for review Apr 5, 2019
@puzrin puzrin merged commit b2f9e88 into master Apr 5, 2019
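
The key coercion described in the PR description above, as an added example that is not part of the PR or of js-yaml's own code. It models a map-key store with and without a class check on the key; `classOf`, `storeUnguarded`, `storeGuarded` and `demo` are hypothetical names, and the sample keys are constructed.

```javascript
// Added illustration: hypothetical helpers, not js-yaml's API.

// Internal class string of a value, e.g. '[object Object]' or '[object Date]'.
function classOf(value) {
  return Object.prototype.toString.call(value);
}

// Unguarded store: using a value as a property name coerces it to a string,
// which calls whatever toString() the parsed key object carries.
function storeUnguarded(target, key, value) {
  target[key] = value;
  return target;
}

// Guarded store: a plain object key is replaced by a constant string before
// coercion, so its own toString() is never invoked.
function storeGuarded(target, key, value) {
  if (typeof key === 'object' && classOf(key) === '[object Object]') {
    key = '[object Object]';
  }
  target[String(key)] = value;
  return target;
}

// Runs the three cases from the PR description on constructed keys and
// reports the resulting key plus how often toString() was called.
function demo() {
  let calls = 0;
  const makeKey = () => ({ toString() { calls += 1; return 'computed'; } });

  const unguardedKey = Object.keys(storeUnguarded({}, makeKey(), 1))[0];
  const unguardedCalls = calls;

  const guardedKey = Object.keys(storeGuarded({}, makeKey(), 1))[0];
  const guardedCalls = calls - unguardedCalls;

  // Dates have class '[object Date]' and keep their normal string form.
  const date = new Date(0);
  const dateKey = Object.keys(storeGuarded({}, date, 1))[0];

  // A key whose class is changed via Symbol.toStringTag is not matched by
  // the check, so it is coerced with its own toString() again.
  const tagged = makeKey();
  tagged[Symbol.toStringTag] = 'Custom';
  const taggedKey = Object.keys(storeGuarded({}, tagged, 1))[0];
  const taggedCalls = calls - unguardedCalls - guardedCalls;

  return { unguardedKey, unguardedCalls, guardedKey, guardedCalls,
           dateKey, dateMatches: dateKey === String(date), taggedKey, taggedCalls };
}
```

The last case is why the check only narrows `load()`: it still has to be kept away from untrusted input, as the description says.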
@ddillard ddillard commented Apr 8, 2019

Is anyone getting a CVE for this issue? If not, I can do it.

HDVinnie added a commit to HDInnovations/UNIT3D-Community-Edition that referenced this issue Apr 16, 2019

@viccastro0916 viccastro0916 left a comment

Address this
