A few minutes ago, CVE-2020-5219 was published. It impacts users of the "angular-expressions" module. The issue was in the "angular-expressions" code and allows Remote Code Execution.
Here is some docxtemplater-specific information about the vulnerability:
Impact
The vulnerability allows Remote Code Execution.
You are impacted if you have the angular parser enabled AND the docx templates are written by untrusted people.
To check if you use the angular-parser, look whether you are calling doc.setOptions({parser: func}) and the function func uses the angular-expressions package.
The vulnerability was reported by GoSecure, Inc.
Patches
The vulnerability comes from "angular-expressions" and has been patched in version 1.0.1.
You are vulnerable if you use angular-expressions 1.0.0 or below.
To apply the patch, run:
npm install --save angular-expressions@1.0.1
Workarounds
It is possible to fix the issue without upgrading by either:
- deactivating the angular parser, i.e. removing the parser option in doc.setOptions({parser: ...})
- allowing only a subset of characters in the expressions:
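const expressions = require("angular-expressions");
// Assumption: merge is lodash's merge; the advisory does not show where it comes from.
const merge = require("lodash/merge");

function angularParser(tag) {
  if (tag === ".") {
    return {
      get(s) {
        return s;
      },
    };
  }
  // Normalize typographic quotes inserted by the word processor
  tag = tag.replace(/(’|“|”|‘)/g, "'");
  // Note: inside the character class, +-? is a range (U+002B to U+003F),
  // so it also admits , / ; < = >
  if (! /^[|a-zA-Z.0-9 :"'+-?]+$/.test(tag)) {
    // Allow only trusted characters inside angular expressions
    return {
      get(s) {
        return undefined;
      },
    };
  }
  // Compile the filtered tag (the original snippet omitted the argument)
  const expr = expressions.compile(tag);
  return {
    get(scope, context) {
      // Merge all enclosing scopes so outer values stay reachable
      let obj = {};
      const scopeList = context.scopeList;
      const num = context.num;
      for (let i = 0, len = num + 1; i < len; i++) {
        obj = merge(obj, scopeList[i]);
      }
      return expr(scope, obj);
    },
  };
}
doc.setOptions({parser: angularParser})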
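Before deploying the character allowlist, it helps to see exactly which tags it lets through to the compiler. The following is an added example, not code from the advisory or from docxtemplater: it reuses the workaround's regex, and the helper names (checkTag, acceptedPunctuation) and the sample tags are constructed for illustration.

```javascript
// Added example: audit the workaround's allowlist before relying on it.
// The regex is the one from the workaround; the curly-quote normalization is
// the same replacement, written with \u escapes.
const ALLOWLIST = /^[|a-zA-Z.0-9 :"'+-?]+$/;
const CURLY_QUOTES = /[\u2018\u2019\u201C\u201D]/g;

// Mirrors the decision angularParser makes before compiling a tag, and lists
// the distinct characters responsible for a rejection.
// An empty tag is rejected with no offending character.
function checkTag(tag) {
  if (tag === ".") return { allowed: true, offending: [] };
  const normalized = tag.replace(CURLY_QUOTES, "'");
  const offending = [...new Set(normalized)].filter((ch) => !ALLOWLIST.test(ch));
  return { allowed: ALLOWLIST.test(normalized), offending };
}

// Every printable ASCII character, other than letters and digits, that the
// allowlist accepts. The "+-?" inside the class is a range, so this is wider
// than the five characters that appear to be listed after the quotes.
function acceptedPunctuation() {
  let out = "";
  for (let code = 0x20; code <= 0x7e; code++) {
    const ch = String.fromCharCode(code);
    if (!/[a-zA-Z0-9]/.test(ch) && ALLOWLIST.test(ch)) out += ch;
  }
  return out;
}

// Constructed sample tags, as a template author might write them.
const sampleTags = [
  "user.name",
  "price | upper",
  "\u201Chello\u201D",
  "items[0]",
  "fn(1)",
  "a.__proto__",
  "x = 1; y",
  "",
];

for (const tag of sampleTags) {
  const { allowed, offending } = checkTag(tag);
  const verdict = allowed ? "compiled" : "blocked ";
  console.log(verdict, JSON.stringify(tag), offending.join(" "));
}
console.log("punctuation accepted:", JSON.stringify(acceptedPunctuation()));
```

Brackets, parentheses and underscores are blocked, while assignment and statement separators pass the filter, so upgrading angular-expressions remains the primary fix.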
The docxtemplater-docker (https://docxtemplater.com/docker/) paid package is also affected: versions before 3.10.1 are vulnerable. Please upgrade to version 3.10.1.
References
Angular Expressions advisory
For more information
If you have any questions or comments about this advisory:
Credits
The vulnerability was found and reported by Maxime Nadeau from GoSecure, Inc.