
Docxtemplater vulnerability with angular parser - Remote Code Execution #488

Closed
edi9999 opened this issue Jan 23, 2020 · 0 comments
@edi9999 edi9999 commented Jan 23, 2020

A few minutes ago, CVE-2020-5219 was released; it impacts users of the "angular-expressions" module. The issue was in the "angular-expressions" code and allows Remote Code Execution.

Here is some docxtemplater-specific information about the vulnerability:

Impact

The vulnerability allows Remote Code Execution.

You are impacted if you have the angular parser enabled AND the docx templates are written by untrusted people.

To check whether you use the angular parser, check whether you are calling doc.setOptions({parser: func}) and whether the function func uses the angular-expressions package.

The vulnerability was reported by GoSecure, Inc.

Patches

The vulnerability comes from "angular-expressions" and has been patched in version 1.0.1.
You are vulnerable if you use angular-expressions 1.0.0 or below.

To apply the patch, run:

npm install --save angular-expressions@1.0.1

Workarounds

It is possible to fix the issue without upgrading by either :

  • deactivating the angular parser, i.e. removing the parser option in doc.setOptions({parser: ...})

  • allowing only a subset of characters in the expressions:

   // Assumed imports (not shown in the original snippet): angular-expressions
   // compiles the tag and lodash's merge combines the enclosing scopes.
   const expressions = require("angular-expressions");
   const merge = require("lodash/merge");

   function angularParser(tag) {
      if (tag === ".") {
         return {
            get(s) {
               return s;
            },
         };
      }
      // Map Word's typographic quotes back to straight quotes.
      tag = tag.replace(/(’|“|”|‘)/g, "'");
      // Allow only trusted characters inside angular expressions.
      // The hyphen is placed last so it is a literal "-"; written as "+-?"
      // it would be a character range that also admits , / ; < = >.
      if (!/^[|a-zA-Z.0-9 :"'+?-]+$/.test(tag)) {
         return {
            get() {
               return undefined;
            },
         };
      }
      // Compile the filtered tag.
      const expr = expressions.compile(tag);
      return {
         get(scope, context) {
            // Merge every enclosing scope (outermost first) so nested
            // loops can still read outer values.
            let obj = {};
            const scopeList = context.scopeList;
            const num = context.num;
            for (let i = 0, len = num + 1; i < len; i++) {
               obj = merge(obj, scopeList[i]);
            }
            return expr(scope, obj);
         },
      };
   }

   doc.setOptions({parser: angularParser})

References

Angular Expressions advisory

For more information

If you have any questions or comments about this advisory:

Credits

The vulnerability was found and reported by Maxime Nadeau from GoSecure, Inc.

yeln4ts pushed a commit to pwndoc/pwndoc that referenced this issue Feb 6, 2020
@edi9999 edi9999 added the security label Feb 26, 2020
@edi9999 edi9999 closed this Mar 3, 2020
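The following is an added example, not code from this issue or from the docxtemplater project. It shows the second workaround above (the character allowlist) wrapped around a docxtemplater-style parser, together with the "1.0.0 or below" version check from the Patches section. angular-expressions itself is not loaded: `compileStub` is an assumed stand-in that only resolves dotted property paths and an `| upper` filter, so the file runs offline; in a real deployment you would pass `require("angular-expressions").compile` to `makeGuardedParser` instead. The `TRUSTED_TAG` pattern is the advisory's allowlist with one assumed fix (the hyphen moved to the end of the character class), and `LOOSE_TAG` keeps the advisory's pattern as printed so the two can be compared. The sample context and tags are constructed for the demonstration.

```javascript
// Added example, not code from the docxtemplater issue or project: a guarded
// docxtemplater-style parser that applies the advisory's character allowlist
// before a tag reaches an expression compiler, plus the version check.
//
// angular-expressions is NOT loaded here. `compileStub` is an assumed stand-in
// (dotted property lookup and an "| upper" filter) so the file runs offline;
// in a real setup pass require("angular-expressions").compile instead.

// Allowlist from the advisory with the hyphen moved to the end of the class so
// it is a literal "-" (assumed fix). Written as "+-?" it is a range from "+"
// to "?" that also admits , / ; < = >, which the advisory's comment did not
// intend.
const TRUSTED_TAG = /^[|a-zA-Z.0-9 :"'+?-]+$/;
// The advisory's pattern as printed, kept only to show the difference.
const LOOSE_TAG = /^[|a-zA-Z.0-9 :"'+-?]+$/;

// Word replaces straight quotes with typographic ones; map them back first.
function normalizeQuotes(tag) {
  return tag.replace(/(’|“|”|‘)/g, "'");
}

function isTrustedTag(tag, pattern = TRUSTED_TAG) {
  return pattern.test(normalizeQuotes(tag));
}

// Stand-in compiler: "a.b.c" paths and an optional "| upper" filter. It reads
// own properties only, so "constructor" and other prototype members never
// resolve, which is what a template engine's data lookup should do anyway.
function compileStub(tag) {
  const [pathPart, ...filters] = tag.split("|").map((s) => s.trim());
  const path = pathPart.split(".");
  const has = (o, k) => o != null && Object.prototype.hasOwnProperty.call(o, k);
  return function evaluate(scope, locals) {
    // Locals (the merged enclosing scopes) win over the current scope.
    let value = has(locals, path[0]) ? locals : scope;
    for (const key of path) {
      value = has(value, key) ? value[key] : undefined;
    }
    for (const f of filters) {
      if (f === "upper" && typeof value === "string") value = value.toUpperCase();
    }
    return value;
  };
}

// Returns a parser with the { get(scope, context) } shape docxtemplater calls.
function makeGuardedParser(compile, pattern = TRUSTED_TAG) {
  return function parser(tag) {
    if (tag === ".") {
      return { get: (s) => s };
    }
    tag = normalizeQuotes(tag);
    if (!pattern.test(tag)) {
      // Untrusted characters: never compile, render nothing for this tag.
      return { get: () => undefined };
    }
    const expr = compile(tag);
    return {
      get(scope, context) {
        // Merge enclosing scopes outermost first so inner loops see outer data.
        let locals = {};
        for (let i = 0; i <= context.num; i++) {
          locals = Object.assign(locals, context.scopeList[i]);
        }
        return expr(scope, locals);
      },
    };
  };
}

// "You are vulnerable if you use angular-expressions 1.0.0 or below."
function isVulnerableAngularExpressions(version) {
  const [major, minor, patch] = version.split(".").map(Number);
  return major < 1 || (major === 1 && minor === 0 && patch < 1);
}

// Constructed sample context, shaped like what docxtemplater passes to get():
// an outer document scope and an inner loop scope.
const SAMPLE_CONTEXT = {
  num: 1,
  scopeList: [{ company: "ACME" }, { user: { name: "ada" } }],
};

function renderTag(tag, pattern = TRUSTED_TAG) {
  const parser = makeGuardedParser(compileStub, pattern);
  const scope = SAMPLE_CONTEXT.scopeList[SAMPLE_CONTEXT.num];
  return parser(tag).get(scope, SAMPLE_CONTEXT);
}

// Constructed tags: ordinary template expressions and one a hostile template
// author might try. The last one is refused by the allowlist before compile.
const DEMO_TAGS = [
  "user.name",
  "user.name | upper",
  "company",
  "constructor.constructor('return process')()",
];
for (const tag of DEMO_TAGS) {
  console.log(JSON.stringify(tag), "->", renderTag(tag));
}
console.log("angular-expressions 1.0.0 vulnerable:", isVulnerableAngularExpressions("1.0.0"));
```

With the real library the wiring is `doc.setOptions({parser: makeGuardedParser(require("angular-expressions").compile)})`, i.e. the setOptions call shown above. Note that `isTrustedTag("a = 1", LOOSE_TAG)` is true while `isTrustedTag("a = 1")` is false: the range created by the unescaped hyphen lets `=`, `<`, `>`, `;` and `/` through, so the allowlist is wider than its comment says unless the hyphen is escaped or moved.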