Docxtemplater vulnerability with angular parser - Remote Code Execution #488

@edi9999

A few minutes ago, CVE-2020-5219 was released, which impacts users of the "angular-expressions" module. The issue was in the "angular-expressions" code and allows Remote Code Execution.

Here is some docxtemplater-specific information about the vulnerability:

Impact

The vulnerability allows Remote Code Execution.

You are impacted if you have the angular parser enabled AND the docx templates are written by untrusted people.

To check if you use the angular-parser, look whether you are calling doc.setOptions({parser: func}) and the function func uses the angular-expressions package.

The vulnerability was reported by GoSecure, Inc.

Patches

The vulnerability comes from "angular-expressions" and has been patched in version 1.0.1.
You are vulnerable if you use angular-expressions 1.0.0 or below.

To apply the patch, run:

npm install --save angular-expressions@1.0.1

Workarounds

It is possible to fix the issue without upgrading by either:

  • deactivating angular-parser, i.e. removing the parser option in doc.setOptions({parser: ...})

  • allowing only a subset of characters in the expressions:

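   // Imports this snippet relies on
   const expressions = require("angular-expressions");
   const merge = require("lodash/merge");

   function angularParser(tag) {
      // "." refers to the current scope value
      if (tag === ".") {
         return {
            get(s) {
               return s;
            },
         };
      }
      // Normalize typographic quotes inserted by word processors
      tag = tag.replace(/(’|“|”|‘)/g, "'");
      // Note: inside the character class, "+-?" is a range from "+" to "?",
      // so it also matches , - . / : ; < = > and the digits
      if (! /^[|a-zA-Z.0-9 :"'+-?]+$/.test(tag)) {
          // Allow only trusted characters inside angular expressions
          return {
            get(s) {
               return undefined;
            },
         };
      }
      // Compile the filtered tag into an evaluator
      const expr = expressions.compile(tag);
      return {
         get(scope, context) {
            // Merge the parent scopes so that outer values are reachable
            let obj = {};
            const scopeList = context.scopeList;
            const num = context.num;
            for (let i = 0, len = num + 1; i < len; i++) {
                obj = merge(obj, scopeList[i]);
            }
            return expr(scope, obj);
         },
      };
   }

   doc.setOptions({parser: angularParser})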
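
Before deploying either fix, it helps to know whether the installed angular-expressions version is patched and which existing template tags the character allow-list would start returning undefined for. The following is an added example, not code from docxtemplater or angular-expressions; it reuses the regex from the workaround unchanged, and the function names and sample tags are constructed for illustration.

```javascript
// Allow-list regex and quote normalization copied from the workaround above.
const ALLOWED = /^[|a-zA-Z.0-9 :"'+-?]+$/;
const QUOTES = /(’|“|”|‘)/g;

// Mirrors the workaround's decision: true if the tag would reach compile().
function isAccepted(tag) {
  if (tag === ".") return true;
  return ALLOWED.test(tag.replace(QUOTES, "'"));
}

// Lists the distinct characters that make the workaround reject a tag.
function rejectedChars(tag) {
  const bad = new Set();
  for (const ch of tag.replace(QUOTES, "'")) {
    if (!ALLOWED.test(ch)) bad.add(ch);
  }
  return [...bad];
}

// True if the version is 1.0.1 or later (the patched release named above).
// Unparseable strings and 1.0.1 pre-releases are treated as unpatched.
function isPatched(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version.trim());
  if (!m) return false;
  const got = m.slice(1, 4).map(Number);
  const fixed = [1, 0, 1];
  for (let i = 0; i < 3; i++) {
    if (got[i] !== fixed[i]) return got[i] > fixed[i];
  }
  return !m[4];
}

// Constructed sample tags, as they might appear in existing templates.
const sampleTags = [
  "user.name",
  'price | currency:"EUR"',
  "a >= b",          // accepted: "+-?" is a range that includes < = >
  "items[0].name",   // rejected: brackets
  "total(a, b)",     // rejected: parentheses
  "first_name",      // rejected: underscore
];

function auditTags(tags) {
  return tags.map((tag) => ({ tag, accepted: isAccepted(tag), rejected: rejectedChars(tag) }));
}

console.log(auditTags(sampleTags));
console.log("1.0.0 patched?", isPatched("1.0.0"), "| 1.0.1 patched?", isPatched("1.0.1"));
```

Tags reported as rejected will silently render as undefined once the workaround is active, so templates that use them need to be rewritten or the dependency upgraded instead.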

References

Angular Expressions advisory

For more information

If you have any questions or comments about this advisory:

Credits

The vulnerability was found and reported by Maxime Nadeau from GoSecure, Inc.
