Impact
The vulnerability, reported by GoSecure Inc, allows Remote Code Execution, if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input.
- If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput).
- If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.
Patches
Users should upgrade to version 1.0.1 of angular-expressions
Workarounds
A temporary workaround might be either to :
- disable user-controlled input that will be fed into angular-expressions in your application
OR
- allow only following characters in the userControlledInput :
if (/^[|a-zA-Z.0-9 :"'+-?]+$/.test(userControlledInput)) {
var result = expressions.compile(userControlledInput);
}
else {
result = undefined;
}References
Removal of angular-expression sandbox
For more information
If you have any questions or comments about this advisory:
Credits
The issue was reported by Maxime Nadeau from GoSecure, Inc.
Impact
The vulnerability, reported by GoSecure Inc, allows Remote Code Execution, if you call
expressions.compile(userControlledInput)whereuserControlledInputis text that comes from user input.Patches
Users should upgrade to version 1.0.1 of angular-expressions
Workarounds
A temporary workaround might be either to :
OR
References
Removal of angular-expression sandbox
For more information
If you have any questions or comments about this advisory:
Credits
The issue was reported by Maxime Nadeau from GoSecure, Inc.