arbitrary code execution when formating json #63

hundan2020 · 2019-06-26T03:36:43Z

poc:

(function(){confirm(1)})()

when the web with single js content, it may result code execution. (it shouldn't be executed when broswe a single js file without any html tag).

I discovered the insecure code in https://github.com/zxlie/FeHelper/blob/master/apps/json-format/automatic.js , line 199 to line 206

additionally, I understand the code is compatibilized for bad json content like {a:1}, but as a result, it's insecure.

The text was updated successfully, but these errors were encountered:

zxlie · 2019-06-26T03:44:33Z

非常感谢你的反馈！不过，这个工具是用来进行JSON格式化的，如果本身就不是一个JSON，再好的工具其实也没法格式化出来。如果工具需要升级的话，也是在格式化之前，做一个JSON合法性校验。

hundan2020 · 2019-06-26T06:19:32Z

i got your point, and there is some supplementary explanation

the first poc i sent was executed manually, in fact, i mean, the code will execute automaticly , look at this new poc

{
    "a":(function(){
        confirm(1)
    })()
}

now i open the chrome extension, you can see the source code, and the code was executed.

zxlie · 2019-06-26T06:39:59Z

Got ~ 我做个兼容吧

zxlie · 2019-06-26T06:45:08Z

Btw：这种情况，应该用这个工具更加合适：https://www.baidufe.com/fehelper/codebeautify.html

OS-WS · 2021-01-03T08:14:10Z

Hi, is there a fix for CVE-2019-12966?
If so, in what commit?

thanks in advance!

Provide feedback