-
-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix type checking vul in ctorName #31
Conversation
I think this check could still be defeated by doing:
The problem is the reliance on the constructor.name variable. It's not trusted. |
Thanks for the comments. |
@stephengcox, I'm open to recommendations and pull requests. I also appreciate the thinking and look forward to hearing your solution. However, I'm having a hard time seeing how this qualifies as a "vulnerability", and I think you're taking some creative license with the word "trusted". This seems hyperbolic. No user-defined value should ever be trusted. Potential "bug waiting to happen" seems more appropriate. Could someone cause an error? Sure, but that's a far stretch from allowing malicious code to be executed, and there are much easier and more malicious ways to cause errors. Perhaps you can clear things up for me. What is the specific scenario in which an end-user would be able to:
I am fully prepared to learn. I suppose I could just merge the PR and say "thanks", but given that this library is downloaded 200 million times every month, I tend to overanalyze every minor change, and I want to understand the types of scenarios you're describing. |
Hey Jon, thanks for the note. Perhaps "trusted" isn't the right word. What I meant was is basically what you are saying: it's a user-definable value and not a "trusted" part of the language that prevents user control. The mozilla docs on javascript mention that very point, it's not always safe to rely on it. Probably because OOP was an afterthought for Javascript much like it was in PHP and Python, but that's another discussion. 😊 I'm not an expert in javascript internals so I don't have a better suggestion. Perhaps you could develop signatures of the object types you want to match rather than relying on constructor.name but that may be brittle (although perhaps manageable with regular regression testing). Also somewhat more of an invasive change. I agree with the assessment that this could be used to bypass type checks or in information hiding style attacks where the attacker is trying to hide a payload in order to execute something like SQL injection. Also agree that @xiaofen9's fix addresses the 90% case (and it looks like your competing libraries have this issue). But given the "low level" nature of this library and it's wide usage, can't rule out cases where it could be abused in the way I described. |
@stephengcox thanks for the additional detail and for discussing with me. Ideally (for performance) we would just directly check the Perhaps we would be better off just moving up the toString.call() to this line, and get rid of the constructor check. There would be a tiny performance cost, but it might be worth it in this case. Thoughts? |
Could you override toString() in a similar way as my example, so that a malicious input object can provide whatever it wants? @xiaofen9's commit is probably fine, honestly. It covers the 90% case without a large rethink of the object matching logic. |
A lot of this is limitations of the language and not of this library, if you think about it. Should make a change that is safe and covers the vast majority of use cases. |
@jonschlinkert @stephengcox - do you have an idea when or even if, you will be able to resolve this PR for the CVE finding? |
I suggest that @jonschlinkert merge this PR and consider additional improvements on a future major release. |
Agreed, I’ll merge ASAP. Or @doowb can merge if he gets to it before me.
…Sent from my iPhone
On Jan 15, 2020, at 8:57 AM, Stephen Cox ***@***.***> wrote:
I suggest that @jonschlinkert merge this PR and consider additional improvements on a future major release.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
Thanks @jonschlinkert ! |
Merged... I'll get this published shortly. |
This repo's dependencies currently use [older versions](https://github.com/paritytech/parity-signer/blob/97651dcc2f78027aa83c3dc7834f6941e084c8a7/yarn.lock#L5138) of kind-of which have a possibly exploitable vulnerability ([original issue](jonschlinkert/kind-of#30), [PR](jonschlinkert/kind-of#31)).
This repo's dependencies currently use [older versions](https://github.com/paritytech/operationsproxy/blob/1e42f36ab60f6368f673211d53e9b887227dc11d/yarn.lock#L3521) of kind-of which have a possibly exploitable vulnerability ([original issue](jonschlinkert/kind-of#30), [PR](jonschlinkert/kind-of#31)).
This repo's dependencies currently use [older versions](https://github.com/paritytech/substrate-ui/blob/b185aad6174ee6bf2f2a68eadd84801ec2efe39d/yarn.lock#L3362) of kind-of which have a possibly exploitable vulnerability ([original issue](jonschlinkert/kind-of#30), [PR](jonschlinkert/kind-of#31)).
This repo's dependencies currently use [older versions](https://github.com/paritytech/fether/blob/3c0363079e1148ae0dc0595523905f9bee7b9a84/yarn.lock#L10218) of kind-of which have a possibly exploitable vulnerability ([original issue](jonschlinkert/kind-of#30), [PR](jonschlinkert/kind-of#31)).
* Use kind-of >=6.0.3 everywhere This repo's dependencies currently use [older versions](https://github.com/paritytech/operationsproxy/blob/1e42f36ab60f6368f673211d53e9b887227dc11d/yarn.lock#L3521) of kind-of which have a possibly exploitable vulnerability ([original issue](jonschlinkert/kind-of#30), [PR](jonschlinkert/kind-of#31)). * Update yarn.lock
* Use kind-of >=6.0.3 everywhere This repo's dependencies currently use [older versions](https://github.com/paritytech/fether/blob/3c0363079e1148ae0dc0595523905f9bee7b9a84/yarn.lock#L10218) of kind-of which have a possibly exploitable vulnerability ([original issue](jonschlinkert/kind-of#30), [PR](jonschlinkert/kind-of#31)). * Update yarn.lock
This repo's dependencies currently use [older versions](https://github.com/paritytech/parity-signer/blob/97651dcc2f78027aa83c3dc7834f6941e084c8a7/yarn.lock#L5138) of kind-of which have a possibly exploitable vulnerability ([original issue](jonschlinkert/kind-of#30), [PR](jonschlinkert/kind-of#31)).
CVE-2019-20149 jonschlinkert/kind-of#31 Signed-off-by: Jeroen Claassens <j.claassens@cgi.com>
Hmm. Interesting. GitHub just put out a warning for this package. This seems more like a bug than a vulnerability though from my point of view... |
Thanks for the response. Here is the PR that fixes the issue.
Discussion about how this might be used maliciously:
Kind-of is widely used for type checking. If developers use kind-of to check whether user-input object is in string format, the attacker can cheat kind-of into recognizing an arbitrary plain object into str type. As a result, all the built-in attributes (e.g., length) of str type can be manipulated. For example, if the manipulated user_obj.length is inserted into the DB, SQL Injection can be introduced.