🔒 security(util): XSS vulnerability

Author: kazupon

package.json

@@ -10,11 +10,10 @@
     "url": "https://github.com/kazupon/vue-i18n-extensions/issues"
   },
   "dependencies": {
-    "vm2": "^3.5.0"
   },
   "devDependencies": {
-    "@vue/server-test-utils": "^1.0.0-beta.21",
-    "@vue/test-utils": "^1.0.0-beta.21",
+    "@vue/server-test-utils": "^1.0.0-beta.29",
+    "@vue/test-utils": "^1.0.0-beta.29",
     "babel-eslint": "^8.2.5",
     "conventional-changelog-cli": "^1.2.0",
     "conventional-github-releaser": "^1.1.3",
@@ -23,11 +22,11 @@
     "git-commit-message-convention": "git://github.com/kazupon/git-commit-message-convention.git",
     "jest": "^23.4.1",
     "jest-serializer-vue": "^2.0.2",
-    "vue": "^2.4.2",
-    "vue-i18n": "^8.0.0",
+    "vue": "^2.6.8",
+    "vue-i18n": "^8.9.0",
     "vue-jest": "^2.6.0",
-    "vue-server-renderer": "^2.4.2",
-    "vue-template-compiler": "^2.4.2"
+    "vue-server-renderer": "^2.6.8",
+    "vue-template-compiler": "^2.6.8"
   },
   "engines": {
     "node": ">= 8.0"

src/index.js

@@ -44,7 +44,7 @@ function compilerModule (i18n) {
 
       const { status, value } = evaluateValue(exp)
       if (status === 'ng') {
-        warn('pre-localization with v-t support only static params')
+        warn('not support params in pre-localization')
         return
       }
 

src/util.js

@@ -1,6 +1,9 @@
-const { VM } = require('vm2')
-
-const vm = new VM()
+const stringRE = /'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|`(?:[^`\\]|\\.)*\$\{|\}(?:[^`\\]|\\.)*`|`(?:[^`\\]|\\.)*`/g
+const ecmaKeywordsRE = new RegExp('\\b' + (
+  'delete,typeof,instanceof,void,do,if,for,let,new,try,var,case,else,with,await,break,catch,class,const,' +
+  'alert,eval,super,throw,while,yield,delete,export,import,return,switch,default,' +
+  'extends,finally,continue,debugger,function,arguments'
+).split(',').join('\\b|\\b') + '\\b')
 
 function warn (msg, err) {
   if (typeof console !== 'undefined') {
@@ -40,11 +43,16 @@ function removeAttr (el, name) {
 
 function evaluateValue (expression) {
   const ret = { status: 'ng', value: undefined }
+
+  if (expression.match(ecmaKeywordsRE)) { return ret }
+  if (!expression.match(stringRE)) { return ret }
+
   try {
-    const val = vm.run(`(new Function('return ' + ${JSON.stringify(expression)}))()`)
+    const val = (new Function(`return ${expression}`))()
     ret.status = 'ok'
     ret.value = val
   } catch (e) { }
+  
   return ret
 }
 

test/module.test.js

@@ -44,7 +44,20 @@ it('not transform with dynamic params', () => {
   expect(ast.i18n).toBeFalsy()
   expect(render).toEqual(`with(this){return _c('p',{directives:[{name:"t",rawName:"v-t",value:(hello),expression:"hello"}]})}`)
   expect(errors).toEqual([])
-  expect(spy.mock.calls[0][0]).toEqual('[vue-i18n-extensions] pre-localization with v-t support only static params')
+  expect(spy.mock.calls[0][0]).toEqual('[vue-i18n-extensions] not support params in pre-localization')
+  spy.mockReset()
+  spy.mockRestore()
+})
+
+it('not support ecmascript keywords', () => {
+  const spy = jest.spyOn(global.console, 'warn')
+  spy.mockImplementation(x => x)
+  const { ast, render, errors } = compile(`<p v-t="while(true){alert('!');"></p>`, { modules: [i18nModule] })
+  expect(ast.i18n).toBeFalsy()
+  expect(render).toEqual(`with(this){return _c('p',{directives:[{name:"t",rawName:"v-t",value:(while(true){alert('!');),expression:"while(true){alert('!');"}]})}`)
+  expect(errors).toEqual([`avoid using JavaScript keyword as property name: \"while\"
+  Raw expression: v-t=\"while(true){alert('!');\"`])
+  expect(spy.mock.calls[0][0]).toEqual('[vue-i18n-extensions] not support params in pre-localization')
   spy.mockReset()
   spy.mockRestore()
 })
@@ -56,7 +69,7 @@ it('not support value warning', () => {
   expect(ast.i18n).toBeFalsy()
   expect(render).toEqual(`with(this){return _c('p',{directives:[{name:"t",rawName:"v-t",value:([1]),expression:"[1]"}]})}`)
   expect(errors).toEqual([])
-  expect(spy.mock.calls[0][0]).toEqual('[vue-i18n-extensions] not support value type')
+  expect(spy.mock.calls[0][0]).toEqual('[vue-i18n-extensions] not support params in pre-localization')
   spy.mockReset()
   spy.mockRestore()
 })
@@ -77,6 +90,6 @@ it('detect missing translation', done => {
 it('fallback custom directive', () => {
   const { ast, render, errors } = compile(`<p v-t="'foo.bar'"></p>`)
   expect(ast.i18n).toBeFalsy()
-  expect(ast.directives[0]).toEqual({ name: 't', rawName: 'v-t', value: '\'foo.bar\'', arg: null, modifiers: undefined })
+  expect(ast.directives[0]).toEqual({ "arg": null, "isDynamicArg": false, "modifiers": undefined, "name": "t", "rawName": "v-t", "value": "'foo.bar'" })
   expect(errors).toEqual([])
 })

test/utils.test.js

@@ -0,0 +1,25 @@
+const { evaluateValue } = require('../src/util')
+
+it('string literal should be evaluate', () => {
+  const { status, value } = evaluateValue(`'hello'`)
+  expect(status).toEqual('ok')
+  expect(value).toEqual('hello')
+})
+
+it('json should be evaluate', () => {
+  const { status, value } = evaluateValue(`{ path: 'named', locale: 'ja', args: { name: 'kazupon' } }`)
+  expect(status).toEqual('ok')
+  expect(value).toEqual({ path: 'named', locale: 'ja', args: { name: 'kazupon' } })
+})
+
+it('identifier should not be evaluate', () => {
+  const { status, value } = evaluateValue(`hello`)
+  expect(status).toEqual('ng')
+  expect(value).toEqual(undefined)
+})
+
+it('ecmascript keyword should not be evaluate', () => {
+  const { status, value } = evaluateValue(`'while(true){alert('!');}'`)
+  expect(status).toEqual('ng')
+  expect(value).toEqual(undefined)
+})