Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

safe-eval critical vulnerability is fixed? #10

Open
jasonkhanlar opened this issue Aug 15, 2018 · 14 comments
Open

safe-eval critical vulnerability is fixed? #10

jasonkhanlar opened this issue Aug 15, 2018 · 14 comments

Comments

@jasonkhanlar
Copy link

https://www.npmjs.com/package/safe-eval

safe-eval 0.3.0 and below are affected by a sandbox breakout vulnerability - NSP 337, CVE-2017-16088.

Version 0.4.0 fixes this vulnerability. It is highly recommended to upgrade to the latest version if you are using safe-eval for executing code not generated by yourself. Thanks @kauegimenes for the patch.

However, after installing safe-eval 0.4.1 I see this in npm audit:

+ [email protected]
added 1 package from 1 contributor and audited 513 packages in 1.604s
found 2 vulnerabilities (1 low, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details
[ryzen@ryzen cafe_loco_bot]$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Sandbox Breakout                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ safe-eval                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ safe-eval [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ safe-eval                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/337                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

https://nodesecurity.io/advisories/337
@kaue
Copy link
Contributor

kaue commented Aug 15, 2018

We problably need to notify npm about that

@CesarLanderos
Copy link

@kauegimenes is there any progress on notifying npm? we are still getting the vulnerability warning, can anyone let them know?

@CesarLanderos
Copy link

@hacksparrow ?

@hacksparrow
Copy link
Owner

@CesarLanderos there are still ways to circumvent the safety measures in safe-eval. Unfortunately, I don't have the time to come up with a solution, at the moment.

The package is very much safe to be used for evaluation code generated by yourself. It can be dangerous where the input is user-submitted/manipulated by a user.

@xinaesthete
Copy link

Hmm, seems to limit its usefulness...

@kaue
Copy link
Contributor

kaue commented Nov 16, 2018

#13

@evilpacket
Copy link

We have updated the advisory to state that 0.4.0 and later are safe related to this advisory.

@kaue
Copy link
Contributor

kaue commented Nov 16, 2018

Thanks @evilpacket =)

@ChrisCinelli
Copy link

ChrisCinelli commented Dec 29, 2018
edited
Loading

It is not fixed anymore. Why was the #13 revered and 0.4.2 never published? @hacksparrow please.

@ChrisCinelli
Copy link

It has never been fixed and will likely never been. See #16.

@xinaesthete
Copy link

I think @hacksparrow just needs to be very much clearer on what use-cases this is able to make safer, and flag very clearly in the description that user-submitted code is not one of them.

The package is very much safe to be used for evaluation code generated by yourself. It can be dangerous where the input is user-submitted/manipulated by a user.

@FINDarkside
Copy link

FINDarkside commented Jan 7, 2019
edited
Loading

I think @hacksparrow just needs to be very much clearer on what use-cases this is able to make safer, and flag very clearly in the description that user-submitted code is not one of them.

To me, it seems like there is no use case at the moment. If I can assume that the input isn't malicious, I could just feed it to eval.

@xinaesthete
Copy link

I guess if you're making something like a live-coding or visual programming app or something like that, then you could be generating code from user input with certain constraints such that you believe it is impossible to generate something unsafe and use this as a bit of an extra measure or something... but I'm clutching at straws.

@mgttt
Copy link

mgttt commented Nov 15, 2019

have you tried this damn case:

(
delete(this.constructor.constructor),delete(this.constructor),
this.constructor.constructor("return process")()
)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@evilpacket @ChrisCinelli @jasonkhanlar @xinaesthete @CesarLanderos @hacksparrow @mgttt @kaue @FINDarkside