mongo-parse
mongo-parse copied to clipboard
fresheneesz
Unsafe use of eval
In file mongoParse.js the following use of eval is dangerous:
var normalizedFunction = eval('(function() {var obj=this; return ' + query + '})');
An attacker may craft a query that may lead to code execution. I suggest either refactoring out eval, use some regular expression for validation or use a sanitization package like: https://www.npmjs.com/package/eval-sanitizer
What I should really do is switch this to use new Function, which is much safer. Really tho, if you're using this on the front end, and attacker already has full access to modifying the code, so it would only be a problem if you're running queries on the backend from external sources. Is that your use case?
I'd accept a push request for changing to new Function tho.
Ok I changed to using new Function with this: https://github.com/fresheneesz/mongo-parse/commit/155d4ae3e2cf4411779f3c3c89f0fffc2f91d275
Does this prevent the danger you were worried about?
Thanks for the fast response! I am a researcher investigating possible server side command injections. Unfortunately, your commit did not solve the problem. :( Try passing something like this:
var query = "} + eval(\'console.log(\"my ver evil stuff here\");\')//"
JavaScript is pretty crazy I know! :| I guess you need some kind of validation on the query parameter.
I see. Well adding any sort of function sanitizer directly into mongo-parse is pretty out of scope. What could make sense is adding the ability to pass in a function validator/sanitizer. I'd be willing to accept a pull request for that. Something with an API like queryObject.matches(document, validateDocument, sanitizeWhereFunctions) and parser.search(documents, query, sort, validateDocuments, sanitizeWhereFunctions).
🛠️ A fix has been provided for this issue. Please reference: https://github.com/418sec/mongo-parse/pull/1
🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.
