

Merge pull request #19 from m93a/patch-quotes
Fix security holes
joewalnes authored May 8, 2018
2 parents 218c5be + b93f3dd commit 309f37f
Showing 2 changed files with 57 additions and 9 deletions.
44 changes: 35 additions & 9 deletions filtrex.js
Expand Up @@ -49,9 +49,17 @@ function compileExpression(expression, extraFunctions /* optional */) {
function unknown(funcName) {
throw 'Unknown function: ' + funcName + '()';
}
var func = new Function('functions', 'data', 'unknown', js.join(''));

function prop(obj, name) {
return Object.prototype.hasOwnProperty.call(obj||{}, name) ? obj[name] : undefined;
}

console.log(js.join(''));

var func = new Function('functions', 'data', 'unknown', 'prop', js.join(''));

return function(data) {
return func(functions, data, unknown);
return func(functions, data, unknown, prop);
};
}

Expand Down Expand Up @@ -103,9 +111,25 @@ function filtrexParser() {

['\\s+', ''], // skip whitespace
['[0-9]+(?:\\.[0-9]+)?\\b', 'return "NUMBER";'], // 212.321
['[a-zA-Z][\\.a-zA-Z0-9_]*', 'return "SYMBOL";'], // some.Symbol22
['\'(?:[^\'])*\'', 'yytext = yytext.substr(1, yyleng-2); return "SYMBOL";'], // 'some-symbol'
['"(?:[^"])*"', 'yytext = yytext.substr(1, yyleng-2); return "STRING";'], // "foo"

['[a-zA-Z][\\.a-zA-Z0-9_]*',
`yytext = JSON.stringify(yytext);
return "SYMBOL";`
], // some.Symbol22

[`'(?:[^\'])*'`,
`yytext = JSON.stringify(
yytext.substr(1, yyleng-2)
);
return "SYMBOL";`
], // 'some-symbol'

['"(?:[^"])*"',
`yytext = JSON.stringify(
yytext.substr(1, yyleng-2)
);
return "STRING";`
], // "foo"

// End
['$', 'return "EOF";'],
Expand Down Expand Up @@ -154,11 +178,13 @@ function filtrexParser() {
['e >= e' , code(['Number(', 1, '>=', 3, ')'])],
['e ? e : e', code([1, '?', 3, ':', 5])],
['( e )' , code([2])],
['( array , e )', code(['[', 2, ',', 4, ']'])],
['NUMBER' , code([1])],
['STRING' , code(['"', 1, '"'])],
['SYMBOL' , code(['data["', 1, '"]'])],
['SYMBOL ( )', code(['(functions.hasOwnProperty("', 1, '") ? functions.', 1, '() : unknown("', 1, '"))'])],
['SYMBOL ( argsList )', code(['(functions.hasOwnProperty("', 1, '") ? functions.', 1, '(', 3, ') : unknown("', 1, '"))'])],
['STRING' , code([1])],
['SYMBOL' , code(['prop(data, ', 1, ')'])],
['SYMBOL of e', code(['prop(', 3, ',', 1, ')'])],
['SYMBOL ( )', code(['(functions.hasOwnProperty(', 1, ') ? functions[', 1, ']() : unknown(', 1, '))'])],
['SYMBOL ( argsList )', code(['(functions.hasOwnProperty(', 1, ') ? functions[', 1, '](', 3, ') : unknown(', 1, '))'])],
['e in ( inSet )', code([1, ' in (function(o) { ', 4, 'return o; })({})'])],
['e not in ( inSet )', code(['!(', 1, ' in (function(o) { ', 5, 'return o; })({}))'])],
],
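Review bot: The `in` and `not in` rules at the end of the last hunk (`e in (function(o) { … return o; })({})`) still test membership with the JS `in` operator against an object that inherits from Object.prototype, so an expression like `"toString" in ("a", "b")` evaluates true; the commit closes this prototype hole for data lookups via `prop()` but not for set membership. Seeding the set with a null-prototype object fixes it without touching the inSet code (which is outside this hunk): `code([1, ' in (function(o) { ', 4, 'return o; })(Object.create(null))'])` and `code(['!(', 1, ' in (function(o) { ', 5, 'return o; })(Object.create(null)))'])`. Relatedly, the two call rules still use `functions.hasOwnProperty(` rather than the `Object.prototype.hasOwnProperty.call(functions, ` guard that the new `prop` helper uses, so a caller-supplied function named `hasOwnProperty` would shadow the check; how `functions` is assembled is not visible in this diff. Since the generated source is still fed to `new Function`, every rule that splices a token relies on that token having gone through `JSON.stringify` in the lexer, which is worth stating in a comment above the grammar table.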
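--- a/test/filtrex-test.html
+++ b/test/filtrex-test.html
@@ -148,6 +148,28 @@
 eq(false, window.p0wned);
 },
 
+'cannot access properties of the data prototype': function() {
+eq(undefined, compileExpression('a')(Object.create({a: 42})));
+},
+
+'cannot inject single-quoted names with double quotes': function() {
+window.p0wned = false;
+let evil = compileExpression(`'"+(window.p0wned = true)+"'`);
+
+eq(31, evil({'"+(window.p0wned = true)+"': 31}));
+eq(false, window.p0wned);
+
+eq(42, compileExpression(
+"'undefined:(window.p0wned=true)));((true?(x=>x)'()",
+{'undefined:(window.p0wned=true)));((true?(x=>x)': ()=>42}
+)());
+eq(false, window.p0wned);
+},
+
+'backslash escaping': function() {
+eq('\\good', compileExpression(`"\\" + '\\'`)({'\\':'good'}));
+},
+
 });
 
 </script>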
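Review bot: The new 'cannot access properties of the data prototype' test only covers a property inherited from a user-supplied prototype; nothing exercises a built-in Object.prototype name on a plain object, which is the case the `prop` helper's own-property check exists for. Adding `eq(undefined, compileExpression('constructor')({}));` and `eq(undefined, compileExpression('toString')({}));` to that test would pin it down. A matching check for set membership, e.g. `eq(false, compileExpression('"toString" in ("a")')({}));` if the inSet grammar accepts a single string, would document whether `in` is also own-property only; given the `in` code generation in filtrex.js it would presumably fail today.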
