-
Notifications
You must be signed in to change notification settings - Fork 430
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Harden against prototype pollution #274
Comments
Hello, I don't believe this is an RCE (Remote Code Execution). These lines are local code, right?
If you could explain more, or link to the Handlebars / Pug issues, that would help. |
Hey @sayrer what you said it correct it just lead to RCE when there exist a prototype pollution something similar to |
I do not think it can lead to RCE (I also read that post). I did see this: but this was adjusting the constructor from the template itself, not lines of code above it (how do you execute those lines remotely?) |
Let say you have a application like this const express = require('express');
var hogan = require("hogan.js");
const { unflatten } = require('flat');
const bodyParser = require('body-parser');
const app = express()
const port = 3000
app.use(bodyParser.json())
var template = "my {{>example}} template.";
app.get('/', (req, res) => {
var compiled = hogan.compile(template);
res.send(compiled.render({example: 'twitterer' }))
})
app.post('/prototype',(req,res)=> {
console.log("yes")
let object = unflatten(req.body);
console.log(indent)
res.json(object);
})
app.listen(port, () => {
console.log(`Example app listening at http://localhost:${port}`)
}) package.json {
"name": "real_world",
"version": "1.0.0",
"description": "real world exploit",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^4.17.1",
"hogan.js": "^3.0.2",
"flat": "5.0.0"
}
} where "flat": "5.0.0" is vulnerable to Prototype Pollution exploit.py
In normally case Prototype Pollution wont make such effects but when it combines with Hogan.js this could lead to RCE. |
Prototype pollution is hard to completely eradicate. What's happening here is when Hogan.js combines with any other Prototype Pollution vulnerable library/piece of code it just allow attacker to gain RCE. |
I believe this analysis is flawed. The title says "leads to RCE", but the RCE is in the |
Well Flat is only vulnerable to prototype pollution and in normal case prototype pollution doesn't leads to RCE but prototype pollution are capable of pollution objects. In this case when prototype pollution combines with Hogan.js it leads to RCE by polluting |
Well @sayrer you interpreted this in wrong way. Looking into the example I shared when there is a post request to The issue is something similar to these gadget chains examples where client side prototype pollution cause XSS when used with certain library https://github.com/BlackFan/client-side-prototype-pollution#script-gadgets |
I tried this example and I'm a little confused. I can see that there's an RCE in I don't think this could be said to be an RCE in Hogan (it doesn't execute remote code, although it may execute local code put there by an RCE in another library). I am willing to harden this, but it is not an RCE in Hogan, so I'm changing the title. This will be a breaking change, since I suppose someone out there could be relying on their ability to manipulate the prototype chain with their own code, although I doubt anyone does this in actively maintained code. |
Not similar. Those libraries are vulnerable because of the way they themselves parse |
Its not like we have RCE at the first and then manipulate Hogan.js it's like we have PP and then chain with Hogan.js to gain RCE |
I think you have an incorrect definition of RCE in mind. R -> the python script All Hogan does is look up a property on the prototype chain. By your definition, any code that resolves a property up to Object.prototype is an RCE, and that does not make sense. |
Let me ask a question @sayrer who executes the code here ,Flat ? If you say it's Flat then there is no need of writing long explanation and yeah my tittle was perfect |
Hogan just don't resolves property it also execute them :) |
Concluding now Thank you |
Incorrect. It assigns to Happy to harden against this, but calling it an RCE is sensationalist nonsense. |
RCE is Remote Code Execution if you pollute some |
|
I agree with them. It's not an RCE /in Hogan/, but it can be hardened against vulnerabilities in other libraries. See: mde/ejs#601 (comment) and the following comment. |
It looks to me like calling |
Hogan.js can be chained with prototype pollution to gain Remote Code Execution as Hogan.js objects can be easily controlled.
Description:
This vulnerability is regarding https://github.com/twitter/hogan.js
The function createPartials is called whenever '<' exists in tokens .In function createPartials code generated are getting concatenated and then evaluated later.
When Prototype pollution bug exist in a application it could pollute certain variables in complier.js and hence the code generated can be controlled.In this case node.indent and context.prefix can be polluted and can be used to gain rce.
POC
To Reproduce
Steps to reproduce the behavior:
Screenshots
Additional context
For more information refer here
https://sayoojbkumar.me/blog/2021/12/15/PP-Hogan-js/
The text was updated successfully, but these errors were encountered: