
Commit 3094289

committed
fix(eval): rce using non-string prop names
ref: https://gist.github.com/nickcopi/11ba3cb4fdee6f89e02e6afae8db6456
1 parent 8e4acf8 commit 3094289

27 files changed

+166
-87
lines changed

badges/tests-badge.svg

Lines changed: 1 addition & 1 deletion

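--- a/dist/index-browser-esm.js
+++ b/dist/index-browser-esm.js
@@ -1297,8 +1297,13 @@ const SafeEval = {
 return ast.value;
 },
 evalMemberExpression(ast, subs) {
-const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
-: ast.property.name; // `object.property` property is Identifier
+const prop = String(
+// NOTE: `String(value)` throws error when
+// value has overwritten the toString method to return non-string
+// i.e. `value = {toString: () => []}`
+ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
+: ast.property.name // `object.property` property is Identifier
+);
 const obj = SafeEval.evalAst(ast.object, subs);
 if (obj === undefined || obj === null) {
 throw TypeError(`Cannot read properties of ${obj} (reading '${prop}')`);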
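Review bot: The NOTE inside the new `String(` call states the throw condition too narrowly: `String(value)` raises a TypeError only when neither `toString` nor `valueOf` yields a primitive, while a `toString` that returns a number is stringified without error. I would reword it to `// NOTE: String(value) throws a TypeError when value's toString and valueOf both return non-primitives, e.g. {toString: () => []}` and say whether that TypeError is meant to propagate to the caller. Whatever check on the property name this coercion protects sits further down in evalMemberExpression, outside the hunk, so it should be confirmed to read `prop` only after coercion, with a regression test that uses non-string computed keys. The identical change appears in dist/index-browser-umd.cjs, dist/index-node-cjs.cjs and dist/index-node-esm.js, which look like build outputs of a single source file not shown here.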

dist/index-browser-esm.min.js

Lines changed: 1 addition & 1 deletion

dist/index-browser-esm.min.js.map

Lines changed: 1 addition & 1 deletion

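--- a/dist/index-browser-umd.cjs
+++ b/dist/index-browser-umd.cjs
@@ -1303,8 +1303,13 @@
 return ast.value;
 },
 evalMemberExpression(ast, subs) {
-const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
-: ast.property.name; // `object.property` property is Identifier
+const prop = String(
+// NOTE: `String(value)` throws error when
+// value has overwritten the toString method to return non-string
+// i.e. `value = {toString: () => []}`
+ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
+: ast.property.name // `object.property` property is Identifier
+);
 const obj = SafeEval.evalAst(ast.object, subs);
 if (obj === undefined || obj === null) {
 throw TypeError(`Cannot read properties of ${obj} (reading '${prop}')`);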

dist/index-browser-umd.min.cjs

Lines changed: 1 addition & 1 deletion

dist/index-browser-umd.min.cjs.map

Lines changed: 1 addition & 1 deletion

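--- a/dist/index-node-cjs.cjs
+++ b/dist/index-node-cjs.cjs
@@ -1298,8 +1298,13 @@ const SafeEval = {
 return ast.value;
 },
 evalMemberExpression(ast, subs) {
-const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
-: ast.property.name; // `object.property` property is Identifier
+const prop = String(
+// NOTE: `String(value)` throws error when
+// value has overwritten the toString method to return non-string
+// i.e. `value = {toString: () => []}`
+ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
+: ast.property.name // `object.property` property is Identifier
+);
 const obj = SafeEval.evalAst(ast.object, subs);
 if (obj === undefined || obj === null) {
 throw TypeError(`Cannot read properties of ${obj} (reading '${prop}')`);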

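--- a/dist/index-node-esm.js
+++ b/dist/index-node-esm.js
@@ -1296,8 +1296,13 @@ const SafeEval = {
 return ast.value;
 },
 evalMemberExpression(ast, subs) {
-const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
-: ast.property.name; // `object.property` property is Identifier
+const prop = String(
+// NOTE: `String(value)` throws error when
+// value has overwritten the toString method to return non-string
+// i.e. `value = {toString: () => []}`
+ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
+: ast.property.name // `object.property` property is Identifier
+);
 const obj = SafeEval.evalAst(ast.object, subs);
 if (obj === undefined || obj === null) {
 throw TypeError(`Cannot read properties of ${obj} (reading '${prop}')`);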

docs/ts/assets/icons.js

Lines changed: 1 addition & 1 deletion

docs/ts/assets/icons.svg

Lines changed: 1 addition & 1 deletion

docs/ts/assets/main.js

Lines changed: 1 addition & 1 deletion

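--- a/docs/ts/assets/style.css
+++ b/docs/ts/assets/style.css
@@ -4,11 +4,17 @@
 --light-color-background-secondary: #eff0f1;
 --light-color-warning-text: #222;
 --light-color-background-warning: #e6e600;
---light-color-icon-background: var(--light-color-background);
 --light-color-accent: #c5c7c9;
 --light-color-active-menu-item: var(--light-color-accent);
 --light-color-text: #222;
 --light-color-text-aside: #6e6e6e;
+
+--light-color-icon-background: var(--light-color-background);
+--light-color-icon-text: var(--light-color-text);
+
+--light-color-comment-tag-text: var(--light-color-text);
+--light-color-comment-tag: var(--light-color-background);
+
 --light-color-link: #1f70c2;
 --light-color-focus-outline: #3584e4;
 
@@ -22,16 +28,17 @@
 --light-color-ts-function: #572be7;
 --light-color-ts-class: #1f70c2;
 --light-color-ts-interface: #108024;
---light-color-ts-constructor: var(--light-color-ts-class);
---light-color-ts-property: var(--light-color-ts-variable);
---light-color-ts-method: var(--light-color-ts-function);
+--light-color-ts-constructor: #4d7fff;
+--light-color-ts-property: #ff984d;
+--light-color-ts-method: #ff4db8;
+--light-color-ts-reference: #ff4d82;
 --light-color-ts-call-signature: var(--light-color-ts-method);
 --light-color-ts-index-signature: var(--light-color-ts-property);
 --light-color-ts-constructor-signature: var(--light-color-ts-constructor);
 --light-color-ts-parameter: var(--light-color-ts-variable);
 /* type literal not included as links will never be generated to it */
 --light-color-ts-type-parameter: #a55c0e;
---light-color-ts-accessor: var(--light-color-ts-property);
+--light-color-ts-accessor: #ff4d4d;
 --light-color-ts-get-signature: var(--light-color-ts-accessor);
 --light-color-ts-set-signature: var(--light-color-ts-accessor);
 --light-color-ts-type-alias: #d51270;
@@ -46,11 +53,17 @@
 --dark-color-background-secondary: #1e2024;
 --dark-color-background-warning: #bebe00;
 --dark-color-warning-text: #222;
---dark-color-icon-background: var(--dark-color-background-secondary);
 --dark-color-accent: #9096a2;
 --dark-color-active-menu-item: #5d5d6a;
 --dark-color-text: #f5f5f5;
 --dark-color-text-aside: #dddddd;
+
+--dark-color-icon-background: var(--dark-color-background-secondary);
+--dark-color-icon-text: var(--dark-color-text);
+
+--dark-color-comment-tag-text: var(--dark-color-text);
+--dark-color-comment-tag: var(--dark-color-background);
+
 --dark-color-link: #00aff4;
 --dark-color-focus-outline: #4c97f2;
 
@@ -64,16 +77,17 @@
 --dark-color-ts-function: #a280ff;
 --dark-color-ts-class: #8ac4ff;
 --dark-color-ts-interface: #6cff87;
---dark-color-ts-constructor: var(--dark-color-ts-class);
---dark-color-ts-property: var(--dark-color-ts-variable);
---dark-color-ts-method: var(--dark-color-ts-function);
+--dark-color-ts-constructor: #4d7fff;
+--dark-color-ts-property: #ff984d;
+--dark-color-ts-method: #ff4db8;
+--dark-color-ts-reference: #ff4d82;
 --dark-color-ts-call-signature: var(--dark-color-ts-method);
 --dark-color-ts-index-signature: var(--dark-color-ts-property);
 --dark-color-ts-constructor-signature: var(--dark-color-ts-constructor);
 --dark-color-ts-parameter: var(--dark-color-ts-variable);
 /* type literal not included as links will never be generated to it */
 --dark-color-ts-type-parameter: #e07d13;
---dark-color-ts-accessor: var(--dark-color-ts-property);
+--dark-color-ts-accessor: #ff4d4d;
 --dark-color-ts-get-signature: var(--dark-color-ts-accessor);
 --dark-color-ts-set-signature: var(--dark-color-ts-accessor);
 --dark-color-ts-type-alias: #ff6492;
@@ -90,15 +104,22 @@
 --color-background-secondary: var(--light-color-background-secondary);
 --color-background-warning: var(--light-color-background-warning);
 --color-warning-text: var(--light-color-warning-text);
---color-icon-background: var(--light-color-icon-background);
 --color-accent: var(--light-color-accent);
 --color-active-menu-item: var(--light-color-active-menu-item);
 --color-text: var(--light-color-text);
 --color-text-aside: var(--light-color-text-aside);
+
+--color-icon-background: var(--light-color-icon-background);
+--color-icon-text: var(--light-color-icon-text);
+
+--color-comment-tag-text: var(--light-color-text);
+--color-comment-tag: var(--light-color-background);
+
 --color-link: var(--light-color-link);
 --color-focus-outline: var(--light-color-focus-outline);
 
 --color-ts-keyword: var(--light-color-ts-keyword);
+--color-ts-project: var(--light-color-ts-project);
 --color-ts-module: var(--light-color-ts-module);
 --color-ts-namespace: var(--light-color-ts-namespace);
 --color-ts-enum: var(--light-color-ts-enum);
@@ -110,6 +131,7 @@
 --color-ts-constructor: var(--light-color-ts-constructor);
 --color-ts-property: var(--light-color-ts-property);
 --color-ts-method: var(--light-color-ts-method);
+--color-ts-reference: var(--light-color-ts-reference);
 --color-ts-call-signature: var(--light-color-ts-call-signature);
 --color-ts-index-signature: var(--light-color-ts-index-signature);
 --color-ts-constructor-signature: var(
@@ -134,15 +156,22 @@
 --color-background-secondary: var(--dark-color-background-secondary);
 --color-background-warning: var(--dark-color-background-warning);
 --color-warning-text: var(--dark-color-warning-text);
---color-icon-background: var(--dark-color-icon-background);
 --color-accent: var(--dark-color-accent);
 --color-active-menu-item: var(--dark-color-active-menu-item);
 --color-text: var(--dark-color-text);
 --color-text-aside: var(--dark-color-text-aside);
+
+--color-icon-background: var(--dark-color-icon-background);
+--color-icon-text: var(--dark-color-icon-text);
+
+--color-comment-tag-text: var(--dark-color-text);
+--color-comment-tag: var(--dark-color-background);
+
 --color-link: var(--dark-color-link);
 --color-focus-outline: var(--dark-color-focus-outline);
 
 --color-ts-keyword: var(--dark-color-ts-keyword);
+--color-ts-project: var(--dark-color-ts-project);
 --color-ts-module: var(--dark-color-ts-module);
 --color-ts-namespace: var(--dark-color-ts-namespace);
 --color-ts-enum: var(--dark-color-ts-enum);
@@ -154,6 +183,7 @@
 --color-ts-constructor: var(--dark-color-ts-constructor);
 --color-ts-property: var(--dark-color-ts-property);
 --color-ts-method: var(--dark-color-ts-method);
+--color-ts-reference: var(--dark-color-ts-reference);
 --color-ts-call-signature: var(--dark-color-ts-call-signature);
 --color-ts-index-signature: var(--dark-color-ts-index-signature);
 --color-ts-constructor-signature: var(
@@ -190,10 +220,16 @@ body {
 --color-active-menu-item: var(--light-color-active-menu-item);
 --color-text: var(--light-color-text);
 --color-text-aside: var(--light-color-text-aside);
+--color-icon-text: var(--light-color-icon-text);
+
+--color-comment-tag-text: var(--light-color-text);
+--color-comment-tag: var(--light-color-background);
+
 --color-link: var(--light-color-link);
 --color-focus-outline: var(--light-color-focus-outline);
 
 --color-ts-keyword: var(--light-color-ts-keyword);
+--color-ts-project: var(--light-color-ts-project);
 --color-ts-module: var(--light-color-ts-module);
 --color-ts-namespace: var(--light-color-ts-namespace);
 --color-ts-enum: var(--light-color-ts-enum);
@@ -205,6 +241,7 @@ body {
 --color-ts-constructor: var(--light-color-ts-constructor);
 --color-ts-property: var(--light-color-ts-property);
 --color-ts-method: var(--light-color-ts-method);
+--color-ts-reference: var(--light-color-ts-reference);
 --color-ts-call-signature: var(--light-color-ts-call-signature);
 --color-ts-index-signature: var(--light-color-ts-index-signature);
 --color-ts-constructor-signature: var(
@@ -232,10 +269,16 @@ body {
 --color-active-menu-item: var(--dark-color-active-menu-item);
 --color-text: var(--dark-color-text);
 --color-text-aside: var(--dark-color-text-aside);
+--color-icon-text: var(--dark-color-icon-text);
+
+--color-comment-tag-text: var(--dark-color-text);
+--color-comment-tag: var(--dark-color-background);
+
 --color-link: var(--dark-color-link);
 --color-focus-outline: var(--dark-color-focus-outline);
 
 --color-ts-keyword: var(--dark-color-ts-keyword);
+--color-ts-project: var(--dark-color-ts-project);
 --color-ts-module: var(--dark-color-ts-module);
 --color-ts-namespace: var(--dark-color-ts-namespace);
 --color-ts-enum: var(--dark-color-ts-enum);
@@ -247,6 +290,7 @@ body {
 --color-ts-constructor: var(--dark-color-ts-constructor);
 --color-ts-property: var(--dark-color-ts-property);
 --color-ts-method: var(--dark-color-ts-method);
+--color-ts-reference: var(--dark-color-ts-reference);
 --color-ts-call-signature: var(--dark-color-ts-call-signature);
 --color-ts-index-signature: var(--dark-color-ts-index-signature);
 --color-ts-constructor-signature: var(
@@ -439,7 +483,6 @@ pre {
 
 pre {
 position: relative;
-white-space: pre;
 white-space: pre-wrap;
 word-wrap: break-word;
 padding: 10px;
@@ -860,17 +903,19 @@ a.tsd-index-link {
 margin-bottom: 0.75rem;
 }
 
+.tsd-no-select {
+-webkit-user-select: none;
+-moz-user-select: none;
+-ms-user-select: none;
+user-select: none;
+}
 .tsd-kind-icon {
 margin-right: 0.5rem;
 width: 1.25rem;
 height: 1.25rem;
 min-width: 1.25rem;
 min-height: 1.25rem;
 }
-.tsd-kind-icon path {
-transform-origin: center;
-transform: scale(1.1);
-}
 .tsd-signature > .tsd-kind-icon {
 margin-right: 0.8rem;
 }
@@ -1242,6 +1287,9 @@ img {
 .tsd-kind-method {
 color: var(--color-ts-method);
 }
+.tsd-kind-reference {
+color: var(--color-ts-reference);
+}
 .tsd-kind-call-signature {
 color: var(--color-ts-call-signature);
 }
@@ -1254,9 +1302,6 @@ img {
 .tsd-kind-parameter {
 color: var(--color-ts-parameter);
 }
-.tsd-kind-type-literal {
-color: var(--color-ts-type-literal);
-}
 .tsd-kind-type-parameter {
 color: var(--color-ts-type-parameter);
 }
@@ -1435,7 +1480,7 @@ img {
 }
 
 .site-menu {
-margin-top: 1rem 0;
+margin-top: 1rem;
 }
 
 .page-menu,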
