
[🐸 Frogbot] Upgrade express-fileupload to 1.1.9 #4

Open
wants to merge 1 commit into
base: master
Conversation

github-actions[bot]

🚨 This automated pull request was created by Frogbot and fixes the below:

📦 Vulnerable Dependencies

✍️ Summary

| Severity | Contextual Analysis | Direct Dependencies | Impacted Dependency | Fixed Versions | CVEs |
|---|---|---|---|---|---|
| Critical | Applicable | express-fileupload:1.1.7-alpha.4 | express-fileupload 1.1.7-alpha.4 | [1.1.9] | CVE-2020-7699 |

🔬 Research Details

Description:
express-fileupload is a popular Node.js express middleware package which enables high-level file upload processing in Node.js server-side code.

Attackers can exploit the package by sending a crafted file upload packet with a filename that pollutes the Object prototype. If the fileUpload() function is called with the parseNested option set, the processNested() function is invoked. This function breaks the submitted data into key-value pairs and performs assignment based on the resulting values. The code does not check for assignment to values outside of the intended scope. The attacker can exploit this by passing keys under the __proto__ namespace, for example passing __proto__.toString as the key and a random string as the value will cause a denial of service due to unexpected object type (string instead of function). The public exploit uses the ejs package to elevate the impact to code execution, by polluting the outputFunctionName option, which is evaluated as code and allows for JS code injection.

The original exploit was published in a blog. The package's maintainers issued two patches: the first addressed the precise issue as reported in the blog, and the second addressed a wider possibility for exploitation.
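To show why unchecked key expansion reaches the prototype, here is an added example (not code from express-fileupload or Frogbot) that models parseNested with a simplified dotted-key syntax, side by side with a hardened version that rejects prototype-related segments and builds null-prototype objects. The function names, the dotted-key syntax and the sample fields are assumptions for illustration.

```javascript
// Added example, not express-fileupload or Frogbot code; names are illustrative assumptions.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe: follows each dotted segment without checking where it leads. On a plain object
// "__proto__" resolves to Object.prototype, so the final assignment lands on the shared prototype.
function unsafeNest(fields) {
  const out = {};
  for (const [path, value] of Object.entries(fields)) {
    const parts = path.split('.');
    let cur = out;
    for (let i = 0; i < parts.length - 1; i += 1) {
      if (cur[parts[i]] === undefined) cur[parts[i]] = {};
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened: rejects prototype-related segments and builds null-prototype objects,
// so no assignment can reach a prototype chain.
function safeNest(fields) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(fields)) {
    const parts = path.split('.');
    if (parts.some((p) => FORBIDDEN_KEYS.has(p))) {
      throw new Error(`rejected unsafe key path: ${path}`);
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i += 1) {
      if (!Object.prototype.hasOwnProperty.call(cur, parts[i])) cur[parts[i]] = Object.create(null);
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Constructed sample shaped like the advisory's attack, but with a benign marker
// key instead of toString so the demonstration does not break the runtime.
const CRAFTED_FIELDS = { 'user.name': 'alice', '__proto__.polluted': 'yes' };

// Runs one expansion and reports what a fresh, unrelated object sees afterwards.
function demonstrate(nest) {
  let outcome;
  try { nest(CRAFTED_FIELDS); outcome = 'accepted'; } catch (err) { outcome = 'rejected'; }
  const leaked = {}.polluted; // defined only if Object.prototype was polluted
  delete Object.prototype.polluted; // undo any pollution before returning
  return { outcome, leaked };
}
```

Calling Object.freeze(Object.prototype) at startup, as the remediation suggests, makes the unsafe assignment a no-op (or a TypeError in strict mode) even when the key check is missing.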

Remediation:

Development mitigations

1. Do not use express-fileupload with the parseNested option set.

2. Call Object.freeze(Object.prototype) before using express-fileupload.

3. Strictly validate the schema of any JSON used as input to this package to prevent possible attacks:

```js
const Ajv = require('ajv');
// ajv-formats supplies the "email" format; Ajv v8 rejects unknown formats at compile time.
const addFormats = require('ajv-formats');

const schema = {
  type: 'object',
  properties: {
    name: { type: 'string' },
    age: { type: 'number', minimum: 18 },
    email: { type: 'string', format: 'email' },
  },
  required: ['name', 'age', 'email'],
  // Reject any key not declared above, so keys such as "__proto__" never reach the application.
  additionalProperties: false,
};

const ajv = new Ajv({ strict: true });
addFormats(ajv);
const validate = ajv.compile(schema);

// Constructed sample input; the address is a placeholder value.
const jsonData = '{ "name": "John Doe", "age": 25, "email": "john.doe@example.com" }';
const json = JSON.parse(jsonData);

const valid = validate(json);

if (valid) {
  console.log('JSON input is valid according to the schema');
} else {
  console.log('JSON input is invalid according to the schema');
  console.log(validate.errors);
}
```
