Version Information
Server Version: Latest (Master)
CLI Version: Latest (Master)
Environment
OSS
What is the current behaviour?
The actions-codegen service in cli-ext uses eval() to execute template logic fetched from remote URLs or local file systems. Specifically, in cli-ext/src/services/actions-codegen/template.js, the functions resolveCodegeneratorFromUrl and resolveCodegeneratorFromFs fetch code and execute it directly.
const resolveCodegeneratorFromUrl = async (url) => {
  // ...
  const codegeneratorText = await fetchResp.text();
  eval(`${codegeneratorText} codegenerator = templater`);
  return codegenerator;
};
What is the expected behaviour?
Code execution should be performed in a secure, sandboxed environment to prevent arbitrary code execution on the user's machine. Untrusted input from external URLs should never be passed directly to eval().
How to reproduce the issue?
- Use a Hasura CLI version that utilizes cli-ext.
- Configure an action codegen pointing to a malicious URL in codegenConfig.uri.
- Run the codegen command.
- The malicious code from the URL will be executed on the developer's local machine via eval().
Any possible solutions/workarounds you're aware of?
Consider replacing eval() with a more secure alternative:
- Use Node.js built-in vm module to create a restricted sandbox for executing the template logic.
- Implement a non-executable template format (like Mustache or Handlebars) if full JS flexibility isn't strictly required.
- If JS is necessary, use a library like vm2 (though it has its own history of vulnerabilities) or better, the newer isolated-vm for stronger isolation.
Keywords
RCE, Security, eval, actions-codegen
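Added example (not part of the original issue and not Hasura's code): a sketch of the non-executable template option listed under the workarounds, in which fetched template text is only scanned for placeholders and never evaluated. The function names, the Mustache-like `{{#each}}` syntax and the sample action data are assumptions made for illustration.

```javascript
// Added example: logic-less rendering. Fetched template text is treated as
// data and scanned for placeholders; nothing in it is ever evaluated.
// renderTemplate, lookup and the {{#each}} syntax are hypothetical names.

// Resolve "a.b.c" through own properties only, so a template cannot reach
// inherited members such as constructor or __proto__.
function lookup(data, path) {
  let cur = data;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

function renderTemplate(text, data) {
  // One pass over the template: substituted values are not rescanned, so
  // placeholder syntax inside the data stays literal. No nested {{#each}}.
  const token = /\{\{#each ([\w.]+)\}\}([\s\S]*?)\{\{\/each\}\}|\{\{([\w.]+)\}\}/g;
  return text.replace(token, (_, listPath, body, varPath) => {
    if (listPath !== undefined) {
      const list = lookup(data, listPath);
      if (!Array.isArray(list)) return '';
      return list.map((item) => renderTemplate(body, { ...data, this: item })).join('');
    }
    const value = lookup(data, varPath);
    if (value === undefined || value === null) return '';
    if (typeof value === 'object' || typeof value === 'function') {
      throw new TypeError(`placeholder ${varPath} is not a scalar`);
    }
    return String(value); // values are stringified, never called
  });
}

// Constructed sample input: what a remote template file could contain.
const sampleTemplate =
  '// handler for {{actionName}}\n' +
  '{{#each args}}const {{this.name}} = req.body.input.{{this.name}};\n{{/each}}';
const sampleData = { actionName: 'addUser', args: [{ name: 'email' }, { name: 'age' }] };

console.log(renderTemplate(sampleTemplate, sampleData));
```

JavaScript statements placed in such a template come out as literal text in the generated file, so the CLI process never runs them.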