Skip to content

Fix possible code execution in (already unsafe) load() #480

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 5, 2019
Merged

Fix possible code execution in (already unsafe) load() #480

merged 1 commit into from
Apr 5, 2019
+58 −2

Conversation

@rlidwka
Copy link
Member

@rlidwka rlidwka commented Apr 5, 2019

Object with executable toString() property when used as a map key will execute that function.

This happens only for load(), which should not be used with untrusted data anyway. safeLoad() is not affected because it can't parse functions.

Example:

$ cat test.yaml
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1

$ ./bin/js-yaml.js ./test.yaml 
{
  "1553107949161": 1
}

After this PR it would return [object Object] as if toString wasn't there.

Dates are not affected, and if you for whatever reason are using custom types as keys (which is not supported very well), you can change internal class with Symbol.toStringTag bypassing added validation check.

@rlidwka
Fix possible code execution in (already unsafe) load()
e18afbf 
... when object with executable toString() property is used as a map key
@rlidwka rlidwka marked this pull request as ready for review April 5, 2019 15:55
@puzrin puzrin merged commit b2f9e88 into master Apr 5, 2019
@ddillard
Copy link

ddillard commented Apr 8, 2019

Is anyone getting a CVE for this issue? If not, I can do it.

HDVinnie added a commit to HDInnovations/UNIT3D that referenced this pull request Apr 16, 2019
@HDVinnie
(Security Fix) js-yaml npm audit 🔐
b4e49c5 
- https://www.npmjs.com/advisories/813
- nodeca/js-yaml#480
- no CVE at time of publish
This was referenced Apr 30, 2019
Closed
Closed
This was referenced May 4, 2019
Closed
Closed
Open
Open
Open
Open
Open
@greenkeeper greenkeeper bot mentioned this pull request May 5, 2019
Closed
This was referenced May 5, 2019
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
This was referenced May 31, 2024
Open
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this pull request Jun 16, 2024
Open
Open
Open
This was referenced Nov 15, 2024
Closed
Open
Closed
Open
Closed
Open
This was referenced Dec 3, 2024
Closed
Closed
This was referenced Jan 12, 2025
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
This was referenced Jan 29, 2025
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@danklut danklut danklut left review comments

@viccastro0916 viccastro0916 viccastro0916 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@rlidwka @ddillard @danklut @viccastro0916 @puzrin