Fixed code execution vulnerability due to Object coercion

refs GHSA-jqv5-7xpx-qj74 fixes TryGhost/Toolbox#491 - when you call `ToString()` on `Napi::Value`, it calls `napi_coerce_to_string` underneath, which has the ability to run arbitrary JS code if the passed in value is a crafted object - both remote code execution or denial-of-service are possible via this vulnerability - `toString()` on an Object returns `[object Object]` so instead of calling the function, we're going to hardcode it to prevent this issue Credits: Dave McDaniel of Cisco Talos
TryGhost · Mar 13, 2023 · edb1934 · edb1934 · cesarkohl · Mar 16, 2023
1 parent 3a48888
commit edb1934
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/src/statement.cc b/src/statement.cc
@@ -208,7 +208,7 @@ template <class T> Values::Field*
         return new Values::Float(pos, source.ToNumber().DoubleValue());
     }
     else if (source.IsObject()) {
-        Napi::String napiVal = source.ToString();
+        Napi::String napiVal = Napi::String::New(source.Env(), "[object Object]");
         // Check whether toString returned a value that is not undefined.
         if(napiVal.Type() == 0) {
             return NULL;

diff --git a/test/other_objects.test.js b/test/other_objects.test.js
@@ -95,4 +95,20 @@ describe('data types', function() {
         });
     });
 
+    it('should ignore faulty toString in array', function(done) {
+        const faulty = [[{toString: null}], 1];
+        db.all('SELECT * FROM txt_table WHERE txt = ? LIMIT ?', faulty, function (err) {
+            assert.equal(err, null);
+            done();
+        });
+    });
+
+    it('should ignore faulty toString set to function', function(done) {
+        const faulty = [[{toString: function () {console.log('oh no');}}], 1];
+        db.all('SELECT * FROM txt_table WHERE txt = ? LIMIT ?', faulty, function (err) {
+            assert.equal(err, undefined);
+            done();
+        });
+    });
+
 });