GHSA-4jg2-84c2-pj95

Source

https://github.com/advisories/GHSA-4jg2-84c2-pj95

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-4jg2-84c2-pj95/GHSA-4jg2-84c2-pj95.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4jg2-84c2-pj95

Aliases

CVE-2023-23619

Related

CVE-2023-23619

Published

2021-09-21T18:41:59Z

Modified

2023-11-08T04:11:41.364862Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina

Details

Impact

Anyone who is using the default presets and/or does not handle the functionality themself.

Patches

It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue.

Further similar situations are NOT seen as a security issue, but intended behavior.

Workarounds

Fully custom presets that change the entire rendering process which can then escape the user input.

For more information

Even though that I changed all the presets here, the vulnerability is still present throughout. I am using a JSON Schema here for simplicity.

const jsonSchemaDoc = {
  $id: 'CustomClass',
  type: 'object',
  properties: {
      'property: any; \n constructor(){console.log("injected")} \n private _temp': { type: 'string' },
  }
};
generator = new TypeScriptGenerator(
  { 
    presets: [
      {
        class: {
            property({ propertyName, content }) {
              return `private ${propertyName}: any;`;
            },
            ctor() {
              return '';
            },
            getter() {
              return '';
            },
            setter() {
              return '';
            }
        }
      }
    ]
  }
);
const inputModel = await generator.process(jsonSchemaDoc);

This would render

export class CustomClass {
  private property: any; 
   constructor(){console.log("injected")} 
   private _temp: any;
  private additionalProperties: any;
}

Database specific

{
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "github_reviewed_at": "2021-09-21T16:14:04Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ]
}

References

Affected packages

npm / @asyncapi/modelina

Package

Name: @asyncapi/modelina; View open source insights on deps.dev
Purl: pkg:npm/%40asyncapi/modelina

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.0