mangalam-research/wed

vulnerability in merge-options

lddubeau opened this issue · 0 comments

wed 2.x and earlier use a version of merge-options which allows modifying the prototype of Object.

That's a problem for scenarios where options passed to wed come from an untrusted source. The untrusted source could inject malicious code.

However, by default, wed does not include options from untrusted sources and none of its usage examples do. A few observations:

  1. If the settings come from the same source as wed itself, then merge-options is not an additional vector. If the source that serves wed is evil, then whatever it could do through merge-options, it could also do by serving an altered wed.

  2. Modes do set options on wed but, again, merge-options is not an additional vector here. If you do not trust a mode or the source providing it, then you cannot use it safely. If the mode or its source are evil, then whatever they could do through merge-options, they could also do without it.

Assuming Alice trusts Bob but not Charlie, the security issues arise when Alice loads any part of wed or wed's configuration from Charlie's server.

(For us at Mangalam, all our deployments get all of wed, modes, configurations from the same server. No issue there.)

wed 3.x won't suffer from this vulnerability. It is being developed now and was already using a newer version of merge-options, which does not have this vulnerability, even before this issue came to my attention.
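As an added illustration of the class of bug described above (this is example code, not code from wed or from merge-options), the block below shows the shape of recursive "deep merge" that lets a key supplied by an untrusted source reach `Object.prototype`, next to a merge that refuses such keys. The option names (`mode`, `readOnly`) and the "untrusted" JSON payload are constructed for the demonstration and do not correspond to wed's real configuration.

```javascript
// Added example, not wed's or merge-options' code. It contrasts a deep merge
// that walks into any key the source supplies with one that refuses keys that
// lead to the prototype chain. Payload and option names are constructed.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable shape: recurses into whatever key the source names. On a plain
// object, target["__proto__"] resolves to Object.prototype, so the recursion
// writes the attacker's keys onto every object in the program.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened shape: skip the keys that reach the prototype chain and only
// recurse into properties the target itself owns, never inherited ones.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed "untrusted" options as they would arrive as JSON from another
// origin. JSON.parse creates an own property literally named "__proto__",
// which is exactly what the naive merge then walks into.
const UNTRUSTED_OPTIONS_JSON =
  '{"mode":{"name":"x"},"__proto__":{"pollutedByExample":true}}';

// True when a fresh, unrelated object inherits the injected key.
function isPolluted() {
  return ({}).pollutedByExample === true;
}

// Runs one merge against constructed defaults and reports whether the global
// prototype was polluted, undoing the pollution afterwards so the rest of
// the process is unaffected.
function runDemo(merge) {
  const defaults = { mode: { name: "default" }, readOnly: false };
  let polluted;
  try {
    merge(defaults, JSON.parse(UNTRUSTED_OPTIONS_JSON));
    polluted = isPolluted();
  } finally {
    delete Object.prototype.pollutedByExample;
  }
  return { polluted, modeName: defaults.mode.name };
}

console.log("naiveMerge:", runDemo(naiveMerge)); // polluted: true
console.log("safeMerge: ", runDemo(safeMerge));  // polluted: false
```

Both merges apply the legitimate `mode.name` override; only the hardened one leaves `Object.prototype` untouched. The same key filter is the check to look for in any merge, extend, or deep-assign helper that receives data from a server other than the one serving the application itself.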