Example vulnerable code (but there are more):
>> Function("function foo(){ return 1}; ()=>{}breakhere")
Thrown:
SyntaxError: Unexpected token "breakhere" in runtime:1
at Function.prototype.constructor (native)
at main (shell:1)
>> foo
[Function]
>> foo()
Segmentation fault
This segmentation fault happens because the parser does not revert to its old state when a SyntaxError occurs.
Line causing problems:
https://github.com/nginx/njs/blob/master/src/njs_function.c#L936
@patryk4815
Thanks for the report, it will be fixed.
As I said earlier, we do not consider such bugs as vulnerabilities.
This may not fall under your threat model, but even though it's unlikely, users may write code that would make this bug triggerable, and so it may pose a security risk.
While this is not a real-world example, @patryk4815 created a CTF (security competition) challenge based on the previous bug from #367 on https://2020.justctf.team/challenges/7 (writeups can be found at https://ctftime.org/task/14643).
Since we don't expect users to do something like this, I think it would be great to describe it in the documentation, so at least there is a warning about it.
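As an added regression check (not njs project code, and not part of this thread), the following JavaScript reproduces the shape of the report: it feeds `Function()` a source that contains a valid declaration followed by a syntax error, then verifies that the constructor threw a `SyntaxError` and that the declared name did not leak into the global scope, which is the state the transcript above shows (`foo` resolving to `[Function]` after the failed call). The helper names `checkNoLeakAfterSyntaxError`, `CASES` and `runAll` are my own; in a conforming engine every case reports `ok: true`.

```javascript
// Added regression check, not njs code: after Function() rejects a source with
// a SyntaxError, nothing declared inside that source may remain reachable, and
// so no later call can reach a half-built function.
function checkNoLeakAfterSyntaxError(source, leakedName) {
  let threw = false;
  try {
    Function(source);
  } catch (e) {
    // Only a SyntaxError counts; any other error means the parser got further
    // than it should have.
    threw = e instanceof SyntaxError;
  }
  // globalThis stands in for the shell's global scope seen in the report.
  const leaked = typeof globalThis[leakedName] !== "undefined";
  return { threw, leaked, ok: threw && !leaked };
}

// Constructed inputs modelled on the report: a complete declaration, then a
// token that invalidates the whole source.
const CASES = [
  { src: "function foo(){ return 1}; ()=>{}breakhere", name: "foo" },
  { src: "function bar(){ return 2}; var x = ;", name: "bar" },
];

// Runs every case and returns one result per case for inspection.
function runAll() {
  return CASES.map((c) => ({ name: c.name, ...checkNoLeakAfterSyntaxError(c.src, c.name) }));
}
```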