Security issue - underscore-min.js Lodash Script?

Question

Security issue - underscore-min.js Lodash Script?

AlAyoub opened this issue 3 years ago · comments

Hi,

My scanner is picking up a vulnerability from underscore It appears the issue is that underscore is using a lodash script in underscore-min.js. Is that correct? Can anyone confirm?

There was a PR that fixed the issue in 4.17.21.
https://github.com/lodash/lodash/pull/5085/files

Julian Gonggrijp · Answer 1 · Sat Feb 27 2021 19:13:33 GMT+0800 (China Standard Time)

Hi @AlAyoub, thanks for reaching out. Underscore does not depend on Lodash; to the contrary, Lodash is a fork of Underscore. You are probably dealing with a file named underscore-min.js that actually contains an old version of Lodash.

I'll close this ticket now, but please feel free to continue discussion if you feel the need.

Julian Gonggrijp · Answer 2 · Mon Mar 01 2021 03:25:21 GMT+0800 (China Standard Time)

@AlAyoub thanks for getting back here.

This appears to be a security vulnerability that Lodash inherited from Underscore, and for some reason the vulnerability was only reported to Lodash and not to Underscore. That's what you get with forks.

Anyway, it appears the issue does indeed also apply to Underscore. I'll fix this with high priority.

Julian Gonggrijp · Answer 3 · Mon Mar 01 2021 03:53:36 GMT+0800 (China Standard Time)

Hang on. _.template allows arbitrary code injection anyway, since that's how the template function is implemented. The first argument (the template itself) is supposed to contain JavaScript code. Validating the second argument is not going to prevent code injection, since whoever submits the second argument is also submitting the first argument (the template and the variable name have to be coordinated). I'll investigate further.

Julian Gonggrijp · Answer 4 · Mon Mar 01 2021 04:51:41 GMT+0800 (China Standard Time)

@AlAyoub I was able to confirm that the vulnerability does not, in fact, apply to Underscore. See #2912.

Underscore will pass the variable option to the Function constructor as an argument name. This ensures that the name is validated. Lodash doesn't do this, so they needed a fix.

Could you tell me the name of your scanner, preferably with a link to their website, so I can contact the maintainers about this false alarm?

Julian Gonggrijp · Answer 5 · Tue Mar 02 2021 01:03:29 GMT+0800 (China Standard Time)

@AlAyoub thank you for bringing this to our attention. Had it been a true alarm, we wouldn't have known about it without you (or at least not as soon).

Alan Ayoub · Answer 6 · Wed Mar 03 2021 23:18:35 GMT+0800 (China Standard Time)

@jgonggrijp - confirmed that this is a false alarm. Thank you again for acting fast, I appreciate it!

Julian Gonggrijp · Answer 7 · Thu Mar 04 2021 02:00:23 GMT+0800 (China Standard Time)

Thanks for wrapping up, @AlAyoub !

Julian Gonggrijp · Answer 8 · Mon Mar 15 2021 18:17:04 GMT+0800 (China Standard Time)

@AlAyoub While the Lodash CVE doesn't apply to Underscore, it turns out that there was in fact a security leak in _.template. I just published versions 1.12.1 and 1.13.0-2, which fix it. See also #2915.