Remove RCE-vulnerable JavaScript engine (CWE-94)#182
FYI, there's a maintained fork here: https://github.com/11ty/gray-matter. Already adopted by Eleventy and Docusaurus (see facebook/docusaurus#12181). v2 removed the js engine by default; see also facebook/docusaurus#12181 (comment).
Thanks for the update, @slorber! I'm glad to see that the community took this RCE vulnerability seriously and acted so quickly to mitigate it. It's awesome that Eleventy and Docusaurus are already adopting the secure v2 fork to protect millions of users. Thanks again for keeping me in the loop and for driving the adoption of the secure version across major projects! 🚀
Description:
This PR removes the javascript engine from lib/engines.js. The current implementation uses eval(), allowing for Remote Code Execution (RCE) by default.
The Vulnerability:
gray-matter automatically identifies the engine from the delimiter (e.g., ---javascript). Since the javascript engine is registered in the core library, an attacker can execute arbitrary system commands simply by providing a malicious string to the matter() function—even with zero configuration from the developer.
Proof of Concept (PoC):
Impact:
Any application using gray-matter to parse user-supplied content is vulnerable to full system compromise. This is a critical security flaw (CWE-94: Improper Control of Generation of Code).
Proposed Changes:
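Added example (not code from this PR or from gray-matter itself) of the delimiter-based engine selection the description refers to, and of a fail-closed check a consuming application can run before a string reaches matter(). The default "---" delimiter, the "js" alias for the javascript engine, and the parse()/stringify() shape of options.engines entries are assumptions.

```javascript
// Added example, not gray-matter's own code. It mirrors the delimiter-based
// language detection described in the PR (opening "---" followed by an
// optional engine name, e.g. "---javascript") so a consumer can fail closed
// before any string reaches matter(). Assumed: the default "---" delimiter,
// the engine names "javascript" and its "js" alias, and that options.engines
// entries are objects with parse()/stringify().

const DELIMITER = '---';
// Engines that evaluate front matter as code: always refused.
const CODE_ENGINES = new Set(['javascript', 'js']);
// Engines that only deserialize data (assumed allowlist for this example);
// '' is the bare delimiter, which gray-matter maps to its default yaml engine.
const DATA_ENGINES = new Set(['', 'yaml', 'yml', 'json']);

// Return the engine name requested on the opening delimiter line, '' when the
// delimiter carries no name, or null when the text has no front matter at all.
function detectLanguage(str) {
  const firstLine = str.split(/\r?\n/, 1)[0];
  if (!firstLine.startsWith(DELIMITER)) return null;
  return firstLine.slice(DELIMITER.length).trim().toLowerCase();
}

// Classify a document before parsing. Anything that is not a known
// data-only engine is rejected, so a new alias cannot slip through.
function checkFrontMatter(str) {
  const language = detectLanguage(str);
  if (language === null) return { ok: true, language, reason: 'no front matter' };
  if (CODE_ENGINES.has(language)) return { ok: false, language, reason: 'code-executing engine' };
  if (!DATA_ENGINES.has(language)) return { ok: false, language, reason: 'unknown engine' };
  return { ok: true, language, reason: 'data engine' };
}

// Defence in depth for callers still on a version that ships the engine:
// an engine object that throws instead of evaluating, passed as
// options.engines so the built-in entry is shadowed.
function refusingEngine(name) {
  const refuse = () => { throw new Error(`front matter engine "${name}" is disabled`); };
  return { parse: refuse, stringify: refuse };
}
const safeEngines = { javascript: refusingEngine('javascript'), js: refusingEngine('js') };

// Intended call order for a consumer (doc is any untrusted string):
// if (checkFrontMatter(doc).ok) matter(doc, { engines: safeEngines });
```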