Comments (9)
I've reported the vulnerability to Snyk, which can also assign CVE numbers.
from escodegen.
GitHub only accept[s] security advisories from the repo maintainers themselves, but you can file for a CVE which [they] will pick up on after publication.
https://www.cve.org/ResourcesSupport/ReportRequest
That said, if this is a documented feature, please think through what you're proposing.
There's a library we use which supports a thing like this and it's documented as such, we're now stuck explaining that it's totally reasonable for a library to have a function that allows executing code and it's up to consumers to be intelligent about whether or not they allow users (or attackers) to send content to such functions.
@jsoref This is not a documentation issue. This can have potential security implications for people that use the library, since if they don't know about this it can lead to a vulnerability.
And as for AST, this is broken AST; you should not be allowed to put JavaScript code as a string in any way. raw is one place where this is problematic, but the library should handle this.
In my library, I've had a similar issue, and I've marked the version as vulnerable because the user could not know that he needs to sanitize the input before processing it with the library. And this is not a documentation issue: in my library I've disabled the feature that enabled the same thing by the attacker, and now I have a section about security saying that to enable one feature the user needs to sanitize his input.
And about applying for a CVE, I once wanted to report a CVE and it was a complex process; that's why it's great that GitHub helps with creating one. My last vulnerability in my own library I needed to report to NPM, and because there was no CVE I often didn't get credit as the person that found it.
> That said, if this is a documented feature, please think through what you're proposing.

So you don't know if this is documented or not? I've never found documentation that explains this. Also, this project has no documentation for AST. It doesn't even say what AST it is. I personally use Esprima syntax, which is never mentioned in the project.
I'm not affiliated with any of this. I ran across your help request on github.community.
The repository README clearly says (Line 75 in 7a48a21):

> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"

The code seems to be quite related to esprima, https://github.com/estools/escodegen/search?q=esprima
Offhand, it feels like https://docs.esprima.org/en/3.1/syntax-tree-format.html is "documentation" for the tree format.
Anyway, based on what I see, minus the lack of documentation, the `raw` appears to be a way to raw include things. If you want something else, it feels like this isn't what you want to use. (It doesn't look like a `<pre>` html tag.)
AFAIK every open-source license is provided as is without any warranties.
And `raw` is the only way to use template literals. It seems it's documented:
https://docs.esprima.org/en/3.1/syntax-tree-format.html#tagged-template-expression
I usually just use Esprima to generate AST for the code I need, and then put that AST into my code to get the JavaScript. Template literals have only "raw" and "cooked" properties, but "cooked" doesn't work, so only raw can be used. But raw is not as is; it's the part of the string between expressions. So if you have:
`foo ${bar} baz`
You have 3 Nodes; the first and third have property "raw": "foo " and "raw": " baz".
You can see the output AST using AST Explorer.
If anyone is interested, you only need to escape the string before you pass it to escodegen.

```javascript
// Escape every "${" so escodegen emits it as literal text inside the
// template literal's raw part instead of starting an expression.
function escape_quote(str) {
    return str.replace(/\$\{/g, '\\${');
}
```
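As an added example (my code, not escodegen's or the commenters'), here is a minimal stand-in for how a generator copies `value.raw` verbatim, as the thread above describes, beside the escaping the last comment proposes; it goes beyond that comment by also escaping backslashes and backticks. The names `generateTemplateLiteral`, `generateExpression`, `escapeRaw` and `buildTemplate` are assumed, and the untrusted sample string is constructed.

```javascript
// Added example, not escodegen's code: a minimal stand-in for how an ESTree
// code generator emits a TemplateLiteral. Like escodegen it copies each
// TemplateElement's `value.raw` verbatim, so untrusted text in `raw` can
// smuggle in a `${...}` expression.
function generateTemplateLiteral(node) {
  if (node.type !== 'TemplateLiteral') throw new TypeError('expected TemplateLiteral');
  let out = '`';
  node.quasis.forEach((quasi, i) => {
    out += quasi.value.raw; // copied as-is, no escaping
    if (i < node.expressions.length) {
      out += '${' + generateExpression(node.expressions[i]) + '}';
    }
  });
  return out + '`';
}

// Only the expression kinds this example needs (hypothetical subset).
function generateExpression(node) {
  switch (node.type) {
    case 'Identifier': return node.name;
    case 'Literal': return JSON.stringify(node.value);
    default: throw new TypeError('unsupported expression ' + node.type);
  }
}

// Escape untrusted text before storing it in `value.raw`. The comment above
// only escapes `${`; this also escapes backslashes and backticks, the other
// two sequences that can end or alter a template literal's raw text.
function escapeRaw(str) {
  return str.replace(/\\/g, '\\\\').replace(/`/g, '\\`').replace(/\$\{/g, '\\${');
}

// AST for `foo ${bar} baz` in Esprima/ESTree shape, with `untrusted` (a
// constructed sample) as the tail element's raw text; `cooked` is shape only.
function buildTemplate(untrusted, escape) {
  const tail = escape ? escapeRaw(untrusted) : untrusted;
  return {
    type: 'TemplateLiteral',
    expressions: [{ type: 'Identifier', name: 'bar' }],
    quasis: [
      { type: 'TemplateElement', value: { raw: 'foo ', cooked: 'foo ' }, tail: false },
      { type: 'TemplateElement', value: { raw: tail, cooked: untrusted }, tail: true },
    ],
  };
}

const sample = ' baz ${1 + 1}';
const unsafe = generateTemplateLiteral(buildTemplate(sample, false)); // expression is emitted live
const safe = generateTemplateLiteral(buildTemplate(sample, true));    // emitted as literal text
```

Compare `unsafe` and `safe`: the first contains a second live `${...}` that the consumer never wrote, the second carries the sample text as an escaped literal.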