Wrap noevil into vm

(and let its infinite loop error bubble up)
shawnsnyk · Jan 24, 2018 · d4dd5b3 · d4dd5b3
1 parent 62b905b
commit d4dd5b3
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 6 deletions.
diff --git a/data/datacreator.js b/data/datacreator.js
@@ -606,10 +606,10 @@ function createChallenges () {
   models.Challenge.create({
     name: 'Remote Code Execution',
     category: 'Deserialization',
-    description: 'Perform a (DoS-like) Remote Code Execution that would occupy the server for over 2 seconds. (The <em>NoSQL Injection Tier 1</em> challenge does not qualify for this)',
+    description: 'Perform a Remote Code Execution that would keep a less hardened application busy forever.',
     difficulty: 5,
     hint: addHint('The feature you need to exploit for this challenge is not directly advertised anywhere.'),
-    hintUrl: addHint('https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/deserialization.html#perform-a-dos-like-remote-code-execution-that-would-occupy-the-server-for-over-2-seconds'),
+    hintUrl: addHint('https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/deserialization.html#perform-a-remote-code-execution-that-would-keep-a-less-hardened-application-busy-forever'),
     solved: false
   }).then(challenge => {
     challenges.rceChallenge = challenge

diff --git a/ftp/suspicious_errors.yml b/ftp/suspicious_errors.yml
@@ -13,5 +13,6 @@ detection:
         - 'File names cannot contain forward slashes'
         - 'Unrecognized target URL for redirect: *'
         - 'B2B customer complaints via file upload have been deprecated for security reasons'
+        - 'Infinite loop detected'
     condition: keywords
 level: low
diff --git a/routes/b2bOrder.js b/routes/b2bOrder.js
@@ -1,17 +1,21 @@
 const utils = require('../lib/utils')
 const insecurity = require('../lib/insecurity')
 const safeEval = require('notevil')
+const vm = require('vm')
 const challenges = require('../data/datacache').challenges
 
 exports = module.exports = function b2bOrder () {
-  return (req, res) => {
+  return (req, res, next) => {
     const orderLinesData = req.body.orderLinesData || []
     orderLinesData.forEach(orderLineData => {
       try {
-        safeEval(orderLineData)
+        const sandbox = { safeEval, orderLineData }
+        vm.createContext(sandbox)
+        vm.runInContext('safeEval(orderLineData)', sandbox, { timeout: 2000 })
       } catch (err) {
         if (utils.notSolved(challenges.rceChallenge) && err.message === 'Infinite loop detected - reached max iterations') {
           utils.solve(challenges.rceChallenge)
+          next(err)
         }
       }
     })

diff --git a/test/api/b2bOrderSpec.js b/test/api/b2bOrderSpec.js
@@ -7,14 +7,17 @@ const API_URL = 'http://localhost:3000/b2b/v2/orders'
 const authHeader = { 'Authorization': 'Bearer ' + insecurity.authorize(), 'content-type': 'application/json' }
 
 describe('/b2b/v2/orders', () => {
-  it('POST endless loop exploit in "orderLinesData" is possible but request still comes back', done => {
+  it('POST endless loop exploit in "orderLinesData" will raise explicit error', done => {
     frisby.post(API_URL, {
       headers: authHeader,
       body: {
         orderLinesData: ['(function dos() { while(true); })()']
       }
     })
-      .expect('status', 200)
+      .expect('status', 500)
+      .expect('header', 'content-type', /text\/html/)
+      .expect('bodyContains', '<h1>Juice Shop (Express ~')
+      .expect('bodyContains', 'Infinite loop detected - reached max iterations')
       .done(done)
   })