alf.nu / @steike

RCE via 'dustjs-helpers'

dust.js is a simple "templating" (string interpolation) library for JavaScript. dustjs-helpers adds useful tags like @if.

Here's an example of how it might be used:

template
{@if cond="'{name}'.length && '{foo}'.length"}
  Hello, {name}! Have a {foo}.
{:else}
  Try again.
{/if}

That might look like a JavaScript expression with string interpolation inside it... which it is. It's also recommended usage. Here's the documentation for the @if helper:

dust-helpers.js (emphasis added)

That last comment may not be unconditionally true.

Try it
// `template` is the @if template above; `inline()` is the page's helper that
// returns the editable input/output fields shown inline. dust.compile() returns
// JavaScript source, which is eval()'d to register the template as 'test'.
eval(dust.compile(template, 'test'));

function test() {
  dust.render(
    'test',
    { name: inline().value,    // user-controlled value for {name}
      foo : inline().value },  // user-controlled value for {foo}
    function(_, s) {
      // Rendered output
      inline().value = s;
    });
}

// Hijack eval() to show what happens: every string handed to eval(), including
// the expression the @if helper builds from cond, is displayed before it runs
eval = function(eval) { return function(s) {
  inline().value = s;
  return eval(s);
}}(eval);

Spoilers: The "default escaping" is HTML &entity; encoding. \ is not an HTML metacharacter. Try this.

Vendor response

2014-09-17: Reviewed some internal code that was written according to the documentation.

2014-09-17: Emailed security@linkedin.com.

2014-09-17: Response: We will look into it right away.

2014-11-04: dustjs-helpers 1.4 released. No fix.

2014-11-20: dustjs-helpers 1.5 released. Still no fix, but @if is marked as "deprecated".

Complaints to @steike