VDB
KO
MEDIUM 6.4

GHSA-rj44-gpjc-29r7

[thi.ng/egf] Potential arbitrary code execution of `#gpg`-tagged property values

Details

### Impact

Potential for arbitrary code execution in `#gpg`-tagged property values (only if `decrypt: true` option is enabled)

### Patches

[A fix](https://github.com/thi-ng/umbrella/commit/3e14765d6bfd8006742c9e7860bc7d58ae94dfa5) has already been released as v0.4.0

### Workarounds

By default, EGF parse functions do NOT attempt to decrypt values (since GPG is only available in non-browser env).

However, if GPG encrypted values are used/required:

1. Perform a regex search for `#gpg`-tagged values in the EGF source file/string and check for backtick (\`) chars in the encrypted value string 2. Replace/remove them or skip parsing if present...

### References

https://github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7#advisory-comment-65261

### For more information

If you have any questions or comments about this advisory, please open an issue in the [thi.ng/umbrella repo](https://github.com/thi-ng/umbrella/issues), of which this package is part of.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @thi.ng/egf
Introduced in: 0 Fixed in: 0.4.0
Fix npm install @thi.ng/egf@0.4.0

References