GHSA-rj44-gpjc-29r7
[thi.ng/egf] Potential arbitrary code execution of `#gpg`-tagged property values
상세
### Impact
Potential for arbitrary code execution in `#gpg`-tagged property values (only if `decrypt: true` option is enabled)
### Patches
[A fix](https://github.com/thi-ng/umbrella/commit/3e14765d6bfd8006742c9e7860bc7d58ae94dfa5) has already been released as v0.4.0
### Workarounds
By default, EGF parse functions do NOT attempt to decrypt values (since GPG is only available in non-browser env).
However, if GPG encrypted values are used/required:
1. Perform a regex search for `#gpg`-tagged values in the EGF source file/string and check for backtick (\`) chars in the encrypted value string 2. Replace/remove them or skip parsing if present...
### References
https://github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7#advisory-comment-65261
### For more information
If you have any questions or comments about this advisory, please open an issue in the [thi.ng/umbrella repo](https://github.com/thi-ng/umbrella/issues), of which this package is part of.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2021-21412 [ADVISORY]
- https://github.com/thi-ng/umbrella/commit/88f61656e5f5cfba960013b8133186389efaf243 [WEB]
- https://github.com/thi-ng/umbrella/blob/develop/packages/egf/CHANGELOG.md#040-2021-03-27 [WEB]
- https://www.npmjs.com/package/@thi.ng/egf [WEB]