Code Injection in storybookjs/telejson


Reported on

Mar 26th 2021

✍️ Description

telejson is a library for teleporting rich data to another place.

The telejson.reviver() which is used to parse string data back to json structure can be abused to execute arbitrary code when the lazyEval option is set to false (i.e., disabled). The root cause is the attackers can purposely inject a bracket at the end of the function property (invoking IIFE), that may be stringified by telejson.replacer() or telejson.stringify(). Even worse, despite the default value of lazyEval option is set to true for telejson.parse(), the telejson.reviver() have that vaule as false by default.

🕵️‍♂️ Proof of Concept

// PoC.js
str = '{"fn":"_function_fn|function () {require(\'child_process\').exec(\'touch HACKED\');}()"}';
JSON.parse(str, telejson.reviver({}), 2);

After running node PoC.js, the file HACKED can be illegally created.

💥 Impact

This vulnerability is capable of executing arbitrary js codes or by the use of package child_process to execute any OS commands.


to join this conversation