Description: Fixed code execution vulnerability due to Object coercion
 - when you call `ToString()` on `Napi::Value`, it calls
   `napi_coerce_to_string` underneath, which has the ability to run
   arbitrary JS code if the passed in value is a crafted object
 - both remote code execution and denial-of-service are possible via
   this vulnerability
 - `toString()` on an Object returns `[object Object]` so instead of
   calling the function, we're going to hardcode it to prevent this
   issue
 .
 Credits: Dave McDaniel of Cisco Talos
Author: Daniel Lockyer <hi@daniellockyer.com>
Origin: upstream, https://github.com/TryGhost/node-sqlite3/commit/edb1934d
Bug: https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-jqv5-7xpx-qj74
Forwarded: not-needed
Applied-Upstream: version 5.1.5, commit edb1934d
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2023-03-14

--- a/src/statement.cc
+++ b/src/statement.cc
@@ -210,7 +210,7 @@
         return new Values::Float(pos, source.ToNumber().DoubleValue());
     }
     else if (source.IsObject()) {
-        Napi::String napiVal = source.ToString();
+        Napi::String napiVal = Napi::String::New(source.Env(), "[object Object]");
         // Check whether toString returned a value that is not undefined.
         if(napiVal.Type() == 0) {
             return NULL;
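Review bot: The `napiVal.Type() == 0` check and the comment above it are left stale by this change: `Napi::String::New` always yields a string, so the `return NULL` branch can no longer be taken (assuming 0 is `napi_undefined`, as the comment implies). I would drop the check, or at least replace the comment with `// Objects are bound as the fixed text "[object Object]"; a user-supplied toString() is never invoked (GHSA-jqv5-7xpx-qj74).` That wording also records that any value reaching this branch is now bound as that literal rather than its own string form, which callers passing objects with a meaningful `toString` will notice. The enclosing function starts and ends outside the hunk.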
--- a/test/other_objects.test.js
+++ b/test/other_objects.test.js
@@ -95,4 +95,20 @@
         });
     });
 
+    it('should ignore faulty toString in array', function(done) {
+        const faulty = [[{toString: null}], 1];
+        db.all('SELECT * FROM txt_table WHERE txt = ? LIMIT ?', faulty, function (err) {
+            assert.equal(err, null);
+            done();
+        });
+    });
+
+    it('should ignore faulty toString set to function', function(done) {
+        const faulty = [[{toString: function () {console.log('oh no');}}], 1];
+        db.all('SELECT * FROM txt_table WHERE txt = ? LIMIT ?', faulty, function (err) {
+            assert.equal(err, undefined);
+            done();
+        });
+    });
+
 });
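Review bot: Neither new test proves that the crafted `toString` is left uncalled; both only check `err`, and in the second test a call would merely print 'oh no' and the test would still pass. Record the call and assert on it: `let called = false;`, `toString: function () { called = true; }`, and `assert.equal(called, false);` in the callback before `done()`. The two tests also compare `err` against `null` in one case and `undefined` in the other using the loose `assert.equal`, which treats them alike; using the same expected value in both would read more clearly.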
