Description: avoid cross-realm object access
Author: Jack Works <jackworks@protonmail.com>
Bug: https://security-tracker.debian.org/tracker/CVE-2023-28154
Bug-Debian: https://bugs.debian.org/1032904
Forwarded: not-needed
Applied-Upstream: 5.76.0, commit:4b4ca3bb
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2023-03-14

--- a/lib/Parser.js
+++ b/lib/Parser.js
@@ -2335,11 +2335,20 @@
 			if (value && webpackCommentRegExp.test(value)) {
 				// try compile only if webpack options comment is present
 				try {
-					const val = vm.runInNewContext(`(function(){return {${value}};})()`);
-					Object.assign(options, val);
+					for (let [key, val] of Object.entries(
+						vm.runInNewContext(`(function(){return {${value}};})()`)
+					)) {
+						if (typeof val === "object" && val !== null) {
+							if (val.constructor.name === "RegExp") val = new RegExp(val);
+							else val = JSON.parse(JSON.stringify(val));
+						}
+						options[key] = val;
+					}
 				} catch (e) {
-					e.comment = comment;
-					errors.push(e);
+					const newErr = new Error(String(e.message));
+					newErr.stack = String(e.stack);
+					Object.assign(newErr, { comment });
+					errors.push(newErr);
 				}
 			}
 		}
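Review bot: The copy loop only normalises values for which `typeof val === "object"`, so a function returned from the `vm.runInNewContext` call still reaches `options[key] = val` as an object belonging to the other realm. Since the stated aim of the patch is that no foreign-realm object leaves this block, callables should be dropped or rejected before the assignment, for example `if (typeof val === "function") continue;`. The RegExp branch also decides on `val.constructor.name`, a property read from the foreign object itself. A short comment there should say that the value is always rebuilt with the host `RegExp` or round-tripped through JSON, whatever that check saw. The enclosing function starts and ends outside the hunk.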
--- a/lib/dependencies/ImportParserPlugin.js
+++ b/lib/dependencies/ImportParserPlugin.js
@@ -127,7 +127,7 @@
 				if (importOptions.webpackInclude !== undefined) {
 					if (
 						!importOptions.webpackInclude ||
-						importOptions.webpackInclude.constructor.name !== "RegExp"
+						!(importOptions.webpackInclude instanceof RegExp)
 					) {
 						parser.state.module.warnings.push(
 							new UnsupportedFeatureWarning(
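Review bot: `instanceof RegExp` here, and in the matching `webpackExclude` check in the next hunk, is only true for regexps created in the host realm. These checks therefore depend on the loop in lib/Parser.js having rebuilt every value with the host `RegExp`, and nothing in the visible lines states that coupling. I would add a comment above each check such as `// magic-comment values are re-created in the host realm by the parser, so instanceof is reliable here`. The same assumption covers the direct assignments `include = importOptions.webpackInclude;` and `exclude = importOptions.webpackExclude;` in the later hunks, which no longer copy the value. The enclosing block continues outside the hunk.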
@@ -137,13 +137,13 @@
 							)
 						);
 					} else {
-						include = new RegExp(importOptions.webpackInclude);
+						include = importOptions.webpackInclude;
 					}
 				}
 				if (importOptions.webpackExclude !== undefined) {
 					if (
 						!importOptions.webpackExclude ||
-						importOptions.webpackExclude.constructor.name !== "RegExp"
+						!(importOptions.webpackExclude instanceof RegExp)
 					) {
 						parser.state.module.warnings.push(
 							new UnsupportedFeatureWarning(
@@ -153,7 +153,7 @@
 							)
 						);
 					} else {
-						exclude = new RegExp(importOptions.webpackExclude);
+						exclude = importOptions.webpackExclude;
 					}
 				}
 			}
