Impact
Potential for arbitrary code execution in #gpg-tagged property values (only if the decrypt: true option is enabled)
Patches
A fix has already been released as v0.4.0
Workarounds
By default, EGF parse functions do NOT attempt to decrypt values (since GPG is only available in non-browser environments).
However, if GPG-encrypted values are used/required:
- Perform a regex search for #gpg-tagged values in the EGF source file/string and check for backtick (`) chars in the encrypted value string
- Replace/remove them or skip parsing if present
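One way to implement the workaround above, as an added example (not code from the advisory or from @thi.ng/egf, and assuming EGF's line-oriented `key -> #gpg <value>` syntax):

```javascript
// Added example, not code from the advisory or from @thi.ng/egf.
// Assumption: EGF is line-oriented and a tagged value is written as
// `key -> #gpg <value>`, so everything after the #gpg tag up to the end of
// the line is taken as the encrypted value string.
const GPG_TAG = /#gpg\b\s*(.*)$/;

// Returns every #gpg-tagged value containing a backtick, with its 1-based
// line number: the values the advisory's workaround says to replace/remove.
function findUnsafeGpgValues(src) {
  const hits = [];
  src.split(/\r?\n/).forEach((line, i) => {
    const m = GPG_TAG.exec(line);
    if (m && m[1].includes("`")) hits.push({ line: i + 1, value: m[1].trim() });
  });
  return hits;
}

// "Skip parsing" variant: call this on the source before an EGF parse with
// decrypt: true; throws if any tagged value contains a backtick.
function assertSafeForDecrypt(src) {
  const bad = findUnsafeGpgValues(src);
  if (bad.length > 0) {
    const where = bad.map((h) => "line " + h.line).join(", ");
    throw new Error("refusing to decrypt: backtick in #gpg value at " + where);
  }
  return src;
}

// "Replace/remove" variant: strips backticks from tagged values only, leaving
// all other lines untouched (line endings are normalised to \n).
function stripBackticksFromGpgValues(src) {
  return src
    .split(/\r?\n/)
    .map((line) => {
      const m = GPG_TAG.exec(line);
      return m ? line.slice(0, m.index) + "#gpg " + m[1].replace(/`/g, "") : line;
    })
    .join("\n");
}

// Constructed sample graph: one well-formed tagged value, one with backticks.
const SAMPLE = [
  "alice",
  "\tname -> Alice",
  "\tsecret -> #gpg -----BEGIN PGP MESSAGE-----hQEMA...-----END PGP MESSAGE-----",
  "bob",
  "\tsecret -> #gpg -----BEGIN PGP MESSAGE-----`not-a-key`-----END PGP MESSAGE-----",
].join("\n");
```

Run `assertSafeForDecrypt(src)` (or pass `stripBackticksFromGpgValues(src)` instead of `src`) immediately before the parse call that enables decrypt: true.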
References
https://github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7#advisory-comment-65261
For more information
If you have any questions or comments about this advisory, please open an issue in the thi.ng/umbrella repo, of which this package is a part.