(This was previously reported as vega/vega-lite#9469, but I was asked to file it here instead.)
The `filter` property of a vega-lite `select` parameter exposes the browser's `Window` object via `event.view`, allowing arbitrary code to be executed via `scale(event.view.setTimeout, '[code payload here]')`.
This is related to #3027. It is distinct from GHSA-4vq7-882g-wcg4 and is not fixed by ab371a0 as `scale$2` only checks if a scale is registered when the scale is specified as a string; if a function is passed to `scale()` then it is invoked unconditionally.
The following example reproduces the issue:
https://vega.github.io/editor/#/url/vega-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
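The dispatch gap described in the report, as an added example that is not part of the original issue and not Vega's source: a simplified model in which only string arguments are checked against a registry, next to one possible hardening that applies the same check to function arguments. All names (`registered`, `makeScale`, `scaleUnchecked`, `scaleChecked`, `hostFn`) are hypothetical, and `hostFn` is a constructed stand-in for a host function reachable from expression scope.

```javascript
// Simplified model of the behaviour the report describes; not Vega's code.
// Every identifier below is hypothetical and chosen for illustration.

const registered = new WeakSet();            // functions produced by the scale factory

function makeScale(factor) {
  const s = (v) => v * factor;               // stand-in for a real scale function
  registered.add(s);
  return s;
}

const ctx = { scales: { x: { value: makeScale(2) } } };
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// As reported: the registry check runs only when the scale is named by a string.
function scaleUnchecked(nameOrFn, value) {
  if (typeof nameOrFn === 'function') return nameOrFn(value);   // invoked unconditionally
  const entry = typeof nameOrFn === 'string' && own(ctx.scales, nameOrFn)
    ? ctx.scales[nameOrFn] : undefined;
  return entry && registered.has(entry.value) ? entry.value(value) : undefined;
}

// Hardened: resolve the argument to a function first, then apply one
// registry check that covers both the string path and the function path.
function scaleChecked(nameOrFn, value) {
  let fn;
  if (typeof nameOrFn === 'function') {
    fn = nameOrFn;
  } else if (typeof nameOrFn === 'string' && own(ctx.scales, nameOrFn)) {
    fn = ctx.scales[nameOrFn].value;
  }
  return typeof fn === 'function' && registered.has(fn) ? fn(value) : undefined;
}

// Constructed stand-in for a host function; it only records its argument.
const calls = [];
const hostFn = (arg) => { calls.push(arg); return 'called'; };
```

A regression test for a fix of this kind should cover both argument kinds: a registered scale passed by name and by reference must still work, and an unregistered function must return `undefined` without being called.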