XSS in transform filter

[nename0]

This was found during the hxp ctf.

Credit

@cgvwzq and his writeup

• Describe how to reproduce the bug / the goal of the feature request:
  Paste the below JSON in the Vega Editor.
  Working demo.
  You will see a '1' alert dialog.
  To my understanding you should not be able to run arbitrary JS using vega-lite json, should you?
• Provide an example spec in JSON, wrapped by triple backticks like this:

{
  "data": {
    "values": [{}]
  },
  "transform": [
    {"filter": "(0//1/)-'\\\n,alert(1))))//'"}
  ],
  "mark": "bar"
}

[domoritz]

Thank you for the report and the simple reproduction. I am moving this issue to Vega.

[domoritz]

Repro without Vega-Lite: Open the Chart in the Vega Editor

[jheer]

Here is a reproduction in Vega proper:

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "data": [
    {
      "name": "data",
      "values": [{}],
      "transform": [
        {"type": "filter", "expr": "(0//1/)-'\\\n,alert(1))))//'"}
      ]
    }
  ]
}

[cgvwzq]

I found this in a black-box manner, but I guess the issue should be in https://github.com/vega/vega-expression?

The parser sees a 0 divided by a regexp, while JS treats it as a 0 followed by a comment. Since the resulting parsed expression is passed to eval, we have arbitrary code execution.

[domoritz]

The issue also exists in Vega 2.

{
  "data": [
    {
      "name": "data",
      "values": [{}],
      "transform": [
        {"type": "filter", "test": "(0//1/)-'\\\n,alert(1))))//'"}
      ]
    }
  ]
}

(try at https://vega.github.io/vega-editor/?mode=vega)

[jheer]

The error stemmed from the removal of comments from our parser, which opened the door to seeing "division by a regexp" instead. PR #3019 updates the parser to instead throw when a single-line comment // is encountered, which is the intended design.