Skip to content

Processing untrusted theming resources might execute arbitrary code (ACE)

High
matz3 published GHSA-3crj-w4f5-gwh4 Jan 29, 2021

Package

npm less-openui5 (npm)

Affected versions

<= 0.9.0

Patched versions

0.10.0

Description

Impact

When processing theming resources (i.e. *.less files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process.

While this is a feature of the Less.js library, it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development.

Especially in the context of UI5 Tooling, which relies on less-openui5, this poses a security threat:

An attacker might create a library or theme-library containing a custom control or theme, hiding malicious JavaScript code in one of the .less files.

This is an example of inline JavaScript in a Less file:

.rule {
	@var: `(function(){console.log('Hello from JavaScript'); process.exit(1);})()`;
	color: @var;
}

Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses a fork of Less.js v1.6.3.

Note that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it:

.rule {
	@var: "`(function(){console.log('Hello from JavaScript'); process.exit(1);})()`";
	color: @var;
}

Patches

We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork.

This fix is available in less-openui5 version v0.10.0

Workarounds

Only process trusted theming resources.

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-21316

Weaknesses

No CWEs