fix: replace scripting pattern blacklist with allowlist (CVE-2025-4318)#1198

Merged
soberm merged 5 commits into
mainfrom
phandpau/fix/cve-2025-4318-bypass
Jun 26, 2026

Conversation

@bobbor bobbor commented Jun 19, 2026

Member

Summary

Replaces the filterScriptingPatterns regex blacklist with a strict allowlist in escapePropertyValue. The blacklist was trivially bypassed via indirect eval (0,eval)(...) — the regex /eval\s*\(/i requires eval directly before ( but indirect eval puts ) between them.

Fix

escapePropertyValue now only permits strings matching valid JS identifiers or dot-notation paths:

/^[a-zA-Z_$][a-zA-Z0-9_$]*(\.[a-zA-Z_$][a-zA-Z0-9_$]*)*$/

This rejects ALL expression forms (parens, brackets, template literals, etc.) rather than trying to enumerate dangerous patterns.

Testing

  • All 585 existing tests pass
  • Added security-specific tests covering the bypass payload and other injection vectors

References

@bobbor bobbor requested a review from a team as a code owner June 19, 2026 20:36
bobbor added 4 commits June 19, 2026 20:52
Event bindings become direct JSX expressions (onClick={value}), so dot-paths
like document.cookie would access browser globals at runtime. Restrict to
simple identifier regex (no dots) for event binding values.
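The contrast between the bypassed blacklist and the allowlist described in the PR summary, together with the stricter identifier-only rule from the commit message above, as an added example (not code from the codegen-ui-react project). The `escapePropertyValue` helper here is a hypothetical model of the behaviour the PR describes, the `eventBinding` option is an assumption, and the sample inputs are constructed; the two regexes are the ones quoted on the page.

```javascript
// Added example, not the project's code. Shows why a deny-list regex misses
// the indirect-eval form quoted in the PR, and how the allowlist rejects every
// expression form instead of enumerating dangerous ones.

// Blacklist pattern quoted in the PR: only matches "eval" directly before "(".
const BLACKLIST = [/eval\s*\(/i];

// Allowlist from the PR: a JS identifier or a dot-notation path.
const IDENTIFIER_OR_PATH = /^[a-zA-Z_$][a-zA-Z0-9_$]*(\.[a-zA-Z_$][a-zA-Z0-9_$]*)*$/;

// Stricter rule from the follow-up commit for event bindings: no dots, so a
// value can never resolve to a browser global like document.cookie at runtime.
const SIMPLE_IDENTIFIER = /^[a-zA-Z_$][a-zA-Z0-9_$]*$/;

// Blacklist approach: a value passes if no denied pattern matches it.
function blacklistAllows(value) {
  return !BLACKLIST.some((re) => re.test(value));
}

// Allowlist approach: a value passes only if it matches the permitted grammar.
// `eventBinding` is an assumed option selecting the identifier-only rule.
function allowlistAllows(value, { eventBinding = false } = {}) {
  const grammar = eventBinding ? SIMPLE_IDENTIFIER : IDENTIFIER_OR_PATH;
  return grammar.test(value);
}

// Hypothetical helper modelled on the PR's description of escapePropertyValue:
// anything outside the allowlist is rejected outright rather than sanitized.
function escapePropertyValue(value, options) {
  if (typeof value !== 'string' || !allowlistAllows(value, options)) {
    throw new Error(`Rejected property value: ${JSON.stringify(value)}`);
  }
  return value;
}

// Constructed sample inputs: two legitimate values, the bypass payload from
// the PR, and other expression forms the allowlist is meant to exclude.
const SAMPLES = [
  'user.profile.name',
  '$state',
  'eval(x)',
  '(0,eval)(x)',
  'a[0]',
  '`${x}`',
  'document.cookie',
];

// Returns one row per sample showing how each policy treats it.
function compare(values = SAMPLES) {
  return values.map((v) => ({
    value: v,
    blacklist: blacklistAllows(v),
    allowlist: allowlistAllows(v),
    eventBinding: allowlistAllows(v, { eventBinding: true }),
  }));
}

for (const row of compare()) {
  console.log(row);
}
```

Running the block prints one row per sample: the blacklist lets `(0,eval)(x)`, `a[0]` and the template literal through because none of them contain `eval(`, while the allowlist admits only `user.profile.name`, `$state` and `document.cookie`, and the event-binding rule admits only `$state`.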
@codecov-commenter


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.90%. Comparing base (ce2c72d) to head (0bda826).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1198      +/-   ##
==========================================
+ Coverage   93.87%   93.90%   +0.02%     
==========================================
  Files         150      150              
  Lines        6127     6137      +10     
  Branches     1838     1841       +3     
==========================================
+ Hits         5752     5763      +11     
+ Misses        357      356       -1     
  Partials       18       18              
Files with missing lines                                   Coverage   Δ
...egen-ui-react/lib/react-component-render-helper.ts     92.22%    <100.00%> (+0.08%) ⬆️
packages/codegen-ui-react/lib/workflow/events.ts           97.05%    <100.00%> (+4.20%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
@soberm soberm merged commit a04b816 into main Jun 26, 2026
20 of 23 checks passed
@soberm soberm deleted the phandpau/fix/cve-2025-4318-bypass branch June 26, 2026 08:38