Fixed Function constructor template injection.

xeioex · xeioex · commit 111beead5b1d · 2025-06-02T17:42:47.000-07:00
The Function constructor uses a `(function(<args>) {<body>})` template to construct new functions. This approach was vulnerable to template injection where malicious code could close the function body early and ignore the trailing brackets using // comments. The fix is to insert extra newlines into the template, which prevents // comments from commenting out the remaining template. This fixes issue #921.
diff --git a/src/njs_function.c b/src/njs_function.c
@@ -1049,7 +1049,7 @@ njs_function_constructor(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
         }
     }
 
-    njs_chb_append_literal(&chain, "){");
+    njs_chb_append_literal(&chain, "\n){\n");
 
     if (nargs > 1) {
         ret = njs_value_to_chain(vm, &chain, njs_argument(args, nargs - 1));
@@ -1058,7 +1058,7 @@ njs_function_constructor(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
         }
     }
 
-    njs_chb_append_literal(&chain, "})");
+    njs_chb_append_literal(&chain, "\n})");
 
     ret = njs_chb_join(&chain, &str);
     if (njs_slow_path(ret != NJS_OK)) {
@@ -1125,7 +1125,10 @@ njs_function_constructor(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
 
     njs_chb_destroy(&chain);
 
-    lambda = ((njs_vmcode_function_t *) generator.code_start)->lambda;
+    njs_assert(((njs_vmcode_generic_t *) code->start)->code
+               == NJS_VMCODE_FUNCTION);
+
+    lambda = ((njs_vmcode_function_t *) code->start)->lambda;
 
     function = njs_function_alloc(vm, lambda, (njs_bool_t) async);
     if (njs_slow_path(function == NULL)) {
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
@@ -14189,22 +14189,22 @@ static njs_unit_test_t  njs_test[] =
       njs_str("true") },
 
     { njs_str("new Function('('.repeat(2**13));"),
-      njs_str("SyntaxError: Unexpected token \"}\" in runtime:1") },
+      njs_str("SyntaxError: Unexpected token \"}\" in runtime:4") },
 
     { njs_str("new Function('{'.repeat(2**13));"),
-      njs_str("SyntaxError: Unexpected token \")\" in runtime:1") },
+      njs_str("SyntaxError: Unexpected token \")\" in runtime:4") },
 
     { njs_str("new Function('['.repeat(2**13));"),
-      njs_str("SyntaxError: Unexpected token \"}\" in runtime:1") },
+      njs_str("SyntaxError: Unexpected token \"}\" in runtime:4") },
 
     { njs_str("new Function('`'.repeat(2**13));"),
       njs_str("[object Function]") },
 
     { njs_str("new Function('{['.repeat(2**13));"),
-      njs_str("SyntaxError: Unexpected token \"}\" in runtime:1") },
+      njs_str("SyntaxError: Unexpected token \"}\" in runtime:4") },
 
     { njs_str("new Function('{;'.repeat(2**13));"),
-      njs_str("SyntaxError: Unexpected token \")\" in runtime:1") },
+      njs_str("SyntaxError: Unexpected token \")\" in runtime:4") },
 
     { njs_str("(new Function('1;'.repeat(2**13) + 'return 2'))()"),
       njs_str("2") },
@@ -14216,7 +14216,7 @@ static njs_unit_test_t  njs_test[] =
       njs_str("-4") },
 
     { njs_str("new Function('new '.repeat(2**13));"),
-      njs_str("SyntaxError: Unexpected token \"}\" in runtime:1") },
+      njs_str("SyntaxError: Unexpected token \"}\" in runtime:4") },
 
     { njs_str("(new Function('return ' + 'typeof '.repeat(2**13) + 'x'))()"),
       njs_str("string") },
@@ -14282,7 +14282,10 @@ static njs_unit_test_t  njs_test[] =
       njs_str("ReferenceError: \"foo\" is not defined") },
 
     { njs_str("this.NN = {}; var f = Function('eval = 42;'); f()"),
-      njs_str("SyntaxError: Identifier \"eval\" is forbidden as left-hand in assignment in runtime:1") },
+      njs_str("SyntaxError: Identifier \"eval\" is forbidden as left-hand in assignment in runtime:3") },
+
+    { njs_str("new Function('}); let a; a; function o(){}; //')"),
+      njs_str("SyntaxError: Unexpected token \"}\" in runtime:4") },
 
     { njs_str("RegExp()"),
       njs_str("/(?:)/") },
@@ -19811,7 +19814,7 @@ static njs_unit_test_t  njs_test[] =
       njs_str("[object AsyncFunction]") },
 
     { njs_str("let f = new Function('x', 'await 1; return x'); f(1)"),
-      njs_str("SyntaxError: await is only valid in async functions in runtime:1") },
+      njs_str("SyntaxError: await is only valid in async functions in runtime:3") },
 
     { njs_str("new AsyncFunction()"),
       njs_str("ReferenceError: \"AsyncFunction\" is not defined") },

Original file line number	Diff line number	Diff line change
`@@ -1049,7 +1049,7 @@ njs_function_constructor(njs_vm_t vm, njs_value_t args, njs_uint_t nargs,`
`1049`	`1049`	`}`
`1050`	`1050`	`}`
`1051`	`1051`
`1052`		`- njs_chb_append_literal(&chain, "){");`
	`1052`	`+ njs_chb_append_literal(&chain, "\n){\n");`
`1053`	`1053`
`1054`	`1054`	`if (nargs > 1) {`
`1055`	`1055`	`ret = njs_value_to_chain(vm, &chain, njs_argument(args, nargs - 1));`
`@@ -1058,7 +1058,7 @@ njs_function_constructor(njs_vm_t vm, njs_value_t args, njs_uint_t nargs,`
`1058`	`1058`	`}`
`1059`	`1059`	`}`
`1060`	`1060`
`1061`		`- njs_chb_append_literal(&chain, "})");`
	`1061`	`+ njs_chb_append_literal(&chain, "\n})");`
`1062`	`1062`
`1063`	`1063`	`ret = njs_chb_join(&chain, &str);`
`1064`	`1064`	`if (njs_slow_path(ret != NJS_OK)) {`
`@@ -1125,7 +1125,10 @@ njs_function_constructor(njs_vm_t vm, njs_value_t args, njs_uint_t nargs,`
`1125`	`1125`
`1126`	`1126`	`njs_chb_destroy(&chain);`
`1127`	`1127`
`1128`		`- lambda = ((njs_vmcode_function_t *) generator.code_start)->lambda;`
	`1128`	`+ njs_assert(((njs_vmcode_generic_t *) code->start)->code`
	`1129`	`+ == NJS_VMCODE_FUNCTION);`
	`1130`	`+`
	`1131`	`+ lambda = ((njs_vmcode_function_t *) code->start)->lambda;`
`1129`	`1132`
`1130`	`1133`	`function = njs_function_alloc(vm, lambda, (njs_bool_t) async);`
`1131`	`1134`	`if (njs_slow_path(function == NULL)) {`