CVE-2022-42002 SonicJS through 0.6.0 has file overwrite mutations fileCreate and fileUpdate.

The fileCreate mutation can be called without any authentication. If a developer had access to this mutation, they could easily overwrite any file on an application. The fileUpdate mutation can be called without any authentication. If a developer had access to this mutation, they could easily delete any file on an application. Both of these mutations can be called without any authentication, allowing developers to overwrite any files on an application. These are the main ways that developers can overwrite any files on an application. The other ways include: - modifying the index.js file directly - using a custom build process that copies the index.js into the build folder - using a developer account with root privileges - using a developer account with a restricted access When developers have root or restricted access, they can easily overwrite any files on an application.

The fileCreate mutation can be called without any authentication

. If a developer had access to this mutation, they could easily overwrite any file on an application. The fileUpdate mutation can be called without any authentication. If a developer had access to this mutation, they could easily delete any file on an application.
The example code at the bottom of the page (CryptoJS) is vulnerable to the previous mutations because it makes calls to these two mutations and doesn't authenticate them very well.

Step 1: Detect if the application is vulnerable to overwrite

Developers should first detect if their application is vulnerable to overwrite. Developers can do this by using a Google Chrome extension called "File Scanner". This plugin allows developers to scan for vulnerabilities for any JavaScript file on the web page. If you are using this plugin, open your application in Google Chrome and open File Scanner from the Tools menu. Type in the URL of your application and click "Scan". You will see a list of files that need to be scanned. Click on all of the files that are listed, except the index.js file that is used by NodeJS applications.

Timeline

Published on: 10/01/2022 00:15:00 UTC
Last modified on: 10/04/2022 20:06:00 UTC

References

• https://snyk.io/blog/graphql-security-static-analysis-snyk-code/
• https://github.com/lane711/sonicjs/tags
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42002