> the library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but it fails to validate schema-derived identifiers, such as message names.
Typical "eval is evil" issue.
by skybrian
2 subcomments
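The pattern the quoted advisory describes, as an added example that is not the library's own code: a toy generator that splices schema message and field names into source text compiled with Function(), beside a version that validates those identifiers before doing so. The schema shape and the helper names are assumptions.

```javascript
// Added example, not the library's code: a toy generator in the style the
// advisory describes. Both builders create a message constructor by
// splicing schema-derived names into source text and compiling it with
// Function(); only the hardened one validates those names first.

// Allowlist for identifiers: ASCII identifier syntax, nothing else.
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Names that are syntactically identifiers but must never be generated.
const RESERVED = new Set([
  "class", "function", "return", "var", "let", "const", "new", "this",
  "eval", "arguments", "constructor", "prototype", "__proto__",
]);

function isSafeIdentifier(name) {
  return typeof name === "string" && IDENT_RE.test(name) && !RESERVED.has(name);
}

function assertIdentifier(name, what) {
  if (!isSafeIdentifier(name)) {
    throw new TypeError(`unsafe ${what} in schema: ${JSON.stringify(name)}`);
  }
}

// Shared source generation: every schema-derived string lands in code.
function emitConstructor(schema) {
  let body = "";
  for (const [field, dflt] of Object.entries(schema.fields)) {
    body += `  this.${field} = ${JSON.stringify(dflt)};\n`;
  }
  return new Function(`return function ${schema.name}() {\n${body}};`)();
}

// Vulnerable: trusts whatever the schema says the message is called.
function buildVulnerable(schema) {
  return emitConstructor(schema);
}

// Hardened: rejects any name that is not a plain identifier.
function buildHardened(schema) {
  assertIdentifier(schema.name, "message name");
  for (const field of Object.keys(schema.fields)) assertIdentifier(field, "field name");
  return emitConstructor(schema);
}

// Constructed sample schemas (assumed shape: { name, fields: { name: default } }).
const goodSchema = { name: "User", fields: { id: 0, email: "" } };
// A message "name" that is really source text; the vulnerable builder compiles it.
const badSchema = {
  name: "Tampered() { return { tampered: true }; }; function Unused",
  fields: { id: 0 },
};
```

The hardened builder throws on `badSchema` before any source is compiled, while the vulnerable one returns a constructor whose behaviour is dictated by the schema author rather than the generator.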
How does the attacker supply a malicious schema? Can that be turned off? It doesn't seem like a normal thing to do.
by rvz
2 subcomments
Both "JavaScript" and "TypeScript" are incredibly flawed languages and the entire npm ecosystem is the bane of the software security industry.