Fixes Improper encoding or escaping of output server-side template Injection #4937

Open
wants to merge 1 commit into main

Conversation


@odaysec odaysec commented Jul 6, 2025

```js
eval(js); // CodeQL [SM01632] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground. // CodeQL [SM02688] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground.
```

Directly evaluating user input (an HTTP request parameter) as code without properly sanitizing the input first allows an attacker to execute arbitrary code. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated, including AngularJS expressions or jQuery selectors.

To address the issue, the code should validate or sanitize the state.js input before processing it. This ensures that any malicious code injected by an attacker is neutralized before it is evaluated. An alternative approach is to use Function for controlled execution of JavaScript code, which is safer than eval. Additionally, strict Content Security Policies (CSPs) should be enforced to prevent script injection.

The best fix involves:

  1. Sanitizing state.js using a library like DOMPurify or implementing strict validation rules.
  2. Replacing eval(js) with new Function(js) for better control.
  3. Adding appropriate CSPs to further mitigate risks.

References

Server-Side Template Injection
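Added example (editor's code, not from this PR or the project it targets): it runs the same attacker-controlled string through `eval(js)` and through `new Function(js)()` so the one concrete difference between them is visible, namely the lexical scope the payload sees. The function names, the `localSecret` variable and the payload strings are all constructed for the demo.

```javascript
// Added example, not code from the PR or the project it targets.
// Shows what swapping eval(js) for new Function(js) does and does not
// change when `js` is attacker-controlled. All names are hypothetical.

function runWithEval(js) {
  // Direct eval evaluates `js` in this function's lexical scope, so the
  // payload can read (and exfiltrate) locals such as `localSecret`.
  const localSecret = "visible-only-to-direct-eval";
  return eval(js);
}

function runWithFunction(js) {
  // new Function compiles `js` as a function body in the global scope.
  // Locals of the enclosing function are not reachable from it.
  const localSecret = "visible-only-to-direct-eval";
  void localSecret; // referenced so linters do not flag it as unused
  return new Function(js)();
}

// Wraps a runner and reports either the returned value or the error
// class, so both behaviours can be compared on the same payload.
function tryRun(runner, js) {
  try {
    return { ok: true, value: runner(js) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Constructed payloads: two read the enclosing local (one phrased as an
// expression for eval, one as a function body for new Function), and one
// writes a global marker as a stand-in for "arbitrary code execution".
const PAYLOAD_EVAL_READ_LOCAL = "localSecret";
const PAYLOAD_FUNCTION_READ_LOCAL = "return localSecret;";
const PAYLOAD_WRITE_GLOBAL =
  "globalThis.__pwned = (globalThis.__pwned || 0) + 1;";

function demo() {
  const results = {
    evalReadsLocal: tryRun(runWithEval, PAYLOAD_EVAL_READ_LOCAL),
    functionReadsLocal: tryRun(runWithFunction, PAYLOAD_FUNCTION_READ_LOCAL),
  };
  // Both runners execute the global-write payload; the counter ends at 2.
  delete globalThis.__pwned;
  tryRun(runWithEval, PAYLOAD_WRITE_GLOBAL);
  tryRun(runWithFunction, PAYLOAD_WRITE_GLOBAL);
  results.globalWritesExecuted = globalThis.__pwned;
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The scope difference is real: `new Function` denies the payload the caller's locals, which is the "control" it offers. Everything reachable from the global object, including the DOM and `fetch` in a browser, is still reachable through either constructor, so the containment of a playground runner comes from the boundary the quoted CodeQL suppression names, the isolated iframe and its CSP, not from which of the two constructors compiles the string.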
