ELO mitigations of CVE: CVE-2022-25844, CVE-2023-26116, CVE-2023-26117, CVE-2023-26118

Author: s-nesbigall

README.md

@@ -1,6 +1,50 @@
 AngularJS [![CircleCI](https://circleci.com/gh/angular/angular.js/tree/master.svg?style=shield)](https://circleci.com/gh/angular/workflows/angular.js/tree/master)
 =========
 
+# Security Mitigation:
+
+The following CVEs has been mitigated. In order those mitigations are working,
+there are POC examples to reproduce the problems in /cve of this repository.
+
+To reproduce the attack, change the according index.html to point to the angular.js (1.8.3)
+version in node_modules (npm install first).
+
+To test the mitigation build this repo (yarn grunt package (node 12.22.12)) and change the according index.html
+to point to /build/angular.js.
+
+## CVE-2022-25869 Is not mitigated: Don't ever use Internet Explorer.
+
+## CVE-2022-25844
+In order to reproduce the problem see /cve/CVE-2022-25844/ (run with angular from node_modules).
+
+This was mitigated by https://github.com/continu/angular.js by doing a manual replacement of the positive quantifiers.
+See https://github.com/angular/angular.js/compare/master...continu:angular.js:master
+in /src/ng/filter/filters.
+
+## CVE-2023-26116
+In order to reproduce the problem see /cve/CVE-2023-26116/ (run with angular from node_modules).
+
+This was mitigated by checking the length (max 10000 characters) of the RegExp pattern when one is found in angular.copy.
+An error is thrown if there are to many characters.
+See /src/Angular.js#1004.
+
+## CVE-2023-26117
+In order to reproduce the problem see /cve/CVE-2023-26117/ (run with angular from node_modules).
+
+This was mitigated by checking the length (max 10000 characters) of the url in setUrlParams.
+An error is thrown if there are to many characters.
+See /src/ngResource/resource.js#612.
+
+## CVE-2023-26118
+In order to reproduce the problem see /cve/CVE-2023-26118/ (run with angular from node_modules).
+
+This was mitigated by checking the length (max 10000 characters) of the url in the input.
+The url is invalid if there are to many characters.
+See /src/ng/directive/input.js#1945.
+
+
+=========
+
 AngularJS lets you write client-side web applications as if you had a smarter browser.  It lets you
 use good old HTML (or HAML, Jade/Pug and friends!) as your template language and lets you extend HTML’s
 syntax to express your application’s components clearly and succinctly.  It automatically

cve/CVE-2022-25844/Readme.md

@@ -0,0 +1,5 @@
+CVE-2022-25844
+
+https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2772735
+
+https://stackblitz.com/edit/angularjs-material-blank-zvtdvb

cve/CVE-2022-25844/angular-locale_en_broken.js

@@ -0,0 +1,145 @@
+'use strict';
+angular.module(
+  'ngLocale',
+  [],
+  [
+    '$provide',
+    function ($provide) {
+      var PLURAL_CATEGORY = {
+        ZERO: 'zero',
+        ONE: 'one',
+        TWO: 'two',
+        FEW: 'few',
+        MANY: 'many',
+        OTHER: 'other',
+      };
+      function getDecimals(n) {
+        n = n + '';
+        var i = n.indexOf('.');
+        return i == -1 ? 0 : n.length - i - 1;
+      }
+
+      function getVF(n, opt_precision) {
+        var v = opt_precision;
+
+        if (undefined === v) {
+          v = Math.min(getDecimals(n), 3);
+        }
+
+        var base = Math.pow(10, v);
+        var f = ((n * base) | 0) % base;
+        return { v: v, f: f };
+      }
+
+      $provide.value('$locale', {
+        DATETIME_FORMATS: {
+          AMPMS: ['AM', 'PM'],
+          DAY: [
+            'Sunday',
+            'Monday',
+            'Tuesday',
+            'Wednesday',
+            'Thursday',
+            'Friday',
+            'Saturday',
+          ],
+          ERANAMES: ['Before Christ', 'Anno Domini'],
+          ERAS: ['BC', 'AD'],
+          FIRSTDAYOFWEEK: 6,
+          MONTH: [
+            'January',
+            'February',
+            'March',
+            'April',
+            'May',
+            'June',
+            'July',
+            'August',
+            'September',
+            'October',
+            'November',
+            'December',
+          ],
+          SHORTDAY: ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'],
+          SHORTMONTH: [
+            'Jan',
+            'Feb',
+            'Mar',
+            'Apr',
+            'May',
+            'Jun',
+            'Jul',
+            'Aug',
+            'Sep',
+            'Oct',
+            'Nov',
+            'Dec',
+          ],
+          STANDALONEMONTH: [
+            'January',
+            'February',
+            'March',
+            'April',
+            'May',
+            'June',
+            'July',
+            'August',
+            'September',
+            'October',
+            'November',
+            'December',
+          ],
+          WEEKENDRANGE: [5, 6],
+          fullDate: 'EEEE, MMMM d, y',
+          longDate: 'MMMM d, y',
+          medium: 'MMM d, y h:mm:ss a',
+          mediumDate: 'MMM d, y',
+          mediumTime: 'h:mm:ss a',
+          short: 'M/d/yy h:mm a',
+          shortDate: 'M/d/yy',
+          shortTime: 'h:mm a',
+        },
+        NUMBER_FORMATS: {
+          CURRENCY_SYM: '$',
+          DECIMAL_SEP: '.',
+          GROUP_SEP: ',',
+          PATTERNS: [
+            {
+              gSize: 3,
+              lgSize: 3,
+              maxFrac: 3,
+              minFrac: 0,
+              minInt: 1,
+              negPre: '-',
+              negSuf: '',
+              posPre: '',
+              posSuf: '',
+            },
+            {
+              gSize: 3,
+              lgSize: 3,
+              maxFrac: 2,
+              minFrac: 2,
+              minInt: 1,
+              negPre: '-\u00a4',
+              negSuf: '',
+              posPre: '\u00a4',
+              //posPre: ' '.repeat(1000000),
+              posSuf: '',
+            },
+          ],
+        },
+        id: 'en',
+        localeID: 'en',
+        pluralCat: function (n, opt_precision) {
+          var i = n | 0;
+          var vf = getVF(n, opt_precision);
+          if (i == 1 && vf.v == 0) {
+            return PLURAL_CATEGORY.ONE;
+          }
+          return PLURAL_CATEGORY.OTHER;
+        },
+      });
+    },
+  ]
+);

cve/CVE-2022-25844/index.html

@@ -0,0 +1,79 @@
+<head>
+  <meta charset="utf-8" />
+  <title>AngularJS $filter Currency ReDos Demo</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+
+  <!--script src="./node_modules/angular/angular.js" type="text/javascript"></script-->
+  <script src="../../build/angular.js" type="text/javascript"></script>
+  <script src="./index.js" type="text/javascript"></script>
+</head>
+
+<body ng-app="app" ng-controller="AppCtrl as $ctrl">
+<main layout="column">
+  <h1 class="md-headline">AngularJS $filter Currency ReDos Demo</h1>
+  <section md-whiteframe="1" class="md-padding">
+    <div>
+      <label>Currency Symbol</label>
+      <input name="symbol" ng-model="$ctrl.currencySymbol" ng-trim="false" />
+    </div>
+    <div>
+      <label>Amount</label>
+      <input name="amount" ng-model="$ctrl.amount" ng-trim="false" />
+    </div>
+    <div>
+      <label>
+        Locale Service
+        <pre style="display: inline; font-weight: bold">posPre</pre>
+        Value
+      </label>
+      <input
+        name="posPre"
+        ng-model="$ctrl.posPre"
+        ng-change="$ctrl.onPosPreChange()"
+        ng-trim="false"
+      />
+    </div>
+    <br />
+    <span style="font-weight: bold">Output: </span>
+    {{ $ctrl.amount | currency : $ctrl.currencySymbol }}
+    <br />
+    <br />
+    <br />
+    <div>
+      <div class="md-title" style="margin-bottom: 4px">WARNING</div>
+      Clicking the <span style="font-style: italic">ReDos Now</span> button
+      will:
+      <ul>
+        <li>
+          Set the
+          <span style="font-style: italic">Currency Symbol</span>
+          input to an empty string
+        </li>
+        <li>
+          Set the
+          <span style="font-style: italic">
+            Locale Service
+            <pre style="display: inline; font-weight: bold">posPre</pre>
+            Value
+          </span>
+          input to 1,000,0000 whitespace characters
+        </li>
+      </ul>
+      <span style="font-weight: bold">THIS WILL FREEZE THE WINDOW</span>
+    </div>
+    <br />
+    <button ng-click="$ctrl.onReDos(10000)" class="md-raised md-primary">
+      ReDos Now 10000
+    </button>
+    <button ng-click="$ctrl.onReDos(100000)" class="md-raised md-primary">
+      ReDos Now 100000
+    </button>
+    <button ng-click="$ctrl.onReDos(1000000)" class="md-raised md-primary">
+      ReDos Now 1000000
+    </button>
+    <button ng-click="$ctrl.onReDos(10000000)" class="md-raised md-primary">
+      ReDos Now 10000000
+    </button>
+  </section>
+</main>
+</body>

cve/CVE-2022-25844/index.js

@@ -0,0 +1,27 @@
+class AppCtrl {
+  constructor($locale, $timeout) {
+    'ngInject';
+    const ctrl = this;
+    ctrl.currencySymbol = '$';
+    ctrl.amount = 100;
+    ctrl.posPre = $locale.NUMBER_FORMATS.PATTERNS[1].posPre;
+
+    ctrl.onPosPreChange = () => {
+      $locale.NUMBER_FORMATS.PATTERNS[1].posPre = ctrl.posPre;
+      const amount = ctrl.amount;
+      ctrl.amount = 0;
+      $timeout(() => (ctrl.amount = amount));
+    };
+
+    ctrl.onReDos = (repeat) => {
+      ctrl.currencySymbol = '';
+      ctrl.posPre = ' '.repeat(repeat);
+      $locale.NUMBER_FORMATS.PATTERNS[1].posPre = ctrl.posPre;
+    };
+  }
+}
+
+// Define and configure the app.
+window.angular
+  .module('app', [])
+  .controller('AppCtrl', AppCtrl);

cve/CVE-2022-25844/package-lock.json

@@ -0,0 +1,8 @@
+{
+  "name": "angularjs-material-blank",
+  "version": "0.0.0",
+  "private": true,
+  "dependencies": {
+    "angular": "^1.8.3"
+  }
+}

cve/CVE-2022-25844/package.json

@@ -0,0 +1,5 @@
+CVE-2022-25869
+
+https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
+
+https://glitch.com/edit/#!/angular-repro-textarea-xss