Skip to content

🔒 Fix Dynamic Code Execution vulnerability in adventure puzzles#27

Merged
lemononmars merged 2 commits into
mainfrom
security/fix-new-function-rce-720675484460092573
Jul 16, 2026
Merged

🔒 Fix Dynamic Code Execution vulnerability in adventure puzzles#27
lemononmars merged 2 commits into
mainfrom
security/fix-new-function-rce-720675484460092573

Conversation

@lemononmars

Copy link
Copy Markdown
Owner

🎯 What: The vulnerability fixed is a Dynamic Code Execution vulnerability (effectively an RCE / XSS vector in the browser context) found in src/routes/puzzles/adventure/[id].svelte. The application used to accept executable script and cleanup strings from a backend response directly into new Function(data.script)();.
⚠️ Risk: Although the scripts were hardcoded in a backend file (src/lib/data/adventure_data.ts), this architectural pattern is inherently dangerous. If the data source was ever compromised, or if user inputs were later passed into these fields, it would allow a malicious actor to execute arbitrary JavaScript in the user's browser, potentially stealing session data or performing unwanted actions.
🛡️ Solution: The unsafe dynamic evaluation new Function() logic was removed. The script and cleanup payload fields were completely removed from the data structure (adventure_data.ts) and API responses. The side effects (such as adding meta tags, updating document.title, logging to console) were centralized into explicitly defined and safe static functions (executeSetup and executeCleanup) mapping to hardcoded level switch-cases. A minor bug in the original code involving component reuse during SvelteKit routing was also patched to correctly trigger cleanups.


PR created automatically by Jules for task 720675484460092573 started by @lemononmars

Removes dynamic execution of JavaScript scripts passed from the server
to the client using `new Function()`.
Replaces dynamic script strings with statically defined `executeSetup` and
`executeCleanup` logic mappings for each level ID to close the execution vector.

Co-authored-by: lemononmars <26631189+lemononmars@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented Jun 28, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
codebreaker Ready Ready Preview, Comment Jun 28, 2026 4:11pm

@lemononmars
lemononmars merged commit 818a6f0 into main Jul 16, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant