uglify -c changes behavior of mdast code

[tmcw]

I've created a repo to reproduce this bug: https://github.com/tmcw/mdast-uglify-bug

For the mdast markdown library, the source succeeds when not uglified, and then, passed through uglify -c, its behavior changes and it breaks.

I'm trying to dig through the source, passed through uglify -c and then uglify -b, in order to track down the cause. It's quite a doozy

[wooorm]

I fixed this in mdast (syntax-tree/mdast@1a4fc46), but I’m not sure that this was really my error.

It was basically a long list of logical AND-operators, followed by an expression which I needed the value of (rules[name].exec(value)). For some reason I did not get that value, but true.

[mishoo]

This looks like a bug. Thanks for the test repo, it helped isolating the problem. The simplest test case appears to be:

match = !x &&
    (!z || c) &&
    (!k || d) &&
    the_stuff();

compresses to:

match = !(x || z && !c || k && !d || !the_stuff());

which obviously loses the value returned from the_stuff(). Will investigate as soon as I can.

[mishoo]

Fix pushed.

[tmcw]

👍 awesome, thank you!

[mishoo]

I also published v2.4.24 to npm, since the issue appears to be pretty serious.

[reedloden]

Requested a CVE assignment in http://seclists.org/oss-sec/2015/q3/351

[diracdeltas]

I'm the author of the blog post @reedloden linked above - just wanted to clarify a couple things:

1. I haven't found exploits in the wild for this bug.
2. The PoC's described in the blog post don't work with the current release of UglifyJS2. (Excellent job getting things fixed quickly, @mishoo!)
3. I suspect that it's not uncommon for minifiers, transpilers, and other js processors to accidentally change return values, which of course can lead to security problems.

[rvanvelzen]

I suspect that it's not uncommon

Definitely. Most of the stuff that can bite you is behind --unsafe, but there's probably more to be found.