Javascript execution from template #1267
This seems like a bug.
nknapp added a commit that referenced this issue on Feb 7, 2019:

This commit fixes a Remote Code Execution (RCE) reported by npm-security. Access to non-enumerable "constructor" properties is now prohibited by the compiled template code, because this is the first step on the way to creating and executing arbitrary JavaScript code. The vulnerability affects systems where an attacker is allowed to inject templates into the Handlebars setup. Further details of the attack may be disclosed by npm-security. Closes #1267 Closes #1495
Merged #1501 into 4.x.

@hady2 I don't understand your comment. Could you explain?
It is possible to execute JavaScript from a template without registering any helper/partial/whatever or having any function in the context. I am not sure if you guys care about this, but it probably is not ideal in the event of a template injection. Anyway, it makes the logicless aspect less logicless.
Here is a sample that would execute whatever is in the initial string (e.g. alert(1)) without anything extra registered:
I'd venture and say that it could be fixed by making sure that only "own" properties of the helpers/etc. dictionaries can be accessed instead of their prototypes' ones as well.
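The own-property restriction the reporter proposes, shown as an added example that is not Handlebars' own code: a naive lookup that walks the prototype chain is placed beside a lookup that only resolves properties the context object itself defines, so inherited names such as `constructor` or `toString` resolve to `undefined`. The function names, the dotted-path resolver and the sample context are constructed for illustration.

```javascript
// Added example, not Handlebars' own code. It contrasts a naive property
// lookup (which walks the prototype chain) with an own-property-only lookup,
// the mitigation proposed in the issue. All names here are hypothetical.

// Naive: `obj[name]` happily resolves inherited properties such as
// "constructor", which is what lets a template reach outside its context.
function naiveLookup(obj, name) {
  if (obj == null) return undefined;
  return obj[name];
}

// Hardened: only "own" properties of the context / helper dictionary are
// reachable. Anything inherited from a prototype resolves to undefined, and
// primitives (strings, numbers) expose nothing at all.
function ownLookup(obj, name) {
  if (obj == null) return undefined;
  if (typeof obj !== 'object' && typeof obj !== 'function') return undefined;
  // Use the prototype's method via .call so objects created with
  // Object.create(null) (no hasOwnProperty of their own) still work.
  if (!Object.prototype.hasOwnProperty.call(obj, name)) return undefined;
  return obj[name];
}

// Resolve a dotted path such as "user.name" against a context using the
// supplied lookup strategy, one segment at a time.
function resolvePath(context, path, lookup) {
  return path.split('.').reduce((current, segment) => lookup(current, segment), context);
}

// Constructed sample context, shaped like data a template would receive.
const context = { user: { name: 'alice' }, count: 3 };

// Summarise the difference between the two strategies on the same input.
function demo() {
  return {
    ownName: resolvePath(context, 'user.name', ownLookup),          // 'alice'
    ownCount: resolvePath(context, 'count', ownLookup),             // 3
    naiveCtorType: typeof resolvePath(context, 'constructor', naiveLookup), // 'function'
    ownCtor: resolvePath(context, 'constructor', ownLookup),        // undefined
    ownToString: resolvePath(context, 'user.toString', ownLookup),  // undefined
  };
}

console.log(demo());
```

The point of the check is that template data should be a plain bag of values: anything a template can reach that the author did not put into the context is a foothold, so the lookup refuses inherited names rather than trying to enumerate dangerous ones.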