
Update handlebars package due to a Security Vulnerability #267

Closed
wants to merge 3 commits into from

Conversation

adelriosantiago

Update handlebars package due to a Security Vulnerability

@adelriosantiago
Author

adelriosantiago commented Nov 7, 2019

Explanation

The handlebars package is vulnerable to Prototype Pollution resulting from Improper Input Validation. Multiple functions in multiple files, as listed below, do not disallow the calling of helperMissing and blockHelperMissing helpers directly. This can enable an attacker to conduct remote code execution attacks by calling methods from object prototypes which should otherwise not have been called.

Vulnerable File(s) and Function(s)

package/lib/handlebars/compiler/javascript-compiler.js

package/dist/amd/handlebars/compiler/javascript-compiler.js

package/dist/cjs/handlebars/compiler/javascript-compiler.js

package/lib/handlebars/helpers/runtime.js

invokePartialWrapper()
package/dist/cjs/handlebars/helpers/runtime.js

invokePartialWrapper()
package/dist/amd/handlebars/helpers/runtime.js

invokePartialWrapper()
package/dist/handlebars.runtime.js

invokePartialWrapper()
package/dist/handlebars.runtime.amd.js

invokePartialWrapper()
package/dist/handlebars.js

invokePartialWrapper()
package/dist/handlebars.amd.js

invokePartialWrapper()
package/dist/handlebars.runtime.min.js

package/dist/handlebars.runtime.amd.min.js

package/dist/handlebars.min.js

package/dist/handlebars.amd.min.js

@UziTech

UziTech commented Nov 7, 2019

@sahat could you merge this PR to remove the security vulnerability?

@pgnedoy

pgnedoy commented Nov 12, 2019

@sahat please merge this PR

@adelriosantiago
Author

Any update on this? We currently rely on this package and we are unable to pass the security checklist.


Jupp56 left a comment


Should fix the issue without side effects; Changes on the handlebars side are non-breaking and tested.

@milo526

milo526 commented Nov 26, 2019

@adelriosantiago Could you please update this MR to reflect the new advisories?

https://www.npmjs.com/advisories/1300
https://www.npmjs.com/advisories/1316
https://www.npmjs.com/advisories/1324
https://www.npmjs.com/advisories/1325

Remediation
Upgrade to version 4.5.3 or later.

package.json Outdated
@@ -26,7 +26,7 @@
"dependencies": {
"glob": "^7.1.3",
"graceful-fs": "^4.1.2",
"handlebars": "^4.1.2",
"handlebars": "^4.5.1",
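Review bot: the new range "handlebars": "^4.5.1" keeps the floor at 4.5.1, so an install can still resolve to 4.5.1 or 4.5.2, and the advisories linked in this thread give the remediation as 4.5.3 or later; change the line to "handlebars": "^4.5.3". If a lockfile is committed, regenerate it in the same change so the resolved version actually moves past 4.5.3 rather than only the declared range.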

Handlebars ^4.5.1 could still be vulnerable to Arbitrary Code Execution and Prototype Pollution. Please upgrade this to ^4.5.3

Author


Fixed, updated the PR, thanks for the observation.

As @milo526 suggested:
Handlebars ^4.5.1 could still be vulnerable to Arbitrary Code Execution and Prototype Pollution. Please upgrade this to ^4.5.3
@UziTech

UziTech commented Mar 25, 2020

I have finally gotten around to moving this repo to https://github.com/express-handlebars/express-handlebars/. Any new development will be done on that repo.

handlebars is up to date in v4.0.0 so this can be closed.

@adelriosantiago
Author

Ok, closing this. Thanks!
