🔒 Added notes on a potential security vulnerability
- Express.js never intended for template options to be passed via res.render
- If you use res.render to pass a layout, the file will be read from disk
- If you pass user-submitted data as options to res.render e.g. using req.query, then user-submitted file paths will be read
- This is only a potential security vulnerability, depending on the implementation
- Further fixes will be pushed to express-hbs to disable this behaviour by default
ErisDS committed Apr 22, 2021
1 parent 070fe17 commit ff6fad6
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions README.md
@@ -99,6 +99,10 @@ There are three ways to use a layout, listed in precedence order

2. As an option to render

## ⚠️ This creates a potential security vulnerability:

Do not use this option in conjunction with passing user submitted data to res.render e.g. `res.render('index', req.query)`. This allows users to read arbitrary files from your filesystem!

```js
res.render('veggies', {
title: 'My favorite veggies',
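Review bot: the added warning block (from `## ⚠️ This creates a potential security vulnerability:` through the `res.render('index', req.query)` sentence) never names the option that triggers the file read, so a reader cannot tell which key to keep out of user control; the commit message states that it is a `layout` passed through `res.render` that is read from disk, and the README should say that explicitly, e.g. "if the `layout` option can be set from request data, the named file is read from disk". It would also help to show the safe pattern next to the prohibition, i.e. build the options object from named fields (`res.render('index', { title: req.query.title })`) rather than forwarding `req.query` wholesale, and to carry over the commit message's statement that a later express-hbs change will disable this behaviour by default, so readers know the warning is interim. Finally, the `##` heading is inserted inside the ordered list, between item `2. As an option to render` and its `js` example; a heading ends a Markdown list, so the third of the "three ways" described in the hunk header will render as a fresh list starting at 1. Consider a bold paragraph or blockquote indented under item 2 instead of a heading.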
