
Security Concerns

UnexomWid edited this page Mar 9, 2021 · 19 revisions


If you know what you're doing, eryn is safe.

All template types use blocks of JavaScript code in order to provide flexibility. However, this flexibility can backfire if you are not careful.

The only code the renderer executes is the code you write in the templates. Code execution is present in:

  • normal templates (and all derivatives)

  • conditional templates (the expression)

  • inverted conditional templates (the expression)

  • loop templates (the iterator, and also the array)

  • component templates (the context)

While the iterator in loop templates is not executed directly, it is assigned to.

Flexibility

Consider the following example:

[|block_of_code|]

This simply runs the block of code, and renders the result. Therefore, something like this can be done:

[|# local.x = 5 |]
The number is [|local.x|].

...which will be rendered as:

The number is 5.

While this allows you to do many things, you should be careful.

Example 1 - Safe

Consider this template:

[|context.text|]

If context.text is a string equal to while(true) x.push(0);, here's what will be rendered:

while(true) x.push(0);

The text is rendered as a string and is not executed. The only code that is executed is context.text, which is the expression written in the template.

Therefore, this won't affect the renderer and is safe. However, if the string ends up in something like an HTML or JavaScript file, where it may be executed later, you should sanitize the input before passing it to the renderer.

Example 2 - Unsafe

Consider this template instead:

[|eval(context.text)|]

Evidently, this is dangerous. The code that will be executed by the renderer is:

eval("while(true) x.push(0);");

...which will execute while(true) x.push(0);, because the input string is evaluated by the eval function.

Do not use the eval function inside templates, unless you are sure that the input has already been sanitized. And even then, think twice before using it.

For performance reasons, and in order to allow this flexibility, eryn trusts your input and only checks for rendering errors. Also, eryn can render any type of content (even binary), so it doesn't know what you want to render (HTML, JS, CSS, PDF, etc.). Therefore, it can't sanitize the input for all cases.

You are responsible for sanitizing the input, depending on what type of content you want to render.
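One way to do that sanitization step before the context reaches a template such as [|context.text|], as an added example that is not part of eryn or this wiki. It assumes the rendered output is HTML and that the template only interpolates values (never passes them to eval); the helper names and the sample input are constructed for this example.

```javascript
// Added example (not eryn's own code): escape untrusted context values
// before rendering them into an HTML file, as the page recommends.

// Escape the five characters that carry meaning in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Walk a context object and escape every string leaf, leaving numbers,
// booleans and null untouched. Returns a new object; the input is not mutated,
// so the raw values stay available for non-HTML outputs (e.g. a PDF or binary).
function sanitizeContext(context) {
  if (typeof context === 'string') return escapeHtml(context);
  if (Array.isArray(context)) return context.map(sanitizeContext);
  if (context !== null && typeof context === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(context)) out[key] = sanitizeContext(val);
    return out;
  }
  return context;
}

// Constructed sample input: text that would become a live script element
// if interpolated into an HTML file unescaped. After sanitizing, the template
// renders it as visible text, which is the "safe" case from Example 1.
const untrusted = { text: '<script>alert(1)</script>', count: 3, tags: ['a&b'] };
const safeContext = sanitizeContext(untrusted);
console.log(safeContext.text); // &lt;script&gt;alert(1)&lt;/script&gt;
```

Pass safeContext, not untrusted, to the renderer when the output is HTML; for other content types you still need an escaper specific to that format.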

Conclusion

It is highly recommended to NOT use the eval function, and to sanitize ALL inputs if you are rendering a file that will be executed (like HTML or JS). With great power comes great responsibility.

Disclaimer

As specified in the license of this project:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
