Security Concerns
If you know what you're doing, eryn is safe.
All template types use JavaScript blocks of code in order to provide flexibility. However, this can backfire if you are not careful.
The only code that will be executed by the renderer is the one that you write in the templates. Code execution is present in:
- normal templates (and all derivatives)
- conditional templates (the expression)
- inverted conditional templates (the expression)
- loop templates (the iterator, and also the array)
- component templates (the context)
While the iterator (in loop templates) is not directly executed, it is assigned to.
Consider the following example:
```
[|block_of_code|]
```
This simply runs the block of code, and renders the result. Therefore, something like this can be done:
```
[|# local.x = 5 |]
The number is [|local.x|].
```
...which will be rendered as:
```
The number is 5.
```
While this allows you to do many things, you should be careful.
Consider this template:
```
[|context.text|]
```
If `text` is a string equal to `while(true) x.push(0);`, here's what will be rendered:
```
while(true) x.push(0);
```
The text will be rendered as a string, and will not be executed. The only code that will be executed is `context.text`, which is the one written in the template.
Therefore, this won't affect the renderer and is safe. However, if the string ends up in something like an HTML or JavaScript file, where it may be executed later, you should sanitize the input before passing it to the renderer.
Consider this template instead:
```
[|eval(context.text)|]
```
Evidently, this is dangerous. The code that will be executed by the renderer is:
```js
eval("while(true) x.push(0);");
```
...which will execute `while(true) x.push(0);`, as the input string will be evaluated by the `eval` function.
Do not use the `eval` function inside templates, unless you are sure that the input has already been sanitized. And even then, think twice before using it.
For performance reasons, and in order to allow this flexibility, eryn trusts your input and only checks for rendering errors. Also, eryn can render any type of content (even binary), so it doesn't know what you want to render (HTML, JS, CSS, PDF, etc.). Therefore, it can't sanitize the input for all cases.
You are responsible for sanitizing the input, depending on what type of content you want to render.
!!! It is highly recommended to NOT use the `eval` function, and to sanitize ALL inputs if you are rendering a file that will be executed (like HTML or JS). With great power comes great responsibility !!!
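The two recommendations above, as an added example that is not part of eryn or of this page: a helper that HTML-escapes every string in a context before it is handed to the renderer (so `[|context.text|]` can only ever render text in an HTML output), and a pre-deployment lint that lists every `[| ... |]` block whose code calls `eval` or `Function`. The `[|` / `|]` delimiters are taken from the page; the helper names, the sample template and the sample context are assumptions.

```javascript
// Added example, not eryn's own code. Escape the characters that matter in
// HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Deep copy of the context in which every string has been HTML-escaped.
// Numbers, booleans, null and undefined pass through unchanged.
function sanitizeContext(value) {
  if (typeof value === "string") return escapeHtml(value);
  if (Array.isArray(value)) return value.map(sanitizeContext);
  if (value && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, sanitizeContext(v)])
    );
  }
  return value;
}

// Lint: return the code of every [| ... |] block that evaluates a string as
// code (eval or the Function constructor). Run this on templates before deploy.
const TEMPLATE_BLOCK = /\[\|([\s\S]*?)\|\]/g;
const DYNAMIC_CODE = /\b(eval|Function)\s*\(/;

function findDynamicCodeBlocks(templateSource) {
  const findings = [];
  for (const match of templateSource.matchAll(TEMPLATE_BLOCK)) {
    const code = match[1].trim();
    if (DYNAMIC_CODE.test(code)) findings.push(code);
  }
  return findings;
}

// Constructed sample input: the string from the page plus an HTML tag.
const untrusted = { text: "while(true) x.push(0);", title: "<b>hi</b>" };
const safeContext = sanitizeContext(untrusted); // pass this to the renderer

// Constructed sample template: two safe blocks and one that must be rejected.
const template =
  "<h1>[|context.title|]</h1>\n<p>[|context.text|]</p>\n[|eval(context.text)|]";
const findings = findDynamicCodeBlocks(template); // ["eval(context.text)"]
```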
As specified in the license of this project:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.