2.0.0 breaks Express.js res.render views configuration #215
Summary

Continue using

Detail

When we visit

```js
var express = require("express")
var app = express()
var eta = require("eta")

// Register eta's renderFile as the view engine for the "eta" extension
app.engine("eta", eta.renderFile)
// Express-side view settings that res.render is expected to hand to the engine
app.set("views", "./OTHER-VIEWS-FOLDER")
app.set("view cache", true)
app.set("view engine", "eta")

app.get("/", function (req, res) {
  // The whole query-string object is passed through as the render data
  res.render("template", req.query)
})

app.listen(8000, function () {
  console.log("listening to requests on port 8000")
})
```
There is another thing worth mentioning about the cache option. (I think it's relevant to this issue.)

The following code sets the cache option of eta.js, which caches

```js
eta.configure({ views: "./OTHER-VIEWS-FOLDER", cache: true })
```

The following code sets the cache option of express.js, which caches

```js
app.set("view cache", true)
```

THEY ARE DIFFERENT.
@Ching367436

index.js
views1/template.eta
views2/footer.eta

The error:
@SamuelGaona @Ching367436 @gkentr thanks for giving details on this issue -- it's one that I didn't expect. It seems to me that the above problems could be solved in two ways:

However, if a developer passes in

```js
var express = require("express")
var app = express()
var eta = require("eta")
app.engine("eta", eta.renderFile)
// Eta's own views/cache config has to match the Express view settings below
eta.configure({ views: "./views-folder", cache: true })
app.set("views", "./views-folder")
app.set("view cache", true)
app.set("view engine", "eta")
```

This is slightly annoying, but may be safer. What do you all think?
The second option would be better. If we choose the first option, an attacker could do more than just gain access to another folder on the user's machine under certain circumstances.

```js
app.get('/', function (req, res) {
  // The raw query object becomes the render data/options
  res.render('template', req.query);
});
```

Server-side template injection could sometimes lead to remote code execution.

Update: Server-side template injection in Eta could lead to remote code execution.
@Ching367436 I think you're right. I'll update the docs to update recommended ExpressJS usage.
The configuration for the new version 2.0.0 of eta breaks res.render views configuration.

To Reproduce

Steps to reproduce the behavior:

res.render(templateName);

'./views'

Expected behavior

res.render should render as if it was configured with

app.set("views", "./OTHER-VIEWS-FOLDER")

renderFile works just fine.