fix: use context property for template variables
#163
BREAKING CHANGE: An object passed to template data will need to be passed as an object in the `context` property. This prevents mixing untrusted data with express-handlebars options. For more information see https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/

**Example:**

```handlebars
<h1>Hi, {{name}}</h1>
```

**<= v5**

```js
res.render('hi', {name: "Tony", layout: false})
```

**v6**

```js
res.render('hi', {context: {name: "Tony"}, layout: false})
```
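As an added illustration (not code from this PR or from express-handlebars), a toy view engine contrasts the two calling shapes above and shows why a key in untrusted data that collides with a renderer option is the risk being discussed; `RENDERER_OPTIONS`, `renderLegacy`, `renderWithContext` and `findOptionCollisions` are illustrative names, and the tainted JSON is constructed.

```javascript
// Illustrative example, not express-handlebars code. A toy renderer that
// stands in for the view engine so the two calling shapes can be compared.
const RENDERER_OPTIONS = new Set(['layout', 'partialsDir', 'helpers']);

// Minimal {{name}} substitution in place of Handlebars compilation.
function fillTemplate(template, context) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(context, key) ? String(context[key]) : '');
}

// <= v5 shape: template variables and renderer options share one object,
// so any untrusted key whose name matches an option silently overrides it.
function renderLegacy(template, options) {
  const layout = options.layout === undefined ? 'main' : options.layout;
  return { layout, html: fillTemplate(template, options) };
}

// v6 shape proposed in this PR: variables live under `context`; the renderer
// only reads options from the top level, so context keys cannot leak across.
// Note the residual risk raised in the thread: a caller that still passes the
// tainted object at the top level gets no protection from this split.
function renderWithContext(template, options) {
  const context = options.context || {};
  const layout = options.layout === undefined ? 'main' : options.layout;
  return { layout, html: fillTemplate(template, context) };
}

// Defensive check for callers on the legacy shape: report untrusted keys that
// would collide with renderer options before the object reaches res.render().
function findOptionCollisions(untrusted) {
  return Object.keys(untrusted).filter((k) => RENDERER_OPTIONS.has(k));
}

// Constructed input standing in for a request body controlled by the client.
const tainted = JSON.parse('{"name":"Tony","layout":"admin-panel"}');
const template = '<h1>Hi, {{name}}</h1>';
```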
Hello, thanks for tagging me and sorry for the slight delay, I've been swamped with work. I will give it a look now.
So with this change if you force users to pass the template arguments via

```js
async renderView (viewPath, options = {}, callback = null) {
  const context = options.context || {};
}
```

My concern would be that users that call `res.render("name", taintedObject)` are still vulnerable because The problem with trying to fix this is that the problem is at three different levels, first the user uses the In my opinion the most balanced way to fix this is to warn clients of handlebars to never pass objects whose keys are attacker controlled to the This is what Until then, I can't imagine a proper solution to the issue. Let me know what you think!
Thanks! I added a note to the readme about this.
I'm going to hold off on this type of change until express fixes their API. Express v5 has been in alpha for almost 7 years.
Fantastic @UziTech, thank you for your time addressing this issue!
Is it still necessary to put template variables in a If yes, is it right that I need to access these variables in the handlebar template by calling
@bavarianbytes no, this change was not merged as it didn't fix the underlying vulnerability. The documentation should be correct.
BREAKING CHANGE:
An object passed to template data will need to be passed as an object in the `context` property. This prevents mixing untrusted data with express-handlebars options.
For more information see https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/
Thanks @agustingianni for bringing this to my attention.