[deleted] #5537

Shruti-Ramenahalli · 2024-03-14T13:36:41Z

[deleted]

krzysdz · 2024-03-14T14:12:00Z

This is not a problem with express or hbs. The problem is passing user-controlled input to res.render.
The express documentation says:

The locals object is used by view engines to render a response. The object keys may be particularly sensitive and should not contain user-controlled input, as it may affect the operation of the view engine or provide a path to cross-site scripting. Consult the documentation for the used view engine for additional considerations.

joeyguerra · 2024-03-14T15:23:50Z

For further reference, please review OWASP C5: Validate All Inputs.

I'm currently thinking that since hbs knows it's own schema, it could mitigate this issue by disallowing its core underlying design schema from the view model being passed in.

@Shruti-Ramenahalli have you considered submitting a pull request to the hbs repo with a suggested design fix?

wesleytodd · 2024-03-14T15:37:37Z

If you believe there is a security issue please see our reporting guidelines.

Shruti-Ramenahalli added the bug label Mar 14, 2024

wesleytodd closed this as completed Mar 14, 2024

wesleytodd changed the title ~~Security Issue: Express Package Vulnerability~~ [deleted] Mar 14, 2024

wesleytodd added invalid and removed bug labels Mar 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[deleted] #5537

[deleted] #5537

Shruti-Ramenahalli commented Mar 14, 2024 •

edited by wesleytodd

krzysdz commented Mar 14, 2024 •

edited

joeyguerra commented Mar 14, 2024

wesleytodd commented Mar 14, 2024

[deleted] #5537

[deleted] #5537

Comments

Shruti-Ramenahalli commented Mar 14, 2024 • edited by wesleytodd

krzysdz commented Mar 14, 2024 • edited

joeyguerra commented Mar 14, 2024

wesleytodd commented Mar 14, 2024

Shruti-Ramenahalli commented Mar 14, 2024 •

edited by wesleytodd

krzysdz commented Mar 14, 2024 •

edited