Skip to content

JS: Add taint step for handlebars model #8430

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Apr 19, 2022
Merged

JS: Add taint step for handlebars model #8430

merged 7 commits into from
Apr 19, 2022

Conversation

kaeluka
Copy link

@kaeluka kaeluka commented Mar 14, 2022
edited
Loading

This adds a taint step that has been missing in the handlebars templating library. Passing data to a template may flow to custom 'helpers'. See the attached test and predicate documentation for details :)

Related CVE:

CVE-2022-24718

DCA

Experiment looking good.

@github-actions github-actions bot added the JS label Mar 14, 2022
@kaeluka kaeluka changed the title Js/CVE 2022 24718 Add taint step for handlebars model Mar 14, 2022
@kaeluka kaeluka mentioned this pull request Mar 14, 2022
Closed
@owen-mc owen-mc changed the title Add taint step for handlebars model JS: Add taint step for handlebars model Mar 15, 2022
@kaeluka kaeluka marked this pull request as ready for review March 24, 2022 11:56
@kaeluka kaeluka requested a review from a team as a code owner March 24, 2022 11:56
@kaeluka kaeluka added the no-change-note-required This PR does not need a change note label Mar 24, 2022
erik-krogh
erik-krogh reviewed Mar 28, 2022
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looks OK, but I got some comments.

erik-krogh
erik-krogh reviewed Mar 29, 2022
View reviewed changes
@erik-krogh
Copy link
Contributor

The autoformatter is failing on Handlebars.qll.

erik-krogh
erik-krogh reviewed Apr 1, 2022
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did an evaluation.
(nightly-old + a bunch of random projects that use handlebars.compile(..).

I'm a bit worried about false flow in the case where we don't know the template string, but otherwise LGTM.

@kaeluka
Copy link
Author

kaeluka commented Apr 14, 2022

@erik-krogh I think I've addressed all concerns.

erik-krogh
erik-krogh approved these changes Apr 19, 2022
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@kaeluka kaeluka merged commit 2fb3147 into github:main Apr 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erik-krogh erik-krogh erik-krogh approved these changes

Assignees
No one assigned
Labels
JS no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kaeluka @erik-krogh