Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RCE possible in compat and strict mode #1736

Open
nknapp opened this issue Feb 13, 2021 · 5 comments
Open

RCE possible in compat and strict mode #1736

nknapp opened this issue Feb 13, 2021 · 5 comments

Comments

@nknapp
Copy link
Collaborator

@nknapp nknapp commented Feb 13, 2021

Two security issues have arised and are fixed in the referencing commits:

  1. Due to insufficient escaping of the input template, it was possible to inject code into templates that are compiled in "compat" mode.

  2. In "strict" mode, the exploits disclosed in the npm-security advisories 755,
    1164, 1316,
    1324 and 1325 and in the blog-article
    of Mahmoud Gamal possible, because the the method that was used in strict-mode had not called the safe-guard methods.

The issues have been disclosed a couple of weeks ago at https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767 and are fixed in version 4.7.7

nknapp added a commit that referenced this issue Feb 15, 2021
@joshbressers
Copy link

@joshbressers joshbressers commented Mar 4, 2021

This issue is getting flagged by security scanners (the commits have scary words in them it would seem). Can you clarify if these are indeed security fixes?

Thanks in advance

@nknapp
Copy link
Collaborator Author

@nknapp nknapp commented Mar 6, 2021

Yes, these are indeed security fixes, although only relevant in "compat" and "strict" mode.
I'm not sure if they are already disclosed. My plan is to fill this issue with more details and links when they are.

@nknapp nknapp changed the title placeholder RCE possible in compat and strict mode Mar 6, 2021
This was referenced Mar 6, 2021
@jtnord
Copy link

@jtnord jtnord commented May 10, 2021

is there any plan to backport any relevant fixes to the 3.x branch, or is that line considered dead now?

@jtnord
Copy link

@jtnord jtnord commented May 10, 2021

@nknapp seems like 3.0.8 should have all these fixes already due to #1532 and #1656 ? can you confirm this is the case and that the CVE cpe metadata is incorrect?

bitwiseman added a commit to bitwiseman/handlebars.js that referenced this issue May 18, 2021
bitwiseman added a commit to bitwiseman/handlebars.js that referenced this issue May 18, 2021
bitwiseman added a commit to bitwiseman/handlebars.js that referenced this issue May 19, 2021
bitwiseman added a commit to bitwiseman/handlebars.js that referenced this issue May 19, 2021
@bitwiseman
Copy link

@bitwiseman bitwiseman commented May 19, 2021

I've attempted a backport of these fixes to the 3.x release - #1751 .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants