Blacklist 'root' option when looking for opts in data obj

mde · Nov 28, 2016 · 3d447c5 · 3d447c5
1 parent 3f38122
commit 3d447c5
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/lib/ejs.js b/lib/ejs.js
@@ -269,6 +269,13 @@ function rethrow(err, str, filename, lineno){
 function cpOptsInData(data, opts) {
   _OPTS.forEach(function (p) {
     if (typeof data[p] != 'undefined') {
+      // Disallow setting the root opt for includes via a passed data obj
+      // Unsanitized, parameterized use of `render` could allow the
+      // include directory to be reset, opening up the possibility of
+      // remote code execution
+      if (p == 'root') {
+        return;
+      }
       opts[p] = data[p];
     }
   });