vuln

[wadahkode]

how to fix?

let ejs = require('ejs') ejs.render('./views/test.ejs',{ filename:'/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }', compileDebug: true, message: 'test', client: true })

[mde]

This is not a problem with EJS.

EJS literally evaluates the JavaScript you pass it. It's what EJS is. EJS should never be used server-side with tainted/unsanitized input from an end-user. If you allow people to pass arbitrary code to it, it will run arbitrary code.

If a developer uses EJS this way, they are definitively using EJS wrong.

[dominykas]

While I agree with the sentiment that this is not exactly a security vulnerability in ejs as it is true that you should not be passing unsanitized user input to it, there still is a bug somewhere in there. Note the code - for whatever reason, the code inside options.filename string gets executed.

This only happens if options.compileDebug is set to true, which leads to me believe that there is a bug, likely here:

ejs/lib/ejs.js

Line 639 in 9f69c0a

+ '//# sourceURL=' + opts.filename + '\n';

Namely, if the filename contains a new line, then the second line escapes from the comment.

Not sure what the fix should be. A naive implementation should forbid \n in the filename, but probably this needs URI encoding or smth like that - not sure what the valid values are for this sourceURL comment, or how to escape these values exactly.

[mde]

Updated to prevent this in v3.1.6, now pushed to NPM.