Add warning against running untrusted templates #17

Closed
vjeux opened this Issue Oct 13, 2014 · 9 comments

vjeux commented Oct 13, 2014

I talked to people that are under the impression that it's safe to feed user-defined templates to nunjucks. However it is not. It may be good to add a warning about this.

Proof of concept to run arbitrary code on viewers: http://jsfiddle.net/vjeux/q55ads7r/
Proof of concept to run arbitrary code on the execution environment: http://jsfiddle.net/vjeux/2kcjjgt2/

jlongster commented Oct 13, 2014

Good point! I wonder if other templating autoescaping escapes = and quotes, which would fix this. I will definitely add a warning if nothing changes, but this feels like something that should be handled by autoescaping.

vjeux commented Oct 13, 2014

Auto-escaping works on the variables you feed into the template, not in the template itself. (and correctly fixes the problem: http://jsfiddle.net/vjeux/3rzsn4sy/ ).

What I'm trying to point out here is that it's not safe to have the user define the template itself.

jlongster commented Oct 13, 2014

Oh, duh, right. I misinterpreted. Yeah, of course by default it will output HTML. I will add a warning to the docs.

vjeux commented Oct 13, 2014

I think the fact that rendering a template can execute arbitrary javascript code on the server is even more unexpected

nunjucks.renderString('{{a.constructor.__proto__.constructor("alert()")()}}');

jlongster commented Oct 13, 2014

We parse a grammar similar to JS, and output the corresponding JS to the AST, so yes, those holes are exposed. Accessing native methods is an easy way to get a lot for free, so users can just do {{ arr.length }} and stuff. You're right though; we should blacklist a few properties that allow you to access this so that this safety is on by default.

I know other engines have a "sandboxed" mode which we could also support. Is there anything other than constructor that you can think of that we need to blacklist?

Regardless, I will add a warning that we don't guarantee a full sandboxed mode yet.

vjeux commented Oct 13, 2014

Blacklisting properties is very dangerous. If you ever attempt to have a sandboxed mode, I would highly recommend you talk to someone with a web security background. Cure53 audited most of the template engines out there. https://code.google.com/p/mustache-security/ They also privately audited React and had a lot of good suggestions to improve its security edge cases :)
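An added example (not nunjucks code, and not from anyone in this thread) of the allowlist alternative to the blacklisting discussed in the last two comments: a member lookup that only resolves own, non-function properties of the render context, so the `a.constructor.__proto__.constructor` path from the proof of concept ends in undefined while `{{ arr.length }}` keeps working. `safeLookup`, `resolvePath`, `naiveResolvePath` and the sample context are all constructed here for illustration.

```javascript
// Added example, not nunjucks code: an allowlist-based member lookup as the
// alternative to blacklisting "constructor" and friends. Only own, non-function
// properties of the supplied data are reachable from a template path; anything
// inherited (Object.prototype.constructor, the __proto__ accessor, builtin
// methods) resolves to undefined, the natural "missing value" result.

function safeLookup(obj, key) {
  if (obj === null || obj === undefined) return undefined;
  if (typeof key !== 'string' && typeof key !== 'number') return undefined;
  // Own properties only: this single check excludes the whole prototype chain.
  // Array and string `length` and array indices are own properties, so
  // {{ arr.length }} and {{ arr.0 }} still work.
  if (!Object.prototype.hasOwnProperty.call(obj, key)) return undefined;
  const value = obj[key];
  // Never hand a callable back to the template; data only.
  if (typeof value === 'function') return undefined;
  return value;
}

// Resolve a dotted path such as "user.name" or "items.0.title" against the
// render context, one allowlisted step at a time.
function resolvePath(context, path) {
  return path.split('.').reduce((cur, key) => safeLookup(cur, key), context);
}

// The behaviour the issue reports, for comparison: plain property access,
// which follows the prototype chain wherever it leads.
function naiveResolvePath(context, path) {
  return path
    .split('.')
    .reduce((cur, key) => (cur === null || cur === undefined ? undefined : cur[key]), context);
}

// Constructed sample context for the demo below.
const sampleContext = { user: { name: 'Ada' }, arr: [1, 2, 3], a: {} };
const gadgetPath = 'a.constructor.__proto__.constructor'; // the path from the thread

function demo() {
  return {
    name: resolvePath(sampleContext, 'user.name'),                    // 'Ada'
    length: resolvePath(sampleContext, 'arr.length'),                 // 3
    safeGadget: typeof resolvePath(sampleContext, gadgetPath),        // 'undefined'
    naiveGadget: typeof naiveResolvePath(sampleContext, gadgetPath),  // 'function'
  };
}

console.log(demo());
```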

jlongster commented Oct 13, 2014

Yeah, blackboxing is just a false sense of security. Nunjucks does not really provide a solution for user-defined templates that should not be able to run arbitrary JS. Some of the current products that use nunjucks are CMS-es where this doesn't matter, because you are using it to customize your own site and you could freely run JS in just a <script> tag.

Handlebars is a better solution for a completely safe user-defined template. I will add notes about this in the docs somewhere.

jlongster commented Apr 3, 2015

I added a warning in the updated docs (published soon, thanks!)

@jlongster jlongster closed this Apr 3, 2015

brianmhunt commented Jun 8, 2016

For those reading this, there are two bits of info that may be helpful:

  1. On the client-side, you can use a Content Security Policy to limit the sources of scripts, i.e., it can prohibit executing scripts from arbitrary URLs. You cannot compile nunjucks scripts in the browser when the CSP uses unsafe-eval (which would be the "gold standard" of protections, and what is needed for some applications like Chrome Apps) at this time, per mozilla/nunjucks#298.
  2. You can use a JavaScript-like language, such as the one I wrote for knockout-secure-binding, which is CSP-safe (though arguably it simply usurps the protections CSP provides – know your vectors! 😄 ).