Fix handlebars upstream vulnerability #178
Conversation
I just have a general comment. The same concern was raised in #176 (comment) so hoping there is a way.
@@ -69,8 +69,7 @@ function middleware(filename, options, cb) { | |||
cb(null, res); | |||
}); | |||
} catch (err) { | |||
err.message = filename + ': ' + err.message; | |||
cb(err); | |||
cb(new Error(filename + ': ' + err.message)); |
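Review bot: replacing `cb(err)` with `cb(new Error(filename + ': ' + err.message))` passes the caller a fresh Error that carries only the message, so every other property on the original (the thread names handlebars' `err.hash.line` / `err.hash.text` and Node.js' `err.code`) is dropped, and the new object's stack points at this catch block rather than at the upstream throw site. If the reason for the rewrite is that the plain `err.message = filename + ': ' + err.message` assignment on the preceding line no longer takes effect with newer handlebars, consider keeping the original error object and redefining only its message (for example via Object.defineProperty), or copying the original's own properties onto the wrapper, so the change stays backwards compatible instead of requiring a major release.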
I looked into this change too, but was hoping for a backwards compatible one so this didn't need to be a 5.0 release. It drops all custom properties from the original Error.
Hmm... What kind of custom properties are present here? The stack trace will be maintained through this pattern (with an extra step, but that should be fine). If handlebars set any other properties we could just copy them over.
Syntax errors from handlebars have all those properties which show how the syntax was invalid. For example err.hash.line is the line the error was on, err.hash.text was the bad text it encountered, etc. Node.js errors coming through here have their standard err.code property, etc.
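The property loss discussed in the comments above, shown as an added example that is not code from the hbs project: a constructed stand-in for a handlebars syntax error (the `hash` shape is assumed for illustration) and a constructed Node.js fs error are passed through the `new Error(filename + ': ' + err.message)` pattern from the diff and through a backwards-compatible alternative that keeps the same error object and redefines only its message. The stand-in syntax error also simulates a non-writable `message`, which is an assumption about why the old assignment stopped working; the thread does not say.

```javascript
// Added example, not code from the hbs project. Compares what reaches the
// middleware callback when an upstream error is re-wrapped versus prefixed
// in place.

// Constructed stand-in for a handlebars syntax error. The `hash` layout is
// assumed for illustration.
function makeSyntaxError() {
  const err = new Error("Parse error on line 3: Expecting 'ID', got 'EOF'");
  err.hash = { line: 3, text: '{{#each', token: 'EOF' };
  // Assumption for the demo: upstream made `message` read-only, so a plain
  // `err.message = ...` is a silent no-op in sloppy mode or a TypeError in
  // strict mode.
  Object.defineProperty(err, 'message', {
    value: err.message, writable: false, configurable: true, enumerable: false,
  });
  return err;
}

// Constructed stand-in for a Node.js fs error, e.g. a missing partial.
function makeFsError() {
  const err = new Error("ENOENT: no such file or directory, open 'views/missing.hbs'");
  err.code = 'ENOENT';
  err.syscall = 'open';
  err.path = 'views/missing.hbs';
  return err;
}

// The pre-patch assignment, run in strict mode so a read-only `message`
// surfaces as a TypeError instead of silently doing nothing.
function assignFails(filename, err) {
  'use strict';
  try {
    err.message = filename + ': ' + err.message;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// The pattern in the diff under discussion: only the message survives.
function wrapNaive(filename, err) {
  return new Error(filename + ': ' + err.message);
}

// Backwards-compatible alternative: keep the same object, so `hash`, `code`,
// `path`, the prototype and the original stack frames all survive, and only
// redefine `message`. defineProperty succeeds even when `message` is
// non-writable as long as it is still configurable (a non-configurable
// `message` would throw here, which is worth knowing before relying on it).
function wrapPreserving(filename, err) {
  const message = filename + ': ' + err.message;
  Object.defineProperty(err, 'message', {
    value: message, writable: true, configurable: true, enumerable: false,
  });
  // Keep the stack's header line in sync with the new message so logs and
  // error reporters show the filename too; the frames below it are untouched.
  if (typeof err.stack === 'string') {
    const lines = err.stack.split('\n');
    lines[0] = err.name + ': ' + message;
    Object.defineProperty(err, 'stack', {
      value: lines.join('\n'), writable: true, configurable: true, enumerable: false,
    });
  }
  return err;
}

// Summarise what each approach hands to the callback for a given error.
// wrapNaive runs first because wrapPreserving mutates `err`.
function compare(filename, err) {
  const naive = wrapNaive(filename, err);
  const kept = wrapPreserving(filename, err);
  return {
    naiveHasHash: 'hash' in naive,
    naiveHasCode: 'code' in naive,
    keptHash: kept.hash,
    keptCode: kept.code,
    keptMessage: kept.message,
    sameObject: kept === err,
    stackFirstLine: kept.stack.split('\n')[0],
  };
}

const syntaxResult = compare('views/index.hbs', makeSyntaxError());
const fsResult = compare('views/index.hbs', makeFsError());
```

With the simulated read-only message, assignFails returns true for the syntax error and false for the fs error, which is the difference between the two that the thread is chasing; compare shows the naive wrapper dropping hash and code while the in-place variant keeps them and still reports the prefixed message on the first stack line.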
The last time there was a release (in April) the feature was working. It seems like something has changed and it is no longer working for some reason. I'm trying to track down what is causing it to fail.
Oh, haha, I forgot I was running handlebars 4.3.1 locally for testing. Yes, the feature still works fine on 4.0.14. So I'm trying to determine what changed in handlebars.
It is something in the 4.2.1 release, as it works with handlebars 4.2.0 but does not work with 4.2.1.
Filed a bug in handlebars.js project: handlebars-lang/handlebars.js#1562
@dougwilson Good find.
This fixes the upstream prototype pollution vulnerability in handlebars that was fixed in handlebars 4.3.0. Similar to #175 but with tests passing.
Test result against Node.js v10.16.0:
The patch in lib/hbs.js is not strictly related to this patch, but is to get the tests running in the current version of Node.js. Master tests are also broken against Node v10.