Potential security vulnerabilities in ejs

[lkappeler]

We are using the project as a dependency in our project.
The dependency graph on github shows us the following security warning:

Moderate severity: CVE-2017-1000188

nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection

See mde/ejs@49264e0

High severity: CVE-2017-1000228

nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function

See https://snyk.io/vuln/npm:ejs:20161128

package-lock.json update suggested:
ejs ~> 2.5.5

[bajtos]

@lkappeler thank you for reporting the problem. Would you mind contributing the upgrade yourself? See our Contribution Guidelines to get your started. I think the process should be pretty straightforward - run npm install --save ejs@latest, then make sure npm test is still passing.

[lkappeler]

Hi @bajtos
Thanks for your answer, unfortunately ist not just updating ejs since they removed the filters in version 2 so the two filters q and getPropertyOfFirstEndpoint needs to be replaced with custom helper functions, tried to do that in my branch but for some reasons the template wont compile anymore. I tried to replace the <%-: with <%- (not sure if correct) could not find a reference to the used pattern in the documentation of ejs. I also tried to install the ejs-linter, but didn't got any hints on where the error could be. I have basically no experience with ejs-templates so I could need some support here on how to determine what and where needs to be fixed in the template.

[bajtos]

Oh, that's unfortunate.

I am leaving for vacation, I'll take a look at this when I get back in January.

[bajtos]

Hello. I checked the two security vulnerabilities, I believe they are affecting ejs API that we are not using in this SDK. Both vulnerabilities are related to renderFile, but we are using render - see lib/services.js#L105.

In that light, I think this issue is not critical. At the same time, I'd like us to fix it anyways, because ignoring security warnings is a bad habit to learn.

[virkt25]

EJS 2.X.X dropped support for filters that are used extensively in the templates in this library. That makes this upgrade non-trivial but still do-able. Here is a comment that proposes a workaround / way to re-implement that missing functionality! It'll just require careful changes / making sure template works as expected after the upgrade.

Comment for workaround: mde/ejs#76 (comment)

[lkappeler]

@virkt25
That's what I tried to do but I think I have messed up somewhere, in case you wan't to have a look: lkappeler@5c6afbc

[bajtos]

@lkappeler the changes in your commit look reasonable to me, I don't see any obvious problems. Please not that we are using JSON.stringify as a way how to produce valid JavaScript strings, that's why the filter is called q as for "quote". I think your helper "toPrettyJson" would be better called "q" or "quotedString".

[lkappeler]

@bajtos Changed the function name to "quotedString" (Originally renamed it since i could not figure out what q stands fore and the space option was set). Nevertheless my main problem is that the test are failing after I update ejs. I have basically no idea where to look for the error since it's complaining about a unexpected : in the code.

Details

legatore@ares:/wrk/loopback-sdk-angular (bugfix/update-ejs *)$ npm test

loopback-sdk-angular@3.2.1 test /home/legatore/Projects/loopback-sdk-angular

mocha && node ./test.e2e/test-server.js node node_modules/karma/bin/karma start --single-run  --browsers PhantomJS

(node:18792) [DEP0006] DeprecationWarning: child_process: options.customFds option is deprecated. Use options.stdio instead.
․
1 passing (13ms)
Test server is listening on http://localhost:3838/

Running node node_modules/karma/bin/karma start --single-run --browsers PhantomJS
START:

18 01 2018 15:51:50.759:INFO [karma]: Karma v0.13.22 server started at http://localhost:9876/

18 01 2018 15:51:50.762:INFO [launcher]: Starting browser PhantomJS

18 01 2018 15:51:50.947:INFO [PhantomJS 2.1.1 (Linux 0.0.0)]: Connected on socket UKp_RjGT0m3w8BmxAAAA with id 7883279

Cannot generate services script: SyntaxError: Unexpected token : while compiling ejs
If the above error is not helpful, you may want to try EJS-Lint:

https://github.com/RyanZim/EJS-Lint

at new Function ()

at Template.compile (/home/legatore/Projects/loopback-sdk-angular/node_modules/ejs/lib/ejs.js:549:12)

at Object.compile (/home/legatore/Projects/loopback-sdk-angular/node_modules/ejs/lib/ejs.js:358:16)

at handleCache (/home/legatore/Projects/loopback-sdk-angular/node_modules/ejs/lib/ejs.js:201:18)

at Object.exports.render (/home/legatore/Projects/loopback-sdk-angular/node_modules/ejs/lib/ejs.js:384:10)

at Object.generateServices [as services] (/home/legatore/Projects/loopback-sdk-angular/lib/services.js:102:14)

at generateService (/home/legatore/Projects/loopback-sdk-angular/test.e2e/test-server.js:177:32)

at /home/legatore/Projects/loopback-sdk-angular/test.e2e/test-server.js:115:24

at /home/legatore/Projects/loopback-sdk-angular/test.e2e/test-server.js:130:32

at /home/legatore/Projects/loopback-sdk-angular/test.e2e/test-server.js:108:3

at Layer.handle [as handle_request] (/home/legatore/Projects/loopback-sdk-angular/node_modules/express/lib/router/layer.js:95:5)

at next (/home/legatore/Projects/loopback-sdk-angular/node_modules/express/lib/router/route.js:137:13)

at Route.dispatch (/home/legatore/Projects/loopback-sdk-angular/node_modules/express/lib/router/route.js:112:3)

at Layer.handle [as handle_request] (/home/legatore/Projects/loopback-sdk-angular/node_modules/express/lib/router/layer.js:95:5)

at /home/legatore/Projects/loopback-sdk-angular/node_modules/express/lib/router/index.js:281:22

at Function.process_params (/home/legatore/Projects/loopback-sdk-angular/node_modules/express/lib/router/index.js:335:12)

express deprecated res.send(status, body): Use res.status(status).send(body) instead test.e2e/test-server.js:124:9

POST /setup 200 26.850 ms - 82

express deprecated res.send(status, body): Use res.status(status).send(body) instead test.e2e/test-server.js:139:7

GET /services?urlBaseAndAuthHeaderCustomization 200 0.457 ms - 136

services

url base and authentication header customization

✖ "before all" hook
Finished in 0.098 secs / NaN secs
SUMMARY:

✔ 0 tests completed

✖ 1 test failed
FAILED TESTS:

services

url base and authentication header customization

✖ "before all" hook

PhantomJS 2.1.1 (Linux 0.0.0)

Script error. (:0)
npm ERR! Test failed.  See above for more details.

[bajtos]

@lkappeler I see. Have you tried to use the linter proposed by the error message to see if it can find the error for you? If it doesn't help, then please open a pull request with the work you a have done so far, it will make it easier for me to run your update and push new changes to your feature branch if needed.

[lkappeler]

@bajtos
Yes I did that but the linter does not give me any output
command: ./node_modules/.bin/ejslint lib/services.template.ejs

Here is the PR: #282