Update vulnerable handlebars@^3.0.3 to ^4.0.12 #921

Closed
Silic0nS0ldier opened this issue Jan 11, 2019 · 5 comments
Labels
security Framework security issue

@Silic0nS0ldier
Member

Handlebars ^3.0.3 is affected by https://nodesecurity.io/advisories/61 (cross-site scripting)

We should update to ^4.0.12 if possible.

@Silic0nS0ldier Silic0nS0ldier added the security Framework security issue label Jan 11, 2019
@Silic0nS0ldier
Member Author

I can only spy 2 cases where there are potential compatibility issues from v3,

  1. `=` is now escaped in variables to address a potential exploit.
  2. Depthed path logic has been updated to reflect expected behaviour in some circumstances. (not entirely sure what this is, but it affects what values in the template will resolve to)

Would like to see this addressed in 4.2 if possible. Not a big fan of pushing out updates that depend on vulnerable dependencies if it can be helped.

@Silic0nS0ldier Silic0nS0ldier added this to the 4.3.0 milestone Jan 11, 2019
@lcharette lcharette pinned this issue Apr 1, 2019
@lcharette lcharette unpinned this issue Apr 2, 2019
@amosfolz
Contributor

I was doing a little research on this and found that this vulnerability does not have anything to do with Handlebars at its core, but more so bad developer practices. (Not wrapping HTML attributes in ' or ").

The issue is that Handlebars documentation claimed to be escaping content in {{ }} but did not have = included in the list of escaped characters. If following the suggestions here this would not be a problem.

Also, I have updated Handlebars and did not find any noticeable issues or that anything was broken.
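
The practice named in the comment above, a `{{ }}` expression used as an HTML attribute value without surrounding quotes, can be checked for mechanically in a project's templates. The following is an added example, not part of the original thread and not UserFrosting or Handlebars code; the function name `findUnquotedExpressions` and the sample template are constructed for illustration.

```javascript
// Added example (not from the thread): flag Handlebars expressions that are
// used as HTML attribute values without surrounding quotes.

// One HTML start tag; quoted values and {{...}} blocks may contain '>'.
const TAG = /<[a-zA-Z](?:"[^"]*"|'[^']*'|\{\{[\s\S]*?\}\}|\{(?!\{)|[^>"'{])*>/g;
// A quoted attribute value (or quoted helper argument).
const QUOTED = /"[^"]*"|'[^']*'/g;
// name={{expr}} or name={{{expr}}} with no quote before the expression.
const UNQUOTED = /([^\s"'<>\/={}]+)\s*=\s*(\{\{\{?[\s\S]*?\}\}\}?)/g;

// Hypothetical helper: returns [{ line, attribute, expression }, ...].
function findUnquotedExpressions(template) {
  const findings = [];
  for (const tag of template.matchAll(TAG)) {
    // Mask quoted text with same-length filler so offsets map to the source
    // and quoted values can never match UNQUOTED.
    const bare = tag[0].replace(QUOTED, (q) => 'Q'.repeat(q.length));
    for (const m of bare.matchAll(UNQUOTED)) {
      const exprStart = m.index + m[0].length - m[2].length;
      const offset = tag.index + m.index;
      findings.push({
        line: template.slice(0, offset).split('\n').length,
        attribute: m[1],
        // Report the expression as written, not the masked copy.
        expression: tag[0].slice(exprStart, exprStart + m[2].length),
      });
    }
  }
  return findings;
}

// Constructed sample template, one case per line.
const sampleTemplate = [
  '<a href={{url}} class="btn">{{label}}</a>',  // unquoted: flagged
  '<img src="{{avatar}}" alt=\'{{name}}\'>',     // quoted: fine
  '<input type=text value={{{query}}}>',         // unquoted: flagged
  '<p>total={{total}}</p>',                      // text node: ignored
].join('\n');

for (const f of findUnquotedExpressions(sampleTemplate)) {
  console.log(`line ${f.line}: ${f.attribute}=${f.expression} is not quoted`);
}
```

The check is regex-based and only inspects HTML start tags, so it is a lint aid for a template directory rather than a full HTML or Handlebars parser.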

@lcharette
Member

This might be solved in the 3.x branch by Handlebars and their new release from June 30th?

https://github.com/wycats/handlebars.js/blob/v3.0.7/release-notes.md#v307---june-30th-2019

@lcharette
Member

Looks like we'll have to update to 4.1.0: handlebars-lang/handlebars.js@edc6220

@lcharette
Member

I did a quick test on my systems and setting the dependencies to 4.1.2 doesn't require any work. All default pages work as intended.

https://github.com/wycats/handlebars.js/blob/v4.1.2/release-notes.md

All "Compatibility notes" are edge cases which we don't use in default pages, which makes it probably safe to include in UF 4.3

lcharette added a commit that referenced this issue Jul 13, 2019