Javascript execution from template #1267

cryptoad · 2016-11-03T18:24:25Z

It is possible to execute Javascript from a template without registering any helper/partial/whatever or having any function in the context. I am not sure if you guys care about this, but it probably is not ideal in the event of a template injection. Anyway, it makes the logicless aspect less logicless.

Here is a sample that would execute whatever is in the initial string (eg: alert(1)) without anything extra registered:

{{#with 'alert(1)|'}}
{{#with (split '|' 1)}}
{{#> p constructor.constructor}}
{{> (apply 0 ../this)}}
{{/p}}
{{/with}}
{{/with}}

I'd venture and say that it could be fixed by making sure that only "own" properties of the helpers/etc dictionaries can be accessed instead of their prototypes' ones as well.

The text was updated successfully, but these errors were encountered:

lawnsea · 2016-11-23T04:45:30Z

This seems like a bug.

This commit fixes a Remote Code Execution (RCE) reported by npm-security. Access to non-enumerable "constructor"-properties is now prohibited by the compiled template-code, because this the first step on the way to creating and execution arbitrary JavaScript code. The vulnerability affects systems where an attacker is allowed to inject templates into the Handlebars setup. Further details of the attack may be disclosed by npm-security. Closes #1267 Closes #1495

hady2 · 2019-02-18T20:40:50Z

Merged #1501 into 4.x.

nknapp · 2019-02-19T09:00:16Z

@hady2 I don't understand your comment. Could you explain?

lawnsea added the bug label Nov 23, 2016

nknapp mentioned this issue Sep 11, 2017

Is handlebars + helpers turing complete? #1381

Closed

nknapp closed this as completed in edc6220 Feb 17, 2019

mend-for-github-com bot mentioned this issue Jul 4, 2019

WS-2019-0103 (Medium) detected in handlebars-1.0.12.tgz yaeljacobs67/librenms#66

Open

1 task

This was referenced Jul 12, 2019

WS-2019-0103 (Medium) detected in handlebars-1.3.0.tgz pcrane70/blackrock#68

Open

WS-2019-0103 (Medium) detected in handlebars-4.0.11.tgz pcrane70/mockiato#17

Open

This was referenced Mar 29, 2024

handlebars-4.0.6.min.js: 8 vulnerabilities (highest severity is: 9.8) Dima2022/concord-plugins#579

Open

handlebars-4.0.6.min.js: 8 vulnerabilities (highest severity is: 9.8) Dima2022/concord-plugins#592

Open

mend-bolt-for-github bot mentioned this issue Mar 30, 2024

WS-2019-0103 (Medium) detected in handlebars-1.3.0.tgz valdisiljuconoks/ImageResizer.Plugins.EPiServerBlobReader#157

Open

This was referenced Apr 2, 2024

handlebars-4.0.6.min.js: 8 vulnerabilities (highest severity is: 9.8) Dima2022/concord-plugins#605

Open

handlebars-4.0.6.min.js: 8 vulnerabilities (highest severity is: 9.8) Dima2022/concord-plugins#618

Open

This was referenced May 30, 2024

handlebars-4.0.11.tgz: 15 vulnerabilities (highest severity is: 9.8) reachable amaybaum-dev/cezerin2#28

Open

handlebars-4.0.11.tgz: 15 vulnerabilities (highest severity is: 9.8) amaybaum-dev/cezerin3#7

Open

mend-for-github-com bot mentioned this issue Jun 18, 2024

handlebars-4.0.6.min.js: 8 vulnerabilities (highest severity is: 9.8) Dima2022/concord-plugins#813

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Javascript execution from template #1267

Javascript execution from template #1267

cryptoad commented Nov 3, 2016 •

edited

Loading

lawnsea commented Nov 23, 2016

hady2 commented Feb 18, 2019

nknapp commented Feb 19, 2019

Javascript execution from template #1267

Javascript execution from template #1267

Comments

cryptoad commented Nov 3, 2016 • edited Loading

lawnsea commented Nov 23, 2016

hady2 commented Feb 18, 2019

nknapp commented Feb 19, 2019

cryptoad commented Nov 3, 2016 •

edited

Loading