RCE possible in compat and strict mode

[nknapp]

Two security issues have arised and are fixed in the referencing commits:

1. Due to insufficient escaping of the input template, it was possible to inject code into templates that are compiled in "compat" mode.

2. In "strict" mode, the exploits disclosed in the npm-security advisories 755,
   1164, 1316,
   1324 and 1325 and in the blog-article
   of Mahmoud Gamal possible, because the the method that was used in strict-mode had not called the safe-guard methods.

The issues have been disclosed a couple of weeks ago at https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767 and are fixed in version 4.7.7

[joshbressers]

This issue is getting flagged by security scanners (the commits have scary words in them it would seem). Can you clarify if these are indeed security fixes?

Thanks in advance

[nknapp]

Yes, these are indeed security fixes, although only relevant in "compat" and "strict" mode.
I'm not sure if they are already disclosed. My plan is to fill this issue with more details and links when they are.

[jtnord]

is there any plan to backport any relevant fixes to the 3.x branch, or is that line considered dead now?

[jtnord]

@nknapp seems like 3.0.8 should have all these fixes already due to #1532 and #1656 ? can you confirm this is the case and that the CVE cpe metadata is incorrect?

[bitwiseman]

I've attempted a backport of these fixes to the 3.x release - #1751 .

[jaylinski]

Note: v3.x is EOL and did not receive all relevant security fixes. Upgrade to at least v4.7.7.