Compare commits

...

14 Commits

Author SHA1 Message Date
Nils Knappmeier 272362e44c v4.0.14 2019-04-13 16:39:19 +02:00
Nils Knappmeier 2a5a80110c Update release notes 2019-04-13 16:38:47 +02:00
Nils Knappmeier 7375da4276 test: remove safari from saucelabs 2019-04-13 16:23:54 +02:00
Nils Knappmeier d4e64b6bdc chore: .gitignore more files 2019-04-13 16:23:29 +02:00
Nils Knappmeier 85c8783b34 fix: prevent RCE through the "lookup"-helper
- The "lookup" helper could also be used to run a remote code execution
  by manipulating the template. The same check as for regular
  path queries now also is done in the "lookup"-helper
2019-04-13 16:22:01 +02:00
Nils Knappmeier d97a045f6b chore: reactivate saucelabs-tests 2019-03-15 23:07:01 +01:00
Nils Knappmeier 5f47c4a682 test: make security testcase internet explorer compatible
Internet Explorer does not support the 'class Testclass {}' notation,
and tests are not compiled using babel.

closes #1497
2019-03-15 23:06:50 +01:00
Nils Knappmeier 7c2fbcc9de chore: Use node 10 to build handlebars
Node 10 is LTS now...

(cherry picked from commit 78dd89c13a)
2019-02-07 11:30:31 +01:00
Nils Knappmeier 9d4fff19d4 v4.0.13 2019-02-07 11:26:00 +01:00
Nils Knappmeier 2d49b67a61 Update release notes 2019-02-07 11:25:30 +01:00
Nils Knappmeier 6f93bc53da chore: make sure that 4.0.x does not get "latest"-tag on npm 2019-02-07 11:21:23 +01:00
Nils Knappmeier 7296b6df72 test: run appveyor tests in Node 10 2019-02-07 11:20:20 +01:00
Nils Knappmeier 836b1bfbf4 chore: disable sauce-labs
Related to #1497
2019-02-07 11:20:07 +01:00
Nils Knappmeier 7372d4e9df fix: disallow access to the constructor in templates to prevent RCE
This commit fixes a Remote Code Execution (RCE) reported by
npm-security. Access to non-enumerable "constructor"-properties
is now prohibited by the compiled template-code, because this
the first step on the way to creating and execution arbitrary
JavaScript code.
The vulnerability affects systems where an attacker is allowed to
inject templates into the Handlebars setup.
Further details of the attack may be disclosed by npm-security.

Closes #1267
Closes #1495
2019-02-07 11:19:54 +01:00
12 changed files with 118 additions and 12 deletions
+3
View File
@@ -10,3 +10,6 @@ node_modules
*.sublime-workspace
npm-debug.log
sauce_connect.log*
/.idea/
/*.iml
/yarn-error-log
+1 -2
View File
@@ -13,12 +13,11 @@ env:
- secure: Nm4AgSfsgNB21kgKrF9Tl7qVZU8YYREhouQunFracTcZZh2NZ2XH5aHuSiXCj88B13Cr/jGbJKsZ4T3QS3wWYtz6lkyVOx3H3iI+TMtqhD9RM3a7A4O+4vVN8IioB2YjhEu0OKjwgX5gp+0uF+pLEi7Hpj6fupD3AbbL5uYcKg8=
matrix:
include:
- node_js: '5'
- node_js: '10'
env:
- PUBLISH=true
- secure: pLTzghtVll9yGKJI0AaB0uI8GypfWxLTaIB0ZL8//yN3nAEIKMhf/RRilYTsn/rKj2NUa7vt2edYILi3lttOUlCBOwTc9amiRms1W8Lwr/3IdWPeBLvLuH1zNJRm2lBAwU4LBSqaOwhGaxOQr6KHTnWudhNhgOucxpZfvfI/dFw=
- secure: yERYCf7AwL11D9uMtacly/THGV8BlzsMmrt+iQVvGA3GaY6QMmfYqf6P6cCH98sH5etd1Y+1e6YrPeMjqI6lyRllT7FptoyOdHulazQe86VQN4sc0EpqMlH088kB7gGjTut9Z+X9ViooT5XEh9WA5jXEI9pXhQJNoIHkWPuwGuY=
- node_js: '4'
cache:
directories:
- node_modules
+2 -2
View File
@@ -166,8 +166,8 @@ module.exports = function(grunt) {
browsers: [
{browserName: 'chrome'},
{browserName: 'firefox', platform: 'Linux'},
{browserName: 'safari', version: 9, platform: 'OS X 10.11'},
{browserName: 'safari', version: 8, platform: 'OS X 10.10'},
// {browserName: 'safari', version: 9, platform: 'OS X 10.11'},
// {browserName: 'safari', version: 8, platform: 'OS X 10.10'},
{browserName: 'internet explorer', version: 11, platform: 'Windows 8.1'},
{browserName: 'internet explorer', version: 10, platform: 'Windows 8'}
]
+1 -2
View File
@@ -1,8 +1,7 @@
# Test against these versions of Node.js
environment:
matrix:
- nodejs_version: "4"
- nodejs_version: "5"
- nodejs_version: "10"
platform:
- x64
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "handlebars",
"version": "4.0.12",
"version": "4.0.14",
"main": "handlebars.js",
"license": "MIT",
"dependencies": {}
+1 -1
View File
@@ -2,7 +2,7 @@
<package>
<metadata>
<id>handlebars.js</id>
<version>4.0.12</version>
<version>4.0.14</version>
<authors>handlebars.js Authors</authors>
<licenseUrl>https://github.com/wycats/handlebars.js/blob/master/LICENSE</licenseUrl>
<projectUrl>https://github.com/wycats/handlebars.js/</projectUrl>
+1 -1
View File
@@ -4,7 +4,7 @@ import {registerDefaultHelpers} from './helpers';
import {registerDefaultDecorators} from './decorators';
import logger from './logger';
export const VERSION = '4.0.12';
export const VERSION = '4.0.14';
export const COMPILER_REVISION = 7;
export const REVISION_CHANGES = {
@@ -13,6 +13,9 @@ JavaScriptCompiler.prototype = {
// PUBLIC API: You can override these methods in a subclass to provide
// alternative compiled forms for name lookup and buffering semantics
nameLookup: function(parent, name/* , type*/) {
if (name === 'constructor') {
return ['(', parent, '.propertyIsEnumerable(\'constructor\') ? ', parent, '.constructor : undefined', ')'];
}
if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
return [parent, '.', name];
} else {
+7 -1
View File
@@ -1,5 +1,11 @@
export default function(instance) {
instance.registerHelper('lookup', function(obj, field) {
return obj && obj[field];
if (!obj) {
return obj;
}
if (field === 'constructor' && !obj.propertyIsEnumerable(field)) {
return undefined;
}
return obj[field];
});
}
+4 -1
View File
@@ -1,7 +1,7 @@
{
"name": "handlebars",
"barename": "handlebars",
"version": "4.0.12",
"version": "4.0.14",
"description": "Handlebars provides the power necessary to let you build semantic templates effectively with no frustration",
"homepage": "http://www.handlebarsjs.com/",
"keywords": [
@@ -10,6 +10,9 @@
"template",
"html"
],
"publishConfig": {
"tag": "4.0-patch"
},
"repository": {
"type": "git",
"url": "https://github.com/wycats/handlebars.js.git"
+59 -1
View File
@@ -2,7 +2,65 @@
## Development
[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...master)
[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.14...master)
## v4.0.14 - April 13th, 2019
Chore/Test:
- test: remove safari from saucelabs - 871accc
Bugfixes:
- fix: prevent RCE through the "lookup"-helper - cd38583
Compatibility notes:
Access to the constructor of a class thought `{{lookup obj "constructor" }}` is now prohibited. This closes
a leak that only half closed in versions 4.0.13 and 4.1.0, but it is a slight incompatibility.
This kind of access is not the intended use of Handlebars and leads to the vulnerability described
in #1495. We will **not** increase the major version, because such use is not intended or documented,
and because of the potential impact of the issue (we fear that most people won't use a new major version
and the issue may not be resolved on many systems).
[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.13...v4.0.14)
## v4.0.13 - February 7th, 2019
New Features
- none
Security fixes:
- disallow access to the constructor in templates to prevent RCE - 42841c4, #1495
Housekeeping
- chore: fix components/handlebars package.json and auto-update on release - bacd473
- chore: Use node 10 to build handlebars - 78dd89c
Compatibility notes:
Access to class constructors (i.e. `({}).constructor`) is now prohibited to prevent
Remote Code Execution. This means that following construct will no work anymore:
```
class SomeClass {
}
SomeClass.staticProperty = 'static'
var template = Handlebars.compile('{{constructor.staticProperty}}');
document.getElementById('output').innerHTML = template(new SomeClass());
// expected: 'static', but now this is empty.
```
This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.1.0)
[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.0.13)
## v4.0.12 - September 4th, 2018
New features:
+35
View File
@@ -0,0 +1,35 @@
describe('security issues', function() {
describe('GH-1495: Prevent Remote Code Execution via constructor', function() {
it('should not allow constructors to be accessed', function() {
shouldCompileTo('{{constructor.name}}', {}, '');
shouldCompileTo('{{lookup (lookup this "constructor") "name"}}', {}, '');
});
it('should allow the "constructor" property to be accessed if it is enumerable', function() {
shouldCompileTo('{{constructor.name}}', {'constructor': {
'name': 'here we go'
}}, 'here we go');
shouldCompileTo('{{lookup (lookup this "constructor") "name"}}', {'constructor': {
'name': 'here we go'
}}, 'here we go');
});
it('should allow prototype properties that are not constructors', function() {
function TestClass() {
}
Object.defineProperty(TestClass.prototype, 'abc', {
get: function() {
return 'xyz';
}
});
shouldCompileTo('{{#with this as |obj|}}{{obj.abc}}{{/with}}',
new TestClass(), 'xyz');
shouldCompileTo('{{#with this as |obj|}}{{lookup obj "abc"}}{{/with}}',
new TestClass(), 'xyz');
});
});
});