Compare commits

...

6 Commits

Author SHA1 Message Date
Nils Knappmeier 9d4fff19d4 v4.0.13 2019-02-07 11:26:00 +01:00
Nils Knappmeier 2d49b67a61 Update release notes 2019-02-07 11:25:30 +01:00
Nils Knappmeier 6f93bc53da chore: make sure that 4.0.x does not get "latest"-tag on npm 2019-02-07 11:21:23 +01:00
Nils Knappmeier 7296b6df72 test: run appveyor tests in Node 10 2019-02-07 11:20:20 +01:00
Nils Knappmeier 836b1bfbf4 chore: disable sauce-labs
Related to #1497
2019-02-07 11:20:07 +01:00
Nils Knappmeier 7372d4e9df fix: disallow access to the constructor in templates to prevent RCE
This commit fixes a Remote Code Execution (RCE) reported by
npm-security. Access to non-enumerable "constructor"-properties
is now prohibited by the compiled template-code, because this
the first step on the way to creating and execution arbitrary
JavaScript code.
The vulnerability affects systems where an attacker is allowed to
inject templates into the Handlebars setup.
Further details of the attack may be disclosed by npm-security.

Closes #1267
Closes #1495
2019-02-07 11:19:54 +01:00
9 changed files with 74 additions and 8 deletions
+1 -1
View File
@@ -228,7 +228,7 @@ module.exports = function(grunt) {
grunt.task.loadTasks('tasks');
grunt.registerTask('bench', ['metrics']);
grunt.registerTask('sauce', process.env.SAUCE_USERNAME ? ['tests', 'connect', 'saucelabs-mocha'] : []);
grunt.registerTask('sauce', [] /* process.env.SAUCE_USERNAME ? ['tests', 'connect', 'saucelabs-mocha'] : [] */);
grunt.registerTask('travis', process.env.PUBLISH ? ['default', 'sauce', 'metrics', 'publish:latest'] : ['default']);
+1 -2
View File
@@ -1,8 +1,7 @@
# Test against these versions of Node.js
environment:
matrix:
- nodejs_version: "4"
- nodejs_version: "5"
- nodejs_version: "10"
platform:
- x64
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "handlebars",
"version": "4.0.12",
"version": "4.0.13",
"main": "handlebars.js",
"license": "MIT",
"dependencies": {}
+1 -1
View File
@@ -2,7 +2,7 @@
<package>
<metadata>
<id>handlebars.js</id>
<version>4.0.12</version>
<version>4.0.13</version>
<authors>handlebars.js Authors</authors>
<licenseUrl>https://github.com/wycats/handlebars.js/blob/master/LICENSE</licenseUrl>
<projectUrl>https://github.com/wycats/handlebars.js/</projectUrl>
+1 -1
View File
@@ -4,7 +4,7 @@ import {registerDefaultHelpers} from './helpers';
import {registerDefaultDecorators} from './decorators';
import logger from './logger';
export const VERSION = '4.0.12';
export const VERSION = '4.0.13';
export const COMPILER_REVISION = 7;
export const REVISION_CHANGES = {
@@ -13,6 +13,9 @@ JavaScriptCompiler.prototype = {
// PUBLIC API: You can override these methods in a subclass to provide
// alternative compiled forms for name lookup and buffering semantics
nameLookup: function(parent, name/* , type*/) {
if (name === 'constructor') {
return ['(', parent, '.propertyIsEnumerable(\'constructor\') ? ', parent, '.constructor : undefined', ')'];
}
if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
return [parent, '.', name];
} else {
+4 -1
View File
@@ -1,7 +1,7 @@
{
"name": "handlebars",
"barename": "handlebars",
"version": "4.0.12",
"version": "4.0.13",
"description": "Handlebars provides the power necessary to let you build semantic templates effectively with no frustration",
"homepage": "http://www.handlebarsjs.com/",
"keywords": [
@@ -10,6 +10,9 @@
"template",
"html"
],
"publishConfig": {
"tag": "4.0-patch"
},
"repository": {
"type": "git",
"url": "https://github.com/wycats/handlebars.js.git"
+39 -1
View File
@@ -2,7 +2,45 @@
## Development
[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...master)
[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.13...master)
## v4.0.13 - February 7th, 2019
New Features
- none
Security fixes:
- disallow access to the constructor in templates to prevent RCE - 42841c4, #1495
Housekeeping
- chore: fix components/handlebars package.json and auto-update on release - bacd473
- chore: Use node 10 to build handlebars - 78dd89c
Compatibility notes:
Access to class constructors (i.e. `({}).constructor`) is now prohibited to prevent
Remote Code Execution. This means that following construct will no work anymore:
```
class SomeClass {
}
SomeClass.staticProperty = 'static'
var template = Handlebars.compile('{{constructor.staticProperty}}');
document.getElementById('output').innerHTML = template(new SomeClass());
// expected: 'static', but now this is empty.
```
This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.1.0)
[Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.0.13)
## v4.0.12 - September 4th, 2018
New features:
+23
View File
@@ -0,0 +1,23 @@
describe('security issues', function() {
describe('GH-1495: Prevent Remote Code Execution via constructor', function() {
it('should not allow constructors to be accessed', function() {
shouldCompileTo('{{constructor.name}}', {}, '');
});
it('should allow the "constructor" property to be accessed if it is enumerable', function() {
shouldCompileTo('{{constructor.name}}', {'constructor': {
'name': 'here we go'
}}, 'here we go');
});
it('should allow prototype properties that are not constructors', function() {
class TestClass {
get abc() {
return 'xyz';
}
}
shouldCompileTo('{{#with this as |obj|}}{{obj.abc}}{{/with}}',
new TestClass(), 'xyz');
});
});
});