
Prototype Pollution #263

Open
axago opened this issue Sep 26, 2019 · 7 comments

Comments


axago commented Sep 26, 2019

"Versions of handlebars prior to are vulnerable to Prototype Pollution leading to Remote Code Execution"

Remediation
Upgrade to version 4.3.0 or later.

[Screenshot attached: "Screen Shot 2019-09-26 at 11 27 50"]

@spacejack

One workaround is to explicitly add the current version of handlebars as a dependency to your package.json:

  "dependencies": {
    ...
    "express-handlebars": "^3.1.0",
    "handlebars": "^4.4.2",
    ...
  },

NPM will no longer show the warning.


jfoclpf commented Mar 25, 2020

same here

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-handlebars                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ express-handlebars > handlebars > optimist > minimist        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


UziTech commented Mar 25, 2020

I have finally gotten around to moving this repo to https://github.com/express-handlebars/express-handlebars/ any new development will be done on that repo.


jfoclpf commented Mar 25, 2020

@UziTech what about the npm package? Does it point to the new repo, such that npm update does update this dependency? Thanks


UziTech commented Mar 25, 2020

yes the npm package should point to the correct repo since v4.0.0


jfoclpf commented Mar 25, 2020

Thanks a lot @UziTech, nonetheless it seems the error persists because handlebars has not yet been updated to remove the vulnerability of its dependencies

npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-handlebars                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ express-handlebars > handlebars > optimist > minimist        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │

$ npm list handlebars express-handlebars optimist minimist
delp.pt@1.0.26 /home/joao/delp.pt
├─┬ express-handlebars@4.0.0 
│ └─┬ handlebars@4.7.3 
│   └─┬ optimist@0.6.1 
│     └── minimist@0.0.10 

handlebars-lang/handlebars.js#1661
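The audit table above gives a "Patched in" range and `npm list` gives the versions actually installed at each point in the tree; what a practitioner usually wants is an offline check that walks the whole tree (including the deep `express-handlebars > handlebars > optimist > minimist` path) and says which copies are still outside the patched range. The script below is an added example, not code from this thread or from the express-handlebars project. It assumes the input has the nested `name`/`version`/`dependencies` shape that `npm ls --json` prints, the sample tree is constructed to mirror the listing in the comment above (the direct `minimist@1.2.5` entry is made up to show a patched copy beside the vulnerable one), and the range parser handles only the comparator subset npm audit prints (`>=`, `>`, `<=`, `<`, `=`, space for AND, `||` for OR), not full semver syntax.

```javascript
// Added example: flag every copy of a package in an `npm ls --json` style
// tree whose version falls outside an advisory's "Patched in" range.

// Constructed sample tree mirroring the `npm list` output in the thread.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "express-handlebars": {
      version: "4.0.0",
      dependencies: {
        handlebars: {
          version: "4.7.3",
          dependencies: {
            optimist: {
              version: "0.6.1",
              dependencies: { minimist: { version: "0.0.10" } },
            },
          },
        },
      },
    },
    // constructed: a direct dependency that is already in the patched range
    minimist: { version: "1.2.5" },
  },
};

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; a pre-release suffix is dropped.
function parseVersion(v) {
  const parts = v.split("-")[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version: ${v}`);
  }
  return parts;
}

// Numeric comparison per component, so 4.7.3 < 4.10.0 (string compare gets this wrong).
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// One comparator such as ">=1.2.3" or "<1.0.0" evaluated against a version.
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || "=") {
    case ">=": return c >= 0;
    case "<=": return c <= 0;
    case ">":  return c > 0;
    case "<":  return c < 0;
    default:   return c === 0;
  }
}

// A range is an OR of AND-groups: ">=0.2.1 <1.0.0 || >=1.2.3".
function satisfiesRange(version, range) {
  return range.split("||").some((group) =>
    group.trim().split(/\s+/).every((cmp) => satisfiesComparator(version, cmp))
  );
}

// Depth-first walk returning { path, version, patched } for every copy of `pkg`.
function findPackage(tree, pkg, patchedRange, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) {
      hits.push({
        path: here.join(" > "),
        version: node.version,
        patched: satisfiesRange(node.version, patchedRange),
      });
    }
    hits.push(...findPackage(node, pkg, patchedRange, here));
  }
  return hits;
}

// Only the copies that still need remediation.
function unpatchedCopies(tree, pkg, patchedRange) {
  return findPackage(tree, pkg, patchedRange).filter((h) => !h.patched);
}

// Range copied from the audit table in the thread.
const MINIMIST_PATCHED = ">=0.2.1 <1.0.0 || >=1.2.3";
for (const hit of findPackage(SAMPLE_TREE, "minimist", MINIMIST_PATCHED)) {
  console.log(`${hit.patched ? "ok  " : "VULN"} ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --json` and pass the package name and "Patched in" string from the audit table. The walk matters because, as the thread shows, a direct `"handlebars"` entry in package.json fixes only the copy npm hoists; a nested copy pinned by an intermediate package (here `optimist`) can remain at the old version and only shows up when every path is inspected. For production use the `semver` package's `satisfies()` implements the full range grammar; the hand-written parser here exists so the example runs with no dependencies.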


jfoclpf commented Mar 25, 2020

@UziTech I realized from your dependency on handlebars in your new repo that you have a fixed version dependency.

"handlebars": "^4.7.3",

Maybe it's recommendable to have "4.7.x" or even "4.x" since, according to the instructions, it should always be backward compatible
