Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for prototype polution (npm-security advisory 755) #1496

Merged
merged 5 commits into from Feb 7, 2019
Merged

Fix for prototype polution (npm-security advisory 755) #1496

merged 5 commits into from Feb 7, 2019

Conversation

nknapp
Copy link
Collaborator

@nknapp nknapp commented Feb 7, 2019
edited

@nknapp
fix: disallow access to the constructor in templates to prevent RCE
edc6220 
This commit fixes a Remote Code Execution (RCE) reported by
npm-security. Access to non-enumerable "constructor"-properties
is now prohibited by the compiled template-code, because this
the first step on the way to creating and execution arbitrary
JavaScript code.
The vulnerability affects systems where an attacker is allowed to
inject templates into the Handlebars setup.
Further details of the attack may be disclosed by npm-security.

Closes #1267
Closes #1495
@nknapp
chore: add .idea and yarn-error.log to .gitignore
2db0d12
@nknapp nknapp changed the base branch from master to 4.x February 7, 2019 07:53
@nknapp nknapp merged commit b02e9a2 into 4.x Feb 7, 2019
@nknapp
Copy link
Collaborator Author

nknapp commented Feb 7, 2019

Released in 4.1.0

@nknapp
Copy link
Collaborator Author

nknapp commented Feb 15, 2019

Closes #1495

@meszaros-lajos-gyorgy meszaros-lajos-gyorgy mentioned this pull request Mar 8, 2019
Closed
@nknapp
Copy link
Collaborator Author

nknapp commented Apr 11, 2019
edited

@ilsken Thank you for notifying us about that. In the future though, please use private e-mail or reach out via npm-security to notify about security issues. That way, we can fix the issue before its going public.

I'll try to reach out to mahmoudsec too to take the blog post down until this is fixed. I'm going to delete your comment until we fix the problem, just to prevent the blog post from gaining popularity.

@handlebars-lang handlebars-lang deleted a comment from tarqd Apr 11, 2019
@nknapp nknapp changed the title Security issue (description follows after disclosure) Security issue (https://www.npmjs.com/advisories/755) Nov 5, 2019
@nknapp nknapp changed the title Security issue (https://www.npmjs.com/advisories/755) Security issue (prototype polution) Nov 5, 2019
@nknapp nknapp changed the title Security issue (prototype polution) Fix for prototype polution (npm-security advisory 755) Nov 5, 2019
@CMaheshBL CMaheshBL mentioned this pull request May 6, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@nknapp @MCoop1963