Update handlebars to version 4.7.1

[znarf]

See: opencollective/opencollective-api#3176

handlebars has some breaking changes in version 4.6, this is related to security issues.

See the comment from @Betree:

Let's wait, the new runtime options will allow us to stay up to date with handlebars. But we should create a follow-up issue to see why we can't access our variables in emails templates with this new config and eventually whitelist the props if that's what is needed.

And the follow up comment from the library author:

Handlebars 4.7.0 has been release with options to disable prototype restrictions:
https://handlebarsjs.com/api-reference/runtime-options.html#options-to-control-prototype-access. Please be aware the you are potentially opening up ways to crash your servers or maybe even remote code execution for people who can inject templates into your system.

We now want to upgrade in a way that is taking care of security concerns.

Warning: Before submitting a contribution, make sure you understand the security aspects and you take care of it in your implementation.

[znarf]

A $200 bounty was attached to this issue. Anyone submitting a Pull Request will be rewarded with $200 when the Pull Request is reviewed, accepted and merged. More info

This bounty is currently reserved to participants of the Open Source Festival event. If not completed there, it will be later open to everyone.

[znarf]

This bounty is open to everyone. Please be aware of the warning, you need to take care properly of the security aspects of this issue. If you don't understand what that means, please pass. We will not give feedback or help unless you did your own research and prove you have a clear understanding of the security implications.

[bolariin]

I have an idea on how to resolve this. Is it okay if I resolve this issue?

[brymut]

Sorry @bolariin , I've already started work on this.

[brymut]

Hi again @bolariin or anyone interested, looks like I won't be able to sort this out to completion over the next week. Unassigning myself, feel free to resolve it.

My possible solutions most revolved around adding the allowedProtoProperties or allowProtoPropertiesByDefault in:
https://github.com/opencollective/opencollective-api/blob/03e81c877af3463040484c28703c5fbbc4af362f/server/lib/email.js#L47
&
https://github.com/opencollective/opencollective-api/blob/03e81c877af3463040484c28703c5fbbc4af362f/server/lib/utils.js#L344
as per the handlebars docs using a rudimentary "whitelisting" function that looked messy and inefficient.

Also, solutions were based on the assumption that all handlebar templates would be authored/ reviewed by a core contributor as per OC needs/requirements and not added by end-users. (@znarf would this be safe to assume ?)

Will still follow this to see how its resolved as I'm interested to see how fresh eyes on this would think of it.

[Betree]

🏆 This issue has been completed by @bolariin

To claim the $200 bounty, you can either:

• Submit an invoice to https://opencollective.com/engineering/expenses/new (please mention the issue number in the expense's title)
• Or ask for an Open Collective gift card of the same value (to donate to other collectives)