cbroglie / mustache

The mustache template language in Go
MIT License

Policy on Reporting Potential Security Vulnerabilities #50

Open mathewmarcus opened 3 years ago

mathewmarcus commented 3 years ago

Hello,

I wanted to inquire about any existing policy/your preference for reporting any potential security vulnerability findings. Rather than just opening a public issue, I wanted to check whether there was a responsible disclosure policy of some kind, and/or a private channel through which findings can be reported. Thanks!

cbroglie commented 3 years ago

I think a public issue makes sense; I don't have any mechanism for privately notifying users of potential issues.

mathewmarcus commented 3 years ago

Ok got it. In that case, I've noticed that the Partials functionality allows for reading of arbitrary files. For example, given the following template (template.mustache):

{{> ../../../../../../../etc/passwd}}

the following mustache command will display the contents of /etc/passwd.

echo '{}' | mustache ./template.mustache

This is without any explicit configuration of a FileProvider. I just want to confirm that this behavior is expected.

mathewmarcus commented 3 years ago

I believe this behavior stems from these lines here: https://github.com/cbroglie/mustache/blob/master/partials.go#L33-L48. Specifically, the default FileProvider defaults the Paths to the current directory (https://github.com/cbroglie/mustache/blob/master/mustache.go#L718) and Extensions to "", ".mustache", ".stache". Then, because path.Join is used to generate the filename, inclusion of ../ can be used to escape from the intended Paths.

cbroglie commented 3 years ago

I don't think this is a security vulnerability, the binary is subject to the same file permissions as the running user. And the template contents are controlled by the user as well.

mathewmarcus commented 3 years ago

The scenario in which I could see it being an issue is one where - for example - a webapp uses this library to render arbitrary templates supplied by external users. In that scenario, a user could supply templates such as {{> ../../../../../../../etc/passwd}} and read arbitrary files.

cbroglie commented 3 years ago

I'd definitely be wary of rendering any untrusted templates. But one of the defenses for that scenario would be to use chroot.
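As an added example (not code from this thread or from the cbroglie/mustache project), here is the kind of application-side mitigation the two comments above point at: a partial provider that confines lookups to one directory instead of relying on chroot. It assumes the library's PartialProvider interface is satisfied by a `Get(name string) (string, error)` method, as the thread's description of the default FileProvider suggests; the `ConfinedProvider` type, its `Resolve` helper and the sample `header.mustache` file are constructed for the demonstration. Unlike the default provider described in the thread, it compares the cleaned, joined path against the root with `filepath.Rel`, refuses absolute names, drops the empty extension so only template files can be named, and re-checks containment after resolving symlinks.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any partial name that would resolve to a
// file outside the configured root: via "..", an absolute path, or a symlink
// inside the root that points out of the tree.
var ErrOutsideRoot = errors.New("partial resolves outside the partials root")

// ConfinedProvider is a hypothetical directory-backed partial provider
// (an assumption of this example, not a type from the library). It only reads
// files under Root that carry one of the allowed Extensions. Its Get method
// matches the Get(name string) (string, error) shape assumed for the
// library's PartialProvider interface.
type ConfinedProvider struct {
	Root       string   // absolute, symlink-resolved directory
	Extensions []string // e.g. ".mustache"; the empty extension is deliberately not allowed
}

// NewConfinedProvider pins root to its real absolute path so that later
// containment checks compare like with like.
func NewConfinedProvider(root string, exts ...string) (*ConfinedProvider, error) {
	abs, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	resolved, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return nil, err
	}
	if len(exts) == 0 {
		exts = []string{".mustache"}
	}
	return &ConfinedProvider{Root: resolved, Extensions: exts}, nil
}

// inside reports whether p (absolute and cleaned) lies under root.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// Resolve maps a partial name to the file that would be read, or returns an error.
func (p *ConfinedProvider) Resolve(name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) {
		return "", errors.New("invalid partial name")
	}
	// Partial names are logical, slash-separated names; refuse absolute ones
	// outright and lexically confine the rest before touching the filesystem.
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") || strings.HasPrefix(name, "\\") {
		return "", ErrOutsideRoot
	}
	for _, ext := range p.Extensions {
		// Join cleans the path, so any ".." in name is collapsed here; the
		// containment check then catches anything that climbed above Root.
		candidate := filepath.Join(p.Root, filepath.FromSlash(name)+ext)
		if !inside(p.Root, candidate) {
			return "", ErrOutsideRoot
		}
		info, err := os.Stat(candidate)
		if err != nil || info.IsDir() {
			continue
		}
		// A symlink inside Root may still point outside it: resolve and re-check.
		resolved, err := filepath.EvalSymlinks(candidate)
		if err != nil {
			return "", err
		}
		if !inside(p.Root, resolved) {
			return "", ErrOutsideRoot
		}
		return resolved, nil
	}
	return "", fmt.Errorf("partial %q not found under %s", name, p.Root)
}

// Get reads the confined partial; this is the method a PartialProvider needs.
func (p *ConfinedProvider) Get(name string) (string, error) {
	path, err := p.Resolve(name)
	if err != nil {
		return "", err
	}
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample: a scratch partials directory holding one real partial.
	dir, err := os.MkdirTemp("", "partials")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "header.mustache"), []byte("<h1>{{title}}</h1>"), 0o600); err != nil {
		log.Fatal(err)
	}
	p, err := NewConfinedProvider(dir)
	if err != nil {
		log.Fatal(err)
	}
	for _, name := range []string{"header", "../../../../../../../etc/passwd", "/etc/passwd"} {
		body, err := p.Get(name)
		fmt.Printf("%-36q -> body=%q err=%v\n", name, body, err)
	}
}
```

With this provider in place of the default one, the template from the thread fails with ErrOutsideRoot instead of reading /etc/passwd, and a partial named `header` still resolves to `header.mustache` under the root. The lexical check alone would be enough against `..`; the post-stat EvalSymlinks pass is what closes the remaining hole where an attacker can create a symlink inside the partials directory.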