Open mathewmarcus opened 3 years ago
I think a public issue makes sense, I don't have any mechanism for privately notifying users of potential issues
Ok got it. In that case, I've noticed that the Partials functionality allows for reading of arbitrary files. For example, given the following template (template.mustache):
{{> ../../../../../../../etc/passwd}}
the following mustache command will display the contents of /etc/passwd
.
echo '{}' | mustache ./template.mustache
This is without any explicit configuration of a FileProvider
. I just want to confirm that this behavior is expected.
I believe this behavior stems from these lines here: https://github.com/cbroglie/mustache/blob/master/partials.go#L33-L48. Specifically, the default FileProvider
defaults the Paths
to the current directory (https://github.com/cbroglie/mustache/blob/master/mustache.go#L718) and Extensions
to "", ".mustache", ".stache"
. Then, because path.Join
is used to generate the filename, inclusion of ../
can be used to escape from the intended Paths
.
I don't think this is a security vulnerability, the binary is subject to the same file permissions as the running user. And the template contents are controlled by the user as well.
The scenario in which I could see it being in issue is one where - for example - a webapp uses this library to render arbitrary templates supplied by external users. In that scenario, a user could supply templates such as {{> ../../../../../../../etc/passwd}}
and read arbitrary files.
I'd definitely be wary of rendering any untrusted templates. But one of the defenses for that scenario would be to use chroot.
Hello,
I wanted to inquire about any existing policy/your preference for reporting any potential security vulnerability findings. Rather than just opening a public issue, I wanted to check whether there was a responsible disclosure policy of some kind, and/or a private channel through which findings can be reported. Thanks!