Closed gabetax closed 9 years ago
In general, it's not safe, but it depends on what is allowed in your context. A template can call any method (or, at least, any method with no arguments) on any object in the context. For example:
```ruby
require 'handlebars'

class Foo
  # Any public method on a context object is reachable from a template,
  # so this side effect runs as soon as {{ foo.bar }} is evaluated.
  def bar
    File.open('uhoh.txt', 'w') do |file|
      file.write('gotcha!')
    end
    'pwned'
  end
end

handlebars = Handlebars::Context.new
template = handlebars.compile('Hello from {{ foo.bar }}')
template.call(:foo => Foo.new) # => "Hello from pwned", and uhoh.txt is written
```
Rendering the template will call `#bar`, and a file named `uhoh.txt` will be written.
Users can't create their own objects in the context, but anything that you do put in the context is vulnerable. For example, `#delete` or `#destroy` on an ActiveRecord are probably vulnerable.
For that use case, Liquid is probably a better bet.
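One mitigation for the problem described above, added here as an example and not code from the handlebars.rb project or this thread: build the template context from plain Hashes that carry only explicitly allowed attributes, so there is no live Ruby object left for a user template to call methods on. It assumes that handlebars.rb resolves `{{ record.title }}` on a Hash by key lookup; the `Record` and `Owner` classes and their allowlists are constructed for the example.

```ruby
# Constructed stand-ins for the kind of objects that end up in a template
# context. Record#destroy plays the role of ActiveRecord#destroy.
class Owner
  def email; 'owner@example.com'; end
end

class Record
  attr_reader :destroyed
  def initialize; @destroyed = false; end
  def title; 'Quarterly report'; end
  def owner; Owner.new; end
  def destroy; @destroyed = true; end
end

SCALAR = [String, Numeric, TrueClass, FalseClass, NilClass].freeze

def scalar?(value)
  SCALAR.any? { |klass| value.is_a?(klass) }
end

# Return a frozen Hash (string keys) holding exactly the attributes in
# `allowed`. Only scalars and arrays of scalars pass through: an attribute
# that returns another object raises, so nested objects have to be exposed
# field by field with their own allowlist instead of leaking whole.
def safe_context(object, allowed)
  allowed.each_with_object({}) do |attr, ctx|
    value = object.public_send(attr)
    ok = scalar?(value) || (value.is_a?(Array) && value.all? { |v| scalar?(v) })
    raise ArgumentError, "#{attr} returns a #{value.class}; expose its fields explicitly" unless ok
    ctx[attr.to_s] = value
  end.freeze
end

# Context for a template such as 'Hello {{ record.title }} ({{ record.owner.email }})'.
# {{ record.destroy }} now resolves to a missing key, not a method call.
def render_context(record)
  {
    'record' => safe_context(record, %i[title])
                  .merge('owner' => safe_context(record.owner, %i[email]))
  }
end
```

The Hash returned by `render_context` is what you would pass to `template.call`; the original `Record` never enters the template engine.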
I'd like to be able to use handlebars as a safe and simple templating system that can process user provided templates. The README on the project doesn't make a statement on whether this is an intended or safe use of the library. I asked on #handlebars on freenode and got an "unknown" response from wycats.
I ran through the handlebars.rb source and nothing jumped out at me, but I'm uncertain about what can happen in the handoff to the JavaScript engine. This seems like it should be a operation, but we all know how fickle security can be. Any comments that we can add to the documentation?