cowboyd / handlebars.rb

Ruby Bindings for Handlebars.js
http://www.handlebarsjs.com

Safety of running handlebars.rb on server-side with user-provided templates? #18

Closed gabetax closed 9 years ago

gabetax commented 11 years ago

I'd like to be able to use handlebars as a safe and simple templating system that can process user provided templates. The README on the project doesn't make a statement on whether this is an intended or safe use of the library. I asked on #handlebars on freenode and got an "unknown" response from wycats.

I ran through the handlebars.rb source and nothing jumped out at me, but I'm uncertain about what can happen in the handoff to the javascript engine. This seems like it should be an operation, but we all know how fickle security can be. Any comments that we can add to the documentation?

jimothyGator commented 10 years ago

In general, it's not safe, but it depends on what is allowed in your context. A template can call any method (or, at least, any method with no arguments) on any object in the context. For example:

```ruby
require 'handlebars'

class Foo
  # A zero-argument method with a side effect: nothing in the template
  # engine stops a user-supplied template from invoking it.
  def bar
    File.open('uhoh.txt', 'w') do |file|
      file.write('gotcha!')
    end

    'pwned'
  end
end

handlebars = Handlebars::Context.new
# A template under the user's control reaches Foo#bar through the context object.
template = handlebars.compile('Hello from {{ foo.bar }}')
template.call(:foo => Foo.new)
```

Rendering the template will call #bar, and a file named uhoh.txt will be written.

Users can't create their own objects in the context, but anything that you do put in the context is vulnerable. For example, #delete or #destroy on an ActiveRecord are probably vulnerable.

For that use case, Liquid is probably a better bet.
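One defensive pattern for the situation described in this thread, as an added example that is not code from the issue or from handlebars.rb: build the template context from an allow-list of attributes, flattened into plain strings, numbers, arrays and hashes, so the template receives no objects whose methods it could call. The `User` class, the `EXPOSED` table and the `safe_context` helper are hypothetical names constructed here, and the example assumes that a hash of primitives is all that reaches the JavaScript engine.

```ruby
# Added example: allow-list presenter for handlebars.rb template contexts.
# Domain objects are flattened into plain hashes of primitives before they
# reach the engine, so a user-supplied template can only read the listed
# attributes and cannot call arbitrary zero-argument methods like #destroy.
# EXPOSED, User and safe_context are hypothetical names constructed here.
EXPOSED = {
  'User' => %w[name email]
}.freeze

PRIMITIVES = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

class User
  attr_reader :name, :email

  def initialize(name, email)
    @name = name
    @email = email
  end

  # Dangerous method that must never be reachable from a template.
  def destroy
    raise 'destructive method reached the template'
  end
end

# Recursively convert a value into strings, numbers, booleans, nil, arrays
# and string-keyed hashes. Any object not in the allow-list is rejected
# rather than passed through, so the conversion fails closed.
def expose(value, allowed = EXPOSED, depth = 0)
  raise ArgumentError, 'context nested too deeply' if depth > 8

  case value
  when *PRIMITIVES then value
  when Symbol then value.to_s
  when Array then value.map { |v| expose(v, allowed, depth + 1) }
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k.to_s] = expose(v, allowed, depth + 1) }
  else
    attrs = allowed.fetch(value.class.name) do
      raise ArgumentError, "#{value.class} is not exposable to templates"
    end
    attrs.each_with_object({}) { |a, h| h[a] = expose(value.public_send(a), allowed, depth + 1) }
  end
end

# Build the hash to hand to template.call in place of the raw objects.
def safe_context(raw)
  expose(raw)
end
```

Pass `safe_context(user: User.new(...))` to `template.call` instead of the raw object; `{{ user.destroy }}` then resolves to nothing because the hash only carries `name` and `email`.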