flosch / pongo2

Django-syntax like template-engine for Go
https://www.schlachter.tech/pongo2
MIT License

Potential security issue #325

Closed benharvie closed 1 year ago

benharvie commented 1 year ago

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@cokebeer) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

flosch commented 1 year ago

Done.

flosch commented 1 year ago

For transparency reasons, and for everyone interested in what this issue was about, see this link: https://huntr.dev/bounties/d05e6811-35b8-4530-a70e-61173ec86be0/

Summary: This report states that the SSI tag is vulnerable to arbitrary file reads; however, SSI is designed for exactly this purpose. Closing as non-issue.

cokeBeer commented 1 year ago

@flosch Better have a look at how other famous template engines warn about even an information leak: http://masterminds.github.io/sprig/os.html. In a word, you have no idea what a potential security issue may harm at all.