leshill / handlebars_assets

Use handlebars.js templates with the Rails asset pipeline.
MIT License

[NODE-SECURITY-1164] Upgrade to handlebars 4.3.0+ #171

Closed mikeantonelli closed 4 years ago

mikeantonelli commented 4 years ago

Overview

Versions of handlebars prior to are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Remediation

Upgrade to version 4.3.0 or later.

https://www.npmjs.com/advisories/1164

In order to resolve this issue, the existing vendored asset needs to be upgraded to version 4.3.0+.
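A check for the condition the issue describes, added here as an illustration and not code from handlebars_assets or from the commenter: it scans handlebars.js builds that a Rails app vendors (the gem's own copy or an override dropped into app/assets) for the version banner and flags anything below 4.3.0. It assumes the distributed handlebars.js file carries a banner line of the form "handlebars vX.Y.Z" near its top, as the upstream builds do; the file paths and file contents below are constructed sample inputs, not real files.

```ruby
# Added example (not part of handlebars_assets): audit vendored handlebars.js
# copies against the minimum version named in the advisory.

# First version without the prototype-pollution issue (from the advisory).
MIN_SAFE_VERSION = Gem::Version.new("4.3.0")

# Assumption: official handlebars.js builds start with a comment banner that
# contains a line like "handlebars v4.3.1". Adjust if your copy differs.
BANNER_RE = /\bhandlebars v(\d+\.\d+\.\d+)\b/

# Extract the version from the leading part of a handlebars.js source.
# Returns nil when no banner is found (a minified copy with the banner stripped,
# or a file that is not handlebars at all).
def handlebars_version(source)
  m = BANNER_RE.match(source[0, 4096].to_s)
  m && Gem::Version.new(m[1])
end

# A copy is treated as vulnerable when it is older than 4.3.0 OR when its
# version cannot be determined: an unidentifiable vendored asset is not
# evidence that it was upgraded.
def vulnerable?(source)
  version = handlebars_version(source)
  return true if version.nil?
  version < MIN_SAFE_VERSION
end

# Audit a Hash of path => source. Returns [path, version_string, vulnerable].
def audit(sources)
  sources.map do |path, source|
    version = handlebars_version(source)
    [path, version ? version.to_s : "unknown", vulnerable?(source)]
  end
end

# Same audit over files on disk, e.g. audit_paths(["**/handlebars*.js"]).
def audit_paths(globs)
  files = globs.flat_map { |g| Dir.glob(g) }.uniq
  audit(files.to_h { |f| [f, File.read(f)] })
end

# Constructed sample inputs standing in for files in a Rails app.
SAMPLES = {
  "vendor/assets/javascripts/handlebars.js" =>
    "/**!\n\n @license\n handlebars v4.1.2\n\nCopyright (C) 2011-2019 ...\n*/\n",
  "app/assets/javascripts/handlebars.js" =>
    "/**!\n\n @license\n handlebars v4.3.1\n\nCopyright (C) 2011-2019 ...\n*/\n",
  "app/assets/javascripts/handlebars.min.js" =>
    "!function(a,b){\"object\"==typeof exports?module.exports=b():a.Handlebars=b()}(this,function(){})\n",
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLES).each do |path, version, vuln|
    puts format("%-10s %-8s %s", vuln ? "VULNERABLE" : "ok", version, path)
  end
end
```

Run it in a checkout as `ruby audit_handlebars.rb` or call `audit_paths(["**/handlebars*.js"])` from a CI step; a copy whose banner was stripped by minification is reported as "unknown" and counted as vulnerable on purpose, so that a silent downgrade or an unlabelled override does not pass the check.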

mikeantonelli commented 4 years ago

For others that might need an immediate fix - see the existing section in the README:

Newer versions can also be pulled in from the existing CDN:

AlexRiedler commented 4 years ago

I have released v0.23.5 upgrading to 4.3.1 :)

mikeantonelli commented 4 years ago

Thanks for the quick release, much appreciated @AlexRiedler!