Closed wadahkode closed 3 years ago
This is not a problem with EJS.
EJS literally evaluates the JavaScript you pass it. It's what EJS is. EJS should never be used server-side with tainted/unsanitized input from an end-user. If you allow people to pass arbitrary code to it, it will run arbitrary code.
If a developer uses EJS this way, they are definitively using EJS wrong.
While I agree with the sentiment that this is not exactly a security vulnerability in ejs as it is true that you should not be passing unsanitized user input to it, there still is a bug somewhere in there. Note the code - for whatever reason, the code inside options.filename
string gets executed.
This only happens if options.compileDebug
is set to true, which leads to me believe that there is a bug, likely here: https://github.com/mde/ejs/blob/9f69c0a1766dffd5e99db4931d45bfb90ab30e5c/lib/ejs.js#L639
Namely, if the filename
contains a new line, then the second line escapes from the comment.
Not sure what the fix should be. A naive implementation should forbid \n
in the filename, but probably this needs URI encoding or smth like that - not sure what the valid values are for this sourceURL comment, or how to escape these values exactly.
Updated to prevent this in v3.1.6, now pushed to NPM.
how to fix?
let ejs = require('ejs') ejs.render('./views/test.ejs',{ filename:'/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }', compileDebug: true, message: 'test', client: true })