olado / doT

The fastest + concise javascript template engine for nodejs and browsers. Partials, custom delimiters and more.

Security alert #290

Closed dxvladislavvolkov closed 4 years ago

dxvladislavvolkov commented 5 years ago

I get a security alert in my project on GitHub:

All versions of dot are vulnerable to Command Injection. The template compilation may execute arbitrary commands if an attacker can inject code in the template or if a Prototype Pollution-like vulnerability can be exploited to alter an Object's prototype.

MingweiSamuel commented 5 years ago

This is part of doT's design. Don't pass in arbitrary templates.

281

epoberezkin commented 4 years ago

The security model indeed assumes that the templates are fully controlled by the application, and not provided by the users/external data.
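The usage pattern the maintainers describe above, as an added example that is not part of this issue thread or of doT's own code: templates are application-owned constants compiled once at startup, callers select a template by name and never supply template text, and user input only ever reaches the output as data. Because the `dot` package is not assumed to be installed, a minimal stand-in renderer is used that mimics only doT's `{{=it.x}}` (raw) and `{{!it.x}}` (HTML-encoded) interpolation and resolves own properties only; the `TEMPLATES` registry, `compile`, `encodeHTML` and `render` names are this example's own.

```javascript
// Added example (not doT's code): application-owned templates, user input
// handled strictly as data.  The renderer below is a stand-in for
// doT.template() so this runs without the `dot` package; unlike doT it does
// not evaluate JavaScript inside the template, it only resolves `it.a.b` paths.
'use strict';

// Application-owned templates.  Frozen so nothing at runtime can register a
// template whose source came from a request body or a database row.
const TEMPLATES = Object.freeze({
  greeting: 'Hello, {{!it.name}}!',
  item: '<li>{{!it.title}} ({{!it.count}})</li>',
});

// HTML-encode the characters that doT's `{{!` interpolation encodes.
function encodeHTML(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Stand-in for doT.template(): turns a template string into a function of `it`.
function compile(source) {
  const parts = [];
  const re = /\{\{([=!])\s*it\.([\w.]+)\s*\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(source)) !== null) {
    parts.push({ text: source.slice(last, m.index) });
    parts.push({ encode: m[1] === '!', path: m[2].split('.') });
    last = re.lastIndex;
  }
  parts.push({ text: source.slice(last) });
  return function (it) {
    return parts.map((p) => {
      if (p.text !== undefined) return p.text;
      // Walk the path with hasOwnProperty so inherited (prototype) properties
      // never resolve into the output.
      let v = it;
      for (const key of p.path) {
        const isObj = v !== null && typeof v === 'object';
        v = isObj && Object.prototype.hasOwnProperty.call(v, key) ? v[key] : undefined;
      }
      return p.encode ? encodeHTML(v) : String(v);
    }).join('');
  };
}

// Compile every template once, from the frozen registry only.
const compiled = Object.fromEntries(
  Object.entries(TEMPLATES).map(([name, src]) => [name, compile(src)])
);

// Render by *name*.  Callers choose which application template to use but can
// never supply template text; an unknown name is an error, not a fallback to
// treating the argument as a template.
function render(name, data) {
  if (!Object.prototype.hasOwnProperty.call(compiled, name)) {
    throw new Error(`unknown template: ${name}`);
  }
  return compiled[name](data);
}

// Constructed user input containing markup: harmless here because it is only
// ever passed as data and is HTML-encoded on output.
function example() {
  return render('greeting', { name: '<b>Bob</b>' });
}

console.log(example());
```

The point of routing everything through `render(name, data)` is that the only way to get a new template into the process is a code change to `TEMPLATES`, which is exactly the "fully controlled by the application" assumption the maintainers state; any code path that builds a template string from external data and hands it to `doT.template()` is outside that security model.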