squirrellyjs / squirrelly

Semi-embedded JS template engine that supports helpers, filters, partials, and template inheritance. 4KB minzipped, written in TypeScript ⛺
https://squirrelly.js.org
MIT License
555 stars, 81 forks

high severity vulnerability #238

Closed jianyexi closed 1 year ago

jianyexi commented 2 years ago

Describe the bug
There is a high severity vulnerability in the latest npm package, see https://github.com/advisories/GHSA-q8j6-pwqx-pm96

To Reproduce
Steps to reproduce the behavior: npm audit


sw360cab commented 2 years ago

+1

dynamikus commented 2 years ago

+1

littlejak20 commented 2 years ago

If I use Squirrelly on the client side, i.e. directly integrate the JS file, is there a vulnerability there too? Or does this only affect the server-side application, in this case node-express?

I don't see any warnings on the following urls: https://www.npmjs.com/package/squirrelly https://github.com/squirrellyjs/squirrelly

In addition, the package is still online

The "Squirrelly.min.js" JS script is integrated directly in the browser. I included the JS file directly via GitHub. https://github.com/squirrellyjs/squirrelly/arfs/tagen/v8.0.8.zip

I am concerned with whether the security gap exists here too.

sw360cab commented 2 years ago

@littlejak20 you won't find it there.

But if you install it you get an idea here https://snyk.io/advisor/npm-package/squirrelly

The point is that the library has no current maintainer. I am planning to take a look; I can give a minimal fresh update to it and share it here, but I will not assure anything to anybody.

ImLunaHey commented 1 year ago

"squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications."

Looking through the code, I can't find anywhere this is true; data and options/env are never mixed.

Anyone got any further info on this?
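Added illustration of the class of problem the advisory text above describes (this is a toy view engine written for this thread, not Squirrelly's code, and it makes no claim about how Squirrelly actually reads its options). Express's `res.render(view, data)` merges `app.locals`, `res.locals` and the caller's `data` into one object and hands that single object to the view engine. If the engine also takes its configuration from that same object, any key an attacker can get into the data (a JSON body rendered straight into a view, for instance) can override engine settings. The vulnerable engine below does exactly that; the hardened one reads configuration only from an allowlisted, explicitly named key (`settings.engineConfig`, an assumed name for this example). The demonstrated consequence here is escaping being switched off; the advisory claims that in the real case overriding internal options could go as far as remote code execution.

```javascript
'use strict';

// Toy engine defaults. `autoEscape` is the setting the attacker wants to flip.
const DEFAULT_CONFIG = { autoEscape: true, tagOpen: '{{', tagClose: '}}' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Minimal renderer: replaces {{ key }} with data[key], escaping per config.
function renderTemplate(template, data, config) {
  const re = new RegExp(
    escapeRegExp(config.tagOpen) + '\\s*(\\w+)\\s*' + escapeRegExp(config.tagClose),
    'g'
  );
  return template.replace(re, (_, key) => {
    const v = Object.prototype.hasOwnProperty.call(data, key) ? data[key] : '';
    return config.autoEscape ? escapeHtml(v) : String(v);
  });
}

// VULNERABLE PATTERN: configuration is read from the very object that carries
// template data, so a data key named like a config key overrides the config.
function vulnerableEngine(template, options) {
  const config = Object.assign({}, DEFAULT_CONFIG, options);
  return renderTemplate(template, options, config);
}

// HARDENED PATTERN: configuration comes only from an explicit key that the
// application sets (assumed name: settings.engineConfig) and only allowlisted
// keys are copied, so nothing in the merged data can touch engine settings.
const ALLOWED_CONFIG_KEYS = Object.keys(DEFAULT_CONFIG);
function hardenedEngine(template, options) {
  const supplied = (options.settings && options.settings.engineConfig) || {};
  const config = Object.assign({}, DEFAULT_CONFIG);
  for (const k of ALLOWED_CONFIG_KEYS) {
    if (Object.prototype.hasOwnProperty.call(supplied, k)) config[k] = supplied[k];
  }
  return renderTemplate(template, options, config);
}

// Simulates what Express's res.render does before calling the view engine:
// app.locals, res.locals and the caller's data are merged into one object.
function expressStyleRender(engine, template, appLocals, data) {
  const options = Object.assign({}, appLocals, data);
  return engine(template, options);
}

// Constructed sample input: the app's own configuration, and a data object an
// attacker controls (think of a JSON body passed straight to res.render).
const TEMPLATE = '<p>Hello {{ name }}</p>';
const APP_LOCALS = { settings: { engineConfig: { autoEscape: true } } };
const ATTACKER_DATA = { name: '<img src=x onerror=alert(1)>', autoEscape: false };

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return {
    vulnerable: expressStyleRender(vulnerableEngine, TEMPLATE, APP_LOCALS, ATTACKER_DATA),
    hardened: expressStyleRender(hardenedEngine, TEMPLATE, APP_LOCALS, ATTACKER_DATA),
  };
}

console.log(demo());
```

With the vulnerable engine the attacker's `autoEscape: false` lands in the config and the payload is emitted raw; with the hardened engine the same input is escaped because the data object has no path to the configuration. The same reasoning applies to any other config key (`tagOpen`, filters, whatever the engine exposes), which is why the practical check when auditing an Express view engine is to trace where its `__express`/`renderFile` entry point takes each configuration value from and confirm none of them can be sourced from the merged `options` object.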

ImLunaHey commented 1 year ago

@agustingianni got any other info on this? Trying the exact code you have in the write up isn't producing anything in the console.

legobeat commented 1 year ago

This was fixed in eta, which is practically a fork of Squirrelly: https://github.com/eta-dev/eta/releases/tag/v2.0.0

Took a stab at porting it over here: https://github.com/squirrellyjs/squirrelly/pull/254

Collaboration appreciated.

nebrelbug commented 1 year ago

This has been resolved in Squirrelly 9.0.0