Closed jianyexi closed 1 year ago
+1
+1
If I use Squirrelly on the client side, i.e. directly integrate the JS file. Is there a vulnerability there too? Or does this only affect the server-side application, in this case node-express?
I don't see any warnings on the following URLs: https://www.npmjs.com/package/squirrelly https://github.com/squirrellyjs/squirrelly
In addition, the package is still online
The "Squirrelly.min.js" JS Script is integrated directly in the browser. I invited the JS file directly via Github. https://github.com/squirrellyjs/squirrelly/arfs/tagen/v8.0.8.zip
I am concerned with whether the security gap exists here too.
@littlejak20 you won't find it there.
But if you install it you get an idea here https://snyk.io/advisor/npm-package/squirrelly
The point is that the library has no current maintainer. I am planning to take a look; I can give a minimum fresh update to it and share it here, but I will not assure anything to anybody.
squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications.
Looking through the code I can't find anywhere this is true: data and options/env are never mixed.
Anyone got any further info on this?
@agustingianni got any other info on this? Trying the exact code you have in the write up isn't producing anything in the console.
This was fixed in eta, which is practically a fork of Squirrelly: https://github.com/eta-dev/eta/releases/tag/v2.0.0
Took a stab at porting it over here: https://github.com/squirrellyjs/squirrelly/pull/254
Collaboration appreciated.
This has been resolved in Squirrelly 9.0.0
Describe the bug: there is a high severity vulnerability in the latest npm package, see https://github.com/advisories/GHSA-q8j6-pwqx-pm96
To Reproduce: npm audit