[CRITICAL] [SECURITY] Pug variables leak between different executions of rendered templates

webdiscus / pug-loader

Pug loader for Webpack renders pug to HTML or template function

https://webdiscus.github.io/pug-loader/pug-filters

ISC License

72 stars 5 forks source link

[CRITICAL] [SECURITY] Pug variables leak between different executions of rendered templates #11

Closed Rush closed 2 years ago

Rush commented 2 years ago

To reproduce:

console.log(require('./views/unsupported-browser.pug')({
  baseHref: '/admin',
}));

console.log(require('./views/unsupported-browser.pug')({

}));

Expected: second rendering should not include /admin. Actual: second rendering includes /admin.

To reproduce: Check out https://github.com/Rush/webdiscus-repro and run npm run repro

Rush commented 2 years ago

I think this regressed since 1.4.x

Rush commented 2 years ago

I think you perhaps do Object.assign somewhere to some global variable

webdiscus commented 2 years ago

Hello @Rush,

thanks for the report. How critical is it? Does it block you? I'm just immersed in solving other issues. In 1-2 days I can look your issue.

Rush commented 2 years ago

Thanks. Not blocked, as I reverted the upgrade already. I had some improvements dependent on 1.7.1 which can wait a few days.

Rush commented 2 years ago

maybe the issue is here: https://github.com/webdiscus/pug-loader/blob/master/src/utils.js#L79

webdiscus commented 2 years ago

In your repo are missing required files. This makes it difficult to reproduce the problem described in the ticket. To reproduce concrete the issue, must be removed the line include ./fonts-preload in the file sharedLayout.pug.

Rush commented 2 years ago

Sorry, I added the missing file.

webdiscus commented 2 years ago

It's ok :-), I have found the problem and soon release the fix.

webdiscus commented 2 years ago

The issue is fixed in the version 1.7.3.

Rush commented 2 years ago

Thank you, fixed