
Template injection vulnerability when using variables inside conditionals #149

Open
felipeptcho opened this issue Apr 26, 2023 · 0 comments

@felipeptcho

Some of my variables come from user input.
The user should be free to type any character, including the delimiters.
But if they type expressions like "{{2*3}}", this can lead to template injection if we use those variables inside conditionals.

Example:

// Reproduction: the value of `variable` comes from user input and contains the delimiters.
const posthtml = require('posthtml')
const expressions = require('posthtml-expressions')

posthtml(expressions({ locals: { variable: '{{2*3}}' } })).process(`
  Here it works: {{variable}}
  <p>Here it works too: {{variable}}</p>

  <if condition="true">
    Here it doesn't work: {{variable}}
  </if>

  This is not documented and probably should only allow HTML characters: {{{variable}}}
`).then((result) => console.log(result.html))

Result:

  Here it works: {{2*3}}
  <p>Here it works too: {{2*3}}</p>
  
    Here it doesn't work: 6
  
  This is not documented and probably should only allow HTML characters: 6

According to my investigation, it seems that the content inside conditionals is being parsed twice by the walk() function.

  • So in the first pass: {{variable}} -> {{2*3}}
  • And in the next pass: {{2*3}} -> 6
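The double-pass behaviour described in this report, modelled in a few lines as an added example (this is not posthtml-expressions' code; the tiny expression language, the `renderOnce`/`renderTwice` functions and the HTML-entity mitigation are assumptions made for illustration):

```javascript
// Added example, not from posthtml-expressions. A minimal stand-in template engine:
// only {{ name }} lookups and {{ a*b }} products of integer literals are evaluated,
// so nothing here calls eval(). Locals are assumed to come from untrusted user input.

const DELIM = /\{\{\s*([^{}]+?)\s*\}\}/g;

// Evaluate one expression: a local lookup or a product of two integer literals.
function evaluate(expr, locals) {
  if (Object.prototype.hasOwnProperty.call(locals, expr)) return String(locals[expr]);
  const m = /^(\d+)\*(\d+)$/.exec(expr);
  if (m) return String(Number(m[1]) * Number(m[2]));
  return `{{${expr}}}`; // unknown expression: leave the text untouched
}

// Single pass: every {{...}} is replaced exactly once and the inserted value is
// never rescanned, so delimiters inside a local stay literal text.
function renderOnce(template, locals) {
  return template.replace(DELIM, (_, expr) => evaluate(expr, locals));
}

// Double pass: models what the issue reports for content inside <if> blocks. The
// already-rendered output is walked again, so "{{2*3}}" that came from a local is
// now treated as an expression and becomes "6".
function renderTwice(template, locals) {
  return renderOnce(renderOnce(template, locals), locals);
}

// Mitigation when a second pass cannot be avoided (assumed approach): encode the
// delimiter characters of untrusted locals as HTML entities before they enter the
// template. The browser still displays "{{" and "}}", but no pass can match them.
function escapeDelimiters(value) {
  return String(value).replace(/\{/g, '&#123;').replace(/\}/g, '&#125;');
}

module.exports = { renderOnce, renderTwice, escapeDelimiters };
```

Running `renderTwice('{{variable}}', { variable: '{{2*3}}' })` reproduces the `6` from the report, while the same call with `escapeDelimiters` applied to the local yields the entity-encoded delimiters and is not evaluated.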