Skip to content

Commit

Permalink
🔒 Added notes on a potential security vulnerability
Browse files Browse the repository at this point in the history 
- Express.js never intended for template options to be passed via res.render
- If you use res.render to pass a layout, the file will be read from disk
- If you pass user-submitted data as options to res.render e.g. using req.query, then user-submitted file paths will be read
- This is only a potential security vulnerability, depending on the implementation
- Further fixes will be pushed to express-hbs to disable this behaviour by default
  • Loading branch information
@ErisDS
ErisDS committed Apr 22, 2021
1 parent 070fe17 commit ff6fad6
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,10 @@ There are three ways to use a layout, listed in precedence order

2. As an option to render

## ⚠️ This creates a potential security vulnerability:

Do not use this option in conjunction with passing user submitted data to res.render e.g. `res.render('index', req.query)`. This allows users to read arbitrary files from your filesystem!

```js
res.render('veggies', {
title: 'My favorite veggies',
Expand Down

0 comments on commit ff6fad6

Please sign in to comment.