-
Notifications
You must be signed in to change notification settings - Fork 843
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vuln #571
Comments
This is not a problem with EJS. EJS literally evaluates the JavaScript you pass it. It's what EJS is. EJS should never be used server-side with tainted/unsanitized input from an end-user. If you allow people to pass arbitrary code to it, it will run arbitrary code. If a developer uses EJS this way, they are definitively using EJS wrong. |
While I agree with the sentiment that this is not exactly a security vulnerability in ejs as it is true that you should not be passing unsanitized user input to it, there still is a bug somewhere in there. Note the code - for whatever reason, the code inside This only happens if Line 639 in 9f69c0a
Namely, if the Not sure what the fix should be. A naive implementation should forbid |
Updated to prevent this in v3.1.6, now pushed to NPM. |
how to fix?
let ejs = require('ejs') ejs.render('./views/test.ejs',{ filename:'/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }', compileDebug: true, message: 'test', client: true })
The text was updated successfully, but these errors were encountered: