-
-
Notifications
You must be signed in to change notification settings - Fork 221
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add CVE-2021-23369 and CVE-2021-23383 for handlebars-source
#728
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you sure that version 4.7.7 of the gem handlebars-source
fixes the issues? Checking the commits between 4.7.6 and 4.7.7 I don't see any mention of the CVEs. The CVE and GHSA information refers to the handlebars.js package, not the rubygem which vendors it. The version numbers between the two packages may be different.
If you look at the commits between 4.7.6 and 4.7.7, check for the two commits on Feb 13, 2021:
These commits are part of handlebars-lang/handlebars.js#1736, and the comments in that PR more directly explain the CVEs fixed. |
I don't know for certain who is deploying https://rubygems.org/gems/handlebars-source appears to host all the same gem versions as the tags that exist at handlebars.js since at least Version 4.7.0, with only a one-day offset between the upload dates (plausibly a timezone issue). |
Regardless of who packaged the rubygem, we can verify that the contents match in an easily reproducible way. Try this: $ mkdir node_modules
$ npm install --ignore-scripts handlebars@4.7.6
$ gem fetch handlebars-source -v 4.7.6 && gem unpack handlebars-source-4.7.6.gem
$ diff -sq handlebars-source-4.7.6/handlebars.js node_modules/handlebars/dist/handlebars.js
Files handlebars-source-4.7.6/handlebars.js and node_modules/handlebars/dist/handlebars.js are identical
$ npm install --ignore-scripts handlebars@4.7.7
$ gem fetch handlebars-source -v 4.7.7 && gem unpack handlebars-source-4.7.7.gem
$ diff -sq handlebars-source-4.7.7/handlebars.js node_modules/handlebars/dist/handlebars.js
Files handlebars-source-4.7.7/handlebars.js and node_modules/handlebars/dist/handlebars.js are identical According to https://rubygems.org/gems/handlebars-source, jaylinski vendored and uploaded the gem. There is a jaylinski on the handlebars.js contributors list (5th contributor down), and he appears to be very active in that repository. What else needs to be done here to prove that the |
The
handlebars-source
gem (wraps the JS library handlebars) has had about a dozen vulnerabilities over the years (see: https://github.com/advisories?query=handlebars and https://security.snyk.io/package/npm/handlebars). I've chosen to only add advisories for the most recent two of these, since handlebars v 4.7.7 will also fix the rest. I hope that's OK.