Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add CVE-2021-23369 and CVE-2021-23383 for handlebars-source #728

Merged
merged 3 commits into from
Jan 18, 2024

Conversation

ddalcino
Copy link
Contributor

@ddalcino ddalcino commented Jan 3, 2024

The handlebars-source gem (wraps the JS library handlebars) has had about a dozen vulnerabilities over the years (see: https://github.com/advisories?query=handlebars and https://security.snyk.io/package/npm/handlebars). I've chosen to only add advisories for the most recent two of these, since handlebars v 4.7.7 will also fix the rest. I hope that's OK.

Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure that version 4.7.7 of the gem handlebars-source fixes the issues? Checking the commits between 4.7.6 and 4.7.7 I don't see any mention of the CVEs. The CVE and GHSA information refers to the handlebars.js package, not the rubygem which vendors it. The version numbers between the two packages may be different.

@ddalcino
Copy link
Contributor Author

ddalcino commented Jan 4, 2024

Are you sure that version 4.7.7 of the gem handlebars-source fixes the issues? Checking the commits between 4.7.6 and 4.7.7 I don't see any mention of the CVEs.

If you look at the commits between 4.7.6 and 4.7.7, check for the two commits on Feb 13, 2021:

  • fix: escape property names in compat mode f058970
  • fix: check prototype property access in strict-mode b6d3de7

These commits are part of handlebars-lang/handlebars.js#1736, and the comments in that PR more directly explain the CVEs fixed.

@ddalcino
Copy link
Contributor Author

ddalcino commented Jan 4, 2024

The CVE and GHSA information refers to the handlebars.js package, not the rubygem which vendors it. The version numbers between the two packages may be different.

I don't know for certain who is deploying handlebars-source to rubygems.org, but the https://github.com/handlebars-lang/handlebars.js is the original JS repository for the library, and they include a gemspec file. I am inferring, perhaps incorrectly, that they are vendoring the library themselves.

https://rubygems.org/gems/handlebars-source appears to host all the same gem versions as the tags that exist at handlebars.js since at least Version 4.7.0, with only a one-day offset between the upload dates (plausibly a timezone issue).

@ddalcino
Copy link
Contributor Author

The version numbers between the two packages may be different.

Regardless of who packaged the rubygem, we can verify that the contents match in an easily reproducible way. Try this:

$ mkdir node_modules
$ npm install --ignore-scripts handlebars@4.7.6
$ gem fetch handlebars-source -v 4.7.6 && gem unpack handlebars-source-4.7.6.gem
$ diff -sq handlebars-source-4.7.6/handlebars.js node_modules/handlebars/dist/handlebars.js
Files handlebars-source-4.7.6/handlebars.js and node_modules/handlebars/dist/handlebars.js are identical

$ npm install --ignore-scripts handlebars@4.7.7
$ gem fetch handlebars-source -v 4.7.7 && gem unpack handlebars-source-4.7.7.gem
$ diff -sq handlebars-source-4.7.7/handlebars.js node_modules/handlebars/dist/handlebars.js
Files handlebars-source-4.7.7/handlebars.js and node_modules/handlebars/dist/handlebars.js are identical

According to https://rubygems.org/gems/handlebars-source, jaylinski vendored and uploaded the gem. There is a jaylinski on the handlebars.js contributors list (5th contributor down), and he appears to be very active in that repository.

What else needs to be done here to prove that the handlebars-source rubygem, at v4.7.6, is vulnerable to CVE-2021-23369 and CVE-2021-23383, and that these CVEs are fixed in the rubygem at v4.7.7?

@postmodern postmodern merged commit 98efdaa into rubysec:master Jan 18, 2024
1 check passed
@ddalcino ddalcino deleted the add-handlebars-src-cves branch January 18, 2024 21:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants