[email protected] has a server-side template injection vulnerability (Unfixed) #735
Comments
Hmmm... I'm not sure it is a code/library issue; mostly it looks like a "monkey with a grenade" situation on the developer's side. The library is for templates; it never pretended to be an input validator per the best-practice guide at https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html : the sample code above has that step missing, and the downstream component (EJS) receives input that the developer never verified.
Additionally, see https://cwe.mitre.org/data/definitions/74.html . Currently that construction is done not in EJS itself (for example, not by a call like ejs.ConstructFromUserInput() or ejs.HandleExpress("/")) but in the sample code above, so the sample code is the product with the vulnerability, not EJS itself.
Just like CVE-2023-29827, it may affect many users with special needs.
Linux is vulnerable to data removal - an attacker could gain access to the application user and execute /bin/rm.
Please see the SECURITY.md. Never, never give users direct access to the EJS. In particular, no 'vulnerabilities' should be submitted with the following code block as the example:

    app.get('/', (req, res) => {
      res.render('index', req.query);
    })
EJS has a server-side template injection vulnerability. You have fixed some server-side template injection vulnerabilities recently, such as CVE-2022-29078, CVE-2023-29827. But there's one more that hasn't been fixed.
Test code
Payload
Code Audit
In ejs.js, you filter out most of the string splicing from user-controllable parameters through _JS_IDENTIFIER.test(), covering several options (opts.outputFunctionName, opts.localsName, etc.) that could also cause code execution:

But _JS_IDENTIFIER.test() ignores the escapeFn variable, a variable assigned from opts.escapeFunction, which can be controlled by the attacker to pass in the payload:

If opts.client is true, then escapeFn is spliced into the code:

Eventually it will be executed along with the anonymous function: