Commit
There was a potential XSS exploit when using unquoted attributes that this should help reduce. Fixes #1083
Showing 2 changed files with 5 additions and 3 deletions.
83b8e84
Would it be possible to get this backported into a release on the 3.0.x stream? That way I can do a non-breaking change release of express-hbs which benefits from not having the potential exploit.
In the interest of making this as easy as possible, I tried to make a branch with the right state: https://github.com/ErisDS/handlebars.js/tree/v3-with-fix
Not sure if it really helps 😁
This change is listed in the compatibility changes list for 4.0.0 and I suppose that it's debatable whether it is a fix or a breaking change, but I am somewhat hesitant to do a forked release over urging users to move to the 4.x code line. Do you have any sense of the number of users that would be impacted by this and the number that would be overly impacted by a 4.x upgrade to the extent that they wouldn't otherwise?
I think we're coming at this from two different angles.
From my perspective, this change is a fix for a security vulnerability in two different codebases that I maintain. The vulnerability is listed by both the node security project and snyk.io. Currently every one of handlebars dependencies which use the 3.x branch, and every sub dependency of those projects, is being flagged as insecure when checked against the available tools.
As the fix isn't available on the 3.x branch, the entire ecosystem has to, currently, do a breaking update and handle several other changes in order to do a security release.
E.g. Ghost is dependent on handlebars through express-hbs. The only way that I can update express-hbs is to move to the 4.x branch, meaning I have to also figure out and publish a full set of compatibility notes, and all of the dependents of express-hbs have to do the same work.
It makes sense to do that when moving forward to get new features from the 4.x line. It does not make sense to do that when you want to update your project to get rid of a security vulnerability.
I'm not sure what the use case is in which adding escaping for `=` might cause a breaking change, but if this is a serious concern, then `3.1.0` makes more sense than `3.0.3`. However, I do think that this vulnerability fix needs to be available to the 3.x branch because handlebars is so heavily depended upon.
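The escaping change that the commit message and the comment above talk about, shown as an added example (not code from the handlebars.js commit or project): the two escape tables, the toy `{{name}}` substitution, the reduced attribute parser and the sample value are all constructed here and are assumptions, not Handlebars internals.

```javascript
// Added example, not code from the handlebars.js commit or project. The escape
// tables, the {{name}} substitution and the tag parser are simplified constructions.
const ESCAPE_WITHOUT_EQ = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;'
};
const ESCAPE_WITH_EQ = { ...ESCAPE_WITHOUT_EQ, '=': '&#x3D;' }; // the change under discussion

function escapeWith(map, str) {
  const re = new RegExp('[' + Object.keys(map).join('') + ']', 'g');
  return String(str).replace(re, ch => map[ch]);
}

// Minimal {{name}} substitution; every value goes through the escape table.
function render(template, values, map) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, k) => escapeWith(map, values[k]));
}

// Reduced WHATWG attribute rules for one start tag: a name runs until whitespace or '=',
// an unquoted value until whitespace, a quoted value until its closing quote.
// Entities are not decoded inside names, so '&#x3D;' can never start a value.
function parseAttributes(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s/>]*/, '').replace(/>$/, '');
  const attrs = [];
  for (let i = 0; i < inner.length; ) {
    if (/\s/.test(inner[i])) { i++; continue; }
    let name = '';
    while (i < inner.length && !/[\s=]/.test(inner[i])) name += inner[i++];
    let value = null;
    if (inner[i] === '=') {
      i++; value = '';
      const q = inner[i] === '"' || inner[i] === "'" ? inner[i++] : null;
      while (i < inner.length && (q ? inner[i] !== q : !/\s/.test(inner[i]))) value += inner[i++];
      if (q) i++;
    }
    attrs.push({ name: name.toLowerCase(), value });
  }
  return attrs;
}

// Constructed sample value: whitespace plus '=' with a harmless attribute name.
const SAMPLE = { url: '/docs title=injected' };

// Attributes other than href that end up WITH a value after rendering; a non-empty
// result means the substituted value was able to introduce its own attribute.
function injectedAttributes(template, map) {
  const html = render(template, SAMPLE, map);
  const tag = html.slice(0, html.indexOf('>') + 1);
  return parseAttributes(tag).filter(a => a.name !== 'href' && a.value !== null).map(a => a.name);
}
```

A quoted template such as `<a href="{{url}}">` is unaffected by the change because `"` was already escaped; escaping `=` only narrows what a value can do inside an unquoted attribute, which is why the commit message says "should help reduce" rather than "fixes" the XSS risk.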
We've never followed branching in the line sense, more of semver as a method to advertise that something may be breaking as the code line progresses forward. There are a few other things since 4.0.0 proper which are flagged in security warnings due to upstream projects (4.0.5).
At this point we don't really have the resources to maintain two code lines, i.e. myself, but if you're willing to maintain a security codeline for 3.x then we should talk to @wycats to make that happen.
As @wycats knows, I'm more than happy to lend a hand wherever needed 👍
@kpdecker & @wycats can we get this ball in motion?
@ErisDS I don't have admin on this repo, so @wycats will have to do this for you.
Ok, I'm feeling a bit silly 😵. I've got the changes I wanted to release as 3.0.4: https://github.com/wycats/handlebars.js/commits/3.x - I've cherry picked 3 commits from the 4.x branch to get rid of the security warnings for 3.x. Very straightforward changes.
Now I'm ready to do a release, but because the release process is wrapped in the yeoman generator, I am not 100% certain that it will behave correctly for this case? @kpdecker you seem to know the `generator-release` package pretty well - are there any commands that would incorrectly try to base themselves from the previous 4.0.5 release or is it safe? I've done a notes dry-run and here's my generator-release file 😁
Also I missed that I need permission to do `gem push handlebars-source-*.gem` @wycats
@ErisDS generator-release, to my knowledge, has never been used for branching releases. It's certainly a feature that it should have, but I doubt that it will work well right now. I'm in a push to get my startup's v1 out the door right now and my 1 month old daughter still believes that sleep is optional for everyone in this house, so I don't have much time for "fun things" :(. Adding a feature like this is on my radar but it might be a little bit before I get to it. Barring that, release generator is mostly just a markdown generator and test executor, so you could do the same with a little bit of manual work.
@kpdecker I totally understand your position - I spent a long time reading what was going on because I'm trying not to be a pain in your arse 😉
It seems this is more work than I had initially hoped, so I've u-turned and am not going to be pursuing this any further. Thanks for your time and patience though.
@ErisDS do you still need a 3.x-release of Handlebars? Apart from handlebars-site and AWS, I now have all the permissions I need to do one and I have (imho successfully) created a 4.0.7 release yesterday.
If you need 3.0.4, I could probably do it.
@nknapp I do not, but thank you for offering 😃
@nknapp @kpdecker Any chance we can get a 3.0.4 released with this security fix?
3.0.4 and 3.0.5 released today. See #1454