Template injection vulnerability detection in handlebars and pug #4827
IlyasShabi merged 8 commits into master from
Conversation
Overall package size

Self size: 7.96 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| @datadog/native-appsec | 8.2.1 | 19.18 MB | 19.19 MB |
| @datadog/native-iast-taint-tracking | 3.2.0 | 13.9 MB | 13.91 MB |
| @datadog/pprof | 5.4.1 | 9.76 MB | 10.13 MB |
| protobufjs | 7.2.5 | 2.77 MB | 5.16 MB |
| @datadog/native-iast-rewriter | 2.5.0 | 2.51 MB | 2.65 MB |
| @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB |
| @datadog/native-metrics | 3.0.1 | 1.06 MB | 1.46 MB |
| @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB |
| import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB |
| msgpack-lite | 0.1.26 | 201.16 kB | 281.59 kB |
| opentracing | 0.14.7 | 194.81 kB | 194.81 kB |
| lru-cache | 7.18.3 | 133.92 kB | 133.92 kB |
| pprof-format | 2.1.0 | 111.69 kB | 111.69 kB |
| @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB |
| semver | 7.6.3 | 95.82 kB | 95.82 kB |
| lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB |
| ignore | 5.3.1 | 51.46 kB | 51.46 kB |
| int64-buffer | 0.1.10 | 49.18 kB | 49.18 kB |
| shell-quote | 1.8.1 | 44.96 kB | 44.96 kB |
| istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB |
| rfdc | 1.3.1 | 25.21 kB | 25.21 kB |
| tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB |
| limiter | 1.1.5 | 23.17 kB | 23.17 kB |
| dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB |
| retry | 0.13.1 | 18.85 kB | 18.85 kB |
| jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB |
| crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB |
| koalas | 1.0.2 | 6.47 kB | 6.47 kB |
| path-to-regexp | 0.1.10 | 6.38 kB | 6.38 kB |
| module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe
Benchmarks

Benchmark execution time: 2024-11-12 09:14:00

Comparing candidate commit 04a6184 in PR branch

Found 0 performance improvements and 0 performance regressions! Performance is the same for 259 metrics, 7 unstable metrics.
Codecov Report

All modified and coverable lines are covered by tests ✅

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##           master    #4827      +/-   ##
==========================================
- Coverage   93.86%   86.88%   -6.98%
==========================================
  Files         107       10      -97
  Lines        3373      511    -2862
==========================================
- Hits         3166      444    -2722
+ Misses        207       67     -140
```

☔ View full report in Codecov by Sentry.
In Handlebars there is one more vulnerable point that this PR is not covering. Let's take the following code as an example:

```js
const Handlebars = require('handlebars') // import added for completeness

Handlebars.registerPartial('vulnerablePartial', req.query.partial)
const templateSource = `{{> vulnerablePartial }}`
const template = Handlebars.compile(templateSource)
```

This code is vulnerable to
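As an added example (not code from this PR or from dd-trace-js), the following plain JavaScript models the check the detection is built around, for the registerPartial case raised in the comment above and for the pug compile and render sinks named in the commit messages: request-derived strings are tainted, taint propagates through concatenation, and a template-engine sink is flagged when its template source or partial body is tainted. The names `taint`, `concat`, `checkTemplateSink` and `handleRequest`, the finding shape, and the request input are assumptions constructed for this example; taint is tracked by value here, which is a simplification of the native per-string tracking the agent's `@datadog/native-iast-taint-tracking` dependency listed above provides.

```javascript
// Added example, not dd-trace-js code: a minimal value-based taint model that
// reproduces the property template-injection detection relies on, namely that
// a string derived from request input must never become a template source
// (or a partial body) for Handlebars or Pug. Engine names, finding shape and
// the request object are illustrative; no template engine is needed to run it.

// Tainted values, tracked by value. The real agent tracks taint per string
// instance with a native library; tracking by value is enough to show which
// call sites must be flagged.
const tainted = new Set();

// Source: every request-controlled, non-empty string enters tainted.
function taint(value) {
  if (typeof value === 'string' && value.length > 0) tainted.add(value);
  return value;
}

function isTainted(value) {
  return typeof value === 'string' && tainted.has(value);
}

// Propagation: concatenating any tainted operand yields a tainted result.
function concat(...parts) {
  const out = parts.join('');
  if (parts.some(isTainted)) tainted.add(out);
  return out;
}

// Sink check: the template source (or partial body) handed to the engine must
// be untainted. Records a finding and returns true when it is tainted.
function checkTemplateSink(engine, method, source, findings) {
  if (!isTainted(source)) return false;
  findings.push({ type: 'TEMPLATE_INJECTION', engine, method, evidence: source });
  return true;
}

// Simulated handling of one request. `query` is constructed input standing in
// for req.query; the template strings mirror the review comment above.
function handleRequest(query) {
  const findings = [];
  const partialBody = taint(query.partial);
  const userName = taint(query.name);

  // Case 1 (review comment): attacker-controlled partial body. compile() only
  // ever sees the static source and is clean, so registerPartial() is the sink
  // that has to be instrumented for this pattern to be caught at all.
  checkTemplateSink('handlebars', 'registerPartial', partialBody, findings);
  checkTemplateSink('handlebars', 'compile', '{{> vulnerablePartial }}', findings);

  // Case 2: request input concatenated into a Pug template string. Pug
  // templates may contain arbitrary JavaScript, so this is code execution.
  checkTemplateSink('pug', 'compile', concat('p Hello ', userName), findings);

  // Case 3: the same input passed as render data, not as template source.
  // The template is static, so this is the correct pattern and stays clean.
  checkTemplateSink('pug', 'render', 'p Hello #{name}', findings);

  return findings;
}
```

Because taint is keyed by value, a static template that happens to equal a request value would be flagged too; that false positive is a limitation of this toy model, not of reference-based tracking. The third case is the pattern to steer developers toward: user data belongs in the render context, never in the string the engine compiles.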
| - run: yarn test:appsec:plugins:ci | ||
| - uses: ./.github/actions/node/latest | ||
| - run: yarn test:appsec:plugins:ci | ||
| - uses: codecov/codecov-action@v3 |
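Review bot: `codecov/codecov-action@v3` on the last line is pinned only to a floating major tag; since this step receives the job's coverage data and runs with the workflow's credentials, pin it to a full commit SHA (keeping the version in a trailing comment) so a retagged or compromised release cannot change what executes in CI. The two identical `yarn test:appsec:plugins:ci` steps around `./.github/actions/node/latest` are the same command run before and after switching the Node version; if the separate template-injection job named in the commit message copies this block, it should carry the same pinning.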
* Template injection vulnerability detection in handlebars
* template injection vulnerability detection in pug
* fix lint and naming issues
* create separate job for template injection
* add support to registerPartial function
* add tests for pug render function
What does this PR do?
Add support for server-side template injection detection using handlebars and pug
Plugin Checklist
Additional Notes