Not sure where to ask, so I thought I'd start here: Can a combination of helpers lead to a Turing-complete situation within a Handlebars template?
I ask because, if so, then anything can be done within a Handlebars template. AKA a security nightmare. One of our engineers is thinking that we might need to have a Handlebars parser service that runs server side in a container or chroot situation to prevent escaping and messing up or giving access to server information.
If you allow your users to provide custom helpers from the remote, and you execute Handlebars within Node.js on your server, then you have a security problem.
Apart from that, look at #1267. It shows a way to inject code even without helpers.
@sethgrid Late but better than never... Starting with 4.0.13 and 4.1.0, issue #1267 is fixed. So currently there is no known possibility to execute arbitrary code just by fabricating a template.
That does not mean there is none. JavaScript is a very dynamic language and Handlebars is compiled to JavaScript after all.