fix autoescape for non-string values; fixes #835 #836
Conversation
|
Imo, a bugfix for the issue is release asap material (even if it's not this one). Maybe submit a CVE? |
| if(autoescape && typeof val === 'string') { | ||
| val = lib.escape(val); | ||
| if(autoescape && !(val instanceof SafeString)) { | ||
| val = lib.escape(''+val); |
There was a problem hiding this comment.
val.toString() will be clearer
|
@devoidfury thanks for this! Looks solid. Could you update the I don't know if we need to submit a CVE. I understand the risk of this bug. But I don't know the protocol or procedure. @carljm what's the procedure to release this? I've read |
|
Probably would be better to publish 2.4.3 and 2.5.0 to fix vulnerability, so users with all the cases of package.json versioning |
|
@vecmezoni well there are multiple unreleased features on 2.x, so that's why the minor bump. I agree that normally we'd merge this PR and release patch. But I'm not sure where to merge onto for that patch release. It's not master. But is it |
|
We can make separate branch from 2.4.2 version, apply this patch and release 2.4.3. Then we can apply this patch to 2.x and decide to release or not to release 2.5. I've asked @carljm to give me access to npm, waiting. |
|
In this case people with |
|
@devoidfury add note to |
|
Should the escape filter also do the same? |
devoidfury
force-pushed
the
autoescape-cast-xss
branch
from
c13d81e to
5f93be5
Compare
|
Yes, thanks @matt- -- added another commit to fix this. |
| @@ -26,6 +26,9 @@ Changelog | |||
| * Fix handling of macro arg with default value which shares a name with another | |||
| macro. Merge of [#791](https://github.com/mozilla/nunjucks/pull/791). | |||
|
|
|||
| * Fix potential cast-related XSS vulnerability in autoescape mode, and with `escape` filter. | |||
There was a problem hiding this comment.
Can be merged without, but credits where due: "Thanks Matt Austin and Thomas Hunkapiller.".
|
👍 Merging this to master, then i'll create branch 2.4.3 from 2.4.2 release, backport this patch and rebase 2.x branch on 2.4.3. |
|
@vecmezoni sounds good, but I'd avoid rebasing the |
|
|
Seems like this change broke the use of the With |
|
@dlmr Could you provide a simple test case here? |
|
@devoidfury I think I found the problem when trying to create a minimal example. I was using React Helmet but did not use the So I was actually using this "bug" in my code. The more correct thing is of course to use Thanks for the quick reply and the fix in the first place! Sorry to blame the PR for this! 😄 |
|
Haha thanks @dimr for catching this. I just hit this with an old filter we were using for embedding optional svgs. It definitely woke me up this morning!
If I'm parsing the tests in this PR correctly, I should be doing something like this in my filter, correct? 'use strict';
var fs = require('fs');
module.exports = function (path) {
try {
return fs.readFileSync(path); // which has a .toString() method
} catch () {
return '';
}
};EDIT: Looks like I should just return the string itself. ☝️ noted for anyone that runs into this thread later. |
|
@vecmezoni @carljm should we modify the SafeString constructor to automatically do a string conversion? Right now, it's no-op (identity) on non-strings, but after that point it's going to be cast to string anyway, and with autoescape, if it's not a SafeString, it will escape. |
|
Should we fix this in 1.x? |
| } | ||
| return str; | ||
| return r.markSafe(lib.escape(str.toString())); |
There was a problem hiding this comment.
this will throw TypeError: Cannot read property 'toString' of null when str is null or undefined
fix: undefined escape at #836
#835