This repository has been archived by the owner on Nov 3, 2020. It is now read-only.

chore(deps): update dependency handlebars to v4.5.3 [security] #430

Open

renovate wants to merge 1 commit into master from renovate/npm-handlebars-vulnerability

Contributor

renovate bot commented Mar 15, 2020 •

edited

Loading

This PR contains the following updates:

Package	Type	Update	Change
handlebars (source)	resolutions	minor	`4.1.2` -> `4.5.3`

GitHub Vulnerability Alerts

CVE-2019-19919

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Recommendation

Upgrade to version 3.0.8, 4.3.0 or later.

GHSA-f52g-6jhx-586p

Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.

Recommendation

Upgrade to version 4.4.5 or later.

GHSA-g9r4-xpmj-mj65

Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

GHSA-2cf5-4w76-r9qv

Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

The following template can be used to demonstrate the vulnerability:

Recommendation

Upgrade to version 3.0.8, 4.5.2 or later.

GHSA-q2c6-c6pm-g3gh

Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

Release Notes

wycats/handlebars.js

`v4.5.3`

Bugfixes:

fix: add "no-prototype-builtins" eslint-rule and fix all occurences - f7f05d7
fix: add more properties required to be enumerable - 1988878

Chores / Build:

fix: use !== 0 instead of != 0 - c02b05f
add chai and dirty-chai and sinon, for cleaner test-assertions and spies,
deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0

Security:

The properties __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__
have been added to the list of "properties that must be enumerable".
If a property by that name is found and not enumerable on its parent,
it will silently evaluate to undefined. This is done in both the compiled template and the "lookup"-helper.
This will prevent new Remote-Code-Execution exploits that have been
published recently.

Compatibility notes:

Due to the security-fixes. The semantics of the templates using
__proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ in the respect that those expression now return
undefined rather than their actual value from the proto.
The semantics have not changed in cases where the properties are enumerable, as in:

{
  __proto__: 'some string';
}

The change may be breaking in that respect, but we still only
increase the patch-version, because the incompatible use-cases
are not intended, undocumented and far less important than fixing
Remote-Code-Execution exploits on existing systems.

`v4.5.2`

`v4.5.1`

Bugfixs

fix: move "eslint-plugin-compat" to devDependencies - 5e9d17f (#1589)

Compatibility notes:

No compatibility issues are to be expected

`v4.5.0`

Features / Improvements

Add method Handlebars.parseWithoutProcessing (#1584) - 62ed3c2
add guard to if & unless helpers (#1549)
show source location for the strict lookup exceptions - feb60f8

Bugfixes:

Use objects for hash value tracking - 7fcf9d2

Chore:

Resolve deprecation warning message from eslint while running eslint (#1586) - 7052e88
chore: add eslint-plugin-compat and eslint-plugin-es5 - 088e618

Compatibility notes:

No compatibility issues are to be expected

`v4.4.5`

Bugfixes:

Contents of raw-blocks must be matched with non-eager regex-matching - 8d5530e, #1579

`v4.4.4`

Bugfixes:

fix: prevent zero length tokens in raw-blocks (#1577, #1578) - f1752fe

Chore:

chore: link to s3 bucket with https, add "npm ci" to build instructions - 0b593bf

Compatibility notes:

no compatibility issues are expected

`v4.4.3`

Bugfixes

Typings:

add missing type fields to AST typings and add tests for them - 0440af2

`v4.4.2`

chore: fix grunt-saucelabs dependency - b7eada0

`v4.4.1`

#1562 - Error message for syntax error missing location in 4.2.1+

`v4.4.0`

Added support for iterable objects in {{#each}} helper (#1557) - cf7545e

`v4.3.5`

`v4.3.4`

fix: harden "propertyIsEnumerable"-check - ff4d827

Compatibility notes:

No incompatibilities are known.

`v4.3.3`

fix test case for browsers that do not support defineGetter - 8742bde

`v4.3.2`

Use Object.prototype.propertyIsEnumerable to check for constructors - 213c0bb, #1563

Compatibility notes:

There are no breaking changes

`v4.3.1`

Fixes:

do not break on precompiled templates from Handlebars >=4.0.0 <4.3.0 - 1266838, #1561
Ensure allowCallsToHelperMissing runtime option is optional in typings - 93444c5, 64ecb9e, #1560

`v4.3.0`

Fixes:

Security: Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72
Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72

Features:

Add new runtime option allowCallsToHelperMissing to allow calling blockHelperMissing and helperMissing.

Breaking changes:

Compatibility notes:

Compiler revision increased - 06b7224
- This means that template compiled with versions prior to 4.3.0 will not work with runtimes >= 4.3.0
  The increase was done because the "helperMissing" and "blockHelperMissing" are now moved from the helpers
  to the internal "container.hooks" object, so old templates will not be able to call them anymore. We suggest
  that you always recompile your templates with the latest compiler in your build pipelines.
Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72
- Calling "helperMissing" and "blockHelperMissing" directly from a template (like in {{blockHelperMissing}} was
  never intended and was part of the exploits that have been revealed early in 2019
  (see #1495). It is also part of a new exploit that
  is not captured by the earlier fix. In order to harden Handlebars against such exploits, calling thos helpers
  is now not possible anymore. Overriding those helpers is still possible.
- If you really need this behavior, you can set the runtime option allowCallsToHelperMissing to true and the
  calls will again be possible

Both bullet points imly that Handlebars is not 100% percent compatible to 4.2.0, despite the minor version bump.

We consider it more important to resolve a major security issue than to maintain 100% compatibility.

`v4.2.2`

`v4.2.1`

Bugfixes:

The "browser" property in the package.json has been updated to use the common-js builds instead of the minified UMD - c55a7be, #1553

Compatibility notes:

No compatibility issues should arise

`v4.2.0`

Chore/Test:

Use custom grunt-saucelab with current sauce-connect proxy - f119497
Add framework for various integration tests - f9cce4d
Add integration test for webpack - a57b682

Bugfixes:

#1544 - Typescript types: knownHelpers doesnt allow for custom helpers (@NickCis)
#1534 - Add typings for "Handlebars.VM.resolvePartial (@AndrewLeedham)

Features:

#1540 - added "browser"-property to package.json, resolves #1102 (@ouijan)

Compatibility notes:

The new "browser"-property should not break anything, but you can never be sure. The integration test for webpack
shows that it works, but if it doesn't please open an issue.

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.


          chore(deps): update dependency handlebars to v4.5.3 [security]

189cb7e

renovate bot force-pushed the renovate/npm-handlebars-vulnerability branch from bd8dbb9 to 189cb7e Compare

October 27, 2020 08:47

renovate bot changed the title ~~chore(deps): update dependency handlebars to v4.3.0 [security]~~ chore(deps): update dependency handlebars to v4.5.3 [security]

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet