Quote from GH security advisory for CVE-2021-23383, first reported on May 4, 2021:
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
GHSA has scored this a 9.8/10 (Critical).
I'm opening this issue as a sort of PSA, in case anyone is still using this gem as-is. It probably would not be too difficult to fix this (just update the gemspec to allow handlebars-source '~>4.7.7'), but since this gem hasn't been updated in 9 years I don't expect that's going to happen.
As stated in the readme, "In general, you should not trust user-provided templates", and if you're doing that, this CVE likely won't affect you. On the other hand, if you are depending on using user-provided templates, you should be aware that this CVE (and a dozen more, see: https://security.snyk.io/vuln/npm?search=handlebars) could affect you.
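A quick way to check whether a project is pinned below the patched release is to read the resolved version out of its Gemfile.lock. The script below is an added example, not code from this issue or from the handlebars gem; the Gemfile.lock excerpt, gem versions and function names in it are constructed for illustration.

```ruby
# Added example (not from the issue): flag a Gemfile.lock whose resolved
# handlebars-source is older than 4.7.7, the release fixed for CVE-2021-23383.
require "rubygems"

FIXED_VERSION = Gem::Version.new("4.7.7")

# Constructed Gemfile.lock excerpt. The gem versions are made up; the shape
# (a dependency constraint line under the depending gem, and a separate
# resolved entry for handlebars-source) is what Bundler writes.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      handlebars (0.8.0)
        handlebars-source (~> 4.0)
      handlebars-source (4.0.5)
      rake (13.0.6)
LOCK

# Return the resolved Gem::Version of gem_name from Gemfile.lock text, or nil
# if it is not locked. Resolved entries sit at exactly four spaces of indent
# ("    name (x.y.z)"); deeper-indented lines are dependency constraints such
# as "      handlebars-source (~> 4.0)" and must not be mistaken for versions.
def locked_version(lock_text, gem_name)
  lock_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([0-9][\w.\-]*)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when handlebars-source is locked and older than the patched release.
def vulnerable_handlebars_source?(lock_text)
  v = locked_version(lock_text, "handlebars-source")
  !v.nil? && v < FIXED_VERSION
end

if __FILE__ == $PROGRAM_NAME
  v = locked_version(SAMPLE_LOCK, "handlebars-source")
  puts "handlebars-source locked at #{v}"
  puts(vulnerable_handlebars_source?(SAMPLE_LOCK) ? "below 4.7.7: affected" : "4.7.7 or newer")
end
```

Run it against a real Gemfile.lock with `File.read` in place of SAMPLE_LOCK; a nil result means the project does not pull in handlebars-source at all.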