Disallow calling "helperMissing" and "blockHelperMissing" directly #1558
Comments
Okay, so since I'm pretty much busy with other work I'm really getting fed up by all those apps *not* providing changelogs. Instead of spending hours of searching the corresponding repositories, diffing all the changes and summarise them just to provide an adequate changelog (as I've done in the past, see Git history), I decided to ping the maintainers to (hopefully) encourage them to write changelogs. Apart from just my little project here, I think even users of the updater UI deserve to know what has changed and what they're going to give access to their private data. So if you're one of the maintainers pinged here: Can you please, please, *PLEASE* provide a changelog when updating your apps on apps.nextcloud.com? Here we go, these are the apps updated without changelogs: .--------------------+--------+---------+-------------------. | App | From | To | Author/Maintainer | +--------------------+--------+---------+-------------------+ | bookmarks | 2.3.1 | 2.3.3 | @marcelklehr | | carnet | 0.18.7 | 0.18.12 | @PhieF | | circles | 0.17.9 | 0.17.10 | @daita | | cms_pico | 0.9.8 | 1.0.2 | @PhrozenByte | | cookbook | 0.5.4 | 0.5.5 | @mrzapp | | dicomviewer | 1.2.0 | 1.2.1 | @ayselafsar | | discoursesso | 0.9.16 | 0.9.17 | @soudis | | files_antivirus | 2.2.0 | 2.2.1 | @rullzer | | files_photospheres | 1.0.5 | 1.0.6 | @R0Wi | | files_readmemd | 1.1.2 | 1.1.3 | @mamatt | | flowupload | 0.1.5 | 0.1.7 | @e-alfred | | music | 0.11.0 | 0.11.1 | @paulijar | | ocr | 4.4.16 | 4.4.25 | @janis91 | | oidc_login | 1.0.3 | 1.1.0 | @pulsejet | | passman | 2.3.3 | 2.3.5 | @newhinton | | sharingpath | 0.0.3 | 0.1.0 | @rookie0 | | terms_of_service | 1.3.0 | 1.3.1 | @nickvergessen | | timetracker | 0.0.34 | 0.0.39 | @puthre | | user_cas | 1.7.4 | 1.8.0 | @felixrupp | | zimbradrive | 0.8.23 | 0.8.24 | @bud-mo | `--------------------+--------+---------+-------------------' Hopefully if I start to annoy everybody frequently enough on every new update, maybe more people will start providing changelogs. However, if things don't improve I will either start writing a series of scrapers to fetch the upstream changelogs (which I'm glad at least most of the apps mentioned above have) or automate annoying maintainers :-D So, let's continue with the apps that *actually* provide a changelog. Apps updated for Nextcloud 15, 16 and 17: passwords (2019.11.1 -> 2019.12.0): * Add lazy loading for favicons and avatars * Fix server timeout on settings page * Fix mobile layout in NC 17 * Fix navigation in NC 15 * Attempt to send mails to users without email Kudos/thanks to @marius-wieschollek, you're awesome! previewgenerator (2.1.0 -> 2.2.0): * Add Nextcloud 18 support Kudos/thanks to @rullzer, even though not providing a changelog for files_antivirus. richdocuments (3.4.4 -> 3.4.6): Changes for version 3.4.6: * Force read operation to trigger audit log when issuing a token * Add Nextcloud 18 compatibility Changes for version 3.4.5: * Retry putContent operation if locked * Include locale in the loleaflet lang parameter * Make sure files created from the same template have a different WOPI file id * Always use the owner file owner to access for share links * Make sure Firefox doesn't navigate out of the current directory * Dependency bumps Kudos/thanks to @juliushaertl, you're awesome! secsignid (0.2.4 -> 0.2.5): * Fix issue regarding integrity check Kudos/thanks to @BjoernSecSign, you're awesome! Apps updated for Nextcloud 16 and 17 only: news (14.0.1 -> 14.0.2): * Get content:encoded of item if available * Update js and php dependencies * Generate enclosure div only for audio & video Kudos/thanks to @Grotax, you're awesome! twofactor_gateway (0.14.1 -> 0.15.0): * Add Spryng gateway support * Add Sms77io gateway support * Add Nextcloud 18 support * Add php7.4 support * Update ecall API to new version * Add/update translations * Remove PHP 7.1 support Kudos/thanks to @ChristophWurst, you're awesome! Apps updated for Nextcloud 17 only: mail (0.18.1 -> 0.20.1): Changes for version 0.20.1: * Add occ command to diagnose an account * Add/update translations * Update dependencies * Fix provisioned account update password check when password is set to empty string Changes for version 0.20.0: * Add admin settings UI to configure provisioned accounts * Default account configuration via config.php Changes for version 0.19.1: * Add/update translations * Update dependencies Changes for version 0.19.0: * Add PHP 7.4 support * Mail detail view now only has one back/menu button * Composer attachment buttons moved into action menu * Simpler wording for plain text/rich text switch * Fix opening messages with attachment content-type and content-disposition * Fix spacing in settings section * Fix missing popover for addresses without a display name * Fix horizontal scrolling issue on mobile * Show recipient avatar instead of sender avatar in \sent mailboxes * Focus "to" field automatically when writing a new message * Fix virtual flagged inbox shown as child of the inbox * Add missing label of unified inbox * Fix .ics attachment mime detection * Fix .ics attachment import * Fix unwanted flowed text formatting * Remove PHP 7.1 support Kudos/thanks to @ChristophWurst, you're awesome... again! phonetrack (0.5.10 -> 0.5.11): * Fix auto export cron job failing on some setups Kudos/thanks to @eneiluj, you're awesome! sentry (5.1.0 -> 6.0.1): Changes for version 6.0.1: * Add new Sentry SDKs * Fix application class instantiation warning Changes for version 6.0.0: * Add PHP 7.4 support * Add Nextcloud 18 support * Add new Sentry JavaScript SDK * Fix "app name as tag" regression * Remove PHP 7.1 support Changes for version 5.2.0: * Add new Sentry JavaScript SDK * Updated dependencies @ChristophWurst again! Thanks a lot! suspicious_login (2.4.1 -> 3.0.0): * Add PHP 7.4 support * Add/update translations * Update dependencies * Fix IPv6 optimizer * Remove PHP 7.1 support Did I mention "Kudos/thanks to @ChristophWurst"? ;-) twofactor_nextcloud_notification (2.1.1 -> 2.2.0): * Make Nextcloud 18 compatible This makes 1 app without changelog and 2 for @rullzer, so thanks/kudos to you! You're awesome! twofactor_totp (4.0.0 -> 4.1.0): * Add Nextcloud 18 support * Add PHP 7.4 support * Add/update translations * Update dependencies Well, @ChristophWurst at it again! twofactor_u2f (4.0.0 -> 5.0.0): * Add Nextcloud 18 support * Add PHP 7.4 support * Add/update translations * Update dependencies * Fix Npm dependency vulnerability: handlebars-lang/handlebars.js#1558 * Fix unnecessarily big challenge bundle * Remove PHP 7.1 support Guess who? It's either about some sausage or their name just doesn't matter, who knows? Of course: @ChristophWurst New apps added to Nextcloud 16 and 17: analytics - Data analytics/visualisation for Nextcloud and ownCloud Also, the breeze-dark theme update for Nextcloud 17 contains the following changes: * Add app-specific favicons * Add icon for the "circles" app * Add styling for "bookmarks" app * Fix hover styling for notifications * Add icons for disabled users * Add personal icon in "activity" app * Allow for custom app folder/style icon for individual U2F devices * Change login fields to be background-dark * Change icon used for delete-hover in "quicknotes" Now looking up all these authors/maintainers took a little bit more than an hour*, which I think won't scale very well in the future. Especially I want to avoid annoying people who *do* provide a changelog, so I'm going to just call out everybody who *doesn't* provide one in the future. * -> An hour for digging up the maintainers - reviewing the diffs for the apps I actually use took way longer... Signed-off-by: aszlig <aszlig@nix.build>
|
@nknapp Does 7b67a29 fix CVE-2019-19919 ? :) |
|
Please look at the docs. Under api-reference -> runtime options. I have added links to all npm advisories regarding prototype access that are public so far. They contain the resolved versions. I think your CVE has an advisory linked, so you can compare it. I can't post any links right now, doesn't work with my mobile phone. |
|
You can also search advisories. Just add a "search=handlebars" query param when you are on the advisory list at npmjs.com |
|
MongoDB Connected hey |
|
Are you using handlebars directly in your project, or is it used by another dependency of yours? |
|
I am using handlebars directly in the project.
…On Sat, Jan 18, 2020 at 11:33 PM Nils Knappmeier ***@***.***> wrote:
Are you using handlebars directly in your project, or is it used by
another dependency of yours?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1558>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AKSQTLN2YZEWI2VNAEEGZ4LQ6M77LANCNFSM4IY6IYTQ>
.
|
|
Have you had a look at the link to the documentation? It explains the thoughts behind the new limitation and the runtime-options that control it. If the documentation is not good enough, I would like to know what is missing. I can explain of here as well, but please have a look at the documentation before. |
|
I have read the documentation but I unable to figure out the problem. earlier it was working just fine. //menu index in this block the error is generating when i output {{#each menus}} {{name}} {{/each}} |
|
The problem is that "name" is defined on the prototype of the object you are using as input. See #1635 for details about the change that forbids that. You are not using handlebars directly. You are using "express-hbs" or something like that. I am not sure how to pass a runtime option to the template with that framework. What handlebars-related dependencies do you have in your package.json exactly? I can look for a solution but there are multiple similar packages and I need to know which one you are using |
|
I am using express handlebars. "express-handlebars": "^3.1.0", |
|
I'd like to move this discussion to #1642, which I just created for this kind of question (I have some of them already) |
|
Thank You @nknapp . I figured out the problem. |
The recent remote-code-execution exploits where misusing the helper
blockHelperMissingin order to call methods from object prototypes that actually should not have been called.The helpers "helperMissing" and "blockHelperMissing" are not meant to be called directly as in
We can offer a flag that allows execution in case someone really wants it, but the default will be not to allow this.
Note that although calling
{{helperMissing}}from the template is not part of the documented API and I assume it makes no sense other then to build an exploit. From this point of view this is not a breaking change an will result in a minor version update only (because of the feature flag).Even though it is not documented, I would rather try to maintain compatibility here, but since this a security-relevant change I will not do that in this case.
The text was updated successfully, but these errors were encountered: