Handlebars: Access has been denied to resolve the property “from” because it is not an “own property” of its parent

Backend | Unresolved | 11 | 1731
我在风中等你
我在风中等你 2020-12-05 13:27

I am using a Nodejs backend with server-side rendering using handlebars. After reading a doc array of objects from handlebars, which contains key "content" an

11 answers
  • 2020-12-05 13:36

    Starting from version 4.6.0 onward, Handlebars forbids accessing prototype properties and methods of the context object by default. This is related to a security issue described here: https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html

    Refer to https://github.com/wycats/handlebars.js/issues/1642

    If you are certain that only developers have access to the templates, it's possible to allow prototype access by installing the following package:

    npm i @handlebars/allow-prototype-access
    

    If you are using express-handlebars you should proceed as:

    const 
        express = require('express'),
        _handlebars = require('handlebars'),
        expressHandlebars = require('express-handlebars'),
        {allowInsecurePrototypeAccess} = require('@handlebars/allow-prototype-access')
    
    const app = express()
    
    app.engine('handlebars', expressHandlebars({
        // wrap the Handlebars instance so templates may read inherited (prototype) properties again
        handlebars: allowInsecurePrototypeAccess(_handlebars)
    }))
    app.set('view engine', 'handlebars')
    
  • 2020-12-05 13:36

    There was a breaking change in the recent release of Handlebars which has caused this error.

    You could simply add the configurations they suggest in their documentation; however, be aware that, depending on your implementation, this could leave you vulnerable to XSS and RCE attacks.

    https://handlebarsjs.com/api-reference/runtime-options.html#options-to-control-prototype-access

    // The runtime options belong on the view engine: Express treats a third
    // res.render() argument as the completion callback, so passing them there
    // throws. express-handlebars is assumed here; its runtimeOptions setting
    // forwards these options to Handlebars.
    const exphbs = require('express-handlebars');
    app.engine('handlebars', exphbs({
      runtimeOptions: {
        // Options to allow access to the properties and methods which were causing the error.
        allowProtoMethodsByDefault: true,
        allowProtoPropertiesByDefault: true
      }
    }));
    app.set('view engine', 'handlebars');

    Confession.find()
      .sort({date: -1})
      .then(function(doc){
        for(var i=0; i < doc.length; i++){
          //Check whether sender is anonymous
          if (doc[i].from === "" || doc[i].from == null){
            doc[i].from = "Anonymous";
          }

          //Add an extra JSON Field for formatted date (formatTime is the app's own helper)
          doc[i].formattedDate = formatTime(doc[i].date);
        }
        res.render('index', {title: 'Confession Box', success:req.session.success, errors: req.session.errors, confession: doc});

        req.session.errors = null;
        req.session.success = null;
      });
    
  • 2020-12-05 13:38

    Try installing handlebars version 4.5.3:

    npm install handlebars@4.5.3

    It worked for me.

  • 2020-12-05 13:41

    A cleaner way to solve this issue is to use the mongoose document .toJSON() method.

    dbName.find({})
      .exec(function(error, body) {
        if (error) { return console.error(error); } // handle the error here
        // toJSON() is a per-document method, so convert each result. The plain
        // objects carry the fields as own properties, which Handlebars resolves
        // without any prototype-access option.
        let data = body.map(function(doc) { return doc.toJSON(); });
        //use {{data}} on .hbs template
      });
    
  • 2020-12-05 13:42

    There is a workaround for this that works in all versions of hbs: do this and send `database` to the page. This works without changing the Handlebars template, and we can finally proceed with 0 vulnerabilities.

    var database=[];
    for(var i=0;i<foundData.length;i++)
    {
     // toObject() returns a plain copy whose fields are own properties
     database[i]=foundData[i].toObject();
    }
    
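Added example (not code from this thread): a small Node script that models the own-property rule Handlebars 4.6+ applies to each `{{field}}` lookup and compares the fixes proposed above: the blanket `allowProtoPropertiesByDefault` flag, a per-field `allowedProtoProperties` whitelist, and converting documents with `toObject()`/`toJSON()`. The `Document` class, `resolveField` and the sample record are constructed stand-ins; `resolveField` approximates the library's check and is not its code.

```javascript
'use strict';

// Stand-in for a mongoose document (constructed for this example): the fields
// are getters on the prototype, so they are NOT own properties of the object
// handed to the template, which is exactly what triggers the error above.
class Document {
  constructor(fields) { Object.defineProperty(this, '_doc', { value: fields }); }
  get from() { return this._doc.from; }
  get content() { return this._doc.content; }
  toObject() { return Object.assign({}, this._doc); } // plain, own-property copy
}

// Approximation of the Handlebars >= 4.6.0 lookup rule (not the library code):
// own properties always resolve; inherited ones only when the runtime options
// allow them, either per name (allowedProtoProperties) or globally.
function resolveField(context, name, opts = {}) {
  if (context == null) return undefined;
  const value = context[name];
  if (Object.prototype.hasOwnProperty.call(context, name)) return value;
  const perName = (opts.allowedProtoProperties || {})[name];
  if (perName === true) return value;
  if (perName === false) return undefined;
  return opts.allowProtoPropertiesByDefault ? value : undefined;
}

// The question's own "anonymous sender" logic: a denied lookup yields undefined,
// so the real sender is silently replaced by "Anonymous" instead of erroring.
function renderFrom(context, opts) {
  const from = resolveField(context, 'from', opts);
  return from === '' || from == null ? 'Anonymous' : from;
}

// Lists the inherited names a template could reach under the given options.
// Run it before enabling any prototype-access option: a per-field whitelist
// should expose only the template's fields, never e.g. `constructor`.
function reachableInherited(context, names, opts) {
  return names.filter(n => !Object.prototype.hasOwnProperty.call(context, n)
                         && resolveField(context, n, opts) !== undefined);
}

// Constructed sample record, as the route handler would receive it from mongoose.
const record = new Document({ from: 'alice', content: 'hello' });
const probe = ['from', 'content', 'constructor'];

console.log(renderFrom(record));            // "Anonymous": the lookup was denied
console.log(renderFrom(record.toObject())); // "alice": own properties resolve
console.log(reachableInherited(record, probe, { allowedProtoProperties: { from: true, content: true } })); // ["from","content"]
console.log(reachableInherited(record, probe, { allowProtoPropertiesByDefault: true })); // all three, constructor included
```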
  • 2020-12-05 13:45

    I solved this issue by installing handlebars as a dev dependency:

    npm i -D handlebars@4.5.0
