I am using a Nodejs backend with server-side rendering using handlebars.
After reading a doc
array of objects from handlebars, which contains key "content" an
Starting from version 4.6.0 onward, Handlebars forbids accessing prototype properties and methods of the context object by default. This is related to a security issue described here: https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html
Refer to https://github.com/wycats/handlebars.js/issues/1642
If you are certain that only developers have access to the templates, it's possible to allow prototype access by installing the following package:
npm i @handlebars/allow-prototype-access
If you are using express-handlebars you should proceed as:
const
  express = require('express'),
  _handlebars = require('handlebars'),
  expressHandlebars = require('express-handlebars'),
  { allowInsecurePrototypeAccess } = require('@handlebars/allow-prototype-access')

const app = express()

// Wrap the Handlebars instance so that compiled templates may again read
// prototype properties and methods of the context (the pre-4.6 behaviour).
app.engine('handlebars', expressHandlebars({
  handlebars: allowInsecurePrototypeAccess(_handlebars)
}))
app.set('view engine', 'handlebars')
There was a breaking change in the recent release of Handlebars which has caused this error.
You could simply add the configuration they suggest in their documentation; however, be aware that, depending on your implementation, this could leave you vulnerable to XSS and RCE attacks.
https://handlebarsjs.com/api-reference/runtime-options.html#options-to-control-prototype-access
app.get('/', function (req, res) {
  Confession.find()
    .sort({ date: -1 })
    .then(function (doc) {
      for (let i = 0; i < doc.length; i++) {
        // Check whether sender is anonymous
        if (doc[i].from === "" || doc[i].from == null) {
          doc[i].from = "Anonymous";
        }
        // Add an extra field for the formatted date
        doc[i].formattedDate = formatTime(doc[i].date);
      }
      // Express's res.render(view, locals, callback) treats a third argument as the
      // callback, so the Handlebars runtime options have to travel inside the locals.
      // This assumes express-handlebars 4+, which forwards locals.runtimeOptions to
      // the compiled template.
      res.render('index', {
        title: 'Confession Box',
        success: req.session.success,
        errors: req.session.errors,
        confession: doc,
        // Options to allow access to the properties and methods that were causing the error.
        runtimeOptions: {
          allowProtoMethodsByDefault: true,
          allowProtoPropertiesByDefault: true
        }
      });
      req.session.errors = null;
      req.session.success = null;
    });
});
Try installing handlebars version 4.5.3:
npm install handlebars@4.5.3
It worked for me.
A cleaner way to solve this issue is to use the mongoose document .toJSON() method.
dbName.find({})
  .exec(function (error, body) {
    if (error) {
      // handle the error
      return;
    }
    // body is an array of Mongoose documents; toJSON() turns each one into a
    // plain object whose fields are own properties, which the template may read.
    const data = body.map(function (document) { return document.toJSON(); });
    // pass data to res.render() and use {{data}} in the .hbs template
  });
There is a workaround for this that works in all versions of hbs: do this and send the database results to the page. This works without changing the Handlebars template and we can proceed with 0 vulnerabilities finally.
var database = [];
for (var i = 0; i < foundData.length; i++) {
  // toObject() returns a plain object whose fields are own properties,
  // so the template needs no prototype access to read them
  database[i] = foundData[i].toObject();
}
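The lookup policy that the option-based answers above switch off and that the toObject()/toJSON() answers sidestep, as an added example that is not code from any of the answers, nor from Handlebars or Mongoose: a constructed stand-in for a Mongoose document (FakeDocument, with schema fields as prototype getters) and an approximation of the check the Handlebars 4.6+ runtime applies when a template reads a property of its context (lookupProperty and renderField are illustrative names). It has no dependencies and runs offline.

```javascript
// Added example, not code from any of the answers above. It models the lookup
// Handlebars 4.6+ performs on a template context (own properties are always
// readable; prototype properties and methods only when whitelisted or enabled
// with the *ByDefault runtime options; a few names stay denied unless listed
// explicitly) and runs it against a constructed stand-in for a Mongoose
// document. FakeDocument, lookupProperty and renderField are illustrative
// names, not Handlebars or Mongoose APIs.

// Stand-in for a Mongoose document: field values live in _doc and are exposed
// through getters on the prototype, so {{content}} finds no own property.
class FakeDocument {
  constructor(fields) {
    this._doc = { ...fields };
  }
  // Like Mongoose's toObject()/toJSON(): a plain object with own properties.
  toObject() {
    return { ...this._doc };
  }
}
for (const path of ['content', 'from', 'date']) {
  Object.defineProperty(FakeDocument.prototype, path, {
    get() { return this._doc[path]; },
    enumerable: true,
  });
}

// Null-prototype maps, so that a name such as "toString" is not found on
// Object.prototype by accident. Entries set to false are denied even when the
// *ByDefault switch is on; only an explicit allowed* entry of true overrides them.
function defaultMethodList() {
  const list = Object.create(null);
  for (const n of ['constructor', '__defineGetter__', '__defineSetter__', '__lookupGetter__']) {
    list[n] = false;
  }
  return list;
}
function defaultPropertyList() {
  const list = Object.create(null);
  list['__proto__'] = false; // a real own key here: no inherited setter on a null-prototype object
  return list;
}
function mergeList(defaults, overrides) {
  return Object.assign(Object.create(null), defaults, overrides || {});
}
function allowed(list, defaultValue, name) {
  if (list[name] !== undefined) return list[name] === true;
  return defaultValue === true;
}

// Approximation of the runtime's lookupProperty(parent, name) check.
function lookupProperty(parent, name, opts = {}) {
  if (parent == null) return undefined;
  const result = parent[name];
  if (result == null) return result;
  if (Object.prototype.hasOwnProperty.call(parent, name)) return result;
  const ok = typeof result === 'function'
    ? allowed(mergeList(defaultMethodList(), opts.allowedProtoMethods), opts.allowProtoMethodsByDefault, name)
    : allowed(mergeList(defaultPropertyList(), opts.allowedProtoProperties), opts.allowProtoPropertiesByDefault, name);
  return ok ? result : undefined;
}

// Resolve a {{field}} expression the way a template would: blocked or missing
// values render as the empty string.
function renderField(context, name, opts) {
  const value = lookupProperty(context, name, opts);
  return value == null ? '' : String(value);
}

const doc = new FakeDocument({ content: 'hello', from: '', date: '2020-01-01' });
console.log(renderField(doc, 'content'));                                          // '' under the 4.6+ defaults
console.log(renderField(doc, 'content', { allowProtoPropertiesByDefault: true })); // 'hello', the opt-in fix
console.log(renderField(doc.toObject(), 'content'));                               // 'hello', the toObject()/toJSON() fix
console.log(typeof lookupProperty(doc, 'constructor', { allowProtoMethodsByDefault: true }));      // 'undefined': still denied
console.log(typeof lookupProperty(doc, 'constructor', { allowedProtoMethods: { constructor: true } })); // 'function'
```

Two points the run makes visible: handing the template a plain object needs no runtime option at all, while the *ByDefault switches (which is also what the wrapper package turns on) expose every prototype method of the context, toObject() included, and only keep constructor and the __defineGetter__/__defineSetter__/__lookupGetter__ accessors denied unless they are named explicitly in allowedProtoMethods. Which of those you want a template author to reach is the question the first answer's "only developers have access to the templates" condition is really asking.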
I solved this issue by installing a dev dependency for handlebars:
npm i -D handlebars@4.5.0