🔐 Restricted reading files from outside the theme directory

closes https://github.com/TryGhost/Product/issues/4191

Without this patch, themes can read arbitrary files from your system and
expose them to the internet via the layout feature of express-hbs.

For example `{{!< ../../../../config.production.json}}` would spit out config,
which can contain secrets.

As theme upload is restricted to users with the Admin role, this mostly affects
hosting providers which use their own secret keys for e.g. mail or database config.
Fabien "egg" O'Carroll 2023-11-27 12:12:55 +00:00
parent d30a6633ab
commit 07f9564eea
4 changed files with 17 additions and 5 deletions


@ -112,7 +112,7 @@ class ActiveTheme {
siteApp.cache = {};
// Set the views and engine
siteApp.set('views', this.path);
siteApp.engine('hbs', engine.configure(this.partialsPath));
siteApp.engine('hbs', engine.configure(this.partialsPath, this.path));
this._mounted = true;
}
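Review bot: The second argument added to the `engine.configure` call carries a security intent that nothing in the code explains, and the existing `// Set the views and engine` comment no longer covers it. Because `this.path` is already passed to `siteApp.set('views', ...)` two lines earlier, a later maintainer could read the extra argument as redundant and drop it; a comment on the call such as `// this.path also bounds {{!< layout}} lookups (restrictLayoutsTo) so a theme cannot read files outside its own directory` would prevent that. The enclosing method of `ActiveTheme` starts outside the hunk.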


@ -9,12 +9,13 @@ if (config.get('env') !== 'production') {
instance.escapeExpression = instance.handlebars.Utils.escapeExpression;
instance.configure = function configure(partialsPath) {
instance.configure = function configure(partialsPath, themePath) {
const hbsOptions = {
partialsDir: [config.get('paths').helperTemplates],
onCompile: function onCompile(exhbs, source) {
return exhbs.handlebars.compile(source, {preventIndent: true});
}
},
restrictLayoutsTo: themePath
};
if (partialsPath) {
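Review bot: `restrictLayoutsTo: themePath` is set unconditionally, so any caller that still uses the old one-argument form `configure(partialsPath)` passes `undefined` here and, as far as this hunk shows, presumably gets an engine with no layout restriction at all — the fix fails open for every call site not updated in this commit. Failing closed is a small guard before `hbsOptions` is built: `if (!themePath) { throw new Error('configure: themePath is required to restrict layout lookups'); }`. A JSDoc line on `configure`, `@param {string} themePath - absolute theme directory; layout files may only be resolved from within it`, would record the contract for future callers. The body of `configure` continues past the end of the hunk (the `if (partialsPath) {` block is left open), so whether another caller exists cannot be confirmed from this page.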


@ -178,7 +178,7 @@
"downsize": "0.0.8",
"express": "4.18.2",
"express-brute": "1.0.1",
"express-hbs": "2.4.2",
"express-hbs": "2.5.0",
"express-jwt": "8.4.1",
"express-lazy-router": "1.0.6",
"express-query-boolean": "2.0.0",


@ -17345,7 +17345,18 @@ express-brute@1.0.1, express-brute@^1.0.1:
long-timeout "~0.1.1"
underscore "~1.8.3"
express-hbs@2.4.2, express-hbs@^2.4.2:
express-hbs@2.5.0:
version "2.5.0"
resolved "https://registry.yarnpkg.com/express-hbs/-/express-hbs-2.5.0.tgz#28ed0b8507bb7bcceb102b63fe863585f13a4d89"
integrity sha512-i2O1ZBwKO32KF0MePnkgYHsAAILr9H9Sp5GoGp9JWz/qhsBfTMSq9VF1pN109DHysPX6YO88y7B+f6xnEEF/mg==
dependencies:
handlebars "^4.7.7"
lodash "^4.17.21"
readdirp "^3.6.0"
optionalDependencies:
js-beautify "^1.13.11"
express-hbs@^2.4.2:
version "2.4.2"
resolved "https://registry.yarnpkg.com/express-hbs/-/express-hbs-2.4.2.tgz#9bc18a08d89eea2aaea94b2e5c38859e86a99019"
integrity sha512-lFtWrsAGprvzPrVlfNE6WGJnyE+o/UxsTpl2CWcJt1CRYaUwht9+BkfKOWqs+xG0zhhRAm/bsYEyQ4EwA+ovSw==