Handlebars version 1.3.0, released on January 2, 2014, offers a refined templating experience compared to its predecessor, version 1.2.1 released just days before in late December 2013. While both versions share the same core description – providing the power to build semantic templates effectively – a closer look reveals subtle improvements that enhance developer workflows. Both versions depend on optimist and uglify-js and have the same devDependencies, including tools for testing, benchmarking, and automating tasks such as grunt, mocha, and benchmark, suggesting a consistent approach to development and quality assurance. Both include uglify-js also in optionalDependencies indicating an attempt to ensure smoother operation even if some dependencies aren't perfectly resolved. From a developer perspective, the incremental update from 1.2.1 to 1.3.0 likely includes bug fixes, performance enhancements, and potentially minor feature additions that refine the overall Handlebars experience. While the provided data doesn't explicitly detail these changes, the rapid release cycle suggests a commitment to continuous improvement and addressing user feedback. Developers upgrading from 1.2.1 to 1.3.0 could expect a more stable and performant templating engine without significant breaking changes, enabling them to build dynamic web applications with confidence. Always refer also to the changelog to understand what changed in more detail.
All the vulnerabilities related to the version 1.3.0 of the package
Prototype Pollution in handlebars
Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.
For handlebars 4.1.x upgrade to 4.1.2 or later. For handlebars 4.0.x upgrade to 4.0.14 or later.
Arbitrary Code Execution in handlebars
Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
The following template can be used to demonstrate the vulnerability:
{{#with split as |a|}}
{{pop (push "alert('Vulnerable Handlebars JS');")}}
{{#with (concat (lookup join (slice 0 1)))}}
{{#each (slice 2 3)}}
{{#with (apply 0 a)}}
{{.}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}```
## Recommendation
Upgrade to version 3.0.8, 4.5.2 or later.
Arbitrary Code Execution in Handlebars
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Prototype Pollution in handlebars
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.
Upgrade to version 3.0.8, 4.5.3 or later.
Arbitrary Code Execution in handlebars
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
Upgrade to version 3.0.8, 4.5.3 or later.
Prototype Pollution in handlebars
Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Upgrade to version 3.0.8, 4.3.0 or later.
Cross-Site Scripting in handlebars
Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.
Template:
<a href={{foo}}/>
Input:
{ 'foo' : 'test.com onload=alert(1)'}
Rendered result:
<a href=test.com onload=alert(1)/>
Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.
Prototype Pollution in handlebars
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Remote code execution in handlebars when compiling templates
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.
Upgrade UglifyJS to version >= 2.4.24.
Regular Expression Denial of Service in uglify-js
Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.
var u = require('uglify-js');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Update to version 2.6.0 or later.