Created
November 19, 2024 21:45
diff --git a/node_modules/lodash.template/index.js b/node_modules/lodash.template/index.js | |
index f051141..c4cb7e1 100644 | |
--- a/node_modules/lodash.template/index.js | |
+++ b/node_modules/lodash.template/index.js | |
@@ -1519,9 +1519,29 @@ function template(string, options, guard) { | |
// Like with sourceURL, we take care to not check the option's prototype, | |
// as this configuration is a code injection vector. | |
var variable = hasOwnProperty.call(options, 'variable') && options.variable; | |
+ | |
+ var INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`'; | |
+ | |
+ /** | |
+ * Used to validate the `validate` option in `_.template` variable. | |
+ * | |
+ * Forbids characters which could potentially change the meaning of the function argument definition: | |
+ * - "()," (modification of function parameters) | |
+ * - "=" (default value) | |
+ * - "[]{}" (destructuring of function parameters) | |
+ * - "/" (beginning of a comment) | |
+ * - whitespace | |
+ */ | |
+ var reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/; | |
+ | |
if (!variable) { | |
source = 'with (obj) {\n' + source + '\n}\n'; | |
} | |
+ // Throw an error if a forbidden character was found in `variable`, to prevent | |
+ // potential command injection attacks. | |
+ else if (reForbiddenIdentifierChars.test(variable)) { | |
+ throw new Error(INVALID_TEMPL_VAR_ERROR_TEXT); | |
+ } | |
// Cleanup code by stripping empty strings. | |
source = (isEvaluating ? source.replace(reEmptyStringLeading, '') : source) | |
.replace(reEmptyStringMiddle, '$1') |
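Review bot: The new check on `reForbiddenIdentifierChars` is a denylist, so `variable` is still accepted whenever it contains something the character class does not name; since the regex's own JSDoc says the value lands in a function argument definition, an allowlist of identifier syntax is the safer contract, e.g. `var reValidIdentifier = /^[A-Za-z_$][\w$]*$/;` paired with `else if (!reValidIdentifier.test(variable)) {`, at the cost of rejecting non-ASCII identifier names. The JSDoc on the regex also reads "validate the `validate` option" where `variable` is meant. The comment above the `else if` says "command injection" while the existing comment at the top of the hunk calls the same option a code injection vector; `// potential code injection attacks.` keeps the two consistent. The enclosing `template` function begins and ends outside this hunk.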