
@boneskull
Created November 19, 2024 21:45
diff --git a/node_modules/lodash.template/index.js b/node_modules/lodash.template/index.js
index f051141..c4cb7e1 100644
--- a/node_modules/lodash.template/index.js
+++ b/node_modules/lodash.template/index.js
@@ -1519,9 +1519,29 @@ function template(string, options, guard) {
// Like with sourceURL, we take care to not check the option's prototype,
// as this configuration is a code injection vector.
var variable = hasOwnProperty.call(options, 'variable') && options.variable;
+
+ var INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`';
+
+ /**
+ * Used to validate the `validate` option in `_.template` variable.
+ *
+ * Forbids characters which could potentially change the meaning of the function argument definition:
+ * - "()," (modification of function parameters)
+ * - "=" (default value)
+ * - "[]{}" (destructuring of function parameters)
+ * - "/" (beginning of a comment)
+ * - whitespace
+ */
+ var reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;
+
if (!variable) {
source = 'with (obj) {\n' + source + '\n}\n';
}
+ // Throw an error if a forbidden character was found in `variable`, to prevent
+ // potential command injection attacks.
+ else if (reForbiddenIdentifierChars.test(variable)) {
+ throw new Error(INVALID_TEMPL_VAR_ERROR_TEXT);
+ }
// Cleanup code by stripping empty strings.
source = (isEvaluating ? source.replace(reEmptyStringLeading, '') : source)
.replace(reEmptyStringMiddle, '$1')
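Review bot: The new guard is a deny-list of characters, declared with `var` inside `template` so `reForbiddenIdentifierChars` and `INVALID_TEMPL_VAR_ERROR_TEXT` are re-created on every call, whereas the file's other patterns (`reEmptyStringLeading`, `reEmptyStringMiddle` on the context lines) live at module scope; hoisting both declarations next to those would match the file's style and keep the regex literal out of the per-call path. Since `variable` is spliced into a function parameter list, an allow-list stating what is accepted, e.g. `if (!/^[A-Za-z_$][\w$]*$/.test(variable)) throw new Error(INVALID_TEMPL_VAR_ERROR_TEXT);`, would express the intent (one plain identifier) directly instead of enumerating what is dangerous, at the cost of rejecting non-ASCII identifiers, so it should be checked against the documented contract for the option before adopting it. The JSDoc has a slip: `Used to validate the \`validate\` option` should read `Used to validate the \`variable\` option passed to \`_.template\``, and the inline comment's "command injection" is more precisely "code injection", since the value is compiled as JavaScript. The enclosing `template` function starts and ends outside this hunk.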