
high severity vulnerability

Open jianyexi opened this issue 4 years ago • 4 comments

Describe the bug
There is a high severity vulnerability in the latest npm package, see https://github.com/advisories/GHSA-q8j6-pwqx-pm96

To Reproduce
Steps to reproduce the behavior: npm audit

Expected behavior A clear and concise description of what you expected to happen.

Screenshots If applicable, add screenshots to help explain your problem.

Package & Environment Details

  • Environment: ex. Node, Chrome, Firefox, etc. and what version
  • Version: ex. 8.1.0

Additional context Add any other context about the problem here.

jianyexi avatar Dec 14 '21 03:12 jianyexi

+1

sw360cab avatar Feb 05 '22 16:02 sw360cab

+1

dynamikus avatar May 26 '22 00:05 dynamikus

If I use Squirrelly on the client side, i.e. directly integrate the JS file. Is there a vulnerability there too? Or does this only affect the server-side application, in this case node-express?

I don't see any warnings on the following urls: https://www.npmjs.com/package/squirrelly https://github.com/squirrellyjs/squirrelly

In addition, the package is still online

The "Squirrelly.min.js" JS script is integrated directly in the browser. I included the JS file directly via GitHub. https://github.com/squirrellyjs/squirrelly/arfs/tagen/v8.0.8.zip

I am concerned with whether the security gap exists here too.

littlejak20 avatar Jun 16 '22 10:06 littlejak20

@littlejak20 you won't find it there.

But if you install it you get an idea here https://snyk.io/advisor/npm-package/squirrelly

The point is that the library has no current maintainer. I am planning to take a look; I can give it a minimal fresh update and share it here, but I will not assure anything to anybody.

sw360cab avatar Jun 16 '22 12:06 sw360cab

squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications.

Looking through the code I can't find anywhere this is true, data and options/env are never mixed.

Anyone got any further info on this?

ImLunaHey avatar Mar 07 '23 01:03 ImLunaHey
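As an added illustration of the bug class the quoted advisory text describes (not Squirrelly's code, and not a claim about where in Squirrelly it occurs, which the thread itself disputes): Express's res.render merges app.locals, res.locals and the caller's object into one options bag and hands that single object to the view engine. If the engine also reads its own configuration out of that bag, any key an attacker can get into the render data becomes a config override. The toy engine below, its `autoEscape` option, the template and the sample request body are all assumptions constructed for this example; the hardened variant binds configuration at engine registration time so render data cannot reach it.

```javascript
// Added example, not code from the Squirrelly project. A toy template engine
// receiving the single merged options object that an Express-style render API
// passes, shown in a vulnerable form (config read from the same bag as data)
// and a hardened form (config bound at registration, data-only at render time).

const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
}[c]));

// Mirrors what Express does: app defaults and the caller's locals end up in ONE
// object that the engine receives. The template string is fixed for the demo.
function expressLikeRender(engine, appDefaults, callerOptions) {
  const merged = Object.assign({}, appDefaults, callerOptions);
  return engine('Hello {{name}}', merged);
}

// VULNERABLE toy engine: the config flag lives next to the template data, so a
// data key named `autoEscape` silently reconfigures the engine.
function mixedEngine(template, options) {
  const autoEscape = options.autoEscape !== false;
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) => {
    const v = options[key] === undefined ? '' : options[key];
    return autoEscape ? escapeHtml(v) : String(v);
  });
}

// HARDENED toy engine: configuration is captured once, when the application
// registers the engine; the per-request object is treated purely as data.
function makeSeparatedEngine(config) {
  const autoEscape = config.autoEscape !== false; // assumption: app-controlled only
  return function engine(template, data) {
    return template.replace(/\{\{(\w+)\}\}/g, (_, key) => {
      const v = data[key] === undefined ? '' : data[key];
      return autoEscape ? escapeHtml(v) : String(v);
    });
  };
}

// Constructed sample: a JSON request body an app might pass straight to render().
// Note it carries a key with the same name as the engine's config option.
const ATTACKER_BODY = JSON.parse(
  '{"name":"<img src=x onerror=alert(1)>","autoEscape":false}'
);
const APP_DEFAULTS = { autoEscape: true, siteName: 'demo' };

function demoVulnerable() {
  return expressLikeRender(mixedEngine, APP_DEFAULTS, ATTACKER_BODY);
}

function demoHardened() {
  return expressLikeRender(makeSeparatedEngine(APP_DEFAULTS), APP_DEFAULTS, ATTACKER_BODY);
}

console.log('mixed config/data :', demoVulnerable());
console.log('separated config  :', demoHardened());
```

The useful check when auditing any engine wired through `app.engine()`: list every key the engine reads from the options object it receives, and confirm none of them can be set by anything that flows from the request into `res.render()`.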

@agustingianni got any other info on this? Trying the exact code you have in the write up isn't producing anything in the console.

ImLunaHey avatar Mar 07 '23 01:03 ImLunaHey

This was fixed in eta, which is practically a fork of Squirrelly: https://github.com/eta-dev/eta/releases/tag/v2.0.0

Took a stab at porting it over here: https://github.com/squirrellyjs/squirrelly/pull/254

Collaboration appreciated.

legobeat avatar May 10 '23 11:05 legobeat

This has been resolved in Squirrelly 9.0.0

bgub avatar May 13 '23 02:05 bgub