Safe way to let users register Handlebars helpers in Node.js


Question



I have a node js web app that is using handlebars. Users are asking me to let them register their own handlebars helpers.

I'm quite hesitant about letting them do it... but I'll give it a go if there is a secure way of doing it so.

var Handlebars = require("handlebars");
var fs = require("fs");
var content = fs.readFileSync("template.html", "utf8");
var bar = "bar"; // sample value for the template context

//This helper will be posted by the user
var userHandlebarsHelpers = "Handlebars.registerHelper('foo', function(value) { return 'Foo' + value; });";

//eval(userHandlebarsHelpers); This I do not like! Eval is evil

//Compile handlebars with user submitted Helpers
var template = Handlebars.compile(content);
var handleBarContent = template({ foo: bar });

//Save compiled template and some extra code.

Thank you in advance!

Answer

Following @jfriend00's input and after some serious testing I found a way to do it using the Node.js vm module.

Users will input their helpers with this format:

[[HBHELPER 'customHelper' value]]
   value.replace(/[0-9]/g, "");
[[/HBHELPER]]

[[HBHELPER 'modulus' index mod result block]]
   if(parseInt(index) % mod === parseInt(result))
      block.fn(this);
[[/HBHELPER]]

//This will throw an error when executed "Script execution timed out."
[[HBHELPER 'infiniteLoop' value]] 
   while(1){}
[[/HBHELPER]]

I translate that block into this and execute it:

var vm = require("vm");
var Handlebars = require("handlebars");

Handlebars.registerHelper('customHelper', function(value) {
    //All the code is executed inside the VM
    return vm.runInNewContext('value.replace(/[0-9]/g, "");', {
        value: value
    }, {
        timeout: 1000
    });
});

Handlebars.registerHelper('modulus', function(index, mod, result, block) {
    //The template context is passed in as `ctx`: inside the new context `this`
    //is the sandbox object, not the Handlebars context
    return vm.runInNewContext('if(parseInt(index) % mod === parseInt(result)) block.fn(ctx);', {
        index: index,
        mod: mod,
        result: result,
        block: block,
        ctx: this
    }, {
        timeout: 1000
    });
});

Handlebars.registerHelper('infiniteLoop', function(value) {
    //Error: "Script execution timed out." once the 1000 ms timeout elapses
    return vm.runInNewContext('while(1){}', {
        value: value
    }, {
        timeout: 1000
    });
});

I made multiple tests so far, trying to delete files, require modules, infinite loops. Everything is going perfectly, all those operations failed.

Running the handlebar helper callback function in a VM is what made this work for me, because my main problem using VM's and running the whole code inside was adding those helpers to my global Handlebars object.

I'll update if I found a way to exploit it.
