Nunjucks security vulnerability
Closed this issue · 4 comments
Hello,
I’m using the latest version of the Nunjucks library (3.2.4), but I’m encountering a high-severity security vulnerability warning related to the following dependency chains:
nunjucks > chokidar > braces
globby > fast-glob > micromatch > braces
The details of this issue are outlined in this GitHub advisory.
Despite my attempts to update the sub-dependencies, I haven't been able to fully resolve the vulnerability.
Could you please provide guidance on how to address this? Are there any plans to release a fix that resolves these vulnerabilities?
Thank you!
It is not safe to use user input as templates in the first place; but as long as you're not doing that, this vuln should not have any surface area or affect you here in any way.
Chokidar is only used for file-watching, if your templates are changing on disk. If you're caching templates (which you should be in production), you can fully uninstall this peer dependency.
Thank you for your quick reply! I’m still a little unclear about your response.
To clarify, we mainly use the Nunjucks library to call `renderString` with a context, which can include user inputs (like filters with arguments). We're not using any of the dependencies related to the reported security vulnerability.
For reference, here are the dependencies from our `package.json`:
```json
"dependencies": {
  "@actions/core": "^1.10.1",
  "@gitbeaker/rest": "^40.0.3",
  "@linearb/gitstream-core-js": "0.1.52",
  "@octokit/rest": "^20.1.1",
  "ajv": "^8.13.0",
  "axios": "^1.7.4",
  "js-yaml": "^4.1.0",
  "jsonwebtoken": "^9.0.2",
  "lodash": "^4.17.21",
  "moment": "^2.30.1",
  "nunjucks": "^3.2.4",
  "parse-diff": "^0.11.1",
  "prettier": "^2.8.8",
  "shell-quote": "^1.8.1"
}
```
This is how we initialize the Nunjucks environment:
```javascript
// Templates are loaded from this module's directory; watch is left at its
// default (off), and output values are not HTML-escaped.
this.env = new nunjucks.Environment(
  new nunjucks.FileSystemLoader(__dirname),
  { autoescape: false },
);
```
After that, we add the filters as I mentioned before.
Am I in the clear regarding the vulnerabilities?
Thanks 🙏
As I mentioned earlier, whether or not your application is vulnerable to arbitrary code execution, irrespective of this particular CVE, is going to be more about how you're calling `render`/`renderString`. It's a similar problem you'll run into when you're manually building SQL strings and then can be vulnerable to SQLi -- except instead of SQL, nunjucks is compiling to javascript and running directly in your program.
See here: https://mozilla.github.io/nunjucks/api.html#user-defined-templates-warning
> nunjucks does not sandbox execution so it is not safe to run user-defined templates or inject user-defined content into template definitions. On the server, you can expose attack vectors for accessing sensitive data and remote code execution. On the client, you can expose cross-site scripting vulnerabilities even for precompiled templates...

I'd also mention that it looks like you're not using the watch option, so unless you're using chokidar elsewhere, you can remove that dependency.
Thank you for the clarification.
I now understand that the vulnerability is similar to SQL injection risks. Since the code runs on the user's side, they are responsible for handling it, so it should be fine in our case.