olado/doT

Security alert

dxvladislavvolkov opened this issue · 2 comments

dxvladislavvolkov commented

I get security alert in my project on github

All versions of dot are vulnerable to Command Injection. The template compilation may execute arbitrary commands if an attacker can inject code in the template or if a Prototype Pollution-like vulnerability can be exploited to alter an Object's prototype.

MingweiSamuel commented

This is part of doT's design.
Don't pass in arbitrary templates
#281

  • 👍1
epoberezkin commented

The security model indeed assumes that the templates are fully controlled by the application, and not provided by the users/external data.