Security alert
dxvladislavvolkov opened this issue · 2 comments
dxvladislavvolkov commented
I get security alert in my project on github
All versions of dot are vulnerable to Command Injection. The template compilation may execute arbitrary commands if an attacker can inject code in the template or if a Prototype Pollution-like vulnerability can be exploited to alter an Object's prototype.
MingweiSamuel commented
This is part of doT's design.
Don't pass in arbitrary templates
#281
epoberezkin commented
The security model indeed assumes that the templates are fully controlled by the application, and not provided by the users/external data.