[GHSA-f2jv-r9rf-7988] Remote code execution in handlebars when compiling templates #607
Conversation
github-actions
bot
changed the base branch from
main
to
westonsteimel/advisory-improvement-607
|
I think there is also a Jenkins plugin that embeds these directly but I wanted to wait and see what the thoughts were on these before investigating that further. Thanks so much for building and curating this dataset! |
Sorry for the delayed reply. The webjars artifacts are certainly valid and we've had some internal conversation about them before since they seem like a target for automated inclusion. The conversation always stalls out when we get to impact though as they don't seem to be wildly used so.... ya. I do wish I knew more about why this project exists and how it works, but that's a rabbit hole I haven't had time to dive down yet. For this PR I can definitely merge these in, but maybe it's worth also getting a conversation going on how to include relevant webjars and other re-packagings started too.
You're very welcome. Thank you for all the great contributions 😄 |
|
@darakian @westonsteimel I wonder if this should be discussed in a similar manner to how a Linux distribution packages software. It's common for those packages to contain other things (tm). There are two easy ways to view this
I think option 1 is the future state we all want |
|
Linux packages present a lot of challenges that we're not well equipped to tackle and the major linux distros all run their own security trackers. |
Right, my comment was just using it as a theoretical comparison. Where does this project track big questions like this? I suspect this pull request isn't the best place |
Feel free to open an issue for it 👍 |
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
|
@westonsteimel apologies for the delay on my end too. I just got back from some time off and am catching up on things. No problems on merging this, but I'm going to alter your range for |
|
Hi @westonsteimel! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
Including the webjars which package up the handlebars javascript as a Java artifact and are available on Maven
https://search.maven.org/artifact/org.webjars.bowergithub.wycats/handlebars.js/4.7.2/jar
https://search.maven.org/artifact/org.webjars.npm/handlebars/4.7.7/jar
https://search.maven.org/artifact/org.webjars/handlebars/4.7.6/jar
https://search.maven.org/artifact/org.webjars.bower/handlebars/4.7.6/jar