From f0e73cb126495eda73adcc480e7b5dab76a30346 Mon Sep 17 00:00:00 2001 From: Penar Musaraj Date: Wed, 5 Jun 2019 13:54:52 -0400 Subject: [PATCH] SECURITY: Bump Handlebars to version 4.1.2 WS-2019-0064: Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects prototype, thus allowing an attacker to execute arbitrary code on the server. --- package.json | 2 +- vendor/assets/javascripts/handlebars.js | 12 +++++++++--- vendor/assets/javascripts/handlebars.runtime.js | 12 +++++++++--- yarn.lock | 8 ++++---- 4 files changed, 23 insertions(+), 11 deletions(-) diff --git a/package.json b/package.json index f3ae82902f0..6a040ffd53c 100644 --- a/package.json +++ b/package.json @@ -12,7 +12,7 @@ "bootstrap": "v3.4.1", "chart.js": "2.7.3", "favcount": "https://github.com/chrishunt/favcount", - "handlebars": "^4.1.1", + "handlebars": "^4.1.2", "highlight.js": "https://github.com/highlightjs/highlight.js", "htmlparser": "https://github.com/tautologistics/node-htmlparser", "intersection-observer": "^0.5.1", diff --git a/vendor/assets/javascripts/handlebars.js b/vendor/assets/javascripts/handlebars.js index 2895c269ed6..868d1edd12e 100644 --- a/vendor/assets/javascripts/handlebars.js +++ b/vendor/assets/javascripts/handlebars.js @@ -1,7 +1,7 @@ /**! @license - handlebars v4.1.1 + handlebars v4.1.2 Copyright (C) 2011-2017 by Yehuda Katz @@ -275,7 +275,7 @@ return /******/ (function(modules) { // webpackBootstrap var _logger2 = _interopRequireDefault(_logger); - var VERSION = '4.1.1'; + var VERSION = '4.1.2'; exports.VERSION = VERSION; var COMPILER_REVISION = 7; @@ -868,7 +868,13 @@ return /******/ (function(modules) { // webpackBootstrap exports['default'] = function (instance) { instance.registerHelper('lookup', function (obj, field) { - return obj && obj[field]; + if (!obj) { + return obj; + } + if (field === 'constructor' && !obj.propertyIsEnumerable(field)) { + return undefined; + } + return obj[field]; }); }; 
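Review bot: The new guard in the `lookup` helper only special-cases `field === 'constructor'`, so a template can still reach the prototype chain through `{{lookup obj "__proto__"}}` or `{{lookup fn "prototype"}}`; this bump narrows the prototype-pollution surface described in the commit message rather than closing it, so keep tracking upstream releases of this vendored bundle and do not rely on it alone where untrusted templates are compiled. The check also invokes `obj.propertyIsEnumerable(field)` as a method on the looked-up value, which appears to throw for a null-prototype object (`Object.create(null)`) or any object that shadows that name; the robust form is `Object.prototype.propertyIsEnumerable.call(obj, field)`. Because vendor/assets/javascripts/handlebars.js is a vendored build, either change belongs upstream rather than in this file, and the identical helper body in handlebars.runtime.js would need the same treatment. The enclosing webpack module wrapper starts and ends outside the hunk.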
diff --git a/vendor/assets/javascripts/handlebars.runtime.js b/vendor/assets/javascripts/handlebars.runtime.js index 43b6e99c0c8..169d038fed4 100644 --- a/vendor/assets/javascripts/handlebars.runtime.js +++ b/vendor/assets/javascripts/handlebars.runtime.js @@ -1,7 +1,7 @@ /**! @license - handlebars v4.1.1 + handlebars v4.1.2 Copyright (C) 2011-2017 by Yehuda Katz @@ -207,7 +207,7 @@ return /******/ (function(modules) { // webpackBootstrap var _logger2 = _interopRequireDefault(_logger); - var VERSION = '4.1.1'; + var VERSION = '4.1.2'; exports.VERSION = VERSION; var COMPILER_REVISION = 7; @@ -800,7 +800,13 @@ return /******/ (function(modules) { // webpackBootstrap exports['default'] = function (instance) { instance.registerHelper('lookup', function (obj, field) { - return obj && obj[field]; + if (!obj) { + return obj; + } + if (field === 'constructor' && !obj.propertyIsEnumerable(field)) { + return undefined; + } + return obj[field]; }); }; diff --git a/yarn.lock b/yarn.lock index 5123e356e6e..b552a1915e1 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1051,10 +1051,10 @@ graceful-fs@^4.1.2: resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.1.15.tgz#ffb703e1066e8a0eeaa4c8b80ba9253eeefbfb00" integrity sha512-6uHUhOPEBgQ24HM+r6b/QwWfZq+yiFcipKFrOFiBEnWdy5sdzYoi+pJeQaPI5qOLRFqWmAXUPQNsielzdLoecA== -handlebars@^4.1.1: - version "4.1.1" - resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.1.1.tgz#6e4e41c18ebe7719ae4d38e5aca3d32fa3dd23d3" - integrity sha512-3Zhi6C0euYZL5sM0Zcy7lInLXKQ+YLcF/olbN010mzGQ4XVm50JeyBnMqofHh696GrciGruC7kCcApPDJvVgwA== +handlebars@^4.1.2: + version "4.1.2" + resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.1.2.tgz#b6b37c1ced0306b221e094fc7aca3ec23b131b67" + integrity sha512-nvfrjqvt9xQ8Z/w0ijewdD/vvWDTOweBUm96NTr66Wfvo1mJenBLwcYmPs3TIBP5ruzYGD7Hx/DaM9RmhroGPw== dependencies: neo-async "^2.6.0" optimist "^0.6.1"