
dust.js: are random user-uploaded templates secure to execute server-side?

I want to allow my users to upload their own dust templates.

Right now I compile and store them in a database. I then load them from the database and execute them as needed.

My platform server side is node.js.

Could a user insert malicious data in a template that would harm my running node.js process? Infinite loops? Code injection?

Thanks

It is not possible for a user-generated template to contain anything evil or harmful; the template will simply not compile in most cases. Templates always compile to safe, Dust-generated strings.

However, if you allow users to provide their own data to pass to the templates, there could be a risk. Dust runs any functions it finds in the render context, and you could write unescaped HTML like this:

{
  // A function in the render context is called by Dust; chunk.write emits raw,
  // unescaped output into the rendered string.
  "foo": function(chunk) {
    return chunk.write("<script src='evil'>");
  }
}

So a user could insert a script tag somewhere and introduce an XSS.

If you render templates server-side, Dust runs the rendering process as part of the main event loop, so a context function has access to anything in scope at that time...

{
  // Illustrative only: SECRET_API_KEY and database stand for whatever
  // server-side state happens to be in scope when the render runs.
  "foo": function(chunk) {
    console.log("I'm writing to the server console!");
    dust.log("Spammin' ur logz", "ERROR");
    chunk.write("I'm stealing ur keyz: " + SECRET_API_KEY);
    database.eraseAllTheThings({ howMany: "all of them", yaRly: true });
  }
}

To protect against this, it's best to use the vm module to isolate the render from your main Node script when you allow users to provide their own data. You could also run the render in a separate process. Or you could force the data to be JSON-only.

A template by itself cannot be harmful, compiled or uncompiled. The only possible attack would be to provide a template of extreme size (hundreds of MB) and just DoS your server.

If you provided helpers that were written poorly, your helpers could hang indefinitely if provided with the correct template invocation:

{@loop from=1 to=999999999999999999999999999999999999999999999}{/loop}

The solution to this is to run the render in a separate process with a timeout.

tl;dr: templates only, vanilla Dust, you're safe.
