handlebars¶¯µ÷

Ô­ÎÄÁ´½Ó https://blog.p6.is/AST-Injection/

const Handlebars = require('handlebars');
Object.prototype.pendingContent = `<script>alert(origin)</script>`
const source = `Hello {{ msg }}`;
const template = Handlebars.compile(source);
console.log(template({"msg": "posix"})); // <script>alert(origin)</script>Hello posix

¾­¹ý¼¸ÂÖ¶¯Ì¬µ÷ÊÔ ÕÒµ½ÁËÈçϼ¸´¦¹Ø¼üλÖÃ

ÅÜÆðÀ´³ÌÐò

´ÓÕâÀïÏÈf11 È»ºó shift + f11 ÔÙf11

×îºÃ²»ÒªÖ±½Óf10?»áÌø¹ýһЩ²½Öè

½øÈëcompile

Ç°ÃæÊÇÉèÖÃһЩ±äÁ¿

ÎÒÃÇÖ±½Ó f5 µ½ÏÂÒ»¸ö¶Ïµã

ÕâÀïopcode Ò»¹²ÓÐ8¸ö

µÚÒ»¸öΪappendContent

ÕâÀï¿ÉÒÔ¿´µ½ appendContent ¾ÍÊÇ?"<script>alert(origin)</script>

content¾ÍÊÇ?Hello

×Ö·û´®ÏàÁ¬

¹Ø¼üÎļþΪ?

nodet1/node_modules/handlebars/dist/cjs/handlebars/compiler/javascript-compiler.js

¼ÌÐøf10 »Øµ½opcodes Ñ­»·

×ß¹ý¼¸¸öopcode¿ÉÒÔ½øÈëµ½

pushSource

f11 ½øÈëµ½?pushSource

Ö÷ÒªÊÇ ÈÃpendingContent?±ä³É?developer/article/1940247/undefined??

¼ÌÐø?»Øµ½?

nodet1/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js

  function compileInput() {
    var ast = env.parse(input, options),
        environment = new env.Compiler().compile(ast, options),
        templateSpec = new env.JavaScriptCompiler().compile(environment, options, ?developer/article/1940247/undefined, true);
    return env.template(templateSpec);
  }
  ¡£¡£¡£
  console.log(template({"msg":"posix"}));

´òÓ¡µ½¿ØÖÆ̨