Bug 1400032

Summary: nodejs-ejs: Remote code execution via ejs.render()
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: avibelli, gsterlin, jbalunas, jshepherd, rrajasek, tchollingsworth, tkirby
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-ejs 2.5.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:02:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1400033, 1400034    
Bug Blocks: 1400035    

Description Adam Mariš 2016-11-30 10:24:57 UTC 
ejs.render() function can be invoked in two ways. The first way is by calling ejs.render(template, data, options), and the second is calling ejs.render(template, data) where ejs lets the options be passed as part of the data. If used with a variable list supplied by the user (e.g. by reading it from the URI with qs or equivalent), an attacker can control ejs options, including the root option, which allows changing the project root for includes with an absolute path. As a result, the attacker can take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.

Upstream patch:

https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6

External References:

https://snyk.io/vuln/npm:ejs:20161128
Comment 1 Adam Mariš 2016-11-30 10:25:28 UTC 
Created nodejs-ejs tracking bugs for this issue:

Affects: fedora-all [bug 1400033]
Affects: epel-all [bug 1400034]