Backport security fixes for #1736

[bitwiseman]

I would not file a PR for this except that the security advisory has already been filed.
This PR addresses the vulnerability in compat mode and documents the lack of vulnerability in strict mode.
@nknapp

Generally we like to see pull requests that

• Please don't start pull requests for security issues. Instead, file a report at https://www.npmjs.com/advisories/report?package=handlebars
• Maintain the existing code style
• Are focused on a single change (i.e. avoid large refactoring or style adjustments in untouched code if not the primary goal of the pull request)
• Have good commit messages
• Have tests
• Have the typings (lib/handlebars.d.ts) updated on every API change. If you need help, updating those, please mention that in the PR description.
• Don't significantly decrease the current code coverage (see coverage/lcov-report/index.html)
• Currently, the 4.x-branch contains the latest version. Please target that branch in the PR.

[bitwiseman]

This was already the case in 3.x before this change and remains after this change currently. strict mode resulted in a TypeError when accessing constructor, __proto__, etc. We can fix this but it would require more changes and would not improve the security.

[bitwiseman]

This covers compat mode.

[bitwiseman]

It appears strict mode is already covered by the check in javascript-compiler.js:

handlebars.js/lib/handlebars/compiler/javascript-compiler.js

Lines 16 to 19 in 16bd606

	if (dangerousPropertyRegex.test(name)) {
	const isOwnProperty = [ this.aliasable('Object.prototype.hasOwnProperty'), '.call(', parent, ',', JSON.stringify(name), ')'];
	return ['(', isOwnProperty, '?', _actualLookup(), ' : undefined)'];
	}

However, the reason why this vulnerability appeared in 4.x was because that check was removed and this change was present. Better to make this change to make it completely clear.

[batmat]

@nknapp hello! Any chance you would be able to look into this some day soon? We are ready to help as need be, please let us know :-).
Thanks a lot for your hard work!

[bitwiseman]

@ErisDS @Afanyiyu @kpdecker @lawnsea @wycats
Sorry for pinging you all but this is a security issue that it would be great to get backported sooner rather than later.

[bitwiseman]

@jaylinski
Hey, thanks for the label update. If there is anything I can do to make this PR merge sooner, please just say so.
@car-roll @batmat @jtnord may also want to be updated on this.

[jaylinski]

Memo to myself:

• Think about back-porting GitHub CI code for tests
• Don't use npm lock-file version v2, keep it to v1
• Test fixes against exploits (https://snyk.io/vuln/npm:handlebars)
• Close RCE possible in compat and strict mode #1736 when this PR is merged and tagged

[nknapp]

@bitwiseman I think the compat-mode (f058970) part is worth backporting, but I wouldn't touch the part that is no real security issue in version 3.

Changes in version 3 are only done on a strict "need to be there" basis, as far as I am concerned...

[nknapp]

can you modify your PR, so that only f058970 is backported?

[windusayles]

@bitwiseman @nknapp do we need the modification you mentioned, f058970, in order to merge this fix?

[wycats]

@windusayles yeah 👍

Can you update the PR to limit it to just f058970?

[jaylinski]

Closing since v3.0.8 only has a few thousand downloads a week. So most people moved on to the latest (and more secure) version.

https://www.npmjs.com/package/handlebars?activeTab=versions

Also: v3.x is now marked as EOL in our security policy (35f0018).