Policy on Reporting Potential Security Vulnerabilities #50
Comments

Hello,

I wanted to inquire about any existing policy/your preference for reporting any potential security vulnerability findings. Rather than just opening a public issue, I wanted to check whether there was a responsible disclosure policy of some kind, and/or a private channel through which findings can be reported. Thanks!

I think a public issue makes sense; I don't have any mechanism for privately notifying users of potential issues.

OK, got it. In that case, I've noticed that the Partials functionality allows for reading of arbitrary files.

The following mustache command will display the contents of

    echo '{}' | mustache ./template.mustache

This is without any explicit configuration of a

I believe this behavior stems from these lines here: https://github.com/cbroglie/mustache/blob/master/partials.go#L33-L48. Specifically, the default

I don't think this is a security vulnerability; the binary is subject to the same file permissions as the running user, and the template contents are controlled by the user as well.

The scenario in which I could see it being an issue is one where, for example, a webapp uses this library to render arbitrary templates supplied by external users. In that scenario, a user could supply templates such as

I'd definitely be wary of rendering any untrusted templates. But one of the defenses for that scenario would be to use chroot.
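The thread above describes the hazard (a partial name taken straight from the template is opened as a file path) and one mitigation (chroot). The following is an added example, written for this page and not code from the cbroglie/mustache project. It shows the application-level counterpart of that confinement: a partial provider rooted in an fs.FS, so a template can only name files under a fixed partials directory, plus a pre-render scan that reports every partial name the provider would refuse. ResolveUnsafe reproduces only the behaviour the reporter attributes to the default lookup (the name joined onto an empty search path); the Get(name) (string, error) shape is assumed to match the library's PartialProvider, and FSProvider, PartialNames, CheckTemplate and the in-memory partials directory are all constructed here.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"regexp"
	"strings"
	"testing/fstest"
)

// partialTag matches a Mustache partial tag such as {{> header }} or {{>../x}}
// and captures the partial name. Constructed helper for pre-render inspection;
// it is not the library's parser.
var partialTag = regexp.MustCompile(`\{\{\s*>\s*([^}\s]+)\s*\}\}`)

// PartialNames returns every partial name referenced by a template, in order.
func PartialNames(template string) []string {
	var names []string
	for _, m := range partialTag.FindAllStringSubmatch(template, -1) {
		names = append(names, m[1])
	}
	return names
}

// ResolveUnsafe reproduces the resolution the issue attributes to the default
// file-backed lookup: the name is joined onto an empty search path, so an
// absolute or parent-relative name resolves wherever the template author
// points it. It is here to show the escape, not to be used.
func ResolveUnsafe(name string) string {
	return path.Join("", name)
}

// FSProvider serves partials only from the fs.FS it was given. fs.ValidPath
// rejects absolute names, "..", and empty or "." elements, so no template can
// name a file outside the root. Get mirrors the shape of the library's
// PartialProvider (assumption); the type itself is ours.
type FSProvider struct {
	Root       fs.FS
	Extensions []string // candidate suffixes tried in order, e.g. "", ".mustache"
}

// Get returns the partial body, or an error if the name is unsafe or missing.
func (p FSProvider) Get(name string) (string, error) {
	// Backslashes are rejected explicitly: fs.ValidPath only understands "/".
	if !fs.ValidPath(name) || strings.ContainsAny(name, `\`) {
		return "", fmt.Errorf("partial %q: not a valid path inside the partials root", name)
	}
	exts := p.Extensions
	if len(exts) == 0 {
		exts = []string{""}
	}
	for _, ext := range exts {
		if data, err := fs.ReadFile(p.Root, name+ext); err == nil {
			return string(data), nil
		}
	}
	return "", fmt.Errorf("partial %q: not found under partials root", name)
}

// CheckTemplate validates an untrusted template against a provider before any
// rendering happens and returns every partial name the provider refuses.
func CheckTemplate(template string, p FSProvider) []string {
	var bad []string
	for _, n := range PartialNames(template) {
		if _, err := p.Get(n); err != nil {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	// Constructed in-memory partials directory standing in for ./partials on disk.
	root := fstest.MapFS{
		"header.mustache": {Data: []byte("<h1>{{title}}</h1>")},
	}
	p := FSProvider{Root: root, Extensions: []string{"", ".mustache"}}

	fmt.Println(ResolveUnsafe("/etc/passwd"))     // /etc/passwd
	fmt.Println(ResolveUnsafe("../../etc/passwd")) // ../../etc/passwd
	fmt.Println(CheckTemplate("{{> header}} {{> /etc/passwd}} {{> ../secret}}", p))
	// [/etc/passwd ../secret]
}
```

In a real deployment Root would be os.DirFS("./partials"), which applies the same fs.ValidPath rule on Open; the pre-render check is cheap enough to run on every untrusted template and gives the caller a concrete list of offending names to log or reject instead of a rendering failure.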