CVE-2023-23630: Release Version 2.0.0 · eta-dev/eta

Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don’t pass user supplied things directly to res.render.


TL;DR

This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the data parameter of renderFile() into config – meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of varName, include, includeFile, and useWith, and thus insert arbitrary code into user template functions.

With this release, such behavior is removed. Configuration cannot be passed through the data parameter to eta.renderFile().
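To illustrate the class of bug described above, here is an added example that is not Eta's code: a constructed miniature template renderer whose configuration option `autoEscape`, `{{ key }}` syntax, default settings and sample request data are all invented for the demo. It contrasts the v1-style behaviour, where the data object is merged into the engine configuration and so any key the user controls can override an option, with the v2-style API, where configuration is a separate argument that user data never reaches.

```javascript
// Added example (not Eta's own code). A tiny template renderer that shows why
// merging untrusted data into engine configuration is dangerous, and the
// v2-style fix of passing configuration as its own argument.
// Option names, template syntax and sample data below are constructed.

const DEFAULT_CONFIG = {
  autoEscape: true, // HTML-escape interpolated values (constructed option)
  varName: "it",    // name under which data is exposed (constructed option)
};

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Core renderer: replaces {{ key }} with data[key], escaping per config.
function renderWith(template, data, config) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => {
    const value = data[key] === undefined ? "" : data[key];
    return config.autoEscape ? escapeHtml(value) : String(value);
  });
}

// v1-style: configuration is read out of the data object itself. Any key an
// attacker can place in `data` therefore doubles as an engine option.
function renderFileV1Style(template, data) {
  const config = { ...DEFAULT_CONFIG, ...data };
  return renderWith(template, data, config);
}

// v2-style: configuration is a separate, trusted argument. Keys in `data`
// are only ever template data, never options.
function renderFileV2Style(template, data, config = {}) {
  return renderWith(template, data, { ...DEFAULT_CONFIG, ...config });
}

const TEMPLATE = "<p>Hello, {{ name }}</p>";

// Constructed request body, as an app might pass straight into res.render().
// Besides the expected `name`, it carries a key that happens to name a
// configuration option.
const UNTRUSTED_DATA = { name: "<b>Mallory</b>", autoEscape: false };

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return {
    v1: renderFileV1Style(TEMPLATE, UNTRUSTED_DATA), // escaping switched off by user data
    v2: renderFileV2Style(TEMPLATE, UNTRUSTED_DATA), // user data cannot reach config
  };
}

console.log(demo());
```

Running the block prints the v1-style output with the user's markup intact and the v2-style output with it escaped; the only difference between the two functions is where the configuration comes from, which is exactly the change this release makes to `renderFile()`.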

Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.

Practical Implications

  • Configuration must be passed to renderFile explicitly, rather than merged with the data parameter
  • Using Express.js app.set() to modify views and view cache will no longer change Eta’s configuration of views and cache.
    • However, since Express still uses its own views and view cache options under the hood, users should configure both Eta and Express with desired values (example below)
  • Eta no longer recognizes the legacy Express.js settings["view options"] property

Example Code Changes

```js
// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2

// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2
```

```js
// Change THIS:
var eta = require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)

// To THIS:
var eta = require("eta")
app.engine("eta", eta.renderFile)
eta.configure({ views: "./views", cache: true }) // configure eta
app.set("views", "./views")                      // configure Express
app.set("view cache", true)                      // configure Express
app.set("view engine", "eta")
```

Commits

  • Don’t use data object for Eta configuration (#214) 5651392

v1.14.2…v2.0.0

Related news

GHSA-xrh7-m5pp-39r6: XSS Attack with Express API

### Impact

XSS attack - anyone using the Express API is impacted

### Patches

The problem has been resolved. Users should upgrade to version 2.0.0.

### Workarounds

Don't pass user supplied data directly to `res.renderFile`.

### References

See https://github.com/eta-dev/eta/releases/tag/v2.0.0
