How to Fix the Remote Code Execution Vulnerability in EJS

Learn how to deal with a vulnerability in Snyk that has to do with EJS and code executions.

By Tim Kadlec · Dec. 04, 16 · Tutorial

This week, Snyk added a high-severity Remote Code Execution vulnerability in the EJS package to our vulnerability database.

EJS (Embedded JavaScript Templates) is a fast, simple and very popular JavaScript templating engine. EJS provides a few different options for you to render a template. Two of them, render and renderFile, are fairly similar, the only difference being that render expects a string to be used for the template and renderFile expects a path to a template file. Both methods also accept arguments for the data and an optional set of configuration options. The renderFile method also accepts a callback function.

ejs.render(str, data, options);

ejs.renderFile(filename, data, options, callback);

Both methods also allow you to roll the data and options together into one single object.

ejs.render(str, dataAndOptions);

ejs.renderFile(filename, dataAndOptions, callback);

The Vulnerability

Using the shortcut method may seem easier, but mixing data and options in one object can become error prone over time. If that’s not enough to sway you off it, here’s a better reason: using the shortcut method can expose your application to a remote code execution vulnerability.

The EJS templates that you compile can include other files by using an include directive.

<%- include('path/to/include'); %>

By default, these includes are resolved relative to the template. If the template is in the templates folder, then EJS will look in templates/path/to/include to find the file to include.

This isn’t a problem when your options are passed as a separate argument, but it does become a problem if you combine your options and data into a single object. If the method passes along a list of data supplied by the user, an attacker could intercept and inject

One of the configuration options available to you is the root option, which enables you to change the default location from which those includes are being pulled.

ejs.renderFile('my-template', {root:'/bad/root/'}, callback);

By passing along the root option in the line above, any includes would now be pulled from /bad/root instead of the path intended, resulting in remote code execution.

While being able to configure the root can be useful for developers using the EJS engine, allowing it to be set in the same object as user data presents a serious security risk. The developer could take steps to sanitize the input, but the engine itself would still be insecure by default.
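An added example (not EJS's own code and not from the original article) that models the two call patterns above and a defensive check for untrusted template data; the template directory and every option name other than root are assumptions:

```javascript
// Added example (not EJS's own code): a simplified model of the pattern the
// article describes, plus defensive handling of untrusted template data.
// The template directory and the option names other than `root` are assumptions.
const TEMPLATE_DIR = '/srv/app/templates';

// Simplified include resolution: under the template directory by default,
// under `root` when that option is set (mirrors the behaviour described above).
function resolveInclude(name, options) {
  const base = options && options.root ? options.root : TEMPLATE_DIR;
  return base.replace(/\/+$/, '') + '/' + name;
}

// Vulnerable pattern: data and options rolled into one object, so any key the
// request body happens to carry is read as an engine option.
function includePathMerged(dataAndOptions) {
  return resolveInclude('partials/header', dataAndOptions);
}

// Hardened pattern: options are fixed by the application and the user data is
// passed as its own argument, so a `root` key inside the data is inert.
function includePathSeparate(data, options) {
  return resolveInclude('partials/header', options);
}

// Defence in depth: engine option names must never reach the options position
// from untrusted input. `root` is the key from the article; the rest are a
// partial, assumed list of other EJS options and can be extended.
const RESERVED_OPTION_KEYS = new Set(['root', 'filename', 'views', 'delimiter',
  'cache', 'client', 'compileDebug', 'strict', 'localsName', 'escape']);

function sanitizeUserData(userData) {
  const clean = {};
  const rejected = [];
  for (const [key, value] of Object.entries(userData)) {
    if (RESERVED_OPTION_KEYS.has(key)) rejected.push(key); else clean[key] = value;
  }
  // A non-empty `rejected` list on a request is a signal worth logging.
  return { clean, rejected };
}

// Constructed request body carrying an option key alongside ordinary data.
const untrustedBody = { title: 'Hello', root: '/bad/root/' };
console.log(includePathMerged(untrustedBody));         // /bad/root/partials/header
console.log(includePathSeparate(untrustedBody, {}));   // /srv/app/templates/partials/header
console.log(sanitizeUserData(untrustedBody).rejected); // [ 'root' ]
```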

Our security team found the issue and disclosed it on November 27th. The project’s owner, Matthew Eernisse, put together a simple fix that blacklists the root option so that it can’t be passed in alongside user data.

Frequently, vulnerabilities remain unfixed long after their initial disclosure. The XSS vulnerability in Marked, for instance, took over a year to be addressed. Thankfully, that wasn’t the case here. Thanks to a remarkably quick release from Matthew, the vulnerability went from disclosed to fixed in only one day. Version 2.5.3 of EJS, released on November 28th, includes the fix for the vulnerability.

How to Fix It

If you’ve told Snyk to watch your project and it uses EJS, you likely already received an alert about the issue. The vulnerability can be resolved either by using the GitHub integration to generate a pull request from your dashboard or by running snyk wizard from the command-line interface. In either case, Snyk will identify the issue and prompt you to update the EJS package to the latest version.

If you’re not running Snyk, you can address the issue by manually updating to the latest version of EJS. Just be sure to check all of your dependencies as well: if one of them is pulling in the EJS package, that won’t show up in your package.json file, and updating may be a much more involved process.


Published at DZone with permission of Tim Kadlec. See the original article here.
