HIGH 7.5
GHSA-r4gv-qr8j-p3pg
handlebars.java FileTemplateLoader Path Traversal
Details
### Impact

Any application that passes user-controlled input as the template name to Handlebars.compile() while using a FileTemplateLoader (or ClassPathTemplateLoader) is vulnerable to arbitrary file read: a name containing `..` segments is resolved relative to the loader's base directory and escapes it. This is a realistic attack surface for web applications that take template names from URL path parameters, request parameters, or other user-controlled sources.
### Patches

Fixed in com.github.jknack:handlebars:4.5.2.
### Workarounds
Validate the template name before use whenever it is derived from user input, for example by resolving the file and checking that its canonical path stays under the loader's prefix directory. Both sides of the comparison must be canonical: comparing the raw path would let `prefix/../../etc/passwd` pass a `startsWith(prefix)` check, and a trailing separator keeps `prefix-other/` from matching `prefix`.

```java
// Canonicalize both the candidate file and the prefix before comparing them.
String base = new File(prefix).getCanonicalPath() + File.separator;
if (!file.getCanonicalPath().startsWith(base)) {
  throw new IOException("Path traversal attempt detected: " + location);
}
```
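As an added example, not code from handlebars.java or from the advisory, the class below shows the unsafe pattern described under Impact next to a hardened one: the template name is checked against an allowlist and the resolved path is confirmed to stay under the loader's directory before Handlebars.compile() is ever called. The class and method names, the regex, and the fixture files written to a temp directory are assumptions; the Handlebars, FileTemplateLoader and Template calls are the library's own API.

```java
import com.github.jknack.handlebars.Handlebars;
import com.github.jknack.handlebars.Template;
import com.github.jknack.handlebars.io.FileTemplateLoader;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Hypothetical wrapper (not part of handlebars.java) that validates a
 * user-supplied template name before handing it to Handlebars.compile().
 */
public class SafeTemplateRenderer {

    // Allowlist: segments of letters, digits, '_' or '-', separated by '/'.
    // No '.' means ".." can never appear; no leading '/' rules out absolute paths.
    private static final Pattern TEMPLATE_NAME =
        Pattern.compile("[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*");

    private final Path baseDir;
    private final Handlebars handlebars;

    public SafeTemplateRenderer(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks so later containment checks compare like with like.
        this.baseDir = baseDir.toRealPath();
        // FileTemplateLoader appends its default ".hbs" suffix to each template name.
        this.handlebars = new Handlebars(new FileTemplateLoader(this.baseDir.toFile()));
    }

    /** Returns the validated on-disk path, or throws before Handlebars sees the name. */
    Path validate(String name) throws IOException {
        if (name == null || !TEMPLATE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("rejected template name: " + name);
        }
        Path candidate = baseDir.resolve(name + ".hbs").normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("template escapes base directory: " + name);
        }
        // Defense in depth: a symlink inside baseDir could still point outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(baseDir)) {
            throw new IllegalArgumentException("template resolves outside base directory: " + name);
        }
        return candidate;
    }

    public String render(String name, Map<String, Object> context) throws IOException {
        validate(name);
        Template template = handlebars.compile(name);
        return template.apply(context);
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a template directory with one legitimate template,
        // plus a sibling file outside it standing in for a sensitive file.
        Path root = Files.createTempDirectory("hbs-demo");
        Path templates = Files.createDirectories(root.resolve("templates"));
        Files.writeString(templates.resolve("welcome.hbs"), "Hello {{name}}!");
        Files.writeString(root.resolve("secret.hbs"), "db-password=hunter2");

        // Vulnerable pattern from the advisory (do not do this): the request
        // parameter goes straight into compile(), so "../secret" reads secret.hbs.
        // new Handlebars(new FileTemplateLoader(templates.toFile())).compile(userInput);

        SafeTemplateRenderer renderer = new SafeTemplateRenderer(templates);
        System.out.println(renderer.render("welcome", Map.of("name", "Ada")));

        String[] hostile = {"../secret", "/etc/passwd", "a/../../secret", "welcome%2f..%2fsecret"};
        for (String name : hostile) {
            try {
                renderer.render(name, Map.of());
                System.out.println("UNEXPECTED: rendered " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        }
    }
}
```

The allowlist does the real work; the canonical-path comparison is a second line of defence for the case where a name slips through or a symlink is planted under the template directory. The advisory also names ClassPathTemplateLoader, and there the canonical-path check has no file to inspect, so the name allowlist is the part of this check that carries over.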
Affected packages
Maven / com.github.jknack:handlebars
Introduced in: 0
Fixed in: 4.5.2
Fix: in pom.xml, bump the dependency to <version>4.5.2</version> for com.github.jknack:handlebars