Handlebars dynamic debugging

2022-06-23 02:44:00 asura

Link to the original text: https://blog.p6.is/AST-Injection/

const Handlebars = require('handlebars');
Object.prototype.pendingContent = `<script>alert(origin)</script>`
const source = `Hello {{ msg }}`;
const template = Handlebars.compile(source);
console.log(template({"msg": "posix"})); // <script>alert(origin)</script>Hello posix

After several rounds of dynamic debugging, the following key positions were found.

Run the program.

From here, press F11, then Shift+F11, then F11 again.

It is better not to use F10 here, as it will skip some steps.

Step into compile.

The previous step sets some variables.

Press F5 to go directly to the next breakpoint.

Here there are 8 opcodes in total.

The first is appendContent.

Here you can see appendContent, namely "<script>alert(origin)</script>"

content, namely Hello

The two are joined by string concatenation.

The key file is:

nodet1/node_modules/handlebars/dist/cjs/handlebars/compiler/javascript-compiler.js

Continue with F10 to go back to the opcodes loop.

After stepping through a few opcodes, we reach pushSource.

Press F11 to step into pushSource.

Its main job is to make pendingContent become undefined.

Continue, and execution goes back to:

nodet1/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js

  function compileInput() {
    var ast = env.parse(input, options),
        environment = new env.Compiler().compile(ast, options),
        templateSpec = new env.JavaScriptCompiler().compile(environment, options, undefined, true);
    return env.template(templateSpec);
  }
  ...
  console.log(template({"msg":"posix"}));

The result is printed to the console.
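
The flow traced above, reduced to a stand-alone model that shows why an uninitialised pendingContent is read from Object.prototype and how defining it on the instance prevents that. This is an added example, not Handlebars source and not code from the original post; ModelCompiler, HardenedCompiler, render, pollutedKeys and the '[INJECTED]' marker are hypothetical names and values chosen for illustration.

```javascript
// Simplified model of the flow traced above. NOT Handlebars source: the
// method names follow the page, the bodies are assumptions for illustration.
class ModelCompiler {
  constructor() {
    this.source = []; // pendingContent is deliberately never initialised here
  }
  appendContent(content) {
    // With no own property, this lookup continues up to Object.prototype.
    if (this.pendingContent) content = this.pendingContent + content;
    this.pendingContent = content;
  }
  pushSource() {
    if (this.pendingContent) this.source.push(this.pendingContent);
    this.pendingContent = undefined; // own property now shadows the prototype
  }
}

// Mitigation: define the field on the instance before it is ever read.
class HardenedCompiler extends ModelCompiler {
  constructor() {
    super();
    this.pendingContent = undefined;
  }
}

// Detection: Object.prototype has no enumerable own keys unless something added them.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

// Runs one appendContent/pushSource round with a constructed, harmless marker
// placed on Object.prototype, then removes the marker again.
function render(CompilerClass, marker) {
  Object.prototype.pendingContent = marker;
  try {
    const c = new CompilerClass();
    c.appendContent('Hello ');
    c.pushSource();
    return { output: c.source.join(''), seen: pollutedKeys() };
  } finally {
    delete Object.prototype.pendingContent;
  }
}

console.log(render(ModelCompiler, '[INJECTED]'));    // marker is prepended
console.log(render(HardenedCompiler, '[INJECTED]')); // marker is ignored
```

A check like pollutedKeys() can run at application start-up or in tests to flag unexpected enumerable keys on Object.prototype before any template is compiled.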

Copyright notice
This article was written by [asura]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/01/202201301747319727.html