🔒 Fixed RCE exploit with date helper & locale setting

refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-7v28-g2pq-ggg8

A vulnerability in an upstream library means an attacker can abuse locale input
to execute arbitrary commands from a file that has previously been uploaded
using the file upload functionality in the post editor.

core/frontend/helpers/date.js

@@ -45,7 +45,9 @@ module.exports = function (...attrs) {
     // i18n: Making dates, including month names, translatable to any language.
     // Documentation: http://momentjs.com/docs/#/i18n/
     // Locales: https://github.com/moment/moment/tree/develop/locale
-    dateMoment.locale(locale);
+    if (locale && locale.match('^[^/\\\\]*$') !== null) {
+        dateMoment.locale(locale);
+    }
 
     if (timeago) {
         date = dateMoment.tz(timezone).from(timeNow);

test/unit/frontend/helpers/date.test.js

@@ -1,3 +1,4 @@
+const assert = require('assert');
 const sinon = require('sinon');
 const should = require('should');
 
@@ -7,6 +8,23 @@ const date = require('../../../../core/frontend/helpers/date');
 const moment = require('moment-timezone');
 
 describe('{{date}} helper', function () {
+    afterEach(function () {
+        sinon.restore();
+    });
+    it('does not call moment locale method with a path', function () {
+        const localeStub = sinon.stub(moment.prototype, 'locale');
+        date.call('1970-01-01', {
+            hash: {},
+            data: {
+                site: {
+                    locale: '../../../content/files/1970/01/hax.js',
+                    timezone: 'Europe/Dublin'
+                }
+            }
+        });
+        assert(localeStub.notCalled, 'locale should not have been called with a path');
+    });
+
     it('creates properly formatted date strings', function () {
         const testDates = [
             '2013-12-31T11:28:58.593+02:00',