Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-06 22:40:14 -05:00
Code Issues Activity
ghost/core/frontend/helpers/date.js
Fabien "egg" O'Carroll b82dc7ae7c 🔒 Fixed RCE exploit with date helper & locale setting 
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-7v28-g2pq-ggg8

A vulnerability in an upstream library means an attacker can abuse locale input
to execute arbitrary commands from a file that has previously been uploaded
using the file upload functionality in the post editor.
2022-06-14 22:50:22 -04:00

59 lines
1.9 KiB
JavaScript
Raw Blame History

// # Date Helper
// Usage: `{{date format="DD MM, YYYY"}}`, `{{date updated_at format="DD MM, YYYY"}}`
//
// Formats a date using moment-timezone.js. Formats published_at by default but will also take a date as a parameter
const {SafeString} = require('../services/handlebars');
const moment = require('moment-timezone');
const _ = require('lodash');
module.exports = function (...attrs) {
// Options is the last argument
const options = attrs.pop();
let date;
// If there is any more arguments, date is the first one
if (!_.isEmpty(attrs)) {
date = attrs.shift();
// If there is no date argument & the current context contains published_at use that by default,
// else date being undefined means moment will use the current date
} else if (this.published_at) {
date = this.published_at;
}
// ensure that date is undefined, not null, as that can cause errors
date = date === null ? undefined : date;
const {
format = 'll',
timeago,
timezone = options.data.site.timezone,
locale = options.data.site.locale
} = options.hash;
const timeNow = moment().tz(timezone);
// Our date might be user input
let testDateInput = Date.parse(date);
let dateMoment;
if (isNaN(testDateInput) === false) {
dateMoment = moment.parseZone(date);
} else {
dateMoment = timeNow;
}
// i18n: Making dates, including month names, translatable to any language.
// Documentation: http://momentjs.com/docs/#/i18n/
// Locales: https://github.com/moment/moment/tree/develop/locale
if (locale && locale.match('^[^/\\\\]*$') !== null) {
dateMoment.locale(locale);
}
if (timeago) {
date = dateMoment.tz(timezone).from(timeNow);
} else {
date = dateMoment.tz(timezone).format(format);
}
return new SafeString(date);
};
Reference in a new issue View git blame Copy permalink