<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Scriban - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/scriban/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 02 May 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/scriban/feed.xml" rel="self" type="application/rss+xml"/><item><title>Scriban TemplateContext MemberFilter Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-05-02-scriban-sandbox-escape/</link><pubDate>Thu, 02 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-02-scriban-sandbox-escape/</guid><description>Scriban versions before 7.0.0 are vulnerable to a sandbox escape due to improper caching of type accessors in `TemplateContext`, leading to a `MemberFilter` bypass when a `TemplateContext` is reused, potentially exposing sensitive data.</description><content:encoded><![CDATA[<p>Scriban, a .NET templating engine, is vulnerable to a sandbox escape vulnerability affecting versions prior to 7.0.0. This vulnerability arises from the <code>TemplateContext</code> caching type accessors without clearing them upon reset. Specifically, the <code>TemplateContext</code> caches accessors based on <code>Type</code>, but these accessors are created using the <code>MemberFilter</code> and <code>MemberRenamer</code> active at the time. When a <code>TemplateContext</code> is reused with a tightened filter for subsequent renders, Scriban reuses the old accessor, potentially exposing members that should be hidden. This bypass allows unauthorized access or modification of filtered properties or fields, leading to policy bypass across requests, users, or tenants when contexts are pooled. The vulnerability is present in <code>src/Scriban/TemplateContext.cs</code> and <code>src/Scriban/Runtime/Accessors/TypedObjectAccessor.cs</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An application initializes a <code>TemplateContext</code> with a permissive <code>MemberFilter</code>, allowing access to a wide range of object members.</li>
<li>The application renders a template using the <code>TemplateContext</code>, creating a <code>TypedObjectAccessor</code> for a specific type and caching it within the <code>_memberAccessors</code> dictionary using the <code>Type</code> as the key.</li>
<li>The application calls <code>TemplateContext.Reset()</code>, which clears most of the context but crucially does <em>not</em> clear the <code>_memberAccessors</code> cache.</li>
<li>The application modifies the <code>MemberFilter</code> to be more restrictive, aiming to limit access to specific members.</li>
<li>The application renders another template using the same (reused) <code>TemplateContext</code>.</li>
<li>When the application attempts to access members of the same type as in step 2, Scriban retrieves the cached <code>TypedObjectAccessor</code> from <code>_memberAccessors</code>.</li>
<li>The cached <code>TypedObjectAccessor</code> still uses the original, permissive <code>MemberFilter</code>, bypassing the newly configured restrictive filter.</li>
<li>Sensitive data, which should have been filtered, is exposed or modified, leading to unauthorized access or policy bypass.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthorized read or write access to properties and fields that should have been filtered by the <code>MemberFilter</code>. This can lead to the exposure of sensitive data, unauthorized modification of application state, and policy bypass across requests, users, or tenants. Applications that rely on <code>TemplateContext.MemberFilter</code> for sandboxing or object-exposure policy are particularly vulnerable. The vulnerability affects Scriban versions prior to 7.0.0.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Scriban version 7.0.0 or later to remediate the vulnerability (Affected Packages: nuget/scriban (vulnerable: &lt; 7.0.0)).</li>
<li>Avoid reusing <code>TemplateContext</code> instances with different <code>MemberFilter</code> configurations. Create a new <code>TemplateContext</code> for each rendering operation with a distinct <code>MemberFilter</code>.</li>
<li>Implement server-side checks to validate and sanitize data before rendering it with Scriban to mitigate the impact of potential sandbox escapes.</li>
<li>Monitor Scriban template rendering for unexpected data access patterns to detect potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>scriban</category><category>sandbox-escape</category><category>memberfilter-bypass</category></item><item><title>Scriban `object.to_json` Uncontrolled Recursion DoS</title><link>https://feed.craftedsignal.io/briefs/2024-01-scriban-stack-overflow/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-scriban-stack-overflow/</guid><description>The Scriban library is vulnerable to a denial-of-service attack where a specially crafted template with a self-referencing object passed to the `object.to_json` function causes unbounded recursion, leading to a `StackOverflowException` that terminates the .NET process.</description><content:encoded><![CDATA[<p>Scriban versions prior to 7.0.0 are susceptible to a denial-of-service vulnerability due to uncontrolled recursion in the <code>object.to_json</code> function. This function, used for recursive JSON serialization, lacks depth limits, circular reference detection, and stack overflow guards. A malicious Scriban template containing a self-referencing object, when processed by <code>object.to_json</code>, triggers unbounded recursion, leading to a <code>StackOverflowException</code> that terminates the hosting .NET process. This vulnerability poses a significant risk to applications embedding Scriban for user-provided templates, such as CMS platforms, email template engines, and static site generators. The vulnerability is easily exploitable, requiring only a single line of template code, and does not require authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Scriban template containing a self-referencing object. For example: <code>{{ x = {}; x.self = x; x | object.to_json }}</code>.</li>
<li>The template is submitted to an application that uses Scriban for template processing.</li>
<li>The Scriban engine parses the template and encounters the <code>object.to_json</code> function call.</li>
<li>The <code>ToJson()</code> function in <code>ObjectFunctions.cs</code> calls the vulnerable <code>WriteValue()</code> function.</li>
<li><code>WriteValue()</code> attempts to serialize the self-referencing object without proper recursion checks.</li>
<li>Due to the self-reference, <code>WriteValue()</code> enters an infinite recursion loop.</li>
<li>Each recursive call consumes stack space, eventually leading to a <code>StackOverflowException</code>.</li>
<li>The <code>StackOverflowException</code> terminates the entire .NET process hosting the Scriban engine, resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to a denial-of-service condition, crashing the entire .NET process hosting the Scriban engine. Any application embedding Scriban for user-provided templates is vulnerable. Because <code>StackOverflowException</code> cannot be caught by application code, the hosting application cannot implement try/catch to survive this. This allows an unauthenticated attacker to trivially crash services using Scriban.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Scriban version 7.0.0 or later, which includes the fix for this vulnerability.</li>
<li>If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent the use of self-referencing objects in Scriban templates.</li>
<li>Monitor application logs for signs of <code>StackOverflowException</code> errors originating from Scriban template processing.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>scriban</category><category>.net</category></item><item><title>Scriban Template Engine LoopLimit Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-scriban-dos/</link><pubDate>Sat, 27 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-scriban-dos/</guid><description>Scriban's LoopLimit can be bypassed by crafted template expressions, allowing attackers to perform resource exhaustion through CPU or memory amplification, leading to denial of service.</description><content:encoded><![CDATA[<p>The Scriban template engine is vulnerable to a denial-of-service attack due to a bypass in its <code>LoopLimit</code> functionality. This vulnerability, affecting Scriban versions prior to 7.0.0, allows attackers to craft template expressions that bypass the configured loop limits, leading to excessive CPU or memory consumption. The issue stems from the fact that <code>LoopLimit</code> only applies to script loop statements and not to expensive iteration performed inside operators and built-in functions such as <code>array.size</code> and string multiplication. An attacker can exploit this by submitting a single expression, like <code>{{ 1..1000000 | array.size }}</code> for CPU exhaustion or <code>{{ 'A' * 200000000 }}</code> for memory amplification, even when <code>LoopLimit</code> is set to a small value. This vulnerability impacts applications using Scriban with untrusted template content, including template-as-a-service systems, CMS, and email rendering systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Scriban template containing an expression designed to bypass <code>LoopLimit</code>. Example: <code>{{ 1..1000000 | array.size }}</code> or <code>{{ 'A' * 200000000 }}</code>.</li>
<li>The attacker submits the malicious template to a vulnerable application that uses Scriban for template processing.</li>
<li>The application parses the template using <code>Template.Parse()</code>.</li>
<li>The application renders the template using <code>template.Render(context)</code> with a specified <code>LoopLimit</code> in <code>TemplateContext</code>.</li>
<li>The <code>array.size</code> function (or string multiplication) is invoked, leading to a large number of iterations or memory allocations <em>without</em> respecting the <code>LoopLimit</code>.</li>
<li>The application's CPU or memory resources are exhausted due to the uncontrolled iteration or allocation.</li>
<li>The application becomes unresponsive or crashes, resulting in a denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows for uncontrolled resource consumption, leading to denial-of-service conditions. Any application that accepts attacker-controlled templates and relies on <code>LoopLimit</code> is vulnerable. Observed damage includes CPU exhaustion and memory amplification. Vulnerable systems could include template-as-a-service platforms, content management systems (CMS), and email rendering systems. A successful attack can cause application downtime, impacting availability and potentially leading to data loss or corruption if the system crashes during critical operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Scriban to version 7.0.0 or later to address the vulnerability.</li>
<li>Implement additional safeguards to limit the resources available to template rendering, such as setting CPU and memory limits.</li>
<li>Implement input validation on templates to detect and reject potentially malicious expressions. Specifically, look for large ranges used in conjunction with <code>array.size</code>, or excessively large string multiplications. Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
<li>Monitor application resource usage (CPU, memory) for unusual spikes during template rendering. Enable process monitoring and alerting to detect processes consuming excessive resources.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>scriban</category><category>dos</category><category>template-injection</category></item><item><title>Scriban TemplateContext Reset Authorization Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-scriban-auth-bypass/</link><pubDate>Tue, 09 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-scriban-auth-bypass/</guid><description>Scriban versions before 7.0.0 have an authorization bypass vulnerability due to a stale include cache surviving TemplateContext.Reset(), potentially serving previously authorized content to subsequent renders in applications reusing TemplateContext objects with request-dependent ITemplateLoaders.</description><content:encoded><![CDATA[<p>Scriban, a .NET templating engine, is vulnerable to an authorization bypass issue affecting applications that reuse <code>TemplateContext</code> objects. Specifically, versions prior to 7.0.0 do not properly clear the <code>CachedTemplates</code> collection when <code>TemplateContext.Reset()</code> is called. This can lead to a situation where an <code>ITemplateLoader</code> that resolves content based on request-specific state (e.g., user identity, tenant context) serves a stale, previously authorized template to subsequent renders, even after the context is reset. This bypass occurs because the <code>include</code> function retrieves templates from the cache without re-evaluating authorization, potentially leaking sensitive data across requests or tenants. This vulnerability could be exploited in multi-tenant or permission-sensitive applications using Scriban templates.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An application initializes a <code>TemplateContext</code> object and configures an <code>ITemplateLoader</code> that resolves template content based on the current request or user context.</li>
<li>A user (e.g., an administrator) makes a request that causes the <code>ITemplateLoader</code> to load a privileged template (e.g., &quot;admin_profile.scriban&quot;) into the <code>TemplateContext</code>.</li>
<li>The <code>include</code> function is used within the main template to load the privileged template. The compiled template is then cached in <code>CachedTemplates</code>.</li>
<li>The application calls <code>TemplateContext.Reset()</code> in an attempt to clear the context for reuse. However, <code>CachedTemplates</code> is not cleared during this reset operation.</li>
<li>A different user (e.g., a regular user) makes a subsequent request that reuses the same <code>TemplateContext</code> object.</li>
<li>The <code>include</code> function is called again, attempting to load a template.</li>
<li>The <code>TemplateContext</code> retrieves the previously cached, privileged template from <code>CachedTemplates</code> without calling <code>ITemplateLoader.Load()</code> again, bypassing the intended authorization check.</li>
<li>The regular user is served the content of the administrator's template, leading to information disclosure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthorized access to sensitive information or functionality in applications using Scriban templating. The primary impact is cross-render data isolation issues, where previously authorized template content can be leaked across different requests, users, or tenants. This can lead to the exposure of sensitive data, privilege escalation, or other security breaches, depending on the content of the leaked templates. Applications that pool or reuse <code>TemplateContext</code> objects, call <code>Reset()</code> between requests, use <code>include</code> for template inclusion, and resolve included content based on request-specific state are vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Scriban version 7.0.0 or later, where this vulnerability is resolved.</li>
<li>If upgrading is not immediately feasible, avoid reusing <code>TemplateContext</code> objects across different requests or user sessions. Create a new <code>TemplateContext</code> for each request.</li>
<li>Review and audit existing Scriban templates and <code>ITemplateLoader</code> implementations to ensure that sensitive data is not inadvertently exposed through template inclusion.</li>
<li>Implement additional authorization checks within the templates themselves to verify user permissions before displaying sensitive data, even if the <code>TemplateLoader</code> is compromised.</li>
<li>Monitor the usage of <code>TemplateContext.Reset()</code> in your application and ensure that it is used correctly and does not lead to unintended data leakage.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>scriban</category><category>template-injection</category><category>authorization-bypass</category></item></channel></rss>