add CVE-2021-23369 and CVE-2021-23383 for handlebars-source

[ddalcino]

The handlebars-source gem (wraps the JS library handlebars) has had about a dozen vulnerabilities over the years (see: https://github.com/advisories?query=handlebars and https://security.snyk.io/package/npm/handlebars). I've chosen to only add advisories for the most recent two of these, since handlebars v 4.7.7 will also fix the rest. I hope that's OK.

[postmodern]

Are you sure that version 4.7.7 of the gem handlebars-source fixes the issues? Checking the commits between 4.7.6 and 4.7.7 I don't see any mention of the CVEs. The CVE and GHSA information refers to the handlebars.js package, not the rubygem which vendors it. The version numbers between the two packages may be different.

[ddalcino]

Are you sure that version 4.7.7 of the gem handlebars-source fixes the issues? Checking the commits between 4.7.6 and 4.7.7 I don't see any mention of the CVEs.

If you look at the commits between 4.7.6 and 4.7.7, check for the two commits on Feb 13, 2021:

• fix: escape property names in compat mode f058970
• fix: check prototype property access in strict-mode b6d3de7

These commits are part of handlebars-lang/handlebars.js#1736, and the comments in that PR more directly explain the CVEs fixed.

[ddalcino]

The CVE and GHSA information refers to the handlebars.js package, not the rubygem which vendors it. The version numbers between the two packages may be different.

I don't know for certain who is deploying handlebars-source to rubygems.org, but the https://github.com/handlebars-lang/handlebars.js is the original JS repository for the library, and they include a gemspec file. I am inferring, perhaps incorrectly, that they are vendoring the library themselves.

https://rubygems.org/gems/handlebars-source appears to host all the same gem versions as the tags that exist at handlebars.js since at least Version 4.7.0, with only a one-day offset between the upload dates (plausibly a timezone issue).

[ddalcino]

The version numbers between the two packages may be different.

Regardless of who packaged the rubygem, we can verify that the contents match in an easily reproducible way. Try this:

$ mkdir node_modules
$ npm install --ignore-scripts handlebars@4.7.6
$ gem fetch handlebars-source -v 4.7.6 && gem unpack handlebars-source-4.7.6.gem
$ diff -sq handlebars-source-4.7.6/handlebars.js node_modules/handlebars/dist/handlebars.js
Files handlebars-source-4.7.6/handlebars.js and node_modules/handlebars/dist/handlebars.js are identical

$ npm install --ignore-scripts handlebars@4.7.7
$ gem fetch handlebars-source -v 4.7.7 && gem unpack handlebars-source-4.7.7.gem
$ diff -sq handlebars-source-4.7.7/handlebars.js node_modules/handlebars/dist/handlebars.js
Files handlebars-source-4.7.7/handlebars.js and node_modules/handlebars/dist/handlebars.js are identical

According to https://rubygems.org/gems/handlebars-source, jaylinski vendored and uploaded the gem. There is a jaylinski on the handlebars.js contributors list (5th contributor down), and he appears to be very active in that repository.

What else needs to be done here to prove that the handlebars-source rubygem, at v4.7.6, is vulnerable to CVE-2021-23369 and CVE-2021-23383, and that these CVEs are fixed in the rubygem at v4.7.7?