Implement path traversal protection in MJML includes #3065

Open
zdods wants to merge 1 commit into mjmlio:master from zdods:fix/CVE-2020-12827
zdods commented Mar 31, 2026

- Added security checks to prevent relative and absolute path traversal in `mj-include` tags, ensuring included files are within the project directory.
- Introduced a new helper function `assertPathWithinRoot` to validate file paths.
- Updated documentation to reflect the new security measures.
- Added tests to verify the enforcement of these security rules and ensure error messages do not leak filesystem paths.

zdods force-pushed the fix/CVE-2020-12827 branch from e2bd3d9 to 3748c64 on March 31, 2026 19:03
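
A lexical containment check of the kind the description outlines, as an added example that is not the PR's code: `resolveInsideRoot`, the error code and the sample paths are hypothetical, and the PR's own `assertPathWithinRoot` may behave differently.

```javascript
const path = require('node:path');

// Hypothetical helper, not the PR's assertPathWithinRoot: resolve an
// mj-include target and refuse anything that lands outside rootDir.
function resolveInsideRoot(rootDir, includingFile, includePath) {
  const root = path.resolve(rootDir);
  // Relative targets resolve against the including file's directory; an
  // absolute target replaces that base entirely, so it is checked the same way.
  const candidate = path.resolve(path.dirname(includingFile), includePath);
  const rel = path.relative(root, candidate);
  // Compare path segments, not string prefixes: "/srv/project-secrets"
  // starts with "/srv/project" but is a sibling directory.
  const escapes =
    rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    // Fixed message: neither the root nor the resolved path is echoed back.
    const err = new Error('mj-include path is outside the allowed root directory');
    err.code = 'EINCLUDE_OUTSIDE_ROOT';
    throw err;
  }
  return candidate;
}

// Constructed sample project layout and include values.
const ROOT = '/srv/project';
const TEMPLATE = '/srv/project/emails/welcome.mjml';

function classify(includePath) {
  try {
    resolveInsideRoot(ROOT, TEMPLATE, includePath);
    return 'allowed';
  } catch (err) {
    return err.code === 'EINCLUDE_OUTSIDE_ROOT' ? 'rejected' : 'error';
  }
}

for (const p of [
  './partials/header.mjml',         // inside root
  '../shared/footer.mjml',          // "../" that stays inside root
  '..notes.mjml',                   // file name that merely begins with ".."
  '../../../outside/secret.mjml',   // relative traversal
  '/outside/secret.mjml',           // absolute path
  '../../project-secrets/key.mjml', // sibling sharing the root's prefix
]) {
  console.log(p.padEnd(32), classify(p));
}
```

The check is lexical only: a symlink inside the root that points outside it still passes, so both paths need resolving with `fs.realpathSync` before the comparison wherever symlinks can exist.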