Merge commit from fork

StefH · web-flow · commit ff36c1ee6f26 · 2025-03-04T17:58:38.000+01:00
diff --git a/README.md b/README.md
@@ -64,6 +64,11 @@ A breaking change is introduced which is related to System.Linq.Dynamic.Core Dyn
 - The `LinqMatcher` is not allowed.
 - The [Handlebars.Net.Helpers.DynamicLinq](https://www.nuget.org/packages/Handlebars.Net.Helpers.DynamicLinq) package is not included anymore.
 
+### 1.8.0
+A breaking change is introduced which is related to the usage of the custom Handlebars.Net `File`-helper.
+By default this is not allowed anymore because of security reasons (insecure server-side template injection).
+To still enable this feature, you need to set the `AllowedCustomHandlebarHelpers` property to `File` in the `WireMockServerSettings` class.
+
 ---
 
 ## :memo: Development
diff --git a/src/WireMock.Net.Abstractions/Types/CustomHandlebarHelpers.cs b/src/WireMock.Net.Abstractions/Types/CustomHandlebarHelpers.cs
@@ -0,0 +1,16 @@
+using System;
+
+namespace WireMock.Types;
+
+/// <summary>
+/// A enum defining the supported Handlebar helpers.
+/// </summary>
+[Flags]
+public enum CustomHandlebarHelpers
+{
+    None = 0,
+
+    File = 1,
+
+    All = File
+}
diff --git a/src/WireMock.Net/Settings/WireMockServerSettings.cs b/src/WireMock.Net/Settings/WireMockServerSettings.cs
@@ -329,4 +329,13 @@ public class WireMockServerSettings
     /// </summary>
     [PublicAPI]
     public string? AdminPath { get; set; }
+
+    /// <summary>
+    /// Defines the allowed custom HandlebarHelpers which can be used. Possible values are:
+    /// - <see cref="CustomHandlebarHelpers.None"/> (Default)
+    /// - <see cref="CustomHandlebarHelpers.File"/>
+    /// - <see cref="CustomHandlebarHelpers.All"/>
+    /// </summary>
+    [PublicAPI]
+    public CustomHandlebarHelpers AllowedCustomHandlebarHelpers { get; set; } = CustomHandlebarHelpers.None;
 }
diff --git a/src/WireMock.Net/Settings/WireMockServerSettingsParser.cs b/src/WireMock.Net/Settings/WireMockServerSettingsParser.cs
@@ -50,6 +50,7 @@ public static bool TryParseArguments(string[] args, IDictionary? environment, [N
             AdminPath = parser.GetStringValue(nameof(WireMockServerSettings.AdminPath), "/__admin"),
             AllowBodyForAllHttpMethods = parser.GetBoolValue(nameof(WireMockServerSettings.AllowBodyForAllHttpMethods)),
             AllowCSharpCodeMatcher = parser.GetBoolValue(nameof(WireMockServerSettings.AllowCSharpCodeMatcher)),
+            AllowedCustomHandlebarHelpers = parser.GetEnumValue(nameof(WireMockServerSettings.AllowedCustomHandlebarHelpers), CustomHandlebarHelpers.None),
             AllowOnlyDefinedHttpStatusCodeInResponse = parser.GetBoolValue(nameof(WireMockServerSettings.AllowOnlyDefinedHttpStatusCodeInResponse)),
             AllowPartialMapping = parser.GetBoolValue(nameof(WireMockServerSettings.AllowPartialMapping)),
             Culture = parser.GetValue(nameof(WireMockServerSettings.Culture), strings => CultureInfoUtils.Parse(strings.FirstOrDefault()), CultureInfo.CurrentCulture),
diff --git a/src/WireMock.Net/Transformers/Handlebars/FileHelpers.cs b/src/WireMock.Net/Transformers/Handlebars/FileHelpers.cs
@@ -11,19 +11,21 @@ namespace WireMock.Transformers.Handlebars;
 
 internal class FileHelpers : BaseHelpers, IHelpers
 {
+    internal const string Name = "File";
+
     private readonly IFileSystemHandler _fileSystemHandler;
 
     public FileHelpers(IHandlebars context, IFileSystemHandler fileSystemHandler) : base(context)
     {
         _fileSystemHandler = Guard.NotNull(fileSystemHandler);
     }
 
-    [HandlebarsWriter(WriterType.String, usage: HelperUsage.Both, passContext: true, name: "File")]
+    [HandlebarsWriter(WriterType.String, usage: HelperUsage.Both, passContext: true, name: Name)]
     public string Read(Context context, string path)
     {
         var templateFunc = Context.Compile(path);
-        var transformed = templateFunc(context.Value);
-        return _fileSystemHandler.ReadResponseBodyAsString(transformed);
+        var transformedPath = templateFunc(context.Value);
+        return _fileSystemHandler.ReadResponseBodyAsString(transformedPath);
     }
 
     public Category Category => Category.Custom;
diff --git a/src/WireMock.Net/Transformers/Handlebars/HandlebarsContextFactory.cs b/src/WireMock.Net/Transformers/Handlebars/HandlebarsContextFactory.cs
@@ -23,7 +23,7 @@ public ITransformerContext Create()
         };
         var handlebars = HandlebarsDotNet.Handlebars.Create(config);
 
-        WireMockHandlebarsHelpers.Register(handlebars, _settings.FileSystemHandler);
+        WireMockHandlebarsHelpers.Register(handlebars, _settings);
 
         _settings.HandlebarsRegistrationCallback?.Invoke(handlebars, _settings.FileSystemHandler);
 
diff --git a/src/WireMock.Net/Transformers/Handlebars/WireMockHandlebarsHelpers.cs b/src/WireMock.Net/Transformers/Handlebars/WireMockHandlebarsHelpers.cs
@@ -2,21 +2,20 @@
 
 using System;
 using System.Collections.Generic;
-using System.Diagnostics;
 using System.IO;
-using System.Reflection;
 using HandlebarsDotNet;
 using HandlebarsDotNet.Helpers;
 using HandlebarsDotNet.Helpers.Helpers;
-using WireMock.Handlers;
+using WireMock.Settings;
+using WireMock.Types;
 
 namespace WireMock.Transformers.Handlebars;
 
 internal static class WireMockHandlebarsHelpers
 {
-    public static void Register(IHandlebars handlebarsContext, IFileSystemHandler fileSystemHandler)
+    internal static void Register(IHandlebars handlebarsContext, WireMockServerSettings settings)
     {
-        // Register https://.com/StefH/Handlebars.Net.Helpers
+        // Register https://.com/Handlebars.Net/Handlebars.Net.Helpers
         HandlebarsHelpers.Register(handlebarsContext, o =>
         {
             var paths = new List<string>
@@ -33,17 +32,18 @@ void Add(string? path, ICollection<string> customHelperPaths)
                     customHelperPaths.Add(path!);
                 }
             }
-            Add(Path.GetDirectoryName(Assembly.GetEntryAssembly()?.Location), paths);
-            Add(Path.GetDirectoryName(Assembly.GetCallingAssembly().Location), paths);
-            Add(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), paths);
-            Add(Path.GetDirectoryName(Process.GetCurrentProcess().MainModule?.FileName), paths);
+            Add(Path.GetDirectoryName(System.Reflection.Assembly.GetEntryAssembly()?.Location), paths);
+            Add(Path.GetDirectoryName(System.Reflection.Assembly.GetCallingAssembly().Location), paths);
+            Add(Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location), paths);
+            Add(Path.GetDirectoryName(System.Diagnostics.Process.GetCurrentProcess().MainModule?.FileName), paths);
 #endif
             o.CustomHelperPaths = paths;
 
-            o.CustomHelpers = new Dictionary<string, IHelpers>
+            o.CustomHelpers = new Dictionary<string, IHelpers>();
+            if (settings.AllowedCustomHandlebarHelpers.HasFlag(CustomHandlebarHelpers.File))
             {
-                { "File", new FileHelpers(handlebarsContext, fileSystemHandler) }
-            };
+                o.CustomHelpers.Add(FileHelpers.Name, new FileHelpers(handlebarsContext, settings.FileSystemHandler));
+            }
         });
     }
 
diff --git a/test/WireMock.Net.Tests/ResponseBuilders/ResponseWithHandlebarsFileTests.cs b/test/WireMock.Net.Tests/ResponseBuilders/ResponseWithHandlebarsFileTests.cs
@@ -1,23 +1,28 @@
 // Copyright © WireMock.Net
 
+using System;
 using System.Threading.Tasks;
+using FluentAssertions;
 using HandlebarsDotNet;
+using HandlebarsDotNet.Helpers;
 using Moq;
 using Newtonsoft.Json.Linq;
 using NFluent;
 using WireMock.Handlers;
 using WireMock.Models;
 using WireMock.ResponseBuilders;
 using WireMock.Settings;
+using WireMock.Transformers.Handlebars;
+using WireMock.Types;
 using Xunit;
 
 namespace WireMock.Net.Tests.ResponseBuilders;
 
 public class ResponseWithHandlebarsFileTests
 {
-    private readonly WireMockServerSettings _settings = new();
     private const string ClientIp = "::1";
 
+    private readonly WireMockServerSettings _settings;
     private readonly Mock<IMapping> _mappingMock;
     private readonly Mock<IFileSystemHandler> _filesystemHandlerMock;
 
@@ -28,7 +33,11 @@ public ResponseWithHandlebarsFileTests()
         _filesystemHandlerMock = new Mock<IFileSystemHandler>(MockBehavior.Strict);
         _filesystemHandlerMock.Setup(fs => fs.ReadResponseBodyAsString(It.IsAny<string>())).Returns("abc");
 
-        _settings.FileSystemHandler = _filesystemHandlerMock.Object;
+        _settings = new()
+        {
+            AllowedCustomHandlebarHelpers = CustomHandlebarHelpers.File,
+            FileSystemHandler = _filesystemHandlerMock.Object
+        };
     }
 
     [Fact]
@@ -48,7 +57,7 @@ public async Task Response_ProvideResponseAsync_Handlebars_File()
         var response = await responseBuilder.ProvideResponseAsync(_mappingMock.Object, request, _settings).ConfigureAwait(false);
 
         // Assert
-        JObject j = JObject.FromObject(response.Message.BodyData.BodyAsJson);
+        var j = JObject.FromObject(response.Message.BodyData.BodyAsJson);
         Check.That(j["Data"].Value<string>()).Equals("abc");
 
         // Verify
@@ -73,7 +82,7 @@ public async Task Response_ProvideResponseAsync_Handlebars_File_Replace()
         var response = await responseBuilder.ProvideResponseAsync(_mappingMock.Object, request, _settings).ConfigureAwait(false);
 
         // Assert
-        JObject j = JObject.FromObject(response.Message.BodyData.BodyAsJson);
+        var j = JObject.FromObject(response.Message.BodyData.BodyAsJson);
         Check.That(j["Data"].Value<string>()).Equals("abc");
 
         // Verify
@@ -101,4 +110,28 @@ public void Response_ProvideResponseAsync_Handlebars_File_WithMissingArgument_Th
         _filesystemHandlerMock.Verify(fs => fs.ReadResponseBodyAsString(It.IsAny<string>()), Times.Never);
         _filesystemHandlerMock.VerifyNoOtherCalls();
     }
+
+    [Fact]
+    public void Response_ProvideResponseAsync_Handlebars_File_NotAllowed_Throws_HandlebarsRuntimeException()
+    {
+        // Assign
+        var settings = new WireMockServerSettings
+        {
+            AllowedCustomHandlebarHelpers = CustomHandlebarHelpers.None,
+            FileSystemHandler = _filesystemHandlerMock.Object
+        };
+        var request = new RequestMessage(new UrlDetails("http://localhost:1234?id=x"), "GET", ClientIp);
+
+        var responseBuilder = Response.Create()
+            .Witdy("{{File \"{{request.query.id}}.json\"}}")
+            .WithTransformer();
+
+        // Act
+        Func<Task> action = () => responseBuilder.ProvideResponseAsync(_mappingMock.Object, request, settings);
+
+        action.Should().ThrowAsync<HandlebarsRuntimeException>();
+
+        // Verify
+        _filesystemHandlerMock.VerifyNoOtherCalls();
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -11,19 +11,21 @@ namespace WireMock.Transformers.Handlebars;`
`11`	`11`
`12`	`12`	`internal class FileHelpers : BaseHelpers, IHelpers`
`13`	`13`	`{`
	`14`	`+internal const string Name = "File";`
	`15`	`+`
`14`	`16`	`private readonly IFileSystemHandler _fileSystemHandler;`
`15`	`17`
`16`	`18`	`public FileHelpers(IHandlebars context, IFileSystemHandler fileSystemHandler) : base(context)`
`17`	`19`	`{`
`18`	`20`	`_fileSystemHandler = Guard.NotNull(fileSystemHandler);`
`19`	`21`	`}`
`20`	`22`
`21`		`-[HandlebarsWriter(WriterType.String, usage: HelperUsage.Both, passContext: true, name: "File")]`
	`23`	`+[HandlebarsWriter(WriterType.String, usage: HelperUsage.Both, passContext: true, name: Name)]`
`22`	`24`	`public string Read(Context context, string path)`
`23`	`25`	`{`
`24`	`26`	`var templateFunc = Context.Compile(path);`
`25`		`-var transformed = templateFunc(context.Value);`
`26`		`-return _fileSystemHandler.ReadResponseBodyAsString(transformed);`
	`27`	`+var transformedPath = templateFunc(context.Value);`
	`28`	`+return _fileSystemHandler.ReadResponseBodyAsString(transformedPath);`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`public Category Category => Category.Custom;`