This is admittedly a strange use-case, but I’ve been working on writing a Handlebars parser in Elixir and one of the gotchas is that you don’t want clever users injecting random Elixir code into your templates.
For example, this is a nice and benign Handlebars template:
{{#if some_variable}}
Hello there!
{{/if}}
– it would get safely converted to EEx and no harm is done.
However, if some clever nefarious user provided a template like this:
{{#if File.write!("/path/to/webroot/index.html", "All your base belong to us!")}}
Hello there!
{{/if}}
then I want to be able to catch it. It’s tough, however… parentheses are optional, and legitimate values may be quoted or not. The only thing I can think of is checking the input (File.write!("/path/to/webroot/index.html", "All your base belong to us!") in this case) to see if it
a) begins with a capital letter (i.e. if it might be a module name) or
b) begins with a colon (which would denote some Erlang code)
Does anyone have any other ideas? Many thanks!
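One way to make the two heuristics above concrete, and to go one step further by parsing the expression and accepting only plain variables, dot access and literals. This is an added example written for this post, not the author's parser; the module and function names are made up.

```elixir
defmodule TemplateGuard do
  @moduledoc """
  Checks the expression inside a Handlebars block such as `{{#if expr}}` before
  it is turned into EEx. Only a bare variable path (e.g. `user.name`) or a
  literal is accepted; anything that parses to a call is rejected.
  """

  # The two heuristics from the post: a module name (capital letter) or an
  # Erlang module / atom (leading colon) at the start of the expression.
  def suspicious_prefix?(expr) do
    String.match?(expr, ~r/^\s*([A-Z]|:)/)
  end

  # Stricter check: parse (not evaluate) the expression with the Elixir parser
  # and walk the AST, rejecting any node that is not a literal, a plain
  # variable or a dot access with no arguments. Passing
  # `existing_atoms_only: true` to Code.string_to_quoted/2 additionally stops
  # untrusted input from creating new atoms if the assigns keys already exist.
  def safe_expression?(expr) do
    not suspicious_prefix?(expr) and
      case Code.string_to_quoted(expr) do
        {:ok, ast} -> safe_ast?(ast)
        {:error, _reason} -> false
      end
  end

  # Literals: strings, numbers, true/false/nil. Interpolated strings parse to
  # a `<<>>` node and are therefore rejected by the catch-all clause below.
  defp safe_ast?(lit) when is_binary(lit) or is_number(lit) or is_boolean(lit) or is_nil(lit),
    do: true

  # Plain variable such as `some_variable`: {name, meta, context_atom}.
  # Special forms like __ENV__ or __MODULE__ have the same shape and are
  # excluded by name. The converter should still emit `@some_variable` (an
  # assigns lookup) rather than a bare variable, because in EEx a bare `node`
  # with no bound variable would call Kernel.node/0.
  defp safe_ast?({name, _meta, ctx}) when is_atom(name) and is_atom(ctx) do
    not String.starts_with?(Atom.to_string(name), "__")
  end

  # Dot access `user.name` with no call arguments: the right side must be an
  # atom key and the left side must itself be safe. `File.write!(...)` fails
  # here because its argument list is non-empty, and `some_fun.()` fails
  # because the dot node carries a single element instead of [left, key].
  defp safe_ast?({{:., _, [left, key]}, _, []}) when is_atom(key), do: safe_ast?(left)

  # Everything else: calls with arguments, operators, sigils, aliases, lists.
  defp safe_ast?(_other), do: false
end
```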