GHSA-5wr9-m6jw-xx44
Summary
TemplateContext caches type accessors by Type only, but those accessors are built using the current MemberFilter and MemberRenamer. When a TemplateContext is reused and the filter is tightened for a later render, Scriban still reuses the old accessor and continues exposing members that should now be hidden.
Details
The relevant code path is:
TemplateContext.GetMemberAccessor()caches accessors in_memberAccessorsbyTypeinsrc/Scriban/TemplateContext.cslines 850–863.- For plain .NET objects,
GetMemberAccessorImpl()creates a newTypedObjectAccessor(type, _keyComparer, MemberFilter, MemberRenamer)insrc/Scriban/TemplateContext.cslines 909–939. TypedObjectAccessorstores the current filter and precomputes the exposed member set in its constructor andPrepareMembers()insrc/Scriban/Runtime/Accessors/TypedObjectAccessor.cslines 33–40 and 119–179.- Member access later goes through
ScriptMemberExpression.GetValue()insrc/Scriban/Syntax/Expressions/ScriptMemberExpression.cslines 67–95, which uses the cached accessor. TemplateContext.Reset()does not clear_memberAccessorsinsrc/Scriban/TemplateContext.cslines 877–902.
As a result, once a permissive accessor has been created for a given type, changing TemplateContext.MemberFilter later does not take effect for that type on the same reused context.
This is especially relevant because the Scriban docs explicitly recommend TemplateContext.MemberFilter for indirect .NET object exposure.
---
Proof of Concept
Setup
mkdir scriban-poc2
cd scriban-poc2
dotnet new console --framework net8.0
dotnet add package Scriban --version 6.6.0Program.cs
using System.Reflection;
using Scriban;
using Scriban.Runtime;
var template = Template.Parse("{{ model.secret }}");
var context = new TemplateContext
{
EnableRelaxedMemberAccess = false
};
var globals = new ScriptObject();
globals["model"] = new SensitiveModel();
context.PushGlobal(globals);
context.MemberFilter = _ => true;
Console.WriteLine("first=" + template.Render(context));
context.Reset();
var globals2 = new ScriptObject();
globals2["model"] = new SensitiveModel();
context.PushGlobal(globals2);
context.MemberFilter = member => member.Name == nameof(SensitiveModel.Public);
Console.WriteLine("second=" + template.Render(context));
sealed class SensitiveModel
{
public string Public => "ok";
public string Secret => "leaked";
}Run
dotnet runActual Output
first=leaked
second=leakedExpected Behavior
The second render should fail or stop exposing Secret, because the filter only allows Public and EnableRelaxedMemberAccess is disabled.
This reproduces a direct filter bypass caused by the stale cached accessor.
---
Impact
This is a protection-mechanism bypass. Applications that use TemplateContext.MemberFilter as part of their sandbox or object-exposure policy can unintentionally expose hidden members across requests when they reuse a TemplateContext.
The impact includes:
- Unauthorized read access to filtered properties or fields
- Unauthorized writes if the filtered member also has a setter
- Policy bypass across requests, users, or tenants when contexts are pooled
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://github.com/scriban/scriban/security/advisories/GHSA-5wr9-m6jw-xx44, https://github.com/scriban/scriban
Basic Information
