Pebble Templates Arbitrary File Inclusion Vulnerability via Include Tag

Vulnerability

A vulnerability allowing arbitrary local file inclusion has been identified in all versions of the Pebble templating engine, specifically through the use of the include tag. This issue arises because the include tag can be exploited to access sensitive local files, such as /etc/passwd or /proc/1/environ. The vulnerability requires a high-privileged attacker who can create malicious notification templates that leverage the include tag to access these files.

Impact

Exploitation of this vulnerability allows for arbitrary file inclusion, with the potential to access sensitive system files.

Reproduction

To reproduce this vulnerability, create a Pebble template that uses the include tag with a path to a sensitive file, such as /etc/passwd. This can be done using the PebbleEngine's getLiteralTemplate method, which processes the template string; evaluating the resulting template then renders the file at the included path.

Remediation

This vulnerability can be mitigated by disabling the include tag in Pebble Templates. This can be done by creating a new PebbleEngine instance and registering an extension customizer that disallows the include tag.
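
One way to apply the remediation above and confirm it took effect. This is an added example, not code from the original advisory or the Pebble project. It assumes a Pebble release that ships DisallowExtensionCustomizerBuilder under the io.pebbletemplates package names; the class name HardenedPebble, the helper renderOrReject and both sample templates are constructed for illustration.

```java
import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.error.PebbleException;
import io.pebbletemplates.pebble.extension.core.DisallowExtensionCustomizerBuilder;
import io.pebbletemplates.pebble.template.PebbleTemplate;

import java.io.IOException;
import java.io.StringWriter;
import java.util.List;
import java.util.Map;

public class HardenedPebble {

    // Engine intended for user-authored templates: the "include" token parser
    // is removed, so {% include ... %} is no longer a tag the parser accepts.
    static PebbleEngine hardenedEngine() {
        return new PebbleEngine.Builder()
                .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                        .disallowedTokenParserTags(List.of("include"))
                        .build())
                .build();
    }

    // Hypothetical helper: returns the rendered text, or null when the engine
    // refuses the template (parse or evaluation error).
    static String renderOrReject(PebbleEngine engine, String source,
                                 Map<String, Object> context) throws IOException {
        try {
            PebbleTemplate template = engine.getLiteralTemplate(source);
            StringWriter out = new StringWriter();
            template.evaluate(out, context);
            return out.toString();
        } catch (PebbleException e) {
            return null; // log e.getMessage() in a real service to spot probing
        }
    }

    public static void main(String[] args) throws IOException {
        PebbleEngine engine = hardenedEngine();
        // Constructed sample templates: an ordinary notification body and one using include.
        String ordinary = "Hello {{ name }}, your build finished.";
        String withInclude = "{% include 'other-template' %}";
        System.out.println("ordinary     -> " + renderOrReject(engine, ordinary, Map.of("name", "ops")));
        System.out.println("with include -> " + renderOrReject(engine, withInclude, Map.of()));
    }
}
```

A regression test that asserts the second call returns null keeps the mitigation from being dropped silently when the engine configuration is refactored.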

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.