I have a node js web app that is using handlebars. Users are asking me to let them register their own handlebars helpers.

I'm quite hesitant about letting them do it... but I'll give it a go if there is a secure way of doing it so.

var Handlebars = require("handlebars");
var fs = require("fs");
var content = fs.readFileSync("template.html", "utf8");


//This helper will be posted by the user
var userHandlebarsHelpers = "Handlebars.registerHelper('foo', function(value) { return 'Foo' + value; });"

//eval(userHandlebarsHelpers); This I do not like! Eval is evil

//Compile handlebars with user submitted Helpers
var template = Handlebars.compile(content);
var handleBarContent = template({ foo: bar });


//Save compiled template and some extra code.

Thank you in advance!

Because helpers are just Javascript code, the only way you could safely run arbitrary Javascript from the outside world on your server is if you either ran it an isolated sandbox process or you somehow sanitized the code before you ran it.

The former can be done with isolated VMs and external control over the process, but that makes it quite a pain to have helper code in some external process as you now have to develop ways to even call it and pass data back and forth.

Sanitizing Javascript to be safe from running exploits on your server is a pretty much impossible task when your API set is as large as node.js. The browser has a very tightly controlled set of things that Javascript can do to keep the underlying system safe from what browser Javascript can do. node.js has none of those safeguards. You could put code in one of these helpers to erase the entire hard drive of the server or install multiple viruses or pretty much whatever evil exploit you wanted to code. So, running arbitrary Javascript will simply not be safe.

Depending upon the exact problems that need to be solved, one can something develop a data driven approach where, instead of code, the user provides some higher level set of instructions (map this to that, substitute this with that, replace this with that, display from this set of data, etc...) that is not actually Javascript, but rather some non-executable meta data. That is much more feasible to make safe because you control all the code that acts on this meta data so you just have to make sure that the code that processes the meta data isn't capable of being tricked into doing something evil.

Following @jfriend00 input and after some serious testing I found a way to do it using nodejs vm module.

Users will input their helpers with this format:

[[HBHELPER 'customHelper' value]]
   value.replace(/[0-9]/g, "");
[[/HBHELPER]]

[[HBHELPER 'modulus' index mod result block]]
   if(parseInt(index) % mod === parseInt(result))
      block.fn(this);
[[/HBHELPER]]

//This will throw an error when executed "Script execution timed out."
[[HBHELPER 'infiniteLoop' value]] 
   while(1){}
[[/HBHELPER]]

I translate that block into this and execute it:

 Handlebars.registerHelper('customHelper', function(value) {
    //All the code is executed inside the VM
    return vm.runInNewContext('value.replace(/[0-9]/g, "");', {
        value: value
    }, {
        timeout: 1000
    });
});

Handlebars.registerHelper('modulus', function(index, mod, result, block) {
    return vm.runInNewContext('if(parseInt(index) % mod === parseInt(result)) block.fn(this);', {
        index: index,
        mod: mod,
        result: result,
        block: block
    }, {
        timeout: 1000
    });
});

Handlebars.registerHelper('infiniteLoop', function(value) {
    //Error
    return vm.runInNewContext('while(1){}', {
        value: value
    }, {
        timeout: 1000
    });
});

I made multiple tests so far, trying to delete files, require modules, infinite loops. Everything is going perfectly, all those operations failed.

Running the handlebar helper callback function in a VM is what made this work for me, because my main problem using VM's and running the whole code inside was adding those helpers to my global Handlebars object.

I'll update if I found a way to exploit it.