TemplateObjectInjection.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Passing a user-controlled object directly to a template engine lets an attacker set options that the engine
interprets itself rather than the template, which can result in local file reads or even remote code execution.
</p>
</overview>
<recommendation>
<p>
Avoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with
the specific properties needed by the template.
</p>
</recommendation>
<example>
<p>
In the example below, a server passes the user-controlled <code>profile</code> object straight to the
template engine to render the <code>index</code> template.
</p>
<sample src="examples/TemplateObjectInjection.js" />
<p>
However, if an attacker adds a <code>layout</code> property to the <code>profile</code> object, the template
engine treats its value as the path of the layout file and loads that file from disk, so the attacker can
read arbitrary local files that the server process has access to.
</p>
<p>
The fix is to have the server construct the object itself and add only the properties the template needs.
</p>
<sample src="examples/TemplateObjectInjection_fixed.js" />
</example>
<references>
<li>
blog.shoebpatel.com: <a href="https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/">The Secret Parameter, LFR, and Potential RCE in NodeJS Apps</a>.
</li>
<li>
cwe.mitre.org: <a href="https://cwe.mitre.org/data/definitions/73.html">CWE-73: External Control of File Name or Path</a>.
</li>
</references>
</qhelp>