ajinabraham.njsscan.eval.server_side_template_injection.server_side_template_injection

ajinabraham

Author

unknown

Download Count*

License

Untrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: server_side_template_injection
    patterns:
      - pattern-either:
          - pattern-inside: |
              require('handlebars')
              ...
          - pattern-inside: |
              require('pug')
              ...
          - pattern-inside: |
              require('hamljs')
              ...
          - pattern-inside: |
              require('ejs')
              ...
          - pattern-inside: |
              require('squirrelly')
              ...
          - pattern-inside: |
              require('eta')
              ...
      - pattern-either:
          - pattern-inside: function ($REQ, $RES, ...) {...}
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      - pattern-either:
          - pattern: |
              $HB.compile(..., <... $REQ.$FOO ...>, ...)
          - pattern: |
              $HB.compile(..., <... $REQ.$FOO.$BAR ...>, ...)
          - pattern: |
              $X = <... $REQ.$FOO ...>;
              ...
              $HB.compile(..., <... $X ...>, ...)
          - pattern: |
              $X = <... $REQ.$FOO.$BAR ...>;
              ...
              $HB.compile(..., <... $X ...>, ...)
          - pattern: |
              $X = $SOURCE.replace('...', <... $REQ.$FOO ...>, ...)
              ...
              $HB.compile(..., <... $X ...>, ...)
          - pattern: |
              $X = $SOURCE.replace('...', <... $REQ.$FOO.$BAR ...>, ...)
              ...
              $HB.compile(..., <... $X ...>, ...)
          - pattern: |
              $HB.Compile(..., <... $REQ.$FOO ...>, ...)
          - pattern: |
              $HB.Compile(..., <... $REQ.$FOO.$BAR ...>, ...)
          - pattern: |
              $X = <... $REQ.$FOO ...>;
              ...
              $HB.Compile(..., <... $X ...>, ...)
          - pattern: |
              $X = <... $REQ.$FOO.$BAR ...>;
              ...
              $HB.Compile(..., <... $X ...>, ...)
          - pattern: |
              $X = $SOURCE.replace('...', <... $REQ.$FOO ...>, ...)
              ...
              $HB.Compile(..., <... $X ...>, ...)
          - pattern: |
              $X = $SOURCE.replace('...', <... $REQ.$FOO.$BAR ...>, ...)
              ...
              $HB.Compile(..., <... $X ...>, ...)
    message: Untrusted user input in templating engine's compile() function can
      result in Remote Code Execution via server side template injection.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a1
      cwe: cwe-94
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other

Short Link: https://sg.run/8XpE