ajinabraham.njsscan.express_hbs_lfr.express_lfr_warning

Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used.
Definition
rules:
  - id: express_lfr_warning
    patterns:
      - pattern-not-inside: |
          require('hbs')
          ...
      - pattern-inside: |
          require('express')
          ...
      - pattern-either:
          - pattern: |
              $INP = <... $REQ.$QUERY ...>;
              ...
              $RES.render($VIEW, <... $INP ...>)
          - pattern: |
              $INP = <... $REQ.$QUERY.$FOO ...>;
              ...
              $RES.render($VIEW, <... $INP ...>)
          - pattern: $RES.render($VIEW, <... $REQ.$QUERY.$FOO ...>)
          - pattern: $RES.render($VIEW, <... $REQ.$BODY ...>)
    message: Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used.
    languages:
      - javascript
    severity: WARNING
    metadata:
      owasp-web: a5
      cwe: cwe-23
      license: LGPL-3.0-or-later
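As an added example (not part of this registry page or the njsscan rule), the JavaScript below shows the handler shape the patterns above match, where the whole `req.query` object flows into `res.render()`, beside a hardened handler that builds the locals object explicitly from validated fields. It uses a stub `res` so it runs without express or hbs; the list of engine-interpreted option keys is constructed for the example, and the hbs `layout` behaviour it refers to is an assumption noted in the comments.

```javascript
// Added example, not code from the Semgrep registry page or the njsscan rule.
// Assumption: the hbs view engine reads a `layout` key from the render options
// as a template path, which is why attacker-controlled keys must never reach
// render() unfiltered. A stub `res` records what render() received.

// Keys a view engine or express may interpret rather than pass to the template
// (constructed list for this example).
const ENGINE_OPTION_KEYS = new Set(['layout', 'cache', 'settings', '_locals']);

// The shape `express_lfr_warning` matches: untrusted input flows into render().
function vulnerableHandler(req, res) {
  const inp = req.query;            // $INP = <... $REQ.$QUERY ...>
  res.render('profile', inp);       // $RES.render($VIEW, <... $INP ...>)
}

// Hardened form: build the locals object explicitly, copying only the fields
// the template needs after validating their type and range.
function buildProfileLocals(query) {
  const name = typeof query.name === 'string' ? query.name.slice(0, 64) : 'guest';
  const pageNum = Number(query.page);
  const page = Number.isInteger(pageNum) && pageNum > 0 ? pageNum : 1;
  return { name, page };
}

function safeHandler(req, res) {
  res.render('profile', buildProfileLocals(req.query));
}

// Check: does a locals object carry a key the engine would interpret?
function hasEngineOptionKey(locals) {
  return Object.keys(locals).some((k) => ENGINE_OPTION_KEYS.has(k));
}

// Minimal stand-in for express's `res` that records what render() received.
function stubResponse() {
  const calls = [];
  return { calls, render(view, locals) { calls.push({ view, locals }); } };
}

// Runs both handlers on the same constructed request and reports whether the
// request-supplied `layout` key reached render().
function compareHandlers() {
  // Constructed request: a benign field plus an engine option the client
  // should never be able to set.
  const req = { query: { name: 'alice', page: '2', layout: '../../not-a-template' } };
  const vulnRes = stubResponse();
  const safeRes = stubResponse();
  vulnerableHandler(req, vulnRes);
  safeHandler(req, safeRes);
  return {
    vulnerableLeaksOption: hasEngineOptionKey(vulnRes.calls[0].locals),
    hardenedLeaksOption: hasEngineOptionKey(safeRes.calls[0].locals),
    hardenedLocals: safeRes.calls[0].locals,
  };
}

console.log(compareHandlers());
```

The rule reports the vulnerable handler because `inp` is assigned from `req.query` and then passed to `render()`; the hardened handler is not matched because `render()` receives a freshly built object whose fields were chosen by the application, so a `layout` key in the query string never reaches the view engine.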
Short Link: https://sg.run/l2XD