ajinabraham.njsscan.server_side_template_injection.server_side_template_injection

ajinabraham

Author

1,129

Download Count*

License

Untrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: server_side_template_injection
    patterns:
      - pattern-either:
          - pattern-inside: |
              require('handlebars')
              ...
          - pattern-inside: |
              require('pug')
              ...
          - pattern-inside: |
              require('hamljs')
              ...
          - pattern-inside: |
              require('ejs')
              ...
          - pattern-inside: |
              require('squirrelly')
              ...
          - pattern-inside: |
              require('eta')
              ...
      - pattern-either:
          - pattern-inside: function ($REQ, $RES, ...) {...}
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      - pattern-either:
          - pattern: |
              $HB.compile(..., <... $REQ.$FOO ...>, ...)
          - pattern: |
              $HB.compile(..., <... $REQ.$FOO.$BAR ...>, ...)
          - pattern: |
              $X = <... $REQ.$FOO ...>;
              ...
              $HB.compile(..., <... $X ...>, ...)
          - pattern: |
              $X = <... $REQ.$FOO.$BAR ...>;
              ...
              $HB.compile(..., <... $X ...>, ...)
          - pattern: |
              $X = $SOURCE.replace('...', <... $REQ.$FOO ...>, ...)
              ...
              $HB.compile(..., <... $X ...>, ...)
          - pattern: |
              $X = $SOURCE.replace('...', <... $REQ.$FOO.$BAR ...>, ...)
              ...
              $HB.compile(..., <... $X ...>, ...)
          - pattern: |
              $HB.Compile(..., <... $REQ.$FOO ...>, ...)
          - pattern: |
              $HB.Compile(..., <... $REQ.$FOO.$BAR ...>, ...)
          - pattern: |
              $X = <... $REQ.$FOO ...>;
              ...
              $HB.Compile(..., <... $X ...>, ...)
          - pattern: |
              $X = <... $REQ.$FOO.$BAR ...>;
              ...
              $HB.Compile(..., <... $X ...>, ...)
          - pattern: |
              $X = $SOURCE.replace('...', <... $REQ.$FOO ...>, ...)
              ...
              $HB.Compile(..., <... $X ...>, ...)
          - pattern: |
              $X = $SOURCE.replace('...', <... $REQ.$FOO.$BAR ...>, ...)
              ...
              $HB.Compile(..., <... $X ...>, ...)
    message: Untrusted user input in templating engine's compile() function can
      result in Remote Code Execution via server side template injection.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a1
      cwe: cwe-94
      license: LGPL-3.0-or-later

Short Link: https://sg.run/W8xo