ajinabraham.njsscan.traversal.express_hbs_lfr.express_lfr

profile photo of ajinabrahamajinabraham
Author
unknown
Download Count*
License

Untrusted user input in express render() function can result in arbitrary file read when hbs templating is used.

Run Locally

Run in CI

Defintion

rules:
  - id: express_lfr
    patterns:
      - pattern-inside: |
          require('hbs')
          ...
      - pattern-inside: |
          require('express')
          ...
      - pattern-either:
          - pattern: |
              $INP = <... $REQ.$QUERY ...>;
              ...
              $RES.render($VIEW, <... $INP ...>)
          - pattern: |
              $INP = <... $REQ.$QUERY.$FOO ...>;
              ...
              $RES.render($VIEW, <... $INP ...>)
          - pattern: $RES.render($VIEW, <... $REQ.$QUERY.$FOO ...>)
          - pattern: $RES.render($VIEW, <... $REQ.$BODY ...>)
    message: Untrusted user input in express render() function can result in
      arbitrary file read when hbs templating is used.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a5
      cwe: cwe-23
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other