javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape

Author: semgrep
Download count: 7,795

Detected an explicit unescape in a Mustache template, using triple braces '{{{...}}}' or ampersand '&'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.
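The following is an added example, not part of the Semgrep rule or the mustache.js project. It does two things: it runs the rule's two regexes over a few constructed template lines (mirroring the cases in the rule's test file) so the match and no-match decisions can be checked without Semgrep, and it contrasts what double braces escape with what triple braces and '&' pass through, using a small escaper modeled on mustache.js's default entity map and a deliberately minimal variable-only renderer (neither is mustache.js itself). The second pattern is read here as `{{\s*&.*}}` (optional whitespace, then '&'); note that if the YAML double-quoted text `\\\\s` is taken literally, it unescapes to `\\s`, a character class matching a backslash or the letter s rather than whitespace, which is why the example spells it as `\s`. The hostile view value and the template lines are constructed sample data.

```javascript
// Added example: not code from the Semgrep rule or mustache.js.
// (1) Apply the rule's two regexes to constructed template lines.
// (2) Show why the finding matters: "{{x}}" is HTML-escaped, "{{{x}}}"
//     and "{{&x}}" are inserted verbatim.

// Rule's first regex, verbatim: triple braces whose content does not start
// with "include" (so "{{{include ...}}}" partial includes are not reported).
const TRIPLE_BRACE = /{{{((?!include).)*?}}}/;
// Rule's second pattern, read as optional whitespace followed by '&'.
// Assumption: \s (whitespace) is the intended meaning of the YAML "[\\\\s]".
const AMPERSAND = /{{\s*&.*}}/;

// Scan template source line by line; return the first unescaped tag per line.
function scanTemplate(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    const m = line.match(TRIPLE_BRACE) || line.match(AMPERSAND);
    if (m) findings.push({ line: i + 1, tag: m[0] });
  });
  return findings;
}

// Constructed template lines mirroring the cases in the rule's test file.
const SAMPLE_TEMPLATE = [
  "{{{include 'html/partials/some-partial.html'}}}",                  // ok: partial include
  "<h1>Oi, meu nome é {{{autor.nome}}} {{autor.sobrenome}}!</h1>",  // finding: triple braces
  "<h2>{{time.nome}}</h2>",                                          // ok: escaped variable
  "<b>{{&nome}}</b>",                                                // finding: ampersand
  "{{> template-table}}",                                            // ok: partial tag
].join("\n");

// HTML escaping modeled on mustache.js's default escape function
// (assumption: same entity map as Mustache.escape).
const ENTITY_MAP = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
  "'": "&#39;", "/": "&#x2F;", "`": "&#x60;", "=": "&#x3D;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Minimal renderer for plain variables only (no sections, no partials);
// enough to contrast the three tag forms. This is not mustache.js.
function renderVariables(template, view) {
  return template.replace(
    /{{{\s*([\w.]+)\s*}}}|{{\s*&\s*([\w.]+)\s*}}|{{\s*([\w.]+)\s*}}/g,
    (_, triple, amp, plain) => {
      const name = triple || amp || plain;
      // Resolve dotted names such as "autor.nome" against the view object.
      const value = name.split(".").reduce((o, k) => (o == null ? o : o[k]), view);
      return triple || amp ? String(value) : escapeHtml(value);
    }
  );
}

// Constructed hostile view value. A defender's check is that the escaped
// rendering contains no raw "<" while the unescaped forms do.
const HOSTILE_VIEW = { autor: { nome: "<script>alert(1)</script>" } };

function demo() {
  return {
    findings: scanTemplate(SAMPLE_TEMPLATE),
    escaped: renderVariables("{{autor.nome}}", HOSTILE_VIEW),
    unescaped: renderVariables("{{{autor.nome}}}", HOSTILE_VIEW),
    ampersand: renderVariables("{{&autor.nome}}", HOSTILE_VIEW),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block reports two findings (line 2, `{{{autor.nome}}}`, and line 4, `{{&nome}}`) and prints the same script payload once entity-encoded and twice verbatim. When a triple-brace or '&' tag is genuinely needed (for example, to insert server-generated markup), the value placed in the view must be sanitized or built from trusted data before rendering, since the template itself offers no protection at that point.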

Definition

rules:
  - id: template-explicit-unescape
    message: Detected an explicit unescape in a Mustache template, using triple
      braces '{{{...}}}' or ampersand '&'. If external data can reach these
      locations, your application is exposed to a cross-site scripting (XSS)
      vulnerability. If you must do this, ensure no external data can reach this
      location.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://github.com/janl/mustache.js/#variables
        - https://ractive.js.org/v0.x/0.7/mustaches#variables
      category: security
      technology:
        - express
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    severity: WARNING
    paths:
      include:
        - "*.mustache"
        - "*.hbs"
        - "*.html"
    pattern-either:
      - pattern-regex: "{{{((?!include).)*?}}}"
      - pattern-regex: "{{[\\\\s]*&.*}}"

Examples

explicit-unescape.mustache

<!-- cf. https://github.com/caiomartini/mustache-demo/blob/97b9200ebd2d27953febff23e6718aa1aa9ee44d/demo-mustache.html -->
<!DOCTYPE HTML>
<html>

<head>
    <title>Demo Mustache.JS</title>
    <meta charset="utf-8">
    <link rel="stylesheet" href="node_modules\bootstrap\dist\css\bootstrap.min.css">
    <script type="text/javascript" src="node_modules\jquery\dist\jquery.min.js"></script>
    <script type="text/javascript" src="node_modules\bootstrap\dist\js\bootstrap.min.js"></script>
    <script type="text/javascript" src="node_modules\mustache\mustache.min.js"></script>
    <script type="text/javascript" src="demo-mustache.js"></script>
</head>

<body onload="carregarDemo();">
    <div class="content">
        <div id="mustache-header"></div>
        <div id="mustache-cards"></div>
    </div>
</body>

<!-- ok: template-explicit-unescape -->
{{{include 'html/partials/some-partial.html'}}}

<script id="template-header" type="x-tmpl-mustache">
    <div class="jumbotron text-center">
        <!-- ruleid: template-explicit-unescape -->
        <h1 class="display-4">Oi, meu nome é {{{autor.nome}}} {{autor.sobrenome}}!</h1>
        <p class="lead">Isso é apenas uma demonstração de como utilizar o Mustache.JS</p>
    </div>
</script>

<script id="template-cards" type="x-tmpl-mustache">
    <div class="text-center">
        <!-- ok: template-explicit-unescape -->
        <h2>Apresentando o time da <b>{{time.nome}}</b></h2>
        <!-- ruleid: template-explicit-unescape -->
        <h6>Predio {{{time.predio}}}</h6>
    </div>
    {{#time}}
    <div class="container" style="margin-top: 30px;">
        <div class="row">
            {{#squads}}
            <div class="col-sm-6">
                <div class="card">
                    <div class="card-header text-center">
                        <!-- ruleid: template-explicit-unescape -->
                        <b>{{&nome}}</b>
                        <!-- ok: template-explicit-unescape -->
                        <b>{{ "A&nbsp;"*100 }}</b>
                    </div>
                    <div class="card-body">
                        <!-- ok: template-explicit-unescape -->
                        {{! Partial for the Squad members table }}
                        {{> template-table}}
                    </div>
                </div>
            </div>
            {{/squads}}
        </div>
    </div>
    {{/time}}
</script>

<!-- ok: template-explicit-unescape -->
<custom-element color="{{ form.controls.name.invalid && form.controls.name.touched ? 'red': 'green' }}"></custom-element>

</html>