javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape
Author: semgrep
Detected an explicit unescape in a Mustache template, using triple braces '{{{...}}}' or ampersand '&'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.
Definition
rules:
  - id: template-explicit-unescape
    message: >-
      Detected an explicit unescape in a Mustache template, using triple
      braces '{{{...}}}' or ampersand '&'. If external data can reach these
      locations, your application is exposed to a cross-site scripting (XSS)
      vulnerability. If you must do this, ensure no external data can reach this
      location.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://github.com/janl/mustache.js/#variables
        - https://ractive.js.org/v0.x/0.7/mustaches#variables
      category: security
      technology:
        - express
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    severity: WARNING
    paths:
      include:
        - "*.mustache"
        - "*.hbs"
        - "*.html"
    pattern-either:
      - pattern-regex: "{{{((?!include).)*?}}}"
      - pattern-regex: "{{[\\\\s]*&.*}}"
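As an added example, not part of the Semgrep rule or of mustache.js: a JavaScript transcription of the rule's two pattern-regex entries (the second taken as optional whitespace followed by '&'), run line by line over a constructed template, together with a minimal HTML escaper that approximates what the default double-mustache does before inserting a value. The functions scanTemplate, escapeHtml and renderBoth, the sample template and the escape map are all constructed here and are not part of the rule or the library.

```javascript
// Added example: line-oriented re-implementation of the
// template-explicit-unescape checks (not the rule's own engine).

// JavaScript transcription of the rule's two pattern-regex entries.
// Triple braces, excluding the {{{include ...}}} form the rule allowlists.
// Greedy '.*' is kept on purpose so behaviour matches the rule's regex.
const PATTERNS = [
  { name: "triple-stache", re: /\{\{\{((?!include).)*?\}\}\}/g },
  { name: "ampersand", re: /\{\{\s*&.*\}\}/g },
];

// Scan a template string line by line and return one finding per match,
// with a 1-based line number, the pattern that fired and the matched text.
function scanTemplate(template) {
  const findings = [];
  template.split("\n").forEach((line, idx) => {
    for (const { name, re } of PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ line: idx + 1, rule: name, match: m[0] });
      }
    }
  });
  return findings;
}

// Escaper approximating what {{name}} does to a value before insertion;
// {{{name}}} and {{&name}} skip this step and insert the value verbatim.
// (Constructed here; mustache.js has its own escape table.)
const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Render one value both ways so the difference the rule warns about is visible.
function renderBoth(value) {
  return { escaped: escapeHtml(value), raw: String(value) };
}

// Constructed sample template (shapes mirror the rule's test file).
const SAMPLE_TEMPLATE = [
  "{{{include 'html/partials/some-partial.html'}}}",                // ok: allowlisted partial
  "<h1>Hi, my name is {{{autor.nome}}} {{autor.sobrenome}}!</h1>", // finding: triple braces
  "<h2>Team <b>{{time.nome}}</b></h2>",                             // ok: escaped by default
  "<b>{{&nome}}</b>",                                               // finding: ampersand
  "<b>{{ & nome }}</b>",                                            // finding: ampersand with spaces
  "{{! a template comment }}",                                      // ok: comment
].join("\n");

// Stand-alone run: print the findings and an escaped-vs-raw comparison.
console.log(JSON.stringify(scanTemplate(SAMPLE_TEMPLATE), null, 2));
console.log(JSON.stringify(renderBoth('<b>Ada</b> & "co"'), null, 2));
```

The scanner reports lines 2, 4 and 5 of the constructed template and stays silent on the allowlisted include, the double-mustache variable and the comment, which is the behaviour the rule's own test fixture annotates with ruleid and ok. The renderBoth output shows that the same value is inert once escaped and is inserted as markup when it reaches a triple-brace or ampersand tag.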
Examples
explicit-unescape.mustache
<!-- cf. https://github.com/caiomartini/mustache-demo/blob/97b9200ebd2d27953febff23e6718aa1aa9ee44d/demo-mustache.html -->
<!DOCTYPE HTML>
<html>
<head>
<title>Demo Mustache.JS</title>
<meta charset="utf-8">
<link rel="stylesheet" href="node_modules\bootstrap\dist\css\bootstrap.min.css">
<script type="text/javascript" src="node_modules\jquery\dist\jquery.min.js"></script>
<script type="text/javascript" src="node_modules\bootstrap\dist\js\bootstrap.min.js"></script>
<script type="text/javascript" src="node_modules\mustache\mustache.min.js"></script>
<script type="text/javascript" src="demo-mustache.js"></script>
</head>
<body onload="carregarDemo();">
<div class="content">
<div id="mustache-header"></div>
<div id="mustache-cards"></div>
</div>
</body>
<!-- ok: template-explicit-unescape -->
{{{include 'html/partials/some-partial.html'}}}
<script id="template-header" type="x-tmpl-mustache">
<div class="jumbotron text-center">
<!-- ruleid: template-explicit-unescape -->
<h1 class="display-4">Oi, meu nome é {{{autor.nome}}} {{autor.sobrenome}}!</h1>
<p class="lead">Isso é apenas uma demonstração de como utilizar o Mustache.JS</p>
</div>
</script>
<script id="template-cards" type="x-tmpl-mustache">
<div class="text-center">
<!-- ok: template-explicit-unescape -->
<h2>Apresentando o time da <b>{{time.nome}}</b></h2>
<!-- ruleid: template-explicit-unescape -->
<h6>Predio {{{time.predio}}}</h6>
</div>
{{#time}}
<div class="container" style="margin-top: 30px;">
<div class="row">
{{#squads}}
<div class="col-sm-6">
<div class="card">
<div class="card-header text-center">
<!-- ruleid: template-explicit-unescape -->
<b>{{&nome}}</b>
<!-- ok: template-explicit-unescape -->
<b>{{ "A "*100 }}</b>
</div>
<div class="card-body">
<!-- ok: template-explicit-unescape -->
{{! Partial for the squad members table }}
{{> template-table}}
</div>
</div>
</div>
{{/squads}}
</div>
</div>
{{/time}}
</script>
<!-- ok: template-explicit-unescape -->
<custom-element color="{{ form.controls.name.invalid && form.controls.name.touched ? 'red': 'green' }}"></custom-element>
</html>
Short Link: https://sg.run/Lwx9