javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape

Author: semgrep
Download count: 7,795

Detected an explicit unescape in a Pug template, using either '!=' or '!{...}'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.

Definition

rules:
  - id: template-explicit-unescape
    message: Detected an explicit unescape in a Pug template, using either '!=' or
      '!{...}'. If external data can reach these locations, your application is
      exposed to a cross-site scripting (XSS) vulnerability. If you must do
      this, ensure no external data can reach this location.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://pugjs.org/language/code.html#unescaped-buffered-code
        - https://pugjs.org/language/attributes.html#unescaped-attributes
      category: security
      technology:
        - express
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    severity: WARNING
    paths:
      include:
        - "*.pug"
    pattern-either:
      - pattern-regex: \w.*(!=)[^=].*
      - pattern-regex: "!{.*?}"

Examples

explicit-unescape.pug

// cf. https://github.com/abdulaz1z/nodejs-pug-starter/blob/42b48dd68416a87904258d1228686321206efc36/views/index.pug
doctype html
html(lang="en")
  include includes/head.pug
  body
    //- Navigation
    nav(class="navbar navbar-expand-lg navbar-dark bg-dark fixed-bottom")
      div(class="container")
        a(class="navbar-brand" href="/") NodeJs-Pug-Starter
        button(class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false" aria-label="Toggle navigation")
          span(class="navbar-toggler-icon")

        div(class="collapse navbar-collapse" id="navbarResponsive")
          ul(class="navbar-nav ml-auto")
            li(class="nav-item")
              a(class="nav-link" href="/") Home
            li(class="nav-item")
              // ruleid: template-explicit-unescape
              a(class="nav-link" target="_blank" href!=url) Documentation

    // ok: template-explicit-unescape
    if disableSignUp !== true
      a.button(href="/signup")=t("Signup")

    //- Page Content
    section
      div(class="container")
        div(class="row")
          div(class="col-lg-6")
            // ruleid: template-explicit-unescape
            h1(class="mt-5 text-white") !{title_text}
            p(class= "text-light") This project is a simple application skeleton for a NodeJs web app with PugJs templating. You can use it to quickly bootstrap your NodeJs webapp projects and dev environment for these projects.

    script(src='vendor/jquery/jquery.min.js')
    script(src='vendor/bootstrap/js/bootstrap.bundle.min.js')
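The rule above is regex-based (languages: regex, confidence: LOW), so it is worth seeing exactly which lines its two patterns do and do not catch. The following scanner is an added example, not Semgrep's code or the starter project's: it mirrors the rule's two pattern-regex entries and runs them over a constructed sample modelled on explicit-unescape.pug, including a plain JavaScript comparison that the first regex also flags.

```javascript
// Added example: a line scanner that reproduces the two pattern-regex entries
// of template-explicit-unescape and reports the Pug lines they would flag.
const RULE_ID = "template-explicit-unescape";

const PATTERNS = [
  // Unescaped attribute or buffered code: href!=url, p!= value.
  // [^=] after "!=" keeps the JavaScript strict inequality "!==" from matching.
  /\w.*(!=)[^=].*/,
  // Unescaped interpolation: !{title_text}
  /!\{.*?\}/,
];

// Returns one finding per line that any of the rule's regexes matches.
function scanPugSource(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    if (PATTERNS.some((re) => re.test(line))) {
      findings.push({ rule: RULE_ID, line: idx + 1, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample (not a real project file), based on the example template above.
const SAMPLE = [
  'a(class="nav-link" target="_blank" href!=url) Documentation', // 1: flagged, unescaped attribute
  "if disableSignUp !== true",                                    // 2: not flagged, "!==" excluded by [^=]
  'h1(class="mt-5 text-white") !{title_text}',                    // 3: flagged, unescaped interpolation
  'h1(class="mt-5 text-white") #{title_text}',                    // 4: not flagged, #{...} is escaped
  "p!= markdown(body)",                                           // 5: flagged, unescaped buffered code
  "if count != 0",                                                // 6: flagged, a false positive of the regex
].join("\n");

// Convenience for reporting: just the flagged line numbers.
function flaggedLines(source) {
  return scanPugSource(source).map((f) => f.line);
}

for (const f of scanPugSource(SAMPLE)) {
  console.log(`${f.rule}: line ${f.line}: ${f.text}`);
}
```

Line 6 shows why the rule carries confidence LOW: an ordinary `!=` comparison in template logic matches the first regex even though nothing is rendered unescaped, so each finding still needs a manual check of whether external data can reach it.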