JS: add query for Express-HBS LFR

2026-04-29 02:35:15 +02:00 · 2021-02-01 18:01:34 +05:30
parent 064d89735b
commit 3363f5e6db
3 changed files with 64 additions and 0 deletions
--- a/javascript/ql/test/experimental/Security/CWE-073/ExpressHbsLFR.ql
+++ b/javascript/ql/test/experimental/Security/CWE-073/ExpressHbsLFR.ql
@@ -0,0 +1,44 @@
+/**
+ * @name Express-Hbs Local File Read and Potential RCE
+ * @description Writing user input directly to res.render of ExpressJS used with Hbs can lead to LFR
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/express-hbs-lfr
+ * @tags security
+ *       external/cwe/cwe-073
+ *       external/cwe/cwe-094
+ */
+
+import javascript
+import DataFlow
+import PathGraph
+import Express
+import semmle.javascript.DynamicPropertyAccess
+
+predicate isUsingHbsEngine() {
+  exists(MethodCallExpr method |
+    method.getMethodName() = "set" and
+    Express::appCreation().flowsToExpr(method.getReceiver()) and
+    method.getArgument(1).getStringValue().matches("hbs")
+  )
+}
+
+class HbsLFRTaint extends TaintTracking::Configuration {
+  HbsLFRTaint() { this = "HbsLFRTaint" }
+
+  override predicate isSource(Node node) { node instanceof RemoteFlowSource }
+
+  override predicate isSink(Node node) {
+    exists(MethodCallExpr mc |
+      Express::isResponse(mc.getReceiver()) and
+      mc.getMethodName() = "render" and
+      node.asExpr() = mc.getArgument(1) and
+      isUsingHbsEngine()
+    )
+  }
+}
+
+from HbsLFRTaint cfg, Node source, Node sink
+where cfg.hasFlow(source, sink)
+select source, sink
--- a/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR.js
+++ b/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR.js
@@ -0,0 +1,10 @@
+var app = require('express')();
+app.set('view engine', 'hbs');
+
+app.post('/path', function(req, res) {
+    var bodyParameter = req.body.bodyParameter
+    var queryParameter = req.query.queryParameter
+    
+    res.render('template', bodyParameter)
+    res.render('template', queryParameter)
+});
--- a/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR_fixed.js
+++ b/javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR_fixed.js
@@ -0,0 +1,10 @@
+var app = require('express')();
+app.set('view engine', 'hbs');
+
+app.post('/path', function(req, res) {
+    var bodyParameter = req.body.bodyParameter
+    var queryParameter = req.query.queryParameter
+    
+    res.render('template', {bodyParameter})
+    res.render('template', {queryParameter})
+});