mirror of
https://github.com/github/codeql.git
synced 2026-02-08 19:21:07 +01:00
46 lines
1.4 KiB
XML
46 lines
1.4 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
<overview>
|
|
<p>
|
|
Directly using user-controlled objects as arguments to template engines might allow an attacker to do
|
|
local file reads or even remote code execution.
|
|
</p>
|
|
</overview>
|
|
|
|
<recommendation>
|
|
<p>
|
|
Avoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with
|
|
the specific properties needed by the template.
|
|
</p>
|
|
</recommendation>
|
|
|
|
<example>
|
|
<p>
|
|
In the example below a server uses the user-controlled <code>profile</code> object to
|
|
render the <code>index</code> template.
|
|
</p>
|
|
<sample src="examples/TemplateObjectInjection.js" />
|
|
<p>
|
|
However, if an attacker adds a <code>layout</code> property to the <code>profile</code> object then
|
|
the server will load the file specified by the <code>layout</code> property, thereby allowing an attacker
|
|
to do local file reads.
|
|
</p>
|
|
<p>
|
|
The fix is to have the server construct the object, and only add the properties that are needed by the template.
|
|
</p>
|
|
<sample src="examples/TemplateObjectInjection_fixed.js" />
|
|
</example>
|
|
|
|
<references>
|
|
<li>
|
|
blog.shoebpatel.com: <a href="https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/">The Secret Parameter, LFR, and Potential RCE in NodeJS Apps</a>.
|
|
</li>
|
|
<li>
|
|
cwe.mitre.org: <a href="https://cwe.mitre.org/data/definitions/73.html">CWE-73: External Control of File Name or Path</a>
|
|
</li>
|
|
|
|
</references>
|
|
</qhelp>
|