CodeQL documentation

Template Object Injection

ID: js/template-object-injection
Kind: path-problem
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-073
   - external/cwe/cwe-094
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls


Directly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.

Recommendation

Avoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.

Example

In the example below, a server passes the user-controlled profile object straight to the view engine as the options for rendering the index template.

var app = require('express')();
app.set('view engine', 'hbs');

app.post('/', function (req, res, next) {
    var profile = req.body.profile;
    // Vulnerable: every property of the request body becomes a render option.
    res.render('index', profile);
});

However, the options object is interpreted by the view engine as well as by the template. If an attacker adds a layout property to the profile object, the engine treats it as the path of the layout to load and reads that file from disk, thereby allowing an attacker to do local file reads.

The fix is to have the server construct the object, and only add the properties that are needed by the template.

var app = require('express')();
app.set('view engine', 'hbs');

app.post('/', function (req, res, next) {
    var profile = req.body.profile;
    // Fixed: only the properties the template uses are copied across,
    // so engine options such as layout cannot be supplied by the client.
    res.render('index', {
        name: profile.name,
        location: profile.location
    });
});
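The same fix, written as a reusable allow-list helper that can be unit-tested without a running server (an added example, not code from the CodeQL repository; the field names, the request shape and the stub render function are assumptions for illustration):

```javascript
'use strict';

// Properties the "index" template actually uses (assumed for this example).
const PROFILE_VIEW_FIELDS = ['name', 'location'];

// Build the options object handed to res.render() from an untrusted body.
// Only allow-listed, own, string-valued properties are copied; anything else,
// including view-engine options such as `layout`, is dropped. The result is a
// fresh plain object, so the client cannot smuggle in extra keys.
function buildProfileView(profile) {
  const view = {};
  if (profile === null || typeof profile !== 'object') return view;
  for (const key of PROFILE_VIEW_FIELDS) {
    if (!Object.prototype.hasOwnProperty.call(profile, key)) continue;
    const value = profile[key];
    if (typeof value === 'string') view[key] = value;
  }
  return view;
}

// Express-style handler using the helper (stub: `res.render` is whatever
// the application provides).
function handleProfilePost(req, res) {
  const profile = req.body && req.body.profile;
  res.render('index', buildProfileView(profile));
}

// Run the handler against a constructed request and capture what would
// reach the view engine, so the effect of the allow-list can be checked.
function renderOptionsFor(profile) {
  let captured = null;
  const res = { render: (name, options) => { captured = { name, options }; } };
  handleProfilePost({ body: { profile } }, res);
  return captured;
}

module.exports = { buildProfileView, handleProfilePost, renderOptionsFor };
```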

References