Untrusted user input in express render() function
Description
This application passes untrusted user input to the Express render() function. Rendering a template whose name is taken from user input enables arbitrary file read vulnerabilities with templating engines such as Handlebars (hbs), because the engine resolves the view name to a file path under the views directory. An attacker can craft input that traverses the filesystem and exposes sensitive files. Sanitize and validate all user input before passing it to render() to prevent arbitrary file reads.
Examples
Insecure Code

```javascript
// The view name comes straight from the URL (":file" added so req.params.file is populated).
app.get("/traversal/:file", async (req, res) => {
  res.render(req.params.file, { title: "Index Page" });
});
```

Secure Code

```javascript
// The view name is a fixed value; nothing from the request reaches render().
app.get("/traversal/2", async (req, res) => {
  const indexPath = "index";
  res.render(indexPath, { title: "Index Page" });
});
```

Remediation
Sanitize and validate all user input before passing it to the render() function.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0417 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-23 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Path Traversal, Arbitrary File Read |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |