Untrusted user input in express render() function
Description
Passing untrusted user input to Express's render() function can result in an arbitrary file read when the hbs templating engine is used.
Examples
Insecure Code

```javascript
// Request-controlled data flows straight into the render() options object.
res.render('view', { foo: req.query.foo });
```

Secure Code

```javascript
// validateInput is the application's own allowlist check (not shown here);
// only the validated value reaches the render() options object.
const validatedFoo = validateInput(req.query.foo);
res.render('view', { foo: validatedFoo });
```

Remediation
Validate and sanitize user input before passing it to the render() function. Consider using a templating engine that is not vulnerable to path traversal attacks.
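The following is an added example, not code from the rule or from Express/hbs: a self-contained allowlist validator for the render() options object that runs without Express. The names `SAFE_KEYS`, `isSafeValue`, `pickSafeLocals` and `vulnerableLocals` and the sample query are illustrative assumptions. It drops any key the view was not designed to receive (hbs reads some options, notably `layout`, as a file path) and rejects values that contain path separators or parent-directory segments.

```javascript
// Added example (not the rule's or hbs's own code). Pure JavaScript, no Express needed.

// Keys the view is allowed to receive. Everything else from the request,
// including option names hbs interprets as file paths (e.g. `layout`), is dropped.
const SAFE_KEYS = new Set(['foo', 'page']);

// A value is accepted only if it is a short plain string with no path
// separators, parent-directory segments or NUL bytes.
function isSafeValue(value) {
  if (typeof value !== 'string') return false; // ?foo[]=x parses to an array; reject it
  if (value.length === 0 || value.length > 64) return false;
  if (value.includes('/') || value.includes('\\')) return false;
  if (value.includes('..')) return false;
  if (value.includes('\0')) return false;
  return true;
}

// Builds the object that is safe to pass as res.render()'s second argument.
// Returns the accepted locals plus the names of rejected keys for logging.
function pickSafeLocals(query) {
  const locals = {};
  const rejected = [];
  for (const [key, value] of Object.entries(query || {})) {
    if (!SAFE_KEYS.has(key) || !isSafeValue(value)) {
      rejected.push(key);
      continue;
    }
    locals[key] = value;
  }
  return { locals, rejected };
}

// The pattern the rule flags: the parsed query object is forwarded unchanged,
// so a `layout` key supplied by the client reaches hbs as a file path.
function vulnerableLocals(query) {
  return { ...query };
}

// Constructed sample: what Express would parse from ?foo=bar&layout=../../private
const sampleQuery = { foo: 'bar', layout: '../../private' };

const unsafe = vulnerableLocals(sampleQuery);
console.log('forwarded unchanged:', Object.keys(unsafe)); // includes "layout"

const { locals, rejected } = pickSafeLocals(sampleQuery);
console.log('safe locals:', locals);      // { foo: 'bar' }
console.log('rejected keys:', rejected);  // [ 'layout' ]
// In a real handler: res.render('view', locals);
```

The hardened route then calls `res.render('view', pickSafeLocals(req.query).locals)`, so the template only ever sees the keys it was written for; logging `rejected` gives a simple detection signal for probing of the render options.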
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0418 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-23 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | path traversal, arbitrary file read |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |