add qhelp

erik-krogh · erik-krogh · commit 70b8cdee9bd3 · 2021-03-09T16:17:33.000+01:00
diff --git a/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.qhelp b/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.qhelp
@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Directly using user-controlled objects as arguments to template engines might allow an attacker to do 
+local file reads or even remote code execution. 
+</p>
+</overview>
+
+<recommendation>
+<p>
+Avoid using user-controlled objects as arguments to template engine, instead construct the object explicitly with 
+the specific properties needed by the template.
+</p>
+</recommendation>
+
+<example>
+<p>
+In the below example a server uses the user-controlled <code>profile</code> object to 
+render the <code>index</code> template.  
+</p>
+<sample src="examples/TemplateObjectInjection.js" />
+<p>
+However, if an attacker adds a <code>layout</code> property to the <code>profile</code> object then 
+the server will load the file specified by the <code>layout</code> property, thereby allowing an attacker
+to do local file reads.
+</p>
+<p>
+The fix is to have the server construct the object, and only add the properties that are needed by the template. 
+</p>
+<sample src="examples/TemplateObjectInjection_fixed.js" />
+</example>
+
+<references>
+<li>
+blog.shoebpatel.com: <a href="https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/">The Secret Parameter, LFR, and Potential RCE in NodeJS Apps</a>.
+</li>
+<li>
+cwe.mitre.org: <a href="https://cwe.mitre.org/data/definitions/73.html">CWE-73: External Control of File Name or Path</a>
+</li>
+
+</references>
+</qhelp>
diff --git a/javascript/ql/src/Security/CWE-073/examples/TemplateObjectInjection.js b/javascript/ql/src/Security/CWE-073/examples/TemplateObjectInjection.js
@@ -1,10 +1,7 @@
 var app = require('express')();
 app.set('view engine', 'hbs');
 
-app.post('/path', function(req, res) {
-    var bodyParameter = req.body.bodyParameter
-    var queryParameter = req.query.queryParameter
-    
-    res.render('template', bodyParameter)
-    res.render('template', queryParameter)
+app.post('/', function (req, res, next) {
+    var profile = req.body.profile;
+    res.render('index', profile);
 });
diff --git a/javascript/ql/src/Security/CWE-073/examples/TemplateObjectInjection_fixed.js b/javascript/ql/src/Security/CWE-073/examples/TemplateObjectInjection_fixed.js
@@ -1,10 +1,10 @@
 var app = require('express')();
 app.set('view engine', 'hbs');
 
-app.post('/path', function(req, res) {
-    var bodyParameter = req.body.bodyParameter
-    var queryParameter = req.query.queryParameter
-    
-    res.render('template', {bodyParameter})
-    res.render('template', {queryParameter})
+app.post('/', function (req, res, next) {
+    var profile = req.body.profile;
+    res.render('index', {
+        name: profile.name,
+        location: profile.location
+    });
 });
