Code injection
Interpreting unsanitized user input as code allows a malicious user arbitrary code execution.
Template, which may contain code, depends on a user-provided value.
Commit SHA: 459cd0fa4ebaaec6cee08c99e42c2050d46521c4
Line Number: 58
Tool Name: CodeQL
File Path: src/app.controller.ts:58
Mitigation: # Code injection
Directly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or jQuery selectors.
Recommendation
Avoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. It is important that the correct escaping is used for the type of evaluation that will occur.
Example
The following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.
The following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as #{global.process.exit(1)}.
const express = require('express')
var pug = require('pug');
const app = express()
app.post('/', (req, res) => {
    var input = req.query.username;
    // The user-controlled value is concatenated into the template source,
    // so Pug compiles it as template code rather than treating it as data.
    var template = `
doctype
html
  head
    title= 'Hello world'
  body
    form(action='/' method='post')
      input#name.form-control(type='text')
      button.btn.btn-primary(type='submit') Submit
    p Hello ` + input
    var fn = pug.compile(template);
    var html = fn();
    res.send(html);
})
Below is an example of how to use a template engine without any risk of template injection. The user input is included via an interpolation expression #{username} whose value is provided as an option to the template, instead of being part of the template string itself:
const express = require('express')
var pug = require('pug');
const app = express()
app.post('/', (req, res) => {
    var input = req.query.username;
    // The template source is now a fixed string; #{username} is an escaped
    // interpolation whose value is supplied as a template local at render time.
    var template = `
doctype
html
  head
    title= 'Hello world'
  body
    form(action='/' method='post')
      input#name.form-control(type='text')
      button.btn.btn-primary(type='submit') Submit
    p Hello #{username}`
    var fn = pug.compile(template);
    // The user input is passed as data, so it is HTML-escaped and never compiled as Pug code.
    var html = fn({username: input});
    res.send(html);
})
Impact: See Description
Tool Finding Id: 44