joernio / joern

Open-source code analysis platform for C/C++/Java/Binary/Javascript/Python/Kotlin based on code property graphs. Discord https://discord.gg/vv4MH284Hc
https://joern.io/
Apache License 2.0

jssrc: create TemplateDom nodes for tags in EJS templates #2051

Open maltek opened 1 year ago

maltek commented 1 year ago

For a snippet like

<a href='/app/modifyproduct?id=<%-output.products[i].id%>'>Edit</a>

ideally we'd have

max-leuthaeuser commented 1 year ago

Unfortunately, with the current babel parser that's not possible, as these EJS tags can occur in quite weird combinations resulting in unparsable code. Thus, I had to strip them away (see: https://github.com/joernio/joern/blob/master/joern-cli/frontends/jssrc2cpg/src/test/scala/io/joern/jssrc2cpg/preprocessing/EjsPreprocessorTest.scala). Hence, the DOM nodes are dropped. One might be able to re-scan the original ejs file to find e.g., something like the XSS in your example.

ml86 commented 1 year ago

So in other words Babel does not support EJS and we strip away the EJS parts that Babel does not understand?

max-leuthaeuser commented 1 year ago

Exactly. EJS templates are neither valid HTML code (that's why I can't use e.g. jsoup) nor valid JS/JSX (EJS allows for embedding any JS construct in a template tag, but JSX allows for expressions only).
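As an added example (not Joern's code and not the jssrc2cpg preprocessor), the script below illustrates the two points made in the thread: stripping the EJS tags leaves only the literal markup, so the expression in the `href` from the first comment is gone; and because an EJS template is neither HTML nor JS, a dedicated re-scan of the raw `.ejs` source is one way to recover that information, here by tokenizing the template and reporting unescaped-output tags (`<%- ... %>`) together with the HTML context they land in. It assumes the stock EJS delimiters only (custom delimiters and the `<%%` literal escape are not handled), and the sample template is constructed for the example, its first line being the snippet from the issue.

```javascript
// Added example, not part of Joern. Assumes stock EJS delimiters:
// <% %> scriptlet, <%= %> escaped output, <%- %> unescaped output, <%# %> comment.
const EJS_TAG = /<%([=\-#_]?)([\s\S]*?)[-_]?%>/g;
const TAG_KINDS = { '': 'scriptlet', '_': 'scriptlet', '=': 'escaped', '-': 'unescaped', '#': 'comment' };

// Split a template into literal text tokens and EJS tag tokens.
function tokenizeEjs(src) {
  const tokens = [];
  let last = 0;
  EJS_TAG.lastIndex = 0;
  for (let m = EJS_TAG.exec(src); m !== null; m = EJS_TAG.exec(src)) {
    if (m.index > last) tokens.push({ kind: 'text', value: src.slice(last, m.index), offset: last });
    tokens.push({ kind: TAG_KINDS[m[1]], value: m[2].trim(), offset: m.index });
    last = m.index + m[0].length;
  }
  if (last < src.length) tokens.push({ kind: 'text', value: src.slice(last), offset: last });
  return tokens;
}

// What a "strip the tags" preprocessing step leaves behind: only the literal
// markup, every template expression gone. An illustration, not jssrc2cpg's logic.
function stripEjsTags(src) {
  return tokenizeEjs(src).filter(t => t.kind === 'text').map(t => t.value).join('');
}

// Track HTML context across literal text: inside a quoted attribute value,
// inside a start/end tag, or in element body. Text tokens never contain EJS
// tags, so every '<' seen here is HTML markup.
function advanceHtmlState(state, text) {
  for (const ch of text) {
    if (state.quote) {
      if (ch === state.quote) state.quote = null;
    } else if (state.inTag) {
      if (ch === '"' || ch === "'") state.quote = ch;
      else if (ch === '>') state.inTag = false;
    } else if (ch === '<') {
      state.inTag = true;
    }
  }
  return state;
}

function contextOf(state) {
  if (state.quote) return 'attribute';
  return state.inTag ? 'tag' : 'body';
}

// Report every unescaped output tag with the HTML context it is emitted into.
function findUnescapedOutput(src) {
  const findings = [];
  const state = { inTag: false, quote: null };
  for (const tok of tokenizeEjs(src)) {
    if (tok.kind === 'text') advanceHtmlState(state, tok.value);
    else if (tok.kind === 'unescaped') {
      findings.push({ expression: tok.value, context: contextOf(state), offset: tok.offset });
    }
  }
  return findings;
}

// Constructed sample template; the first line is the snippet from the issue.
const SAMPLE = [
  "<a href='/app/modifyproduct?id=<%-output.products[i].id%>'>Edit</a>",
  '<% if (user) { %><span class="name"><%= user.name %></span><% } %>',
  '<div><%- user.bio %></div>',
  '<%# comment %>',
].join('\n');

console.log(stripEjsTags(SAMPLE));
console.log(findUnescapedOutput(SAMPLE));
```

On the sample, `stripEjsTags` yields `<a href='/app/modifyproduct?id='>Edit</a>` for the first line, which is why nothing about `output.products[i].id` survives into the parsed JS, while `findUnescapedOutput` reports that expression in `attribute` context and `user.bio` in `body` context; the escaped `<%= user.name %>` is not reported.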