Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space CBJS and version Publish

Tracks user-controlled values to an unescaped lodash template placeholder.

Ql
import javascript::
import DataFlow
import DataFlow::PathGraph

/**
 * Gets the name of an unescaped placeholder in a lodash template.
 *
 * For example, the string `<h1><%= title %></h1>` contains the placeholder `title`.
 */
bindingset[s]
string getAPlaceholderInString(string s) {
  result = s.regexpCapture(".*<%=\\s*([a-zA-Z0-9_]+)\\s*%>.*", 1)
}

class TemplateInjection extends TaintTracking::Configuration {
  TemplateInjection() { this = "TemplateInjection" }

  override predicate isSource(Node node) { node instanceof RemoteFlowSource }

  override predicate isSink(Node node) {
    exists(CallNode call, string placeholder |
      call = LodashUnderscore::member("template").getACall() and
      placeholder = getAPlaceholderInString(call.getArgument(0).getStringValue()) and
      node = call.getOptionArgument(1, placeholder)
    )
  }
}

from TemplateInjection cfg, PathNode source, PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "User-controlled value from $@ occurs unescaped in a lodash template.", source.getNode(), "here."
Htmlcomment
hiddentrue
hashconfluence_uploader_hash:b19d45e40669eb75372c34c859a520442892939b475f0781cbe58c98656aba58654342940078a71a