id: express-lfr

info:
  name: Express - Local File Read
  author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
  severity: info
  description: Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used.
  tags: file,nodejs,express,lfr
file:
  - extensions:
      - all
    matchers:
      - type: regex
        regex:
          - "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+? [\\w\\W]+? >\\)"
          - "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+?\\.\\$[\\w\\W]+? [\\w\\W]+? >\\)"
          - "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+? [\\w\\W]+? >\\)"
        condition: or

# digest: 4b0a00483046022100e7798827d9cc0ed3a27739501621560cd2752e52aba95d220252540f0361afeb022100a8c14ce89e7beca1fb0c19891d37761ed32e3c096e6033a2c2d4a1b77f1a49f6:922c64590222798bb761d5b6d8e72950