id: express-lfr

info:
  name: Express - Local File Read
  author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
  severity: info
  description: Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used.
  tags: file,nodejs,express,lfr
file:
  - extensions:
      - all
    matchers:
      - type: regex
        regex:
          - "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+? [\\w\\W]+? >\\)"
          - "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+?\\.\\$[\\w\\W]+? [\\w\\W]+? >\\)"
          - "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+? [\\w\\W]+? >\\)"
        condition: or
# digest: 490a004630440220621aa2ce4e4f6ba77ec2649e58fe97bb8a7201aa5770dae6376f781471e08ff8022058f128ef05d2113c5534015821b6c8620bf8c88efabd4508b19c5760429a7c69:922c64590222798bb761d5b6d8e72950