Unsanitized User Input in Resource Rendering
Overview
Rule ID:
javascript_express_external_resource
Applicable Languages: Javascript
Weakness ID: CWE-706
Description
Exception messages that expose sensitive information can be a critical security vulnerability. When exception details are printed directly to the default output, they might reveal crucial information about the application’s configuration or environment, such as file paths, server details, or database configurations. This not only aids attackers in identifying potential entry points but also risks exposing user-specific data, leading to privacy violations.
Remediation Guidelines
Do not pass user or request input directly to res.render() without sanitization. Using user input directly in resource rendering can introduce security risks. Instead, sanitize the input or use a safelist if you need to rely on user input for resource rendering. This ensures that only expected and safe resources are rendered.
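The following is an added example, not code from the rule page or from any project, showing the flagged pattern beside the safelist remediation. The view names, the hypothetical handlers and the stand-in res object are constructed so the example runs without Express installed.

```javascript
// Added example: safelisting view names before they reach res.render().
// Constructed safelist of the templates this hypothetical app actually ships.
const VIEW_SAFELIST = new Set(['home', 'about', 'contact']);

// Returns the safelisted view name, or null when the input does not match.
// Exact-match only: path separators, traversal and partial matches all fail.
function resolveView(requested) {
  if (typeof requested !== 'string') return null;
  return VIEW_SAFELIST.has(requested) ? requested : null;
}

// Pattern the rule flags: request input goes straight into render().
function vulnerableHandler(req, res) {
  res.render(req.params.page);
}

// Remediated handler: only a safelisted name is ever rendered.
function safeHandler(req, res) {
  const view = resolveView(req.params.page);
  if (view === null) {
    res.status(404).send('Not found');
    return;
  }
  res.render(view);
}

// Minimal stand-in for Express's res object so the example runs offline.
function fakeRes() {
  const out = { statusCode: 200, rendered: null, body: null };
  out.status = (code) => { out.statusCode = code; return out; };
  out.send = (body) => { out.body = body; return out; };
  out.render = (view) => { out.rendered = view; return out; };
  return out;
}

// Drives a handler with a constructed request and reports what it did.
function run(handler, page) {
  const res = fakeRes();
  handler({ params: { page } }, res);
  return { statusCode: res.statusCode, rendered: res.rendered };
}
```

In an Express app the handlers would be registered as `app.get('/:page', safeHandler)`; the same safelist check applies to any value from `req.params`, `req.query` or `req.body`.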
References
Configuration
To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL