-
Notifications
You must be signed in to change notification settings - Fork 306
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Template injection vulnerability detection in handlebars
- Loading branch information
1 parent
c007354
commit a5f156b
Showing
6 changed files
with
134 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
'use strict' | ||
|
||
const shimmer = require('../../datadog-shimmer') | ||
const { channel, addHook } = require('./helpers/instrument') | ||
|
||
const handlebarsReadCh = channel('datadog:handlebars:compile:start') | ||
|
||
function wrapCompile (compile) { | ||
return function () { | ||
if (handlebarsReadCh.hasSubscribers) { | ||
const source = arguments[0] | ||
handlebarsReadCh.publish({ source }) | ||
} | ||
return compile.apply(this, arguments) | ||
} | ||
} | ||
|
||
addHook({ name: 'handlebars', file: 'dist/cjs/handlebars/compiler/compiler.js', versions: ['>=4.0.0'] }, compiler => { | ||
shimmer.wrap(compiler, 'compile', wrapCompile) | ||
shimmer.wrap(compiler, 'precompile', wrapCompile) | ||
return compiler | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
16 changes: 16 additions & 0 deletions
16
packages/dd-trace/src/appsec/iast/analyzers/template-injection-analyzer.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
'use strict' | ||
|
||
const InjectionAnalyzer = require('./injection-analyzer') | ||
const { TEMPLATE_INJECTION } = require('../vulnerabilities') | ||
|
||
class TemplateInjectionAnalyzer extends InjectionAnalyzer { | ||
constructor () { | ||
super(TEMPLATE_INJECTION) | ||
} | ||
|
||
onConfigure () { | ||
this.addSub('datadog:handlebars:compile:start', ({ source }) => this.analyze(source)) | ||
} | ||
} | ||
|
||
module.exports = new TemplateInjectionAnalyzer() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
93 changes: 93 additions & 0 deletions
93
packages/dd-trace/test/appsec/iast/analyzers/template-injection-analyzer.handlebars.spec.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
'use strict' | ||
|
||
const { prepareTestServerForIast } = require('../utils') | ||
const { storage } = require('../../../../../datadog-core') | ||
const iastContextFunctions = require('../../../../src/appsec/iast/iast-context') | ||
const { newTaintedString } = require('../../../../src/appsec/iast/taint-tracking/operations') | ||
|
||
describe.only('template-injection-analyzer with handlebars', () => { | ||
withVersions('handlebars', 'handlebars', version => { | ||
let lib | ||
before(() => { | ||
lib = require(`../../../../../../versions/handlebars@${version}`).get() | ||
}) | ||
|
||
describe('compile', () => { | ||
prepareTestServerForIast('template injection analyzer', | ||
(testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => { | ||
testThatRequestHasVulnerability(() => { | ||
const store = storage.getStore() | ||
const iastContext = iastContextFunctions.getIastContext(store) | ||
const source = ` | ||
{{#with "s" as |string|}} | ||
{{#with "e"}} | ||
{{#with split as |conslist|}} | ||
{{this.pop}} | ||
{{this.push (lookup string.sub "constructor")}} | ||
{{this.pop}} | ||
{{#with string.split as |codelist|}} | ||
{{this.pop}} | ||
{{this.push "return JSON.stringify(process.env);"}} | ||
{{this.pop}} | ||
{{#each conslist}} | ||
{{#with (string.sub.apply 0 codelist)}} | ||
{{this}} | ||
{{/with}} | ||
{{/each}} | ||
{{/with}} | ||
{{/with}} | ||
{{/with}} | ||
{{/with}} | ||
` | ||
const command = newTaintedString(iastContext, source, 'param', 'Request') | ||
const template = lib.compile(command) | ||
template() | ||
}, 'TEMPLATE_INJECTION') | ||
|
||
testThatRequestHasNoVulnerability(() => { | ||
const source = '<p>{{name}}</p>' | ||
const template = lib.compile(source) | ||
template() | ||
}, 'TEMPLATE_INJECTION') | ||
}) | ||
}) | ||
|
||
describe('precompile', () => { | ||
prepareTestServerForIast('template injection analyzer', | ||
(testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => { | ||
testThatRequestHasVulnerability(() => { | ||
const store = storage.getStore() | ||
const iastContext = iastContextFunctions.getIastContext(store) | ||
const source = ` | ||
{{#with "s" as |string|}} | ||
{{#with "e"}} | ||
{{#with split as |conslist|}} | ||
{{this.pop}} | ||
{{this.push (lookup string.sub "constructor")}} | ||
{{this.pop}} | ||
{{#with string.split as |codelist|}} | ||
{{this.pop}} | ||
{{this.push "return JSON.stringify(process.env);"}} | ||
{{this.pop}} | ||
{{#each conslist}} | ||
{{#with (string.sub.apply 0 codelist)}} | ||
{{this}} | ||
{{/with}} | ||
{{/each}} | ||
{{/with}} | ||
{{/with}} | ||
{{/with}} | ||
{{/with}} | ||
` | ||
const command = newTaintedString(iastContext, source, 'param', 'Request') | ||
lib.precompile(command) | ||
}, 'TEMPLATE_INJECTION') | ||
|
||
testThatRequestHasNoVulnerability(() => { | ||
const source = '<p>{{name}}</p>' | ||
lib.precompile(source) | ||
}, 'TEMPLATE_INJECTION') | ||
}) | ||
}) | ||
}) | ||
}) |