ExpressJs Local File Read via the layout parameter - Vulnerability Database

ExpressJs Local File Read via the layout parameter

Description

ExpressJs applications using Handlebars templating engine (via the hbs view engine) are vulnerable to local file read attacks through the layout parameter. This vulnerability occurs when user-controlled data is passed directly to the res.render() function as the second argument without proper encapsulation. An attacker can exploit this by injecting a malicious layout parameter in the request body, causing the server to read and potentially expose arbitrary files from the filesystem.

The vulnerable pattern occurs when code like this is used:

router.post('/', function(req, res, next) {
  var profile = req.body.profile
  res.render('index', profile)  // Vulnerable: user data passed directly
});

The issue stems from passing the entire profile object directly to res.render(), which allows attackers to inject special parameters like layout that are interpreted by the templating engine.

Remediation

Modify the code to wrap user-controlled data in an object literal before passing it to res.render(). This prevents attackers from injecting special parameters like layout that are interpreted by the templating engine.

Vulnerable Code:

router.post('/', function(req, res, next) {
  var profile = req.body.profile
  res.render('index', profile)  // DO NOT USE
});

Secure Code:

router.post('/', function(req, res, next) {
  var profile = req.body.profile
  res.render('index', { profile })  // Wrap in object literal
});

Additionally, implement the following security measures:
  • Validate and sanitize all user input before using it in render functions
  • Use allowlists to restrict which properties can be passed to templates
  • Update the hbs package to the latest version to mitigate potential RCE escalation paths
  • Apply the principle of least privilege to limit file system access for the application process
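The following is an added example, not code from Invicti or from the Express/hbs projects. It models the data flow behind this finding offline: Express hands the caller's second argument to the view engine as its options object, and hbs reads layout from that object, so the only question is whether a client-controlled key can land there. The set of engine-interpreted keys is reduced to layout here, and the profile field names are constructed assumptions.

```javascript
// Added example (not Invicti's or Express's code): models why res.render('index', profile)
// is exploitable and res.render('index', { profile }) is not, without running Express or hbs.
// Assumption: the only engine-interpreted option modelled is `layout`; real engines honour more.
const ENGINE_KEYS = new Set(['layout']);

// Split a render-options object into engine settings and plain template data,
// the way the view engine sees it.
function splitForEngine(options) {
  const engine = {};
  const data = {};
  for (const [key, value] of Object.entries(options)) {
    (ENGINE_KEYS.has(key) ? engine : data)[key] = value;
  }
  return { engine, data };
}

// Vulnerable shape from the page: req.body.profile *is* the options object,
// so any `layout` key the client sends is honoured by the engine.
function renderOptionsVulnerable(body) {
  return splitForEngine(Object.assign({}, body.profile));
}

// Remediated shape from the page: the untrusted object is nested under `profile`,
// so its keys are template data and cannot reach the engine.
function renderOptionsFixed(body) {
  return splitForEngine({ profile: body.profile });
}

// Allowlist variant from the remediation bullets: copy only the fields the template
// needs and require them to be strings. Field names are constructed for this example.
const PROFILE_FIELDS = ['name', 'email'];
function pickProfile(untrusted) {
  const picked = {};
  for (const field of PROFILE_FIELDS) {
    if (typeof untrusted?.[field] === 'string') picked[field] = untrusted[field];
  }
  return picked;
}

// Constructed request body: an ordinary profile with a smuggled `layout` key.
const sampleBody = { profile: { name: 'alice', layout: '../untrusted-layout' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable engine options:', renderOptionsVulnerable(sampleBody).engine);
  console.log('fixed engine options:     ', renderOptionsFixed(sampleBody).engine);
  console.log('allowlisted profile:      ', pickProfile(sampleBody.profile));
}
```

In the vulnerable shape the engine options contain the client's layout value; in the fixed shape they are empty and the profile, layout key included, is inert template data.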