
ast/template-injection-user-input

Server-side template injection: template engine compiled / rendered with user input

critical · AST · command-injection · CWE-1336 · js, ts

What it detects

A Handlebars, Pug, EJS, Mustache or Nunjucks `compile()` or `render()` call received a template string sourced from user input. These engines parse `{{...}}` (Handlebars/Mustache), `#{...}` and `!=` (Pug), or `<%- ... %>` (EJS) and evaluate the helper expressions inside; in most engines those expressions can reach JavaScript `eval` through the prototype chain or through escape filters, so an attacker who controls the template body gets remote code execution. Render FIXED templates that are defined in your code, never the user's template body, and let user input fill only the data slots.

How it runs

Each scanned file is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the resulting AST looking for the call shape and the user-input flow described above. Files larger than 200 KB, or that fail to parse, are skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress it per repository with a line in `.repoguardignore`.