new capacity bits (#67)

tests/fixtures/ssti/javascript/safe_handlebars_constant.js

@@ -0,0 +1,11 @@
+// Safe: Handlebars.compile receives a constant template source string.
+// Variables provided at render time are not template source and do not
+// activate SSTI.
+const Handlebars = require('handlebars');
+
+function handler(req, res) {
+    const compiled = Handlebars.compile('Hello, {{name}}');
+    res.send(compiled({ name: req.query.name }));
+}
+
+module.exports = handler;

tests/fixtures/ssti/javascript/safe_nunjucks_render_string.js

@@ -0,0 +1,13 @@
+// Safe-template-var: nunjucks.renderString gets a *constant* template
+// source; only the data context (arg 1) carries user input.  Per the
+// gated SSTI classifier (payload_args=[0]), this must NOT fire.
+const nunjucks = require('nunjucks');
+
+function handler(req, res) {
+    const html = nunjucks.renderString('Hello, {{ name }}', {
+        name: req.query.name,
+    });
+    res.send(html);
+}
+
+module.exports = handler;

tests/fixtures/ssti/javascript/unsafe_handlebars_compile.js

@@ -0,0 +1,11 @@
+// Unsafe: Handlebars.compile receives a template *source* string built from
+// req.body.  SSTI fires on the source argument.
+const Handlebars = require('handlebars');
+
+function handler(req, res) {
+    const tmpl = req.body.template;
+    const compiled = Handlebars.compile(tmpl);
+    res.send(compiled({}));
+}
+
+module.exports = handler;

tests/fixtures/ssti/javascript/unsafe_nunjucks_render_string.js

@@ -0,0 +1,11 @@
+// Unsafe: nunjucks.renderString receives a tainted template *source*
+// string (arg 0) built from req.body; SSTI fires on the source argument.
+const nunjucks = require('nunjucks');
+
+function handler(req, res) {
+    const src = req.body.template;
+    const html = nunjucks.renderString(src, { user: 'anon' });
+    res.send(html);
+}
+
+module.exports = handler;