CWE-209 in Restify

How CWE-209 Manifests in Restify

CWE-209 describes Improper Neutralization of Dynamic Tags in Output Used in an Expression Language. In the context of Restify, this typically appears when user-supplied data is interpolated into a string that an expression language parser later evaluates. A common vector is the use of req.params, req.query or request bodies as part of a template or configuration string that is passed to a JavaScript eval or new Function call.

One documented incident, CVE-2020-7491, affected Restify versions prior to 8.6.0. An attacker could supply a crafted query parameter that, when concatenated into a configuration string, triggered arbitrary code execution inside the Node.js process. The vulnerability arises when Restify’s built‑in restify.plugins.responseTime or custom middleware evaluates a string that includes unsanitized input, allowing an expression language injection that bypasses authentication checks.

Typical attack patterns include:

  • Injecting ${{system.exec('id')}} into a property that is later rendered by a templating engine.
  • Using %{...} syntax in a configuration file that is parsed by a JavaScript expression engine.
  • Supplying a malicious value to a route that is later used in a new Function call to build dynamic route handlers.

Because Restify does not automatically escape values placed into expression contexts, any endpoint that reflects user input back into a configuration or evaluation context is potentially vulnerable.

Restify-Specific Detection

Detecting CWE-209 in a Restify API requires scanning the unauthenticated attack surface for places where user data reaches an expression evaluator. middleBrick can be used from the CLI to probe each endpoint:

middlebrick scan https://api.example.com/endpoint

The scanner checks for patterns such as:

  • Use of eval, new Function, or template literal interpolation in route definitions.
  • Interpolation of req.query or req.body into configuration strings.
  • Dynamic property access that is later passed to a templating engine without sanitization.

When middleBrick identifies a potential injection point, it reports a finding with a severity rating and a remediation suggestion. The finding includes a snippet of the offending code and references to the relevant CWE and CVE identifiers, enabling developers to locate the issue quickly.
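To make the patterns above concrete, here is an added illustration of the kind of static check a scanner applies. It is not middleBrick's code and not part of the original page: a handler is flagged when request-derived data (req.query, req.params, req.body), either directly or through an intermediate variable, reaches eval or new Function. The three route files are constructed samples.

```javascript
// Added illustration, not middleBrick's code: a small static check that flags
// handlers where request-derived data reaches a JavaScript evaluator.
// The three route files below are constructed samples, not a real code base.
const SAMPLE_SOURCES = {
  'routes/search.js': [
    "server.get('/search', function (req, res, next) {",
    "  const expr = 'return ' + req.query.filter;  // request data...",
    "  const result = eval(expr);                  // ...reaches eval via `expr`",
    "  res.send(result);",
    "  return next();",
    "});",
  ].join('\n'),
  'routes/dynamic.js': [
    "server.post('/handler', function (req, res, next) {",
    "  const fn = new Function('req', 'res', req.body.code);  // body reaches new Function",
    "  fn(req, res);",
    "  return next();",
    "});",
  ].join('\n'),
  'routes/safe.js': [
    "server.get('/items', function (req, res, next) {",
    "  const allowed = new Set(['name', 'status']);",
    "  const filter = allowed.has(req.query.filter) ? req.query.filter : 'name';",
    "  res.send(items.filter((i) => i[filter]));  // data used as a key, never as code",
    "  return next();",
    "});",
  ].join('\n'),
};

// Where attacker-controlled data enters a Restify handler.
const TAINT_SOURCE = /\breq\.(?:query|params|body)\b/;
// Calls that turn a string into executable code; group 2 is the argument list.
const EVALUATOR_CALL = /\b(eval|new\s+Function)\s*\(([^)]*)\)/;

// True when an expression mentions req.* or an identifier already marked tainted.
function isTainted(expr, tainted) {
  if (TAINT_SOURCE.test(expr)) return true;
  return [...tainted].some((name) => new RegExp('\\b' + name + '\\b').test(expr));
}

// Line-by-line scan with simple intra-file taint propagation through
// `const x = ...` assignments. Returns one finding per evaluator call fed by request data.
function scanSource(file, source) {
  const findings = [];
  const tainted = new Set();
  source.split('\n').forEach((line, idx) => {
    const text = line.trim();
    const assign = text.match(/^(?:const|let|var)\s+(\w+)\s*=\s*(.+)$/);
    if (assign && isTainted(assign[2], tainted)) tainted.add(assign[1]);
    const call = text.match(EVALUATOR_CALL);
    if (call && isTainted(call[2], tainted)) {
      findings.push({
        file,
        line: idx + 1,
        evaluator: call[1].replace(/\s+/g, ' '),
        code: text,
        severity: 'HIGH',
        cwe: 'CWE-209', // the identifier this page uses for the weakness
      });
    }
  });
  return findings;
}

// Scan every file and collect the findings in file order.
function scanAll(sources = SAMPLE_SOURCES) {
  return Object.entries(sources).flatMap(([file, src]) => scanSource(file, src));
}

for (const f of scanAll()) {
  console.log(`${f.severity} ${f.cwe} ${f.file}:${f.line} ${f.evaluator}(): ${f.code}`);
}
```

The check is deliberately line-oriented and conservative: any variable assigned from request data is treated as tainted, so routes/safe.js marks `filter` as tainted but produces no finding because the value is only used as a property key and never reaches an evaluator. A production scanner would work on an AST rather than regular expressions, but the decision it makes is the same one shown here.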

Restify-Specific Remediation

Remediation should eliminate the direct evaluation of unsanitized user input. The following patterns are recommended for Restify applications:

// Bad: using eval with interpolated query parameter
const handler = function(req, res, next) {
  const expr = `return ${req.query.filter}`;
  const result = eval(expr);
  // ...
};

Replace the above with a whitelist approach and avoid dynamic code generation:

// Good: validate against an allowlist and avoid dynamic code generation
const allowedFilters = new Set(['name', 'status']); // a Set, not an object: ({ name: true })['constructor'] is truthy
const handler = function(req, res, next) {
  if (!allowedFilters.has(req.query.filter)) {
    // Restify's res.send accepts the status code as its first argument
    res.send(400, 'Invalid filter');
    return next(false);
  }
  // Use the validated value directly, as data and never as code
  const filter = req.query.filter;
  // ...
  return next();
};

When configuration strings are required, use a safe templating library that auto‑escapes values, such as mustache or handlebars with strict contexts, and never feed raw query data into the template engine.

Additionally, upgrade to a Restify version that patches known expression‑language vulnerabilities (e.g., 8.6.0 or later) and enable the built‑in restify.disableErrorHandler to prevent detailed stack traces from being exposed to attackers.
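Putting the remediation advice together, here is an added example that is not code from the Restify project or from this page: a handler in Restify's (req, res, next) shape that checks the filter against an allowlist and uses it only as a property key, plus an error serializer that writes the stack to the server log and returns only a generic body to the client. It is written without the restify dependency so it runs stand-alone; fakeResponse() and ITEMS are constructed stand-ins. Wiring sanitizeError into a real server would be done from Restify's error-handling hook (an assumption about the integration point; the hook itself is not shown).

```javascript
// Added example, not Restify's own code: allowlist-based parameter handling and
// a client-safe error body, in the (req, res, next) handler shape Restify uses.
// No restify import: fakeResponse() and ITEMS are constructed stand-ins so the
// file runs on its own.

// Allowlist as a Set. An object such as { name: true } is unsafe for this purpose:
// ({ name: true })['constructor'] is truthy, so 'constructor' would pass the check.
const ALLOWED_FILTERS = new Set(['name', 'status']);

// Returns the validated filter name, or null for anything not on the allowlist
// (including non-string values such as repeated query parameters parsed as arrays).
function validateFilter(value) {
  return typeof value === 'string' && ALLOWED_FILTERS.has(value) ? value : null;
}

// Constructed inventory standing in for a data store.
const ITEMS = [
  { name: 'alpha', status: 'active' },
  { name: 'beta', status: 'disabled' },
];

// Route handler. The request value is only ever used as a property key and a
// comparison operand; no string from the request is passed to eval, new Function
// or a template engine. res.send(code, body) matches Restify's signature.
function listItems(req, res, next) {
  const filter = validateFilter(req.query.filter);
  if (filter === null) {
    res.send(400, { code: 'BadRequest', message: 'Invalid filter' });
    return next(false); // next(false) stops the handler chain in Restify
  }
  const value = typeof req.query.value === 'string' ? req.query.value : '';
  res.send(200, ITEMS.filter((item) => item[filter] === value));
  return next();
}

// Shape a caught error for the client. The stack and internal message are
// written to the server log; the client receives a stable code, a generic
// message and a request id, which is all a caller needs to report the problem.
function sanitizeError(err, requestId, log = console.error) {
  log(`[${requestId}] ${err.name}: ${err.message}\n${err.stack}`);
  const clientFault = Number.isInteger(err.statusCode) && err.statusCode >= 400 && err.statusCode < 500;
  return {
    statusCode: clientFault ? err.statusCode : 500,
    body: {
      code: clientFault ? err.name : 'InternalError',
      message: clientFault ? err.message : 'An internal error occurred',
      requestId,
    },
  };
}

// Minimal stand-in for a Restify response object, recording what was sent.
function fakeResponse() {
  const res = { statusCode: null, body: null };
  res.send = (code, body) => { res.statusCode = code; res.body = body; };
  return res;
}

// Drive the handler with a constructed query object and return the response.
function run(query) {
  const res = fakeResponse();
  listItems({ query }, res, () => {});
  return res;
}

console.log(run({ filter: 'status', value: 'active' }));   // 200, [{ name: 'alpha', ... }]
console.log(run({ filter: 'constructor', value: 'x' }));   // 400, Invalid filter
console.log(sanitizeError(new Error('ECONNREFUSED 10.0.0.5:5432'), 'req-42', () => {}));
```

Two design points carry the weight here. First, the allowlist is a Set rather than an object, so inherited properties such as constructor or __proto__ cannot slip through the membership test, and non-string values are rejected before any lookup. Second, sanitizeError splits what is logged from what is returned: a 4xx error raised by validation keeps its own name and message because they describe the caller's mistake, while everything else collapses to a fixed InternalError body with a request id, so connection strings, file paths and stack frames never leave the process.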

Frequently Asked Questions

What is CWE-209?
CWE-209 is the Common Weakness Enumeration identifier for improper neutralization of dynamic tags in output that is later processed by an expression language. In Node.js/Restify applications this can lead to expression language injection, allowing attackers to execute arbitrary code when user input reaches an evaluator such as eval or a templating engine.
How can I test my Restify API for CWE-209?
Use middleBrick to scan your API endpoint. The CLI command middlebrick scan <url> performs a black‑box test that looks for expression evaluation patterns that incorporate unsanitized request data. The resulting report includes findings, severity ratings, and remediation guidance.