Server Side Template Injection in Loopback with Hmac Signatures
Server Side Template Injection in Loopback with Hmac Signatures — how this specific combination creates or exposes the vulnerability
Server Side Template Injection (SSTI) in Loopback applications that use Hmac Signatures for request integrity can occur when user-controlled data is incorporated into templates or serialization logic that later evaluates expressions. Loopback models often serialize objects to JSON and sign them with an Hmac to ensure integrity between client and server. If an attacker can inject template code or expression language into a model property that is included in the signed payload, they may be able to influence server-side behavior when the template is rendered or deserialized.
Consider a scenario where an API accepts user input that is embedded in a Handlebars-like template stored on the server and included in a response that is Hmac-signed. The signature ensures that the payload has not been tampered with, but it does not protect against malicious template content supplied by the attacker. For example, an attacker may submit a payload such as {{this.constructor.constructor('return process')()}} into a field that is later rendered by a vulnerable template engine. When the server processes the signed payload, the injected template code executes in the context of the server runtime, potentially exposing environment variables or enabling further attacks.
The combination of Hmac Signatures and SSTI is particularly dangerous because the signature may give developers a false sense of integrity. The signature verifies that the payload matches what the server generated, but if the server itself processes attacker-supplied template content, the integrity check does not prevent code execution. This can lead to unauthorized access to sensitive data, remote code execution, or privilege escalation depending on the server environment.
In Loopback, models that include computed or transformed fields may use template functions to format values before signing. If these functions do not properly sanitize inputs, an attacker may manipulate the template syntax through crafted input. For instance, an attacker might send a request with a modified JSON payload where a string field contains embedded template directives. Upon deserialization and template rendering, those directives execute on the server, bypassing intended access controls.
Real-world exploitation patterns mirror known CVEs affecting template engines integrated with signed payloads. Attackers probe endpoints that accept structured data, then attempt to inject executable expressions into fields that are later processed by server-side rendering logic. Because the Hmac Signature validates the entire payload, the server may trust the content and execute the injected template, leading to unintended behavior.
Hmac Signatures-Specific Remediation in Loopback — concrete code fixes
To mitigate SSTI in Loopback when using Hmac Signatures, ensure that user input is never directly embedded in executable templates or evaluation contexts. Validate and sanitize all incoming data, and avoid dynamic template rendering of user-controlled content. Below are concrete remediation steps with code examples.
1. Validate and escape all user input
Before including any user data in a model or template context, validate its type and escape special characters. Use strict allowlists for expected formats.
const escapeHtml = (str) => {
if (typeof str !== 'string') return str;
return str.replace(/[<>"'&/=]/g, (char) => {
const escapeMap = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": ''',
'/': '/',
'=': '='
};
return escapeMap[char];
});
};
const safeData = {
username: escapeHtml(req.body.username),
displayName: escapeHtml(req.body.displayName)
};
2. Use strict model validation rules
Define Loopback model properties with strict validation to reject unexpected types or patterns that could carry template syntax.
const User = require('./user');
User.validatesPropertiesOfModel('username', {
type: 'string',
required: true,
length: { min: 3, max: 64 },
matches: /^[a-zA-Z0-9_\-\.]+$/,
message: 'Username contains invalid characters'
});
3. Avoid dynamic template evaluation with user data
Do not use functions like eval, Function constructor, or template engines that execute code on user input. If templating is required, use a sandboxed context with a whitelist of safe helpers.
const handlebars = require('handlebars');
// Safe: only use predefined helpers, no eval of user input
const templateSource = 'Welcome, {{username}}';
const template = handlebars.compile(templateSource);
const context = {
username: safeData.username
};
const result = template(context);
4. Sign only necessary data, and verify before use
When using Hmac Signatures, sign a canonical representation of trusted server-generated data only. Verify the signature before processing, and do not incorporate unverified data into execution paths.
const crypto = require('crypto');
function generateHmac(payload, secret) {
return crypto.createHmac('sha256', secret).update(JSON.stringify(payload)).digest('hex');
}
function verifyHmac(payload, receivedSignature, secret) {
const expected = generateHmac(payload, secret);
return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(receivedSignature));
}
// Example usage
const payload = { action: 'updateProfile', timestamp: Date.now() };
const signature = generateHmac(payload, process.env.HMAC_SECRET);
// Later, verify before use
if (!verifyHmac(payload, req.headers['x-hmac-signature'], process.env.HMAC_SECRET)) {
throw new Error('Invalid signature');
}
5. Enforce least privilege and isolate template rendering
Run template rendering in a restricted context with minimal access. Avoid giving templates access to global objects or sensitive modules.
const { createContext, runInContext } = require('vm');
const context = createContext({ console, JSON });
// Provide only safe globals
runInContext('username = "safeUser"; result = JSON.stringify(username);', context);