JS: Delete old query and update qhelp

Author: asgerf

javascript/ql/src/Security/CWE-094/CodeInjection.qhelp

@@ -32,6 +32,23 @@ for example, steal cookies containing session information.
 <sample src="examples/CodeInjection.js" />
 </example>
 
+<example>
+<p>
+The following example shows a Pug template being constructed from user input, allowing attackers to run
+arbitrary code via a payload such as <code>#{global.process.exit(1)}</code>.
+</p>
+
+<sample src="examples/ServerSideTemplateInjection.js" />
+
+<p>
+Below is an example of how to use a template engine without any risk of template injection.
+The user input is included via an interpolation expression <code>#{username}</code> whose value is provided
+as an option to the template, instead of being part of the template string itself:
+</p>
+
+<sample src="examples/ServerSideTemplateInjectionSafe.js" />
+</example>
+
 <references>
 <li>
 OWASP:
@@ -40,5 +57,13 @@ OWASP:
 <li>
 Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection">Code Injection</a>.
 </li>
+<li>
+OWASP:
+<a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection">Server Side Template Injection</a>.
+</li>
+<li>
+PortSwigger Research Blog:
+<a href="https://portswigger.net/research/server-side-template-injection">Server-Side Template Injection</a>.
+</li>
 </references>
 </qhelp>

javascript/ql/src/Security/CWE-094/examples/ServerSideTemplateInjection.js

@@ -0,0 +1,20 @@
+const express = require('express')
+var pug = require('pug');
+const app = express()
+
+app.post('/', (req, res) => {
+    var input = req.query.username;
+    var template = `
+doctype
+html
+head
+    title= 'Hello world'
+body
+    form(action='/' method='post')
+        input#name.form-control(type='text)
+        button.btn.btn-primary(type='submit') Submit
+    p Hello `+ input
+    var fn = pug.compile(template);
+    var html = fn();
+    res.send(html);
+})

javascript/ql/src/Security/CWE-094/examples/ServerSideTemplateInjectionSafe.js

@@ -0,0 +1,20 @@
+const express = require('express')
+var pug = require('pug');
+const app = express()
+
+app.post('/', (req, res) => {
+    var input = req.query.username;
+    var template = `
+doctype
+html
+head
+    title= 'Hello world'
+body
+    form(action='/' method='post')
+        input#name.form-control(type='text)
+        button.btn.btn-primary(type='submit') Submit
+    p Hello #{username}`
+    var fn = pug.compile(template);
+    var html = fn({username: input});
+    res.send(html);
+})