Vulnerable templating

gistfile1.txt

// PHP
`if (isset($_GET['language'])) {
    include($_GET['language']);
}`

// NodeJS
`if(req.query.language) {
    fs.readFile(path.join(__dirname, req.query.language), function (err, data) {
    res.write(data);
});
}`

// JS
`app.get("/about/:language", function(req, res) {
    res.render(/${req.params.language}/about.html);
});`

// C#
`@if (!string.IsNullOrEmpty(HttpContext.Request.Query['language'])) {
    <% Response.WriteFile("<% HttpContext.Request.Query['language'] %>"); %>
}`
or
`@Html.Partial(HttpContext.Request.Query['language'])`
or
`<!--#include file="<% HttpContext.Request.Query['language'] %>"-->`


| **Function** | **Read Content** | **Execute** | **Remote URL** |
| --- | --- | --- | --- |
| **PHP** |  |  |  |
| `include()`/`include_once()` | ✅ | ✅ | ✅ |
| `require()`/`require_once()` | ✅ | ✅ | ❌ |
| `file_get_contents()` | ✅ | ❌ | ✅ |
| `fopen()`/`file()` | ✅ | ❌ | ❌ |
| **NodeJS** |  |  |  |
| `fs.readFile()` | ✅ | ❌ | ❌ |
| `fs.sendFile()` | ✅ | ❌ | ❌ |
| `res.render()` | ✅ | ✅ | ❌ |
| **Java** |  |  |  |
| `include` | ✅ | ❌ | ❌ |
| `import` | ✅ | ✅ | ✅ |
| **.NET** |  |  |  |
| `@Html.Partial()` | ✅ | ❌ | ❌ |
| `@Html.RemotePartial()` | ✅ | ❌ | ✅ |
| `Response.WriteFile()` | ✅ | ❌ | ❌ |
| `include` | ✅ | ✅ | ✅ |