Skip to content

Instantly share code, notes, and snippets.

@minusworld

minusworld/node-js-taint-rules.yaml

Created August 23, 2022 17:33
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save minusworld/c7442a0b3dd51759c8a95bbb9395eb73 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save minusworld/c7442a0b3dd51759c8a95bbb9395eb73 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
node-js-taint-rules.yaml
rules:
- id: detect-child-process
metadata:
cwe:
"CWE-78: Improper Neutralization of Special Elements used in an OS Command
('OS Command Injection')"
owasp:
- A03:2021 - Injection
- A01:2017 - Injection
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions
source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js
category: security
technology:
- javascript
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
message: >-
Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is
user controllable, where possible avoid calls to child_process,
if it is needed ensure user input is correctly sanitized or sandboxed.
mode: taint
pattern-sources:
- patterns:
- pattern-inside: |
function ... (...,$FUNC,...) {
...
}
- focus-metavariable: $FUNC
pattern-sinks:
- patterns:
- pattern-either:
- pattern-inside: |
$CP = require('child_process')
...
- pattern-inside: |
import * as $CP from 'child_process'
...
- pattern-inside: |
import $CP from 'child_process'
...
- pattern-either:
- pattern: $CP.exec($CMD,...)
- pattern: $CP.execSync($CMD,...)
- pattern: $CP.spawn($CMD,...)
- pattern: $CP.spawnSync($CMD,...)
- pattern-not-inside: $CP.$EXEC("...",...)
- pattern-not-inside: $CP.$EXEC(["...",...],...)
- pattern-not-inside: |
$CMD = "..."
...
- pattern-not-inside: |
$CMD = ["...",...]
...
- focus-metavariable: $CMD
- patterns:
- pattern-either:
- pattern: child_process.exec($CMD,...)
- pattern: child_process.execSync($CMD,...)
- pattern: child_process.spawn($CMD,...)
- pattern: child_process.spawnSync($CMD,...)
- pattern-not-inside: child_process.$EXEC("...",...)
- pattern-not-inside: child_process.$EXEC(["...",...],...)
- pattern-not-inside: |
$CMD = "..."
...
- pattern-not-inside: |
$CMD = ["...",...]
...
- focus-metavariable: $CMD
severity: ERROR
languages:
- javascript
- typescript
- id: detect-eval-with-expression
metadata:
cwe:
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
Code ('Eval Injection')"
owasp:
- A03:2021 - Injection
- A07:2017 - Cross-Site Scripting (XSS)
source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-eval-with-expression.js
references:
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!
category: security
technology:
- javascript
message: >-
Detected use of dynamic execution of JavaScript which may come from
user-input, which can lead to Cross-Site-Scripting (XSS). Where possible
avoid including user-input in functions which dynamically execute user-input.
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- pattern-inside: |
$PROP = new URLSearchParams($WINDOW. ... .location.search).get('...')
...
- pattern-inside: |
$PROP = new URLSearchParams(location.search).get('...')
...
- pattern-inside: |
$PROP = new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...')
...
- pattern-inside: |
$PROP = new URLSearchParams(location.hash.substring(1)).get('...')
...
- focus-metavariable: $PROP
- patterns:
- pattern-either:
- pattern-inside: |
$PROPS = new URLSearchParams($WINDOW. ... .location.search)
...
- pattern-inside: |
$PROPS = new URLSearchParams(location.search)
...
- pattern-inside: |
$PROPS = new
URLSearchParams($WINDOW. ... .location.hash.substring(1))
...
- pattern-inside: |
$PROPS = new URLSearchParams(location.hash.substring(1))
...
- pattern: $PROPS.get('...')
- focus-metavariable: $PROPS
- patterns:
- pattern-either:
- pattern: location.href
- pattern: location.hash
- pattern: location.search
- pattern: $WINDOW. ... .location.href
- pattern: $WINDOW. ... .location.hash
- pattern: $WINDOW. ... .location.search
pattern-sinks:
- patterns:
- pattern-either:
- pattern: eval(<... $SINK ...>)
- pattern: window.eval(<... $SINK ...>)
- pattern: new Function(<... $SINK ...>)
- pattern: new Function(<... $SINK ...>)(...)
- pattern: setTimeout(<... $SINK ...>,...)
- pattern: setInterval(<... $SINK ...>,...)
- focus-metavariable: $SINK
pattern-sanitizers:
- patterns:
- pattern-either:
- pattern: location.href = $FUNC(...)
- pattern: location.hash = $FUNC(...)
- pattern: location.search = $FUNC(...)
- pattern: $WINDOW. ... .location.href = $FUNC(...)
- pattern: $WINDOW. ... .location.hash = $FUNC(...)
- pattern: $WINDOW. ... .location.search = $FUNC(...)
severity: WARNING
languages:
- javascript
- typescript
- id: unsafe-formatstring
mode: taint
languages:
- javascript
- typescript
metadata:
owasp: "A1: Injection"
cwe: "CWE-134: Use of Externally-Controlled Format String"
category: security
technology:
- javascript
message: >-
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects
a format specifier in the string, it will forge the log message. Try to use constant values for the format string.
severity: WARNING
pattern-sinks:
- patterns:
- pattern: $STR
- pattern-either:
- pattern-inside: |
console.$LOG($STR,$PARAM,...)
- patterns:
- pattern-inside: |
$UTIL = require('util')
...
- pattern-inside: |
$UTIL.format($STR,$PARAM,...)
pattern-sources:
- patterns:
- pattern-either:
- pattern: $X + $Y
- pattern: $X.concat($Y)
- pattern: |
`...${...}...`
- pattern-not: |
"..." + "..."
- pattern-not: |
$X.concat("...")
- id: detect-non-literal-fs-filename
mode: taint
pattern-sources:
- patterns:
- pattern-inside: function ... (..., $ARG,...) {...}
- focus-metavariable: $ARG
pattern-sinks:
- patterns:
- pattern-either:
- pattern-inside: |
$FS = require('fs')
...
- pattern-inside: |
$FS = require('fs/promises')
...
- pattern-inside: |
import * as $FS from 'fs'
...
- pattern-inside: |
import $FS from 'fs'
...
- pattern-inside: |
import * as $FS from 'fs/promises'
...
- pattern-inside: |
import $FS from 'fs/promises'
...
- pattern-not: $FS. ... .$METHOD("...", ...)
- pattern-either:
- pattern: $FS. ... .access($FILE,...)
- pattern: $FS. ... .appendFile($FILE,...)
- pattern: $FS. ... .chmod($FILE,...)
- pattern: $FS. ... .chown($FILE,...)
- pattern: $FS. ... .close($FILE,...)
- pattern: $FS. ... .copyFile($FILE,...)
- pattern: $FS. ... .copyFile($SMTH, $FILE,...)
- pattern: $FS. ... .cp($FILE, ...)
- pattern: $FS. ... .cp($SMTH, $FILE, ...)
- pattern: $FS. ... .createReadStream($FILE,...)
- pattern: $FS. ... .createWriteStream($FILE,...)
- pattern: $FS. ... .exists($FILE, ...)
- pattern: $FS. ... .fchmod($FILE, ...)
- pattern: $FS. ... .fchown($FILE, ...)
- pattern: $FS. ... .fdatasync($FILE, ...)
- pattern: $FS. ... .fstat($FILE, ...)
- pattern: $FS. ... .fsync($FILE, ...)
- pattern: $FS. ... .ftruncate($FILE, ...)
- pattern: $FS. ... .futimes($FILE, ...)
- pattern: $FS. ... .lchmod($FILE, ...)
- pattern: $FS. ... .lchown($FILE, ...)
- pattern: $FS. ... .lutimes($FILE, ...)
- pattern: $FS. ... .link($FILE, ...)
- pattern: $FS. ... .link($SMTH, $FILE, ...)
- pattern: $FS. ... .lstat($FILE, ...)
- pattern: $FS. ... .mkdir($FILE, ...)
- pattern: $FS. ... .mkdtemp($FILE, ...)
- pattern: $FS. ... .open($FILE, ...)
- pattern: $FS. ... .opendir($FILE, ...)
- pattern: $FS. ... .read($FILE, ...)
- pattern: $FS. ... .read($FILE, ...)
- pattern: $FS. ... .readdir($FILE, ...)
- pattern: $FS. ... .readFile($FILE, ...)
- pattern: $FS. ... .readlink($FILE, ...)
- pattern: $FS. ... .readv($FILE, ...)
- pattern: $FS. ... .realpath($FILE, ...)
- pattern: $FS. ... .realpath.native($FILE, ...)
- pattern: $FS. ... .rename($FILE, ...)
- pattern: $FS. ... .rename($SMTH, $FILE, ...)
- pattern: $FS. ... .rmdir($FILE, ...)
- pattern: $FS. ... .rm($FILE, ...)
- pattern: $FS. ... .stat($FILE, ...)
- pattern: $FS. ... .symlink($SMTH, $FILE, ...)
- pattern: $FS. ... .symlink($FILE, ...)
- pattern: $FS. ... .truncate($FILE, ...)
- pattern: $FS. ... .unlink($FILE, ...)
- pattern: $FS. ... .unwatchFile($FILE, ...)
- pattern: $FS. ... .utimes($FILE, ...)
- pattern: $FS. ... .watch($FILE, ...)
- pattern: $FS. ... .watchFile($FILE, ...)
- pattern: $FS. ... .write($FILE, ...)
- pattern: $FS. ... .writeFile($FILE, ...)
- pattern: $FS. ... .writev($FILE, ...)
- pattern: $FS. ... .accessSync($FILE, ...)
- pattern: $FS. ... .appendFileSync($FILE, ...)
- pattern: $FS. ... .chmodSync($FILE, ...)
- pattern: $FS. ... .chownSync($FILE, ...)
- pattern: $FS. ... .closeSync($FILE, ...)
- pattern: $FS. ... .copyFileSync($FILE, ...)
- pattern: $FS. ... .copyFileSync($SMTH, $FILE, ...)
- pattern: $FS. ... .cpSync($FILE, ...)
- pattern: $FS. ... .cpSync($SMTH, $FILE, ...)
- pattern: $FS. ... .existsSync($FILE, ...)
- pattern: $FS. ... .fchmodSync($FILE, ...)
- pattern: $FS. ... .fchownSync($FILE, ...)
- pattern: $FS. ... .fdatasyncSync($FILE, ...)
- pattern: $FS. ... .fstatSync($FILE, ...)
- pattern: $FS. ... .fsyncSync($FILE, ...)
- pattern: $FS. ... .ftruncateSync($FILE, ...)
- pattern: $FS. ... .futimesSync($FILE, ...)
- pattern: $FS. ... .lchmodSync($FILE, ...)
- pattern: $FS. ... .lchownSync($FILE, ...)
- pattern: $FS. ... .lutimesSync($FILE, ...)
- pattern: $FS. ... .linkSync($FILE, ...)
- pattern: $FS. ... .linkSync($SMTH, $FILE, ...)
- pattern: $FS. ... .lstatSync($FILE, ...)
- pattern: $FS. ... .mkdirSync($FILE, ...)
- pattern: $FS. ... .mkdtempSync($FILE, ...)
- pattern: $FS. ... .opendirSync($FILE, ...)
- pattern: $FS. ... .openSync($FILE, ...)
- pattern: $FS. ... .readdirSync($FILE, ...)
- pattern: $FS. ... .readFileSync($FILE, ...)
- pattern: $FS. ... .readlinkSync($FILE, ...)
- pattern: $FS. ... .readSync($FILE, ...)
- pattern: $FS. ... .readSync($FILE, ...)
- pattern: $FS. ... .readvSync($FILE, ...)
- pattern: $FS. ... .realpathync($FILE, ...)
- pattern: $FS. ... .realpathSync.native($FILE, ...)
- pattern: $FS. ... .renameSync($FILE, ...)
- pattern: $FS. ... .renameSync($SMTH, $FILE, ...)
- pattern: $FS. ... .rmdirSync($FILE, ...)
- pattern: $FS. ... .rmSync($FILE, ...)
- pattern: $FS. ... .statSync($FILE, ...)
- pattern: $FS. ... .symlinkSync($FILE, ...)
- pattern: $FS. ... .symlinkSync($SMTH, $FILE, ...)
- pattern: $FS. ... .truncateSync($FILE, ...)
- pattern: $FS. ... .unlinkSync($FILE, ...)
- pattern: $FS. ... .utimesSync($FILE, ...)
- pattern: $FS. ... .writeFileSync($FILE, ...)
- pattern: $FS. ... .writeSync($FILE, ...)
- pattern: $FS. ... .writevSync($FILE, ...)
- focus-metavariable: $FILE
- patterns:
- pattern-either:
- pattern-inside: |
import 'fs'
...
- pattern-inside: |
import 'fs/promises'
...
- pattern-not: $METHOD("...", ...)
- pattern-either:
- pattern: access($FILE,...)
- pattern: appendFile($FILE,...)
- pattern: chmod($FILE,...)
- pattern: chown($FILE,...)
- pattern: close($FILE,...)
- pattern: copyFile($FILE,...)
- pattern: copyFile($SMTH, $FILE,...)
- pattern: cp($FILE, ...)
- pattern: cp($SMTH, $FILE, ...)
- pattern: createReadStream($FILE,...)
- pattern: createWriteStream($FILE,...)
- pattern: exists($FILE, ...)
- pattern: fchmod($FILE, ...)
- pattern: fchown($FILE, ...)
- pattern: fdatasync($FILE, ...)
- pattern: fstat($FILE, ...)
- pattern: fsync($FILE, ...)
- pattern: ftruncate($FILE, ...)
- pattern: futimes($FILE, ...)
- pattern: lchmod($FILE, ...)
- pattern: lchown($FILE, ...)
- pattern: lutimes($FILE, ...)
- pattern: link($FILE, ...)
- pattern: link($SMTH, $FILE, ...)
- pattern: lstat($FILE, ...)
- pattern: mkdir($FILE, ...)
- pattern: mkdtemp($FILE, ...)
- pattern: open($FILE, ...)
- pattern: opendir($FILE, ...)
- pattern: read($FILE, ...)
- pattern: read($FILE, ...)
- pattern: readdir($FILE, ...)
- pattern: readFile($FILE, ...)
- pattern: readlink($FILE, ...)
- pattern: readv($FILE, ...)
- pattern: realpath($FILE, ...)
- pattern: realpath.native($FILE, ...)
- pattern: rename($FILE, ...)
- pattern: rename($SMTH, $FILE, ...)
- pattern: rmdir($FILE, ...)
- pattern: rm($FILE, ...)
- pattern: stat($FILE, ...)
- pattern: symlink($SMTH, $FILE, ...)
- pattern: symlink($FILE, ...)
- pattern: truncate($FILE, ...)
- pattern: unlink($FILE, ...)
- pattern: unwatchFile($FILE, ...)
- pattern: utimes($FILE, ...)
- pattern: watch($FILE, ...)
- pattern: watchFile($FILE, ...)
- pattern: write($FILE, ...)
- pattern: writeFile($FILE, ...)
- pattern: writev($FILE, ...)
- pattern: accessSync($FILE, ...)
- pattern: appendFileSync($FILE, ...)
- pattern: chmodSync($FILE, ...)
- pattern: chownSync($FILE, ...)
- pattern: closeSync($FILE, ...)
- pattern: copyFileSync($FILE, ...)
- pattern: copyFileSync($SMTH, $FILE, ...)
- pattern: cpSync($FILE, ...)
- pattern: cpSync($SMTH, $FILE, ...)
- pattern: existsSync($FILE, ...)
- pattern: fchmodSync($FILE, ...)
- pattern: fchownSync($FILE, ...)
- pattern: fdatasyncSync($FILE, ...)
- pattern: fstatSync($FILE, ...)
- pattern: fsyncSync($FILE, ...)
- pattern: ftruncateSync($FILE, ...)
- pattern: futimesSync($FILE, ...)
- pattern: lchmodSync($FILE, ...)
- pattern: lchownSync($FILE, ...)
- pattern: lutimesSync($FILE, ...)
- pattern: linkSync($FILE, ...)
- pattern: linkSync($SMTH, $FILE, ...)
- pattern: lstatSync($FILE, ...)
- pattern: mkdirSync($FILE, ...)
- pattern: mkdtempSync($FILE, ...)
- pattern: opendirSync($FILE, ...)
- pattern: openSync($FILE, ...)
- pattern: readdirSync($FILE, ...)
- pattern: readFileSync($FILE, ...)
- pattern: readlinkSync($FILE, ...)
- pattern: readSync($FILE, ...)
- pattern: readSync($FILE, ...)
- pattern: readvSync($FILE, ...)
- pattern: realpathync($FILE, ...)
- pattern: realpathSync.native($FILE, ...)
- pattern: renameSync($FILE, ...)
- pattern: renameSync($SMTH, $FILE, ...)
- pattern: rmdirSync($FILE, ...)
- pattern: rmSync($FILE, ...)
- pattern: statSync($FILE, ...)
- pattern: symlinkSync($FILE, ...)
- pattern: symlinkSync($SMTH, $FILE, ...)
- pattern: truncateSync($FILE, ...)
- pattern: unlinkSync($FILE, ...)
- pattern: utimesSync($FILE, ...)
- pattern: writeFileSync($FILE, ...)
- pattern: writeSync($FILE, ...)
- pattern: writevSync($FILE, ...)
- focus-metavariable: $FILE
message: >-
Detected function `$ARG` enter fs module. An attacker could
potentially control the location of this file, to include going
backwards in the directory with '../'. To address this,
ensure that user-controlled variables in file paths are validated.
languages:
- typescript
- javascript
severity: WARNING
metadata:
cwe:
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal')"
references:
- https://owasp.org/www-community/attacks/Path_Traversal
owasp:
- A01:2021 - Broken Access Control
- A05:2017 - Broken Access Control
source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-fs-filename.js
category: security
technology:
- typescript
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
- id: detect-non-literal-regexp
mode: taint
pattern-sources:
- patterns:
- pattern-inside: |
function ... (...,$ARG,...) {...}
- focus-metavariable: $ARG
pattern-sinks:
- patterns:
- pattern-either:
- pattern: new RegExp($ARG, ...)
- pattern: RegExp($ARG, ...)
- pattern-not: RegExp("...", ...)
- pattern-not: new RegExp("...", ...)
- pattern-not: RegExp(/.../, ...)
- pattern-not: new RegExp(/.../, ...)
message: >-
RegExp() called with a `$ARG` function argument, this might
allow an attacker to cause a Denial of Service (DoS)
within your application as RegExP which blocks the main thread.
languages:
- javascript
- typescript
severity: WARNING
metadata:
owasp:
- "A05:2021 - Security Misconfiguration"
- "A06:2017 - Security Misconfiguration"
cwe: "CWE-185: Incorrect Regular Expression"
references:
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js
category: security
technology:
- javascript
- id: path-join-resolve-traversal
mode: taint
pattern-sources:
- patterns:
- pattern: $X
- pattern-either:
- pattern-inside: |
function ... (...,$X,...) {...}
- pattern-inside: |
function ... (...,{...,$X,...},...) {...}
pattern-sinks:
- patterns:
- pattern: $SINK
- pattern-either:
- pattern-inside: |
$PATH = require('path');
...
- pattern-inside: |
import $PATH from 'path';
...
- pattern-either:
- pattern-inside: $PATH.join(...,$SINK,...)
- pattern-inside: $PATH.resolve(...,$SINK,...)
- patterns:
- pattern: $SINK
- pattern-inside: |
import 'path';
...
- pattern-either:
- pattern-inside: path.join(...,$SINK,...)
- pattern-inside: path.resolve(...,$SINK,...)
pattern-sanitizers:
- pattern: $Y.replace(...)
- pattern: $Y.indexOf(...)
- pattern: |
function ... (...) {
...
<... $Y.indexOf(...) ...>
...
}
- patterns:
- pattern: $FUNC(...)
- metavariable-regex:
metavariable: $FUNC
regex: sanitize
message: >-
Possible writing/reading outside of the destination,
make sure that the target path is nested in the intended destination.
languages:
- javascript
- typescript
metadata:
owasp: "A01:2021 - Broken Access Control"
cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
category: security
references:
- https://owasp.org/www-community/attacks/Path_Traversal
technology:
- javascript
- node.js
severity: WARNING
- id: md5-used-as-password
languages: [javascript]
severity: WARNING
message: >-
It looks like MD5 is used as a password hash. MD5 is not considered a
secure password hash because it can be cracked by an attacker in a short
amount of time. Use a suitable password hashing function such as bcrypt.
You can use the `bcrypt` node.js package.
metadata:
category: security
technology:
- crypto
- md5
references:
- https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html
- https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
- https://github.com/returntocorp/semgrep-rules/issues/1609
- https://www.npmjs.com/package/bcrypt
owasp:
- A02:2017 - Broken Authentication
- A02:2021 - Cryptographic Failures
cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
mode: taint
pattern-sources:
- pattern: $CRYPTO.createHash("md5")
pattern-sinks:
- patterns:
- pattern: $FUNCTION(...);
- metavariable-regex:
metavariable: $FUNCTION
regex: (?i)(.*password.*)
- id: code-string-concat
message: >-
Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.
languages:
- javascript
- typescript
severity: WARNING
metadata:
confidence: HIGH
owasp:
- "A01:2017 - Injection"
- "A03:2021 - Injection"
cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
references:
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
- https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback
- https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/
- https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html
category: security
technology:
- node.js
- Express
- Next.js
mode: taint
pattern-sources:
- pattern-either:
- patterns:
- pattern-either:
- pattern-inside: function ... ($REQ, $RES) {...}
- pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
- patterns:
- pattern-either:
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
- metavariable-regex:
metavariable: $METHOD
regex: ^(get|post|put|head|delete|options)$
- pattern-either:
- pattern: $REQ.query
- pattern: $REQ.body
- pattern: $REQ.params
- pattern: $REQ.cookies
- pattern: $REQ.headers
- patterns:
- pattern-either:
- pattern-inside: |
import { ...,$IMPORT,... } from 'next/router'
...
- pattern-inside: |
import $IMPORT from 'next/router';
...
- pattern-either:
- patterns:
- pattern-inside: |
$ROUTER = $IMPORT()
...
- pattern-either:
- pattern-inside: |
const { ...,$PROPS,... } = $ROUTER.query
...
- pattern-inside: |
var { ...,$PROPS,... } = $ROUTER.query
...
- pattern-inside: |
let { ...,$PROPS,... } = $ROUTER.query
...
- focus-metavariable: $PROPS
- patterns:
- pattern-inside: |
$ROUTER = $IMPORT()
...
- pattern: |
$ROUTER.query.$VALUE
- patterns:
- pattern: $IMPORT().query.$VALUE
pattern-sinks:
- patterns:
- pattern: |
eval(...)
- id: node-mysql-sqli
severity: WARNING
message: >-
Detected a `$IMPORT` SQL statement that comes from a function argument.
This could lead to SQL injection if the variable is user-controlled and is not
properly sanitized. In order to prevent SQL injection, it is recommended to
use parameterized queries or prepared statements.
languages:
- javascript
- typescript
mode: taint
metadata:
references:
- https://www.npmjs.com/package/mysql2
- https://www.npmjs.com/package/mysql
- https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
category: security
owasp:
- A03:2021 - Injection
- A01:2017 - Injection
cwe:
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection')"
confidence: LOW
technology:
- mysql
- mysql2
- javascript
- nodejs
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
pattern-sources:
- patterns:
- pattern-inside: function ... (..., $Y,...) {...}
- pattern: $Y
- pattern-not-inside: |
function ... (..., $Y: number,...) {...}
- pattern-not-inside: $Y.query
- pattern-not-inside: $Y.body
- pattern-not-inside: $Y.params
- pattern-not-inside: $Y.cookies
- pattern-not-inside: $Y.headers
pattern-sinks:
- patterns:
- focus-metavariable: $QUERY
- pattern-either:
- pattern-inside: $POOL.query($QUERY, ...)
- pattern-inside: $POOL.execute($QUERY, ...)
- pattern-either:
- pattern-inside: |
import $S from "$IMPORT"
...
- pattern-inside: |
import { ... } from "$IMPORT"
...
- pattern-inside: |
import * as $S from "$IMPORT"
...
- pattern-inside: |
require("$IMPORT")
...
- metavariable-regex:
metavariable: $IMPORT
regex: (mysql|mysql2)
pattern-sanitizers:
- patterns:
- pattern: parseInt(...)
- id: node-knex-sqli
severity: WARNING
message: >-
Detected SQL statement that is tainted by `$REQ` object. This could
lead to SQL injection if the variable is user-controlled and not properly
sanitized. In order to prevent SQL injection, it is recommended to
use parameterized queries or prepared statements. An example of
parameterized queries like so: `knex.raw('SELECT $1 from table',
[userinput])` can help prevent SQLi.
languages:
- javascript
- typescript
mode: taint
metadata:
confidence: MEDIUM
references:
- https://knexjs.org/#Builder-fromRaw
- https://knexjs.org/#Builder-whereRaw
- https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
category: security
owasp:
- A03:2021 - Injection
- A01:2017 - Injection
cwe:
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection')"
technology:
- express
- nodejs
- knex
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
pattern-sources:
- patterns:
- pattern-either:
- pattern-inside: function ... ($REQ, $RES) {...}
- pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
- patterns:
- pattern-either:
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
- metavariable-regex:
metavariable: $METHOD
regex: ^(get|post|put|head|delete|options)
- pattern-either:
- pattern: $REQ.query
- pattern: $REQ.body
- pattern: $REQ.params
- pattern: $REQ.cookies
- pattern: $REQ.headers
- patterns:
- pattern-either:
- pattern-inside: >
({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
{...}
- pattern-inside: |
({ $REQ }: Request,$RES: Response) => {...}
- focus-metavariable: $REQ
- pattern-either:
- pattern: params
- pattern: query
- pattern: cookies
- pattern: headers
- pattern: body
pattern-sinks:
- patterns:
- focus-metavariable: $QUERY
- pattern-either:
- pattern-inside: $KNEX.fromRaw($QUERY, ...)
- pattern-inside: $KNEX.whereRaw($QUERY, ...)
- pattern-inside: $KNEX.raw($QUERY, ...)
- pattern-either:
- pattern-inside: |
require('knex')
...
- pattern-inside: |
import 'knex'
...
pattern-sanitizers:
- patterns:
- pattern: parseInt(...)
- id: insecure-object-assign
mode: taint
message: >-
Depending on the context, user control data in `Object.assign` can cause web response
to include data that it should not have or can lead to a mass assignment vulnerability.
metadata:
cwe: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
owasp: "A1: Injection"
references:
- https://nodesecroadmap.fyi/chapter-1/threat-EXF.html
- https://en.wikipedia.org/wiki/Mass_assignment_vulnerability
category: security
technology:
- javascript
languages:
- javascript
- typescript
severity: WARNING
pattern-sources:
- patterns:
- pattern: JSON.parse(...)
- pattern-not: JSON.parse("...",...)
pattern-sinks:
- pattern: Object.assign(...)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment