Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Published Rules - p0_security.direct-response-write-copy #3382

Merged
merged 5 commits into from
May 9, 2024
Merged

New Published Rules - p0_security.direct-response-write-copy #3382

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
96de3be
add p0_security/direct-response-write-copy.yaml
nbrahms May 8, 2024
964079d
add p0_security/direct-response-write-copy.jsx
nbrahms May 8, 2024
335ac43
move direct-response-write rule to xss folder
inkz May 9, 2024
2be6991
update direct-response-write metadata
inkz May 9, 2024
31ececd
Merge branch 'develop' into semgrep-live-PeodN
inkz May 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions javascript/express/security/audit/xss/direct-response-write.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,15 @@ app.get('/xss', function (req, res) {
res.write('Response</br>' + html);
});

const jsonRouter = express.Router();
jsonRouter.use(express.json());
jsonRouter.get('/noxss-json', function (req, res) {
var name = req.query.name;
// ok: direct-response-write
res.write({ name });
});
app.use(jsonRouter);

// For https://github.com/returntocorp/semgrep-rules/issues/2872
app.post(
"/:id",
Expand Down
16 changes: 10 additions & 6 deletions javascript/express/security/audit/xss/direct-response-write.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,9 @@
rules:
- id: direct-response-write
message: >-
Detected directly writing to a Response object from user-defined input. This bypasses
any HTML escaping and may expose your application to a Cross-Site-scripting
(XSS) vulnerability. Instead, use 'resp.render()' to render
safely escaped HTML.
Detected directly writing to a Response object from user-defined input.
This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting
(XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.
options:
interfile: true
metadata:
Expand All @@ -15,7 +14,8 @@ rules:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
- 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
Scripting'')'
category: security
technology:
- express
Expand All @@ -26,6 +26,9 @@ rules:
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- javascript
- typescript
Expand Down Expand Up @@ -112,6 +115,7 @@ rules:
- pattern: $RES.send($ARG)
- pattern-not: $RES. ... .set('...'). ... .send($ARG)
- pattern-not: $RES. ... .type('...'). ... .send($ARG)
- pattern-not-inside: $RES.$METHOD({ ... })
- focus-metavariable: $ARG
pattern-sanitizers:
- patterns:
Expand Down Expand Up @@ -222,7 +226,7 @@ rules:
- metavariable-regex:
metavariable: $F
regex: (?!.*text/html)
- patterns:
- patterns:
- pattern-inside: |
$X = [...];
...
Expand Down
Loading