New Published Rules - p0_security.direct-response-write-copy (#3382)

* add p0_security/direct-response-write-copy.yaml * add p0_security/direct-response-write-copy.jsx * move direct-response-write rule to xss folder * update direct-response-write metadata --------- Co-authored-by: Nathan Brahms <nbrahms@gmail.com> Co-authored-by: Vasilii <inkz@xakep.ru>
semgrep · May 9, 2024 · 4c5bd64 · 4c5bd64
1 parent 48f6e91
commit 4c5bd64
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 6 deletions.
diff --git a/javascript/express/security/audit/xss/direct-response-write.js b/javascript/express/security/audit/xss/direct-response-write.js
@@ -132,6 +132,15 @@ app.get('/xss', function (req, res) {
     res.write('Response</br>' + html);
 });
 
+const jsonRouter = express.Router();
+jsonRouter.use(express.json());
+jsonRouter.get('/noxss-json', function (req, res) {
+    var name = req.query.name;
+    // ok: direct-response-write
+    res.write({ name });
+});
+app.use(jsonRouter);
+
 // For https://github.com/returntocorp/semgrep-rules/issues/2872
 app.post(
     "/:id",

diff --git a/javascript/express/security/audit/xss/direct-response-write.yaml b/javascript/express/security/audit/xss/direct-response-write.yaml
@@ -1,10 +1,9 @@
 rules:
 - id: direct-response-write
   message: >-
-    Detected directly writing to a Response object from user-defined input. This bypasses
-    any HTML escaping and may expose your application to a Cross-Site-scripting
-    (XSS) vulnerability. Instead, use 'resp.render()' to render
-    safely escaped HTML.
+    Detected directly writing to a Response object from user-defined input.
+    This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting
+    (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.
   options:
     interfile: true
   metadata:
@@ -15,7 +14,8 @@ rules:
     - A07:2017 - Cross-Site Scripting (XSS)
     - A03:2021 - Injection
     cwe:
-    - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+    - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
+      Scripting'')'
     category: security
     technology:
     - express
@@ -26,6 +26,9 @@ rules:
     likelihood: MEDIUM
     impact: MEDIUM
     confidence: MEDIUM
+    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
+    vulnerability_class:
+    - Cross-Site-Scripting (XSS)
   languages:
   - javascript
   - typescript
@@ -112,6 +115,7 @@ rules:
       - pattern: $RES.send($ARG)
     - pattern-not: $RES. ... .set('...'). ... .send($ARG)
     - pattern-not: $RES. ... .type('...'). ... .send($ARG)
+    - pattern-not-inside: $RES.$METHOD({ ... })
     - focus-metavariable: $ARG
   pattern-sanitizers:
   - patterns:
@@ -222,7 +226,7 @@ rules:
     - metavariable-regex:
         metavariable: $F
         regex: (?!.*text/html)
-  - patterns: 
+  - patterns:
     - pattern-inside: |
         $X = [...];
         ...