From 4c5bd64dddf7164b574997b8c09532f0eba19c37 Mon Sep 17 00:00:00 2001 From: "semgrep-dev-pr-bot[bot]" <63393893+semgrep-dev-pr-bot[bot]@users.noreply.github.com> Date: Thu, 9 May 2024 03:05:44 +0000 Subject: [PATCH] New Published Rules - p0_security.direct-response-write-copy (#3382) * add p0_security/direct-response-write-copy.yaml * add p0_security/direct-response-write-copy.jsx * move direct-response-write rule to xss folder * update direct-response-write metadata --------- Co-authored-by: Nathan Brahms Co-authored-by: Vasilii
---
 .../security/audit/xss/direct-response-write.js | 9 +++++++++
 .../audit/xss/direct-response-write.yaml | 16 ++++++++++------
 2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/javascript/express/security/audit/xss/direct-response-write.js b/javascript/express/security/audit/xss/direct-response-write.js
index 3898522ff5..f0718cd16f 100644
--- a/javascript/express/security/audit/xss/direct-response-write.js
+++ b/javascript/express/security/audit/xss/direct-response-write.js
@@ -132,6 +132,15 @@ app.get('/xss', function (req, res) {
 res.write('Response
' + html);
 });
+const jsonRouter = express.Router();
+jsonRouter.use(express.json());
+jsonRouter.get('/noxss-json', function (req, res) {
+ var name = req.query.name;
+ // ok: direct-response-write
+ res.write({ name });
+});
+app.use(jsonRouter);
+
 // For https://github.com/returntocorp/semgrep-rules/issues/2872
 app.post(
 "/:id",
diff --git a/javascript/express/security/audit/xss/direct-response-write.yaml b/javascript/express/security/audit/xss/direct-response-write.yaml
index 370edab86c..25959b5687 100644
--- a/javascript/express/security/audit/xss/direct-response-write.yaml
+++ b/javascript/express/security/audit/xss/direct-response-write.yaml
@@ -1,10 +1,9 @@
 rules:
 - id: direct-response-write
 message: >-
- Detected directly writing to a Response object from user-defined input. This bypasses
- any HTML escaping and may expose your application to a Cross-Site-scripting
- (XSS) vulnerability. Instead, use 'resp.render()' to render
- safely escaped HTML.
+ Detected directly writing to a Response object from user-defined input.
+ This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting
+ (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.
 options:
 interfile: true
 metadata:
@@ -15,7 +14,8 @@ rules:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
 cwe:
- - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
+ Scripting'')'
 category: security
 technology:
 - express
@@ -26,6 +26,9 @@ rules:
 likelihood: MEDIUM
 impact: MEDIUM
 confidence: MEDIUM
+ license: Commons Clause License Condition v1.0[LGPL-2.1-only]
+ vulnerability_class:
+ - Cross-Site-Scripting (XSS)
 languages:
 - javascript
 - typescript 
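Review bot: The `// ok: direct-response-write` annotation on `res.write({ name })` is justified by the object-literal argument alone; the `jsonRouter.use(express.json())` line only parses request bodies (and the handler reads `req.query`, not `req.body`), so it contributes nothing to the response being safe and may lead readers to think the middleware is the mitigation. Node's `ServerResponse.write` accepts only strings and byte buffers, so the call as written would throw a TypeError outside a pattern fixture — `res.send({ name })` or `res.json({ name })` is the realistic JSON-response shape. The rule diff in this commit adds its object-literal exclusion under the `$RES.send($ARG)` pattern group; whether the `write` group receives the same exclusion is outside the visible hunks, so confirm the fixture passes the rule test before relying on it. I would replace the middleware line with a comment giving the actual reason: `// ok: object-literal argument is serialised as JSON, not rendered as HTML`.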
@@ -112,6 +115,7 @@ rules:
 - pattern: $RES.send($ARG)
 - pattern-not: $RES. ... .set('...'). ... .send($ARG)
 - pattern-not: $RES. ... .type('...'). ... .send($ARG)
+ - pattern-not-inside: $RES.$METHOD({ ... })
 - focus-metavariable: $ARG
 pattern-sanitizers:
 - patterns:
@@ -222,7 +226,7 @@ rules:
 - metavariable-regex:
 metavariable: $F
 regex: (?!.*text/html)
- - patterns:
+ - patterns:
 - pattern-inside: |
 $X = [...]; ...
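Review bot: `pattern-not-inside: $RES.$METHOD({ ... })` leaves `$METHOD` unconstrained, so it suppresses the `$RES.send($ARG)` finding not only for an object-literal `send` (serialised as JSON, the intended case) but for any `send` call nested inside an object literal passed to some other response method — for example a handler inside `res.format({ ... })` that does `res.send(userInput)` would no longer be reported. Use `pattern-not: $RES.send({ ... })` instead, which excludes exactly the object-literal send and nothing around it, and record the rationale next to it: `# object literals are serialised as application/json by Express, so no HTML context`. The enclosing `patterns:` group starts before this hunk; the .js fixture added in this commit exercises `res.write({ name })`, so the `write` pattern group (not visible here) needs the equivalent exclusion for that `ok` annotation to hold.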