Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Published Rules - p0_security.direct-response-write-copy #3382

Merged
merged 5 commits into from
May 9, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,15 @@ app.get('/xss', function (req, res) {
res.write('Response</br>' + html);
});

const jsonRouter = express.Router();
jsonRouter.use(express.json());
jsonRouter.get('/noxss-json', function (req, res) {
var name = req.query.name;
// ok: direct-response-write
res.write({ name });
});
app.use(jsonRouter);

// For https://github.com/returntocorp/semgrep-rules/issues/2872
app.post(
"/:id",
Expand Down
16 changes: 10 additions & 6 deletions javascript/express/security/audit/xss/direct-response-write.yaml
Original file line number Diff line number Diff line change
@@ -1,10 +1,9 @@
rules:
- id: direct-response-write
message: >-
Detected directly writing to a Response object from user-defined input. This bypasses
any HTML escaping and may expose your application to a Cross-Site-scripting
(XSS) vulnerability. Instead, use 'resp.render()' to render
safely escaped HTML.
Detected directly writing to a Response object from user-defined input.
This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting
(XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.
options:
interfile: true
metadata:
Expand All @@ -15,7 +14,8 @@ rules:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
- 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site
Scripting'')'
category: security
technology:
- express
Expand All @@ -26,6 +26,9 @@ rules:
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- javascript
- typescript
Expand Down Expand Up @@ -112,6 +115,7 @@ rules:
- pattern: $RES.send($ARG)
- pattern-not: $RES. ... .set('...'). ... .send($ARG)
- pattern-not: $RES. ... .type('...'). ... .send($ARG)
- pattern-not-inside: $RES.$METHOD({ ... })
- focus-metavariable: $ARG
pattern-sanitizers:
- patterns:
Expand Down Expand Up @@ -222,7 +226,7 @@ rules:
- metavariable-regex:
metavariable: $F
regex: (?!.*text/html)
- patterns:
- patterns:
- pattern-inside: |
$X = [...];
...
Expand Down
Loading