feat(javascript rule): dangerous javvascript html inserts (#693)

* feat: add rule for dangerous insert html * feat: dangerous insert html * docs: update docs
Bearer · Mar 1, 2023 · 72e7f07 · 72e7f07
1 parent 0d94455
commit 72e7f07
Show file tree

Hide file tree

Showing 8 changed files with 105 additions and 0 deletions.
diff --git a/integration/rules/javascript_test.go b/integration/rules/javascript_test.go
@@ -59,6 +59,11 @@ func TestJavascriptHardcodedSecret(t *testing.T) {
 	getRunner(t).runTest(t, javascriptRulesPath+"lang/hardcoded_secret")
 }
 
+func TestJavascriptDangeoursInsertHTML(t *testing.T) {
+	t.Parallel()
+	getRunner(t).runTest(t, javascriptRulesPath+"lang/dangerous_insert_html")
+}
+
 func TestJavascriptAwsLambdaSqlInjection(t *testing.T) {
 	t.Parallel()
 	getRunner(t).runTest(t, javascriptRulesPath+"aws_lambda/sql_injection")

diff --git a/pkg/commands/process/settings/rules/javascript/lang/dangerous_insert_html.yml b/pkg/commands/process/settings/rules/javascript/lang/dangerous_insert_html.yml
@@ -0,0 +1,62 @@
+patterns:
+  - pattern: |
+      document.$<METHOD>($<...>$<DATA>$<...>)
+    filters:
+      - variable: METHOD
+        values:
+          - write
+          - writeLn
+      - not:
+          variable: DATA
+          detection: javascript_dangerous_insert_html_sanitzed_input
+  - pattern: |
+      $<_>.$<METHOD>($<...>$<DATA>$<...>)
+    filters:
+      - variable: METHOD
+        values:
+          - setHTML
+          - insertAdjacentHTML
+          - createElement
+          - replaceWith
+          - replaceChildren
+      - not:
+          variable: DATA
+          detection: javascript_dangerous_insert_html_sanitzed_input
+auxiliary:
+  - id: javascript_dangerous_insert_html_sanitzed_input
+    patterns:
+      - pattern: |
+          $<ANYTHING:string|template_string>
+        filters:
+          - not:
+              variable: ANYTHING
+              detection: javascript_dangerous_insert_html_unsanitzed_input
+      - sanitize($<_>)
+      - sanitizeHTML($<_>)
+  - id: javascript_dangerous_insert_html_unsanitzed_input
+    patterns:
+      - |
+        `$<...>${$<...>$<_>$<...>}$<...>`
+languages:
+  - javascript
+trigger: presence
+severity:
+  default: medium
+metadata:
+  description: "Dangerous dynamic HTML insert detected."
+  remediation_message: |
+    ## Description
+
+    TODO
+
+    ## Remediations
+
+    TODO
+
+    <!--
+    ## Resources
+    Coming soon.
+    -->
+  cwe_id:
+    - 79
+  id: "javascript_dangerous_insert_html"
diff --git a/...cript/lang/dangerous_insert_html/.snapshots/TestJavascriptDangeoursInsertHTML--secure.yml b/...cript/lang/dangerous_insert_html/.snapshots/TestJavascriptDangeoursInsertHTML--secure.yml
@@ -0,0 +1,3 @@
+{}
+
+
diff --git a/...ous_insert_html/.snapshots/TestJavascriptDangeoursInsertHTML--unsecure-document_write.yml b/...ous_insert_html/.snapshots/TestJavascriptDangeoursInsertHTML--unsecure-document_write.yml
@@ -0,0 +1,13 @@
+medium:
+    - rule:
+        cwe_ids:
+            - "79"
+        id: javascript_dangerous_insert_html
+        description: Dangerous dynamic HTML insert detected.
+        documentation_url: https://docs.bearer.com/reference/rules/javascript_dangerous_insert_html
+      line_number: 2
+      filename: unsecure-document_write.js
+      parent_line_number: 2
+      parent_content: document.write(`<li>${input}</li>`)
+
+
diff --git a/...gerous_insert_html/.snapshots/TestJavascriptDangeoursInsertHTML--unsecure-element_ref.yml b/...gerous_insert_html/.snapshots/TestJavascriptDangeoursInsertHTML--unsecure-element_ref.yml
@@ -0,0 +1,13 @@
+medium:
+    - rule:
+        cwe_ids:
+            - "79"
+        id: javascript_dangerous_insert_html
+        description: Dangerous dynamic HTML insert detected.
+        documentation_url: https://docs.bearer.com/reference/rules/javascript_dangerous_insert_html
+      line_number: 2
+      filename: unsecure-element_ref.js
+      parent_line_number: 2
+      parent_content: this.ref.replaceChildren(`<li>${input}</li>`)
+
+
diff --git a/pkg/commands/process/settings/rules/javascript/lang/dangerous_insert_html/testdata/secure.js b/pkg/commands/process/settings/rules/javascript/lang/dangerous_insert_html/testdata/secure.js
@@ -0,0 +1,3 @@
+function renderListItem(input) {
+	this.ref.insertAdjacentHTML("beforebegin", `<li>fixed list item</li>`);
+}
diff --git a/.../settings/rules/javascript/lang/dangerous_insert_html/testdata/unsecure-document_write.js b/.../settings/rules/javascript/lang/dangerous_insert_html/testdata/unsecure-document_write.js
@@ -0,0 +1,3 @@
+function renderListItem(input) {
+	document.write(`<li>${input}</li>`);
+}
diff --git a/...ess/settings/rules/javascript/lang/dangerous_insert_html/testdata/unsecure-element_ref.js b/...ess/settings/rules/javascript/lang/dangerous_insert_html/testdata/unsecure-element_ref.js
@@ -0,0 +1,3 @@
+function renderListItem(input) {
+	this.ref.replaceChildren(`<li>${input}</li>`);
+}