diff --git a/integration/rules/javascript_test.go b/integration/rules/javascript_test.go
index 9ea3ea97e..1824201b6 100644
--- a/integration/rules/javascript_test.go
+++ b/integration/rules/javascript_test.go
@@ -50,6 +50,7 @@ func TestJavascriptExpressUnsafeDeserialization(t *testing.T) {
 }
 
 func TestJavascriptExpressInsecureRefResolution(t *testing.T) {
+ t.Parallel()
 getRunner(t).runTest(t, javascriptRulesPath+"express/insecure_ref_resolution")
 }
 
@@ -58,7 +59,13 @@ func TestJavascriptExpressExposedDirListing(t *testing.T) {
 getRunner(t).runTest(t, javascriptRulesPath+"express/exposed_dir_listing")
 }
 
+func TestJavascriptExpressCrossSiteScripting(t *testing.T) {
+ t.Parallel()
+ getRunner(t).runTest(t, javascriptRulesPath+"express/cross_site_scripting")
+}
+
 func TestJavascriptExpressServerSideRequestForgery(t *testing.T) {
+ t.Parallel()
 getRunner(t).runTest(t, javascriptRulesPath+"express/server_side_request_forgery")
 }
 
diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml
new file mode 100644
index 000000000..4b04ca848
--- /dev/null
+++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml
@@ -0,0 +1,28 @@
+patterns:
+ - pattern: |
+ res.write($)
+ filters:
+ - variable: EXPRESS_REQ
+ detection: javascript_express_cross_site_scripting_request_obj
+ - pattern: |
+ res.send($)
+ filters:
+ - variable: EXPRESS_REQ
+ detection: javascript_express_cross_site_scripting_request_obj
+auxiliary:
+ - id: javascript_express_cross_site_scripting_request_obj
+ patterns:
+ - req.$<_>
+languages:
+ - javascript
+trigger: presence
+severity:
+ default: low
+metadata:
+ description: "Cross-site scripting (XSS) vulnerability detected."
+ remediation_message: |
+ ## Description
+ TODO
+ cwe_id:
+ - 79
+ id: "javascript_express_cross_site_scripting"
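Review bot: The rule is published with `remediation_message` still reading `## Description` / `TODO`, while the snapshots in this same commit already emit a documentation URL for `javascript_express_cross_site_scripting`; the remediation text should state the risk (request-controlled data written into an HTML response through `res.send`/`res.write`) and the mitigation (encode output with a context-aware HTML escaper or render through a templating engine with auto-escaping enabled, and set an explicit `Content-Type`). The two `filters` entries bind `variable: EXPRESS_REQ`, but the patterns as shown read `res.write($)` and `res.send($)` with no variable of that name in them; if that is not an artifact of how the patch was rendered, the filter has nothing to bind to and the detection in `javascript_express_cross_site_scripting_request_obj` is never applied. The rule also carries no exclusion for values that pass through an escaping function before reaching `res.send`, so correctly encoded output is reported at the same `low` severity as the raw `req.body.customer.name` case in the fixtures; if the rule DSL supports a sanitizer filter, this is where it belongs.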
diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--no_xss.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--no_xss.yml
new file mode 100644
index 000000000..5cf32ecc5
--- /dev/null
+++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--no_xss.yml
@@ -0,0 +1,3 @@
+{}
+
+
diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_send_xss.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_send_xss.yml
new file mode 100644
index 000000000..9f9e0e9c9
--- /dev/null
+++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_send_xss.yml
@@ -0,0 +1,11 @@
+low:
+ - rule_dsrid: ""
+ rule_display_id: javascript_express_cross_site_scripting
+ rule_description: Cross-site scripting (XSS) vulnerability detected.
+ rule_documentation_url: https://docs.bearer.com/reference/rules/javascript_express_cross_site_scripting
+ line_number: 5
+ filename: res_send_xss.js
+ parent_line_number: 5
+ parent_content: res.send("

" + req.body.customer.name + "

")
+
+
diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_write_xss.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_write_xss.yml
new file mode 100644
index 000000000..161d1cde0
--- /dev/null
+++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_write_xss.yml
@@ -0,0 +1,11 @@
+low:
+ - rule_dsrid: ""
+ rule_display_id: javascript_express_cross_site_scripting
+ rule_description: Cross-site scripting (XSS) vulnerability detected.
+ rule_documentation_url: https://docs.bearer.com/reference/rules/javascript_express_cross_site_scripting
+ line_number: 6
+ filename: res_write_xss.js
+ parent_line_number: 6
+ parent_content: res.write("

Greetings " + customerName + "

")
+
+
diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js
new file mode 100644
index 000000000..11444a613
--- /dev/null
+++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js
@@ -0,0 +1,6 @@
+const express = require("express");
+const app = express();
+
+app.get("/goos", (_, res) => {
+ res.send("

hello world

")
+})
\ No newline at end of file
diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_send_xss.js b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_send_xss.js
new file mode 100644
index 000000000..1da68e906
--- /dev/null
+++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_send_xss.js
@@ -0,0 +1,6 @@
+const express = require("express");
+const app = express();
+
+app.get("/bad", (req, res) => {
+ res.send("
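Review bot: The only negative fixture for this rule, `no_xss.js`, sends a hard-coded string from a handler that does not even take a `req` parameter, so the empty `{}` snapshot shows nothing about how the rule behaves when request data is handled safely. A second negative case that HTML-encodes a `req`-derived value before `res.send` would make the rule's false-positive boundary explicit; as the rule is shown it has no sanitizer exclusion, so that case would currently be reported and the snapshot would document that gap rather than hide it. As a point of style, all three fixtures end with `\ No newline at end of file`; adding the trailing newline keeps the testdata consistent with the rest of the repository.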

" + req.body.customer.name + "

")
+})
\ No newline at end of file
diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_write_xss.js b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_write_xss.js
new file mode 100644
index 000000000..8c7c3d82a
--- /dev/null
+++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_write_xss.js
@@ -0,0 +1,7 @@
+const express = require("express");
+const app = express();
+
+app.get("/bad", (req, res) => {
+ var customerName = req.body.customer.name
+ res.write("

Greetings " + customerName + "

")
+})
\ No newline at end of file