From 41f0adc8f640c33db1c6be5eef58b96e11e12dc6 Mon Sep 17 00:00:00 2001 From: elsapet Date: Wed, 22 Feb 2023 16:16:09 +0200 Subject: [PATCH 1/2] feat: JS express cross-site scripting --- integration/rules/javascript_test.go | 7 ++++ .../express/cross_site_scripting.yml | 38 +++++++++++++++++++ ...criptExpressCrossSiteScripting--no_xss.yml | 3 ++ ...xpressCrossSiteScripting--res_send_xss.yml | 11 ++++++ ...pressCrossSiteScripting--res_write_xss.yml | 11 ++++++ ...pressCrossSiteScripting--sequelize_xss.yml | 11 ++++++ .../cross_site_scripting/testdata/no_xss.js | 7 ++++ .../testdata/res_send_xss.js | 6 +++ .../testdata/res_write_xss.js | 7 ++++ .../testdata/sequelize_xss.js | 7 ++++ 10 files changed, 108 insertions(+) create mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml create mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--no_xss.yml create mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_send_xss.yml create mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_write_xss.yml create mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--sequelize_xss.yml create mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js create mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_send_xss.js create mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_write_xss.js create mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/sequelize_xss.js 
diff --git a/integration/rules/javascript_test.go b/integration/rules/javascript_test.go index 9ea3ea97e..1824201b6 100644 --- a/integration/rules/javascript_test.go +++ b/integration/rules/javascript_test.go @@ -50,6 +50,7 @@ func TestJavascriptExpressUnsafeDeserialization(t *testing.T) { } func TestJavascriptExpressInsecureRefResolution(t *testing.T) { + t.Parallel() getRunner(t).runTest(t, javascriptRulesPath+"express/insecure_ref_resolution") } @@ -58,7 +59,13 @@ func TestJavascriptExpressExposedDirListing(t *testing.T) { getRunner(t).runTest(t, javascriptRulesPath+"express/exposed_dir_listing") } +func TestJavascriptExpressCrossSiteScripting(t *testing.T) { + t.Parallel() + getRunner(t).runTest(t, javascriptRulesPath+"express/cross_site_scripting") +} + func TestJavascriptExpressServerSideRequestForgery(t *testing.T) { + t.Parallel() getRunner(t).runTest(t, javascriptRulesPath+"express/server_side_request_forgery") } diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml new file mode 100644 index 000000000..fb588dc93 --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml 
@@ -0,0 +1,38 @@ +patterns: + - pattern: | + res.write($) + filters: + - variable: EXPRESS_REQ + detection: javascript_express_cross_site_scripting_request_obj + - pattern: | + res.send($) + filters: + - variable: EXPRESS_REQ + detection: javascript_express_cross_site_scripting_request_obj + - pattern: | + $.query($) + filters: + - variable: SEQUELIZE + detection: javascript_express_cross_site_scripting_sequelize_init + - variable: EXPRESS_REQ + detection: javascript_express_cross_site_scripting_request_obj +auxiliary: + - id: javascript_express_cross_site_scripting_request_obj + patterns: + - req.$<_> + - id: javascript_express_cross_site_scripting_sequelize_init + patterns: + - new Sequelize() +languages: + - javascript +trigger: presence +severity: + default: low +metadata: + description: "Cross-site scripting (XSS) vulnerability detected." + remediation_message: | + ## Description + TODO + cwe_id: + - 79 + id: "javascript_express_cross_site_scripting" diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--no_xss.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--no_xss.yml new file mode 100644 index 000000000..5cf32ecc5 --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--no_xss.yml @@ -0,0 +1,3 @@ +{} + + diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_send_xss.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_send_xss.yml new file mode 100644 index 000000000..9f9e0e9c9 --- /dev/null 
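Review bot: The `remediation_message` under `metadata` is still the placeholder `## Description` / `TODO`, so findings from this rule ship with a documentation URL but no guidance; it should at minimum state that a request-controlled value (`req.query`, `req.params`, `req.body`, `req.headers`) reaches `res.send()`/`res.write()` without HTML encoding, and point to an HTML-escaping helper or an auto-escaping template engine as the fix. The `req.$<_>` auxiliary pattern taints every property of `req`, which presumably also covers server-populated members such as `req.session` or `req.user`, and nothing in the rule distinguishes a value that went through an escaping call before the sink, so false-positive behaviour there rests entirely on the engine's data-flow handling, which is not visible in this patch. Note also that `res.send()` of a non-string argument (e.g. `res.send(req.body)`) is serialised as JSON by Express rather than rendered as HTML, so the `res.send` pattern likely over-reports on JSON endpoints, while `res.end()`, which also writes a raw body, is not covered. With CWE-79 and a request-controlled source, `severity: default: low` also reads as conservative — worth confirming against the severity the sibling Express rules use.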
+++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_send_xss.yml @@ -0,0 +1,11 @@ +low: + - rule_dsrid: "" + rule_display_id: javascript_express_cross_site_scripting + rule_description: Cross-site scripting (XSS) vulnerability detected. + rule_documentation_url: https://docs.bearer.com/reference/rules/javascript_express_cross_site_scripting + line_number: 5 + filename: res_send_xss.js + parent_line_number: 5 + parent_content: res.send("

" + req.body.customer.name + "

") + + diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_write_xss.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_write_xss.yml new file mode 100644 index 000000000..161d1cde0 --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_write_xss.yml @@ -0,0 +1,11 @@ +low: + - rule_dsrid: "" + rule_display_id: javascript_express_cross_site_scripting + rule_description: Cross-site scripting (XSS) vulnerability detected. + rule_documentation_url: https://docs.bearer.com/reference/rules/javascript_express_cross_site_scripting + line_number: 6 + filename: res_write_xss.js + parent_line_number: 6 + parent_content: res.write("

Greetings " + customerName + "

") + + diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--sequelize_xss.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--sequelize_xss.yml new file mode 100644 index 000000000..058aa1916 --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--sequelize_xss.yml @@ -0,0 +1,11 @@ +low: + - rule_dsrid: "" + rule_display_id: javascript_express_cross_site_scripting + rule_description: Cross-site scripting (XSS) vulnerability detected. + rule_documentation_url: https://docs.bearer.com/reference/rules/javascript_express_cross_site_scripting + line_number: 6 + filename: sequelize_xss.js + parent_line_number: 6 + parent_content: sqlite.query(customerQuery) + + diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js new file mode 100644 index 000000000..331962b6f --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js @@ -0,0 +1,7 @@ +import { Sequelize } from "sequelize"; + +module.exports.fooBar = function(req, _res) { + var sqlite = new Sequelize('sqlite::memory:') + var customerQuery = "SELECT * FROM customers WHERE status = ACTIVE" + sqlite.query(customerQuery) +} diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_send_xss.js b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_send_xss.js new file mode 100644 index 000000000..1da68e906 --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_send_xss.js 
@@ -0,0 +1,6 @@ +const express = require("express"); +const app = express(); + +app.get("/bad", (req, res) => { + res.send("

" + req.body.customer.name + "

") +}) \ No newline at end of file diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_write_xss.js b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_write_xss.js new file mode 100644 index 000000000..8c7c3d82a --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_write_xss.js @@ -0,0 +1,7 @@ +const express = require("express"); +const app = express(); + +app.get("/bad", (req, res) => { + var customerName = req.body.customer.name + res.write("
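Review bot: The fixture reflects `req.body.customer.name` from inside an `app.get` handler, but no body-parsing middleware is registered in the file, so at runtime `req.body` would be `undefined` and the handler would throw before reflecting anything. As a representative reflected-XSS sample, a GET endpoint would take attacker input from `req.query.name` or a `req.params` value, e.g. `res.send("..." + req.query.name + "...")`, which the rule's `req.$<_>` source pattern should match just the same. Whether the snapshot line numbers stay identical after that change is not something this hunk shows, so the `.snapshots` file would need regenerating.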

Greetings " + customerName + "

") +}) \ No newline at end of file diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/sequelize_xss.js b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/sequelize_xss.js new file mode 100644 index 000000000..6c0d63343 --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/sequelize_xss.js @@ -0,0 +1,7 @@ +import { Sequelize } from "sequelize"; + +module.exports.fooBar = function(req, _res) { + var sqlite = new Sequelize('sqlite::memory:') + var customerQuery = "SELECT * FROM customers WHERE status = " + req.params.customer.status + sqlite.query(customerQuery) +} From ce158e8bd01370aa66eec18c48152106f53569ac Mon Sep 17 00:00:00 2001 From: elsapet Date: Thu, 23 Feb 2023 09:52:38 +0200 Subject: [PATCH 2/2] fix: remove sql injection examples from xss --- .../rules/javascript/express/cross_site_scripting.yml | 10 ---------- ...scriptExpressCrossSiteScripting--sequelize_xss.yml | 11 ----------- .../express/cross_site_scripting/testdata/no_xss.js | 11 +++++------ .../cross_site_scripting/testdata/sequelize_xss.js | 7 ------- 4 files changed, 5 insertions(+), 34 deletions(-) delete mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--sequelize_xss.yml delete mode 100644 pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/sequelize_xss.js diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml index fb588dc93..4b04ca848 100644 --- a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml +++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml 
@@ -9,20 +9,10 @@ patterns: filters: - variable: EXPRESS_REQ detection: javascript_express_cross_site_scripting_request_obj - - pattern: | - $.query($) - filters: - - variable: SEQUELIZE - detection: javascript_express_cross_site_scripting_sequelize_init - - variable: EXPRESS_REQ - detection: javascript_express_cross_site_scripting_request_obj auxiliary: - id: javascript_express_cross_site_scripting_request_obj patterns: - req.$<_> - - id: javascript_express_cross_site_scripting_sequelize_init - patterns: - - new Sequelize() languages: - javascript trigger: presence diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--sequelize_xss.yml b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--sequelize_xss.yml deleted file mode 100644 index 058aa1916..000000000 --- a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--sequelize_xss.yml +++ /dev/null @@ -1,11 +0,0 @@ -low: - - rule_dsrid: "" - rule_display_id: javascript_express_cross_site_scripting - rule_description: Cross-site scripting (XSS) vulnerability detected. - rule_documentation_url: https://docs.bearer.com/reference/rules/javascript_express_cross_site_scripting - line_number: 6 - filename: sequelize_xss.js - parent_line_number: 6 - parent_content: sqlite.query(customerQuery) - - diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js index 331962b6f..11444a613 100644 --- a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js +++ b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js 
@@ -1,7 +1,6 @@ -import { Sequelize } from "sequelize"; +const express = require("express"); +const app = express(); -module.exports.fooBar = function(req, _res) { - var sqlite = new Sequelize('sqlite::memory:') - var customerQuery = "SELECT * FROM customers WHERE status = ACTIVE" - sqlite.query(customerQuery) -} +app.get("/goos", (_, res) => { + res.send("

hello world

") +}) \ No newline at end of file diff --git a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/sequelize_xss.js b/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/sequelize_xss.js deleted file mode 100644 index 6c0d63343..000000000 --- a/pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/sequelize_xss.js +++ /dev/null @@ -1,7 +0,0 @@ -import { Sequelize } from "sequelize"; - -module.exports.fooBar = function(req, _res) { - var sqlite = new Sequelize('sqlite::memory:') - var customerQuery = "SELECT * FROM customers WHERE status = " + req.params.customer.status - sqlite.query(customerQuery) -}
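Review bot: The route path in the new negative fixture is `app.get("/goos", ...)`, which looks like a typo for `"/good"` given the positive fixtures use `"/bad"`; `app.get("/good", (_, res) => {` keeps the naming symmetric. More importantly, the only negative case left after dropping the Sequelize example is a constant string, so the rule's behaviour on request data that has been HTML-escaped before reaching `res.send()` is untested; a second handler that reflects `req.query.name` through an escaping helper, with the snapshot expected to stay `{}`, would document whether the rule understands sanitisation or reports it as a false positive.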