We put high-quality rules for the Node.js API in a new p/nodejs ruleset and created a p/expressjs ruleset that covers common Express.js misconfigurations.
On the graph you can see the number of rules in each ruleset and how they are distributed. The Node.js ruleset includes
We decided to write patterns to identify vulnerabilities in both client-side and server-side code. Some of them:
bracket object injection
Object injection via bracket notation. It looks innocent, but it can lead to severe problems such as prototype pollution, hidden property attacks, or various business logic bypasses.
Prototype pollution is a trending vulnerability nowadays; there is a lot of research going on in this field (e.g. this or this one), and you definitely do not want to be affected by it. Its possible impact ranges from XSS to RCE.
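The two findings above, bracket-notation injection and the prototype pollution it enables, as an added example that is not from the Semgrep post or from any Semgrep rule. A "set a value by dotted path" helper is a common place for this bug; setByPath and safeSetByPath are illustrative names, and the hardened version refuses prototype-reaching keys, descends only into own properties, and builds intermediate nodes without a prototype chain.

```javascript
// Added example (not from the Semgrep post): object injection via bracket
// notation, beside a hardened variant. setByPath / safeSetByPath are
// illustrative names, not Semgrep or Node.js APIs.

// Unsafe: walks a user-controlled dotted path and assigns through bracket
// notation. A path such as "__proto__.isAdmin" reaches Object.prototype,
// so the final assignment pollutes every object in the process.
function setByPath(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Keys that let a path climb out of the target object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: rejects forbidden keys, only descends into own properties, and
// creates intermediate objects with no prototype (Object.create(null)).
function safeSetByPath(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set forbidden key "${key}"`);
    }
    if (i === keys.length - 1) {
      node[key] = value;
    } else {
      const own = Object.hasOwn(node, key) && typeof node[key] === 'object' && node[key] !== null;
      if (!own) node[key] = Object.create(null);
      node = node[key];
    }
  }
  return target;
}

// Shows the failure mode: returns true if a fresh, unrelated object inherited
// the injected property. Removes the property afterwards so the process is
// not left polluted.
function demonstratePollution() {
  setByPath({}, '__proto__.isAdmin', true);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

The Semgrep rule flags the `node[keys[i]]` style of access; the fix is not to avoid bracket notation altogether but to make sure the key can never be one of the prototype-reaching names and that the walk stays inside own properties.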
non literal regex
RegExp() called with a variable may allow an attacker to DoS your application.
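What the non-literal regex rule is pointing at, as an added example that is not from the Semgrep post: a search term passed straight to `new RegExp()` becomes a pattern the user controls, whereas escaping it makes the input match literally and a length bound keeps the pattern small. escapeRegExp, safeSearchPattern and searchLines are illustrative names.

```javascript
// Added example (not from the Semgrep post): RegExp built from user input,
// beside the escaped, bounded form. Helper names are illustrative.

// Flagged pattern: the user's string *is* the pattern. Besides matching the
// wrong thing, a pattern with nested quantifiers can run for a very long time.
function unsafeSearchPattern(userInput) {
  return new RegExp(userInput);
}

// Escape every regex metacharacter so the string is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

const MAX_PATTERN_LENGTH = 200;

// Hardened: reject oversized input, then treat it as a literal.
function safeSearchPattern(userInput) {
  if (typeof userInput !== 'string' || userInput.length > MAX_PATTERN_LENGTH) {
    throw new Error('invalid search term');
  }
  return new RegExp(escapeRegExp(userInput), 'i');
}

// Returns the lines that contain the search term literally (case-insensitive).
function searchLines(lines, userInput) {
  const re = safeSearchPattern(userInput);
  return lines.filter((line) => re.test(line));
}
```

If the feature genuinely needs user-supplied patterns, the escape step does not apply; the alternatives are a bounded subset grammar or a linear-time engine, neither of which `RegExp()` on a raw variable gives you.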
Multiple rules for finding hardcoded API keys will always be appropriate.
and many more...
To run the Semgrep Node.js ruleset, use:
semgrep --config "p/nodejs"
We tried to cherry-pick those rules that work only with the Node.js API.
shell parameter set to true
Setting shell to true when spawning commands with Node.js is the first step towards command injection, so it is important to track this invariant in your code.
pseudo random bytes
Use of the deprecated pseudoRandomBytes function, a weak random number generator.
TLS misconfigurations and bypasses
Multiple rules for identifying disabled TLS verification and outdated TLS versions are very useful if your app sends or receives data from outside the company network.
Simple but effective rules that highlight weak and broken hashing and encryption algorithms, like SHA-1, MD5, AES in ECB mode, etc.
Check out the full list here.
To run the Semgrep Express.js ruleset, use:
semgrep --config "p/expressjs"
We chose to cover the most common misconfigurations in the framework and the most popular libraries that are widely used with Express.
Wrongly configured CORS can be a gateway for complex exploit chains in a web application, so it is better to mitigate this risk.
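The most common CORS misconfiguration in Express code, reflecting whatever Origin arrived together with `Access-Control-Allow-Credentials: true`, beside an exact-match allow list, as an added example that is not from the Semgrep post. It is written as plain Express-style `(req, res, next)` middleware with a tiny constructed stand-in for req/res, so it runs without the express package; corsUnsafe, corsAllowList, ALLOWED_ORIGINS and runMiddleware are illustrative names.

```javascript
// Added example (not from the Semgrep post): origin-reflecting CORS beside
// an allow-list version. Names are illustrative; the header names are the
// real CORS headers.

// Flagged pattern: reflecting any Origin while allowing credentials lets
// any site make authenticated cross-origin requests and read the responses.
function corsUnsafe(req, res, next) {
  res.setHeader('Access-Control-Allow-Origin', req.headers.origin || '*');
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  next();
}

// Constructed allow list for the example.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Hardened: exact string match (substring or loose regex checks would also
// accept look-alike origins), and Vary: Origin so a shared cache never serves
// one origin's response to another. Unknown origins simply get no CORS headers.
function corsAllowList(req, res, next) {
  const origin = req.headers.origin;
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
    res.setHeader('Vary', 'Origin');
  }
  next();
}

// Minimal stand-in for the parts of req/res the middleware touches
// (constructed for this example, not Express objects).
function runMiddleware(middleware, origin) {
  const req = { headers: origin ? { origin } : {} };
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}
```

The same logic applies when using the `cors` package: pass `origin` as an array or a function that compares exact values, never `origin: true` together with `credentials: true`.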
default cookie settings
We have multiple rules that can help harden the application's cookie settings and not let an attacker steal critical information.
Letting user input into a web application's response can result in an XSS vulnerability. We have rules that help to mitigate this risk.
XSS bugs from our previous research
We did in-depth research on how XSS can be introduced in an Express application, so we included all of the rules from that research.
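One handler that covers the cookie and XSS points above, as an added example that is not from the Semgrep post or its research: a session cookie set with explicit httpOnly/secure/sameSite attributes instead of `res.cookie()` defaults, and a query parameter reflected into HTML only after escaping. Plain constructed req/res objects stand in for Express so it runs without the package; `res.cookie(name, value, options)` and `res.send(body)` follow the real Express signatures, while escapeHtml, SESSION_COOKIE_OPTIONS, greetingUnsafe, greetingHandler, req.sessionId and invoke are illustrative.

```javascript
// Added example (not from the Semgrep post): hardened cookie attributes and
// escaped output in one Express-style handler. Names are illustrative.

// Express's res.cookie() leaves httpOnly, secure and sameSite unset unless
// you pass them; these are the attributes the cookie rules look for.
const SESSION_COOKIE_OPTIONS = {
  httpOnly: true,       // not readable from document.cookie
  secure: true,         // only sent over HTTPS
  sameSite: 'strict',   // not sent on cross-site requests
  path: '/',
  maxAge: 30 * 60 * 1000,
};

// Escapes the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Flagged pattern: user input concatenated straight into the response body.
function greetingUnsafe(req, res) {
  res.send(`<h1>Hello ${req.query.name}</h1>`);
}

// Hardened: explicit cookie attributes, escaped output. req.sessionId is an
// assumed field supplied by whatever session layer the app uses.
function greetingHandler(req, res) {
  res.cookie('sid', req.sessionId, SESSION_COOKIE_OPTIONS);
  res.send(`<h1>Hello ${escapeHtml(req.query.name ?? 'guest')}</h1>`);
}

// Stub request/response capturing what a handler did
// (constructed for this example, not Express objects).
function invoke(handler, query) {
  const out = { cookies: [], body: '' };
  const res = {
    cookie: (name, value, options) => { out.cookies.push({ name, value, options }); },
    send: (body) => { out.body = body; },
  };
  handler({ query, sessionId: 'constructed-session-id' }, res);
  return out;
}
```

Template engines with auto-escaping do the escapeHtml step for you; the rules from the XSS research are aimed at the places where code bypasses that, such as string concatenation into `res.send` or unescaped template directives.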
We plan to upgrade and bring better coverage for all languages and frameworks that we support. Stay tuned for updates. If you have ideas or wishes for new or existing rulesets, we'd love to hear from you!
Semgrep is a fast, open-source, static analysis tool for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.