- Put high-quality rules for the Node.js API in a new p/nodejs ruleset
- Created a p/expressjs ruleset that covers common Express.js misconfigurations.
On the graph you can see the number of rules in each ruleset and how they are distributed. The Node.js ruleset includes
We decided to write patterns to identify vulnerabilities in both client-side and server-side code. Some of them:
A trending vulnerability class nowadays, with a lot of research going on in this field (e.g. this or this one), and one you definitely do not want to be affected by. Its possible impact ranges from XSS to RCE.
RegExp() called with a variable may allow an attacker to DoS your application (ReDoS): a user-controlled pattern with nested quantifiers can make matching take exponential time on a short input.
Multiple rules for finding hardcoded API keys; these are always worth running.
and many more...
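The RegExp() case above, as an added example that is not part of the original post or of the rulesets: the pattern-from-user-input form that a rule flags, next to the hardened form that matches the input literally. The inputs are constructed; the escaping is the standard one from the MDN RegExp guide.

```javascript
// Vulnerable: the user controls the pattern itself. A constructed input such
// as "(a+)+$" against "aaaaaaaaaaaaaaaaaaaaaaaaaaaaab" triggers catastrophic
// backtracking and can pin a CPU for minutes. Do not run that pair here.
function searchUnsafe(haystack, userPattern) {
  return new RegExp(userPattern).test(haystack);
}

// Hardened step 1: escape every regex metacharacter so the user's text is
// matched as a literal string. No quantifier survives, so no backtracking blowup.
function escapeRegExp(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function searchSafe(haystack, userTerm) {
  return new RegExp(escapeRegExp(userTerm)).test(haystack);
}

// Hardened step 2 (when users really need regex features): bound the pattern
// size before compiling. Assumed application limit; a length cap alone is not a
// ReDoS fix (the killer pattern above is 6 characters), so pair it with a
// linear-time engine such as the re2 package, or with a timeout in a worker.
const MAX_USER_PATTERN = 64;
function compileBoundedPattern(userPattern) {
  if (typeof userPattern !== 'string' || userPattern.length > MAX_USER_PATTERN) {
    throw new Error('pattern rejected');
  }
  return new RegExp(userPattern);
}
```

`searchSafe` is what most "search" endpoints actually need; `searchUnsafe` is the shape Semgrep reports, and the fix is usually a one-line switch to the escaped form rather than a new library.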
To run the Semgrep Node.js ruleset, use:
semgrep --config "p/nodejs"
We cherry-picked rules that apply specifically to the Node.js API.
Setting shell to true when spawning commands with Node.js is the first step toward command injection, because the whole command string is handed to a shell that interprets metacharacters, so it is important to track this setting in your code.
Usage of the deprecated pseudoRandomBytes function (a weak random number generator).
Multiple rules for identifying disabled TLS certificate verification and outdated TLS versions; very useful if your app sends or receives data outside the company network.
Simple but effective rules that highlight weak and broken cryptographic algorithms, like the SHA1 and MD5 hashes or AES in ECB mode.
Check out the full list here.
To run the Semgrep Express.js ruleset, use:
semgrep --config "p/expressjs"
We chose to cover the most common misconfigurations in the framework itself and in the most popular libraries that are widely used with Express.
Wrongly configured CORS (for example, reflecting any Origin while allowing credentials) can be the entry point for complex exploit chains in a web application, so it is worth mitigating this risk.
We have multiple rules that help harden the application's cookie settings (HttpOnly, Secure, SameSite) so that an attacker cannot steal critical information.
Letting unescaped user input into a web application's response can result in an XSS vulnerability. We have rules that help mitigate this risk.
XSS bugs from our previous research
We did in-depth research on how XSS can be introduced in an Express application, so we included all of the rules from that research.
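The CORS, cookie and XSS points from this section, as one added example (not r2c's code and not the rules themselves): the flagged form and the hardened form of each, written as plain functions that produce the same headers and HTML you would otherwise set through Express's res.set, res.cookie and res.send. It uses no third-party packages so it runs as-is; the origin allowlist and inputs are constructed.

```javascript
// Assumed allowlist of first-party origins.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Flagged CORS pattern: reflecting whatever Origin arrives, with credentials.
// Any site can then make authenticated requests to the API as the user.
function corsHeadersUnsafe(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: only allowlisted origins get a grant; everyone else gets nothing.
// Vary: Origin stops a shared cache from replaying one origin's grant to another.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Cookies: a session cookie needs HttpOnly (not readable from document.cookie,
// so an XSS cannot exfiltrate it), Secure (HTTPS only) and SameSite (CSRF).
// These map one-to-one onto res.cookie(name, value, { httpOnly, secure, sameSite }).
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// XSS: res.send() does not escape for you. Escape before interpolating user
// input into HTML (or use a template engine's escaping syntax).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}
function greetingPageUnsafe(name) { return `<h1>Hello ${name}</h1>`; }
function greetingPage(name) { return `<h1>Hello ${escapeHtml(name)}</h1>`; }
```

The `corsHeaders` allowlist check is the part that needs a real list of origins; a regex such as `/example\.com$/` is a common way to reintroduce the bug (it matches `evil-example.com`), so compare whole origins.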
We plan to upgrade and bring better coverage for all languages and frameworks that we support. Stay tuned for updates. If you have ideas or wishes for new or existing rulesets, we'd love to hear from you!