@datahogo/core 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +661 -0
- package/README.md +17 -0
- package/dist/engines/config.d.ts +3 -0
- package/dist/engines/config.d.ts.map +1 -0
- package/dist/engines/config.js +433 -0
- package/dist/engines/config.js.map +1 -0
- package/dist/engines/dast.d.ts +3 -0
- package/dist/engines/dast.d.ts.map +1 -0
- package/dist/engines/dast.js +167 -0
- package/dist/engines/dast.js.map +1 -0
- package/dist/engines/db-rules.d.ts +3 -0
- package/dist/engines/db-rules.d.ts.map +1 -0
- package/dist/engines/db-rules.js +166 -0
- package/dist/engines/db-rules.js.map +1 -0
- package/dist/engines/dependencies.d.ts +3 -0
- package/dist/engines/dependencies.d.ts.map +1 -0
- package/dist/engines/dependencies.js +167 -0
- package/dist/engines/dependencies.js.map +1 -0
- package/dist/engines/github-actions.d.ts +3 -0
- package/dist/engines/github-actions.d.ts.map +1 -0
- package/dist/engines/github-actions.js +215 -0
- package/dist/engines/github-actions.js.map +1 -0
- package/dist/engines/gitleaks.d.ts +3 -0
- package/dist/engines/gitleaks.d.ts.map +1 -0
- package/dist/engines/gitleaks.js +107 -0
- package/dist/engines/gitleaks.js.map +1 -0
- package/dist/engines/npm-audit.d.ts +3 -0
- package/dist/engines/npm-audit.d.ts.map +1 -0
- package/dist/engines/npm-audit.js +113 -0
- package/dist/engines/npm-audit.js.map +1 -0
- package/dist/engines/patterns.d.ts +3 -0
- package/dist/engines/patterns.d.ts.map +1 -0
- package/dist/engines/patterns.js +1330 -0
- package/dist/engines/patterns.js.map +1 -0
- package/dist/engines/secrets.d.ts +4 -0
- package/dist/engines/secrets.d.ts.map +1 -0
- package/dist/engines/secrets.js +260 -0
- package/dist/engines/secrets.js.map +1 -0
- package/dist/engines/semgrep.d.ts +3 -0
- package/dist/engines/semgrep.d.ts.map +1 -0
- package/dist/engines/semgrep.js +173 -0
- package/dist/engines/semgrep.js.map +1 -0
- package/dist/engines/types.d.ts +30 -0
- package/dist/engines/types.d.ts.map +1 -0
- package/dist/engines/types.js +3 -0
- package/dist/engines/types.js.map +1 -0
- package/dist/engines/url-scanner.d.ts +3 -0
- package/dist/engines/url-scanner.d.ts.map +1 -0
- package/dist/engines/url-scanner.js +469 -0
- package/dist/engines/url-scanner.js.map +1 -0
- package/dist/index.d.ts +8 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +8 -0
- package/dist/index.js.map +1 -0
- package/dist/orchestrator.d.ts +32 -0
- package/dist/orchestrator.d.ts.map +1 -0
- package/dist/orchestrator.js +237 -0
- package/dist/orchestrator.js.map +1 -0
- package/dist/rules/.gitkeep +0 -0
- package/dist/rules/ai-llm-security.yaml +199 -0
- package/dist/rules/api-security.yaml +489 -0
- package/dist/rules/auth-patterns.yaml +406 -0
- package/dist/rules/crypto-patterns.yaml +227 -0
- package/dist/rules/database-cloud-security.yaml +169 -0
- package/dist/rules/general-security.yaml +588 -0
- package/dist/rules/injection-patterns.yaml +318 -0
- package/dist/rules/nextjs-security.yaml +532 -0
- package/dist/rules/node-security.yaml +380 -0
- package/dist/rules/rules/.gitkeep +0 -0
- package/dist/rules/rules/ai-llm-security.yaml +199 -0
- package/dist/rules/rules/api-security.yaml +489 -0
- package/dist/rules/rules/auth-patterns.yaml +406 -0
- package/dist/rules/rules/crypto-patterns.yaml +227 -0
- package/dist/rules/rules/database-cloud-security.yaml +169 -0
- package/dist/rules/rules/general-security.yaml +588 -0
- package/dist/rules/rules/injection-patterns.yaml +318 -0
- package/dist/rules/rules/nextjs-security.yaml +532 -0
- package/dist/rules/rules/node-security.yaml +380 -0
- package/dist/rules/rules/supabase-security.yaml +387 -0
- package/dist/rules/supabase-security.yaml +387 -0
- package/dist/scanning/agents/csharp-agent.d.ts +12 -0
- package/dist/scanning/agents/csharp-agent.d.ts.map +1 -0
- package/dist/scanning/agents/csharp-agent.js +592 -0
- package/dist/scanning/agents/csharp-agent.js.map +1 -0
- package/dist/scanning/agents/go-agent.d.ts +14 -0
- package/dist/scanning/agents/go-agent.d.ts.map +1 -0
- package/dist/scanning/agents/go-agent.js +641 -0
- package/dist/scanning/agents/go-agent.js.map +1 -0
- package/dist/scanning/agents/java-agent.d.ts +8 -0
- package/dist/scanning/agents/java-agent.d.ts.map +1 -0
- package/dist/scanning/agents/java-agent.js +807 -0
- package/dist/scanning/agents/java-agent.js.map +1 -0
- package/dist/scanning/agents/javascript-agent.d.ts +8 -0
- package/dist/scanning/agents/javascript-agent.d.ts.map +1 -0
- package/dist/scanning/agents/javascript-agent.js +77 -0
- package/dist/scanning/agents/javascript-agent.js.map +1 -0
- package/dist/scanning/agents/mobile-agent.d.ts +8 -0
- package/dist/scanning/agents/mobile-agent.d.ts.map +1 -0
- package/dist/scanning/agents/mobile-agent.js +916 -0
- package/dist/scanning/agents/mobile-agent.js.map +1 -0
- package/dist/scanning/agents/php-agent.d.ts +8 -0
- package/dist/scanning/agents/php-agent.d.ts.map +1 -0
- package/dist/scanning/agents/php-agent.js +679 -0
- package/dist/scanning/agents/php-agent.js.map +1 -0
- package/dist/scanning/agents/python-agent.d.ts +8 -0
- package/dist/scanning/agents/python-agent.d.ts.map +1 -0
- package/dist/scanning/agents/python-agent.js +701 -0
- package/dist/scanning/agents/python-agent.js.map +1 -0
- package/dist/scanning/agents/supabase-agent.d.ts +8 -0
- package/dist/scanning/agents/supabase-agent.d.ts.map +1 -0
- package/dist/scanning/agents/supabase-agent.js +484 -0
- package/dist/scanning/agents/supabase-agent.js.map +1 -0
- package/dist/scanning/orchestrator.d.ts +29 -0
- package/dist/scanning/orchestrator.d.ts.map +1 -0
- package/dist/scanning/orchestrator.js +186 -0
- package/dist/scanning/orchestrator.js.map +1 -0
- package/dist/scanning/tech-detector.d.ts +12 -0
- package/dist/scanning/tech-detector.d.ts.map +1 -0
- package/dist/scanning/tech-detector.js +252 -0
- package/dist/scanning/tech-detector.js.map +1 -0
- package/dist/scanning/types.d.ts +87 -0
- package/dist/scanning/types.d.ts.map +1 -0
- package/dist/scanning/types.js +5 -0
- package/dist/scanning/types.js.map +1 -0
- package/dist/utils/child-process.d.ts +2 -0
- package/dist/utils/child-process.d.ts.map +1 -0
- package/dist/utils/child-process.js +4 -0
- package/dist/utils/child-process.js.map +1 -0
- package/dist/utils/context-classifier.d.ts +11 -0
- package/dist/utils/context-classifier.d.ts.map +1 -0
- package/dist/utils/context-classifier.js +79 -0
- package/dist/utils/context-classifier.js.map +1 -0
- package/dist/utils/exec.d.ts +18 -0
- package/dist/utils/exec.d.ts.map +1 -0
- package/dist/utils/exec.js +51 -0
- package/dist/utils/exec.js.map +1 -0
- package/dist/utils/file-filter.d.ts +4 -0
- package/dist/utils/file-filter.d.ts.map +1 -0
- package/dist/utils/file-filter.js +68 -0
- package/dist/utils/file-filter.js.map +1 -0
- package/dist/utils/fs.d.ts +2 -0
- package/dist/utils/fs.d.ts.map +1 -0
- package/dist/utils/fs.js +5 -0
- package/dist/utils/fs.js.map +1 -0
- package/dist/utils/logger.d.ts +12 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +27 -0
- package/dist/utils/logger.js.map +1 -0
- package/dist/utils/post-processor.d.ts +10 -0
- package/dist/utils/post-processor.d.ts.map +1 -0
- package/dist/utils/post-processor.js +183 -0
- package/dist/utils/post-processor.js.map +1 -0
- package/package.json +44 -0
|
@@ -0,0 +1,318 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
# ID 71: LDAP Injection
|
|
3
|
+
- id: datahogo-ldap-injection
|
|
4
|
+
patterns:
|
|
5
|
+
- pattern-either:
|
|
6
|
+
- pattern: |
|
|
7
|
+
$CLIENT.search($BASE, { filter: `...(${$INPUT})...` }, ...)
|
|
8
|
+
- pattern: |
|
|
9
|
+
$CLIENT.search($BASE, { filter: `...(${$REQ.body.$FIELD})...` }, ...)
|
|
10
|
+
- pattern: |
|
|
11
|
+
const filter = `(&(uid=${$USERNAME})(...))`
|
|
12
|
+
- pattern: |
|
|
13
|
+
ldap.$METHOD($DN, `...${$VAR}...`, ...)
|
|
14
|
+
- pattern-not: |
|
|
15
|
+
const filter = `(&(uid=${escapeLDAP($USERNAME)})(...))`
|
|
16
|
+
- pattern-not: |
|
|
17
|
+
ldapEscape.filter($VAR)
|
|
18
|
+
message: "LDAP query built with unsanitized user input - use ldap-escape or equivalent sanitization"
|
|
19
|
+
severity: ERROR
|
|
20
|
+
languages: [typescript, javascript]
|
|
21
|
+
metadata:
|
|
22
|
+
datahogo_id: 71
|
|
23
|
+
datahogo_category: "injection"
|
|
24
|
+
owasp_ref: "A03:2021"
|
|
25
|
+
|
|
26
|
+
# ID 72: XXE - XML External Entity
|
|
27
|
+
- id: datahogo-xxe-libxml
|
|
28
|
+
patterns:
|
|
29
|
+
- pattern-either:
|
|
30
|
+
- pattern: libxmljs.parseXml($INPUT)
|
|
31
|
+
- pattern: libxmljs.parseXmlString($INPUT)
|
|
32
|
+
- pattern: libxmljs.parseXml($INPUT, { noent: true })
|
|
33
|
+
message: "libxmljs XML parsing may allow XXE - disable external entities via options"
|
|
34
|
+
severity: ERROR
|
|
35
|
+
languages: [typescript, javascript]
|
|
36
|
+
metadata:
|
|
37
|
+
datahogo_id: 72
|
|
38
|
+
datahogo_category: "injection"
|
|
39
|
+
owasp_ref: "A03:2021"
|
|
40
|
+
|
|
41
|
+
- id: datahogo-xxe-xml2js
|
|
42
|
+
patterns:
|
|
43
|
+
- pattern: xml2js.parseString($INPUT, ...)
|
|
44
|
+
- pattern-not: xml2js.parseString($INPUT, { explicitCharkey: ..., ignoreAttrs: ... })
|
|
45
|
+
message: "xml2js parsing with untrusted input may allow XXE or billion-laughs attacks"
|
|
46
|
+
severity: WARNING
|
|
47
|
+
languages: [typescript, javascript]
|
|
48
|
+
metadata:
|
|
49
|
+
datahogo_id: 72
|
|
50
|
+
datahogo_category: "injection"
|
|
51
|
+
owasp_ref: "A03:2021"
|
|
52
|
+
|
|
53
|
+
- id: datahogo-xxe-domparser
|
|
54
|
+
pattern: |
|
|
55
|
+
new DOMParser().parseFromString($INPUT, ...)
|
|
56
|
+
message: "DOMParser with untrusted XML input may allow XXE - validate and sanitize input"
|
|
57
|
+
severity: WARNING
|
|
58
|
+
languages: [typescript, javascript]
|
|
59
|
+
metadata:
|
|
60
|
+
datahogo_id: 72
|
|
61
|
+
datahogo_category: "injection"
|
|
62
|
+
owasp_ref: "A03:2021"
|
|
63
|
+
|
|
64
|
+
# ID 73: Header Injection (CRLF)
|
|
65
|
+
- id: datahogo-header-injection-crlf
|
|
66
|
+
patterns:
|
|
67
|
+
- pattern-either:
|
|
68
|
+
- pattern: |
|
|
69
|
+
$RESPONSE.setHeader($HEADER_NAME, $REQ.body.$FIELD)
|
|
70
|
+
- pattern: |
|
|
71
|
+
$RESPONSE.setHeader($HEADER_NAME, $REQ.query.$PARAM)
|
|
72
|
+
- pattern: |
|
|
73
|
+
new Headers({ $KEY: $REQ.query.$PARAM })
|
|
74
|
+
- pattern-not: |
|
|
75
|
+
$RESPONSE.setHeader($HEADER_NAME, $VAR.replace(/[\r\n]/g, ''))
|
|
76
|
+
- pattern-not: |
|
|
77
|
+
sanitizeHeader($VALUE)
|
|
78
|
+
message: "HTTP header set with user-controlled value - strip CRLF (\\r\\n) to prevent header injection"
|
|
79
|
+
severity: WARNING
|
|
80
|
+
languages: [typescript, javascript]
|
|
81
|
+
metadata:
|
|
82
|
+
datahogo_id: 73
|
|
83
|
+
datahogo_category: "injection"
|
|
84
|
+
owasp_ref: "A03:2021"
|
|
85
|
+
|
|
86
|
+
# ID 74: Email Header Injection
|
|
87
|
+
- id: datahogo-email-header-injection-to
|
|
88
|
+
patterns:
|
|
89
|
+
- pattern-either:
|
|
90
|
+
- pattern: |
|
|
91
|
+
$MAILER.sendMail({ to: $REQ.body.email, ... })
|
|
92
|
+
- pattern: |
|
|
93
|
+
$MAILER.sendMail({ from: $REQ.body.from, ... })
|
|
94
|
+
- pattern: |
|
|
95
|
+
$MAILER.sendMail({ subject: `...${ $REQ.body.subject }...`, ... })
|
|
96
|
+
message: "Email headers built from user input - sanitize To/From/Subject fields to prevent email header injection"
|
|
97
|
+
severity: WARNING
|
|
98
|
+
languages: [typescript, javascript]
|
|
99
|
+
metadata:
|
|
100
|
+
datahogo_id: 74
|
|
101
|
+
datahogo_category: "injection"
|
|
102
|
+
owasp_ref: "A03:2021"
|
|
103
|
+
|
|
104
|
+
- id: datahogo-email-header-injection-resend
|
|
105
|
+
patterns:
|
|
106
|
+
- pattern-either:
|
|
107
|
+
- pattern: |
|
|
108
|
+
resend.emails.send({ to: $REQ.body.$FIELD, ... })
|
|
109
|
+
- pattern: |
|
|
110
|
+
resend.emails.send({ from: $REQ.body.$FIELD, ... })
|
|
111
|
+
- pattern: |
|
|
112
|
+
resend.emails.send({ subject: `...${ $REQ.body.$FIELD }...`, ... })
|
|
113
|
+
message: "Resend email fields built from user input - validate email addresses and sanitize subject lines"
|
|
114
|
+
severity: WARNING
|
|
115
|
+
languages: [typescript, javascript]
|
|
116
|
+
metadata:
|
|
117
|
+
datahogo_id: 74
|
|
118
|
+
datahogo_category: "injection"
|
|
119
|
+
owasp_ref: "A03:2021"
|
|
120
|
+
|
|
121
|
+
# ID 75: Log Injection
|
|
122
|
+
- id: datahogo-log-injection-console
|
|
123
|
+
patterns:
|
|
124
|
+
- pattern-either:
|
|
125
|
+
- pattern: console.log(`...${ $REQ.body.$FIELD }...`)
|
|
126
|
+
- pattern: console.log(`...${ $REQ.query.$PARAM }...`)
|
|
127
|
+
- pattern: console.log(`...${ $REQ.params.$PARAM }...`)
|
|
128
|
+
- pattern: console.error(`...${ $REQ.body.$FIELD }...`)
|
|
129
|
+
- pattern: console.warn(`...${ $REQ.body.$FIELD }...`)
|
|
130
|
+
message: "User-controlled input in log statements enables log injection/forging - sanitize before logging"
|
|
131
|
+
severity: INFO
|
|
132
|
+
languages: [typescript, javascript]
|
|
133
|
+
metadata:
|
|
134
|
+
datahogo_id: 75
|
|
135
|
+
datahogo_category: "injection"
|
|
136
|
+
owasp_ref: "A09:2021"
|
|
137
|
+
|
|
138
|
+
- id: datahogo-log-injection-structured
|
|
139
|
+
patterns:
|
|
140
|
+
- pattern-either:
|
|
141
|
+
- pattern: logger.info(`...${ $REQ.body.$FIELD }...`)
|
|
142
|
+
- pattern: logger.error(`...${ $REQ.body.$FIELD }...`)
|
|
143
|
+
- pattern: winston.log($LEVEL, `...${ $REQ.body.$FIELD }...`)
|
|
144
|
+
- pattern: pino().info(`...${ $REQ.body.$FIELD }...`)
|
|
145
|
+
message: "User input in log messages enables log injection - pass as structured field instead of string interpolation"
|
|
146
|
+
severity: INFO
|
|
147
|
+
languages: [typescript, javascript]
|
|
148
|
+
metadata:
|
|
149
|
+
datahogo_id: 75
|
|
150
|
+
datahogo_category: "injection"
|
|
151
|
+
owasp_ref: "A09:2021"
|
|
152
|
+
|
|
153
|
+
# ID 76: Template Injection (SSTI)
|
|
154
|
+
- id: datahogo-template-injection-ejs
|
|
155
|
+
patterns:
|
|
156
|
+
- pattern-either:
|
|
157
|
+
- pattern: ejs.render($REQ.body.$TEMPLATE, ...)
|
|
158
|
+
- pattern: ejs.render($REQ.query.$PARAM, ...)
|
|
159
|
+
- pattern: ejs.renderFile($REQ.body.$PATH, ...)
|
|
160
|
+
message: "EJS rendering with user-controlled template enables Server-Side Template Injection (SSTI)"
|
|
161
|
+
severity: CRITICAL
|
|
162
|
+
languages: [typescript, javascript]
|
|
163
|
+
metadata:
|
|
164
|
+
datahogo_id: 76
|
|
165
|
+
datahogo_category: "injection"
|
|
166
|
+
owasp_ref: "A03:2021"
|
|
167
|
+
|
|
168
|
+
- id: datahogo-template-injection-handlebars
|
|
169
|
+
patterns:
|
|
170
|
+
- pattern-either:
|
|
171
|
+
- pattern: |
|
|
172
|
+
const template = Handlebars.compile($REQ.body.$FIELD)
|
|
173
|
+
- pattern: |
|
|
174
|
+
const template = Handlebars.compile($REQ.query.$PARAM)
|
|
175
|
+
message: "Handlebars compiling user-controlled templates enables SSTI - only compile static templates"
|
|
176
|
+
severity: CRITICAL
|
|
177
|
+
languages: [typescript, javascript]
|
|
178
|
+
metadata:
|
|
179
|
+
datahogo_id: 76
|
|
180
|
+
datahogo_category: "injection"
|
|
181
|
+
owasp_ref: "A03:2021"
|
|
182
|
+
|
|
183
|
+
- id: datahogo-template-injection-pug
|
|
184
|
+
patterns:
|
|
185
|
+
- pattern-either:
|
|
186
|
+
- pattern: pug.render($REQ.body.$FIELD, ...)
|
|
187
|
+
- pattern: pug.compile($REQ.body.$FIELD, ...)
|
|
188
|
+
message: "Pug rendering with user-controlled template content enables SSTI"
|
|
189
|
+
severity: CRITICAL
|
|
190
|
+
languages: [typescript, javascript]
|
|
191
|
+
metadata:
|
|
192
|
+
datahogo_id: 76
|
|
193
|
+
datahogo_category: "injection"
|
|
194
|
+
owasp_ref: "A03:2021"
|
|
195
|
+
|
|
196
|
+
# ID 104: Unsafe deserialization
|
|
197
|
+
- id: datahogo-unsafe-deserialize-node-serialize
|
|
198
|
+
patterns:
|
|
199
|
+
- pattern-either:
|
|
200
|
+
- pattern: serialize.unserialize($INPUT)
|
|
201
|
+
- pattern: nodeSerialize.unserialize($INPUT)
|
|
202
|
+
message: "node-serialize unserialize() is unsafe with untrusted input and allows Remote Code Execution"
|
|
203
|
+
severity: ERROR
|
|
204
|
+
languages: [typescript, javascript]
|
|
205
|
+
metadata:
|
|
206
|
+
datahogo_id: 104
|
|
207
|
+
datahogo_category: "injection"
|
|
208
|
+
owasp_ref: "A08:2021"
|
|
209
|
+
|
|
210
|
+
- id: datahogo-unsafe-yaml-load
|
|
211
|
+
patterns:
|
|
212
|
+
- pattern-either:
|
|
213
|
+
- pattern: yaml.load($INPUT)
|
|
214
|
+
- pattern: jsYaml.load($INPUT)
|
|
215
|
+
- pattern: require("js-yaml").load($INPUT)
|
|
216
|
+
message: "yaml.load() with untrusted input can execute arbitrary code. Use yaml.safeLoad() or yaml.load() with schema: CORE_SCHEMA"
|
|
217
|
+
severity: ERROR
|
|
218
|
+
languages: [typescript, javascript]
|
|
219
|
+
metadata:
|
|
220
|
+
datahogo_id: 104
|
|
221
|
+
datahogo_category: "injection"
|
|
222
|
+
owasp_ref: "A08:2021"
|
|
223
|
+
|
|
224
|
+
# ID 106: Path traversal
|
|
225
|
+
- id: datahogo-path-traversal-readfile
|
|
226
|
+
patterns:
|
|
227
|
+
- pattern-either:
|
|
228
|
+
- pattern: |
|
|
229
|
+
fs.readFile(`${__dirname}/${$REQ.query.$PARAM}`, ...)
|
|
230
|
+
- pattern: |
|
|
231
|
+
fs.readFile(`${$BASE_PATH}/${$REQ.body.$FIELD}`, ...)
|
|
232
|
+
- pattern: |
|
|
233
|
+
fs.readFileSync(`${$DIR}/${$REQ.params.$PARAM}`)
|
|
234
|
+
- pattern: |
|
|
235
|
+
path.join($BASE_DIR, $REQ.query.$PARAM)
|
|
236
|
+
- pattern-not: |
|
|
237
|
+
path.join($BASE_DIR, path.basename($VAR))
|
|
238
|
+
- pattern-not: |
|
|
239
|
+
$PATH.includes('..')
|
|
240
|
+
message: "File path built with user input - use path.basename() and validate to prevent path traversal"
|
|
241
|
+
severity: ERROR
|
|
242
|
+
languages: [typescript, javascript]
|
|
243
|
+
metadata:
|
|
244
|
+
datahogo_id: 106
|
|
245
|
+
datahogo_category: "files-media"
|
|
246
|
+
owasp_ref: "A01:2021"
|
|
247
|
+
|
|
248
|
+
- id: datahogo-path-traversal-send
|
|
249
|
+
patterns:
|
|
250
|
+
- pattern-either:
|
|
251
|
+
- pattern: |
|
|
252
|
+
res.sendFile(`${__dirname}/${$REQ.params.$PARAM}`)
|
|
253
|
+
- pattern: |
|
|
254
|
+
res.sendFile(path.join($DIR, $REQ.query.$PARAM))
|
|
255
|
+
message: "Dynamic file serving with user-controlled path - validate against allowed file list"
|
|
256
|
+
severity: ERROR
|
|
257
|
+
languages: [typescript, javascript]
|
|
258
|
+
metadata:
|
|
259
|
+
datahogo_id: 106
|
|
260
|
+
datahogo_category: "files-media"
|
|
261
|
+
owasp_ref: "A01:2021"
|
|
262
|
+
|
|
263
|
+
# ID 111: Zip Slip
|
|
264
|
+
- id: datahogo-zip-slip
|
|
265
|
+
patterns:
|
|
266
|
+
- pattern-either:
|
|
267
|
+
- pattern: |
|
|
268
|
+
$ENTRY.extract($DEST_PATH)
|
|
269
|
+
- pattern: |
|
|
270
|
+
fs.writeFile(`${$OUTPUT_DIR}/${$ENTRY.fileName}`, ...)
|
|
271
|
+
- pattern: |
|
|
272
|
+
const targetPath = path.join($OUTPUT, $ENTRY.entryName)
|
|
273
|
+
- pattern-not: |
|
|
274
|
+
if (!targetPath.startsWith($OUTPUT))
|
|
275
|
+
- pattern-not: |
|
|
276
|
+
if (targetPath.includes('..'))
|
|
277
|
+
message: "ZIP extraction without path validation allows Zip Slip - verify extracted path is within target directory"
|
|
278
|
+
severity: ERROR
|
|
279
|
+
languages: [typescript, javascript]
|
|
280
|
+
metadata:
|
|
281
|
+
datahogo_id: 111
|
|
282
|
+
datahogo_category: "files-media"
|
|
283
|
+
owasp_ref: "A01:2021"
|
|
284
|
+
|
|
285
|
+
# ID 110: PDF generation injection
|
|
286
|
+
- id: datahogo-pdf-html-injection-puppeteer
|
|
287
|
+
patterns:
|
|
288
|
+
- pattern-either:
|
|
289
|
+
- pattern: |
|
|
290
|
+
$PAGE.setContent(`...${ $REQ.body.$FIELD }...`)
|
|
291
|
+
- pattern: |
|
|
292
|
+
$PAGE.setContent(`...${ $INPUT }...`)
|
|
293
|
+
- pattern-not: |
|
|
294
|
+
DOMPurify.sanitize($INPUT)
|
|
295
|
+
- pattern-not: |
|
|
296
|
+
sanitizeHtml($INPUT)
|
|
297
|
+
message: "User-controlled HTML in PDF generation (Puppeteer) allows script injection - sanitize HTML before passing to setContent()"
|
|
298
|
+
severity: WARNING
|
|
299
|
+
languages: [typescript, javascript]
|
|
300
|
+
metadata:
|
|
301
|
+
datahogo_id: 110
|
|
302
|
+
datahogo_category: "files-media"
|
|
303
|
+
owasp_ref: "A03:2021"
|
|
304
|
+
|
|
305
|
+
- id: datahogo-pdf-html-injection-pdfkit
|
|
306
|
+
patterns:
|
|
307
|
+
- pattern-either:
|
|
308
|
+
- pattern: |
|
|
309
|
+
$DOC.text($REQ.body.$FIELD, ...)
|
|
310
|
+
- pattern: |
|
|
311
|
+
$PDF.text(`...${ $REQ.body.$FIELD }...`)
|
|
312
|
+
message: "User-controlled content passed directly to PDF generator - sanitize to prevent content injection"
|
|
313
|
+
severity: INFO
|
|
314
|
+
languages: [typescript, javascript]
|
|
315
|
+
metadata:
|
|
316
|
+
datahogo_id: 110
|
|
317
|
+
datahogo_category: "files-media"
|
|
318
|
+
owasp_ref: "A03:2021"
|