npm - pinata-security-cli - Versions diffs - 0.6.0 → 0.6.1 - Mend

pinata-security-cli 0.6.0 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/src/categories/definitions/security/ssrf.yml CHANGED Viewed

@@ -69,6 +69,18 @@ detectionPatterns:
     pattern: "fetch\\s*\\(.*req\\.(body|query|params)"
     confidence: high
     description: Detects fetch with user-controlled URL
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "new\\s+URL\\(.*\\)"
+      - "url\\.parse\\("
+      - "isAllowedUrl\\("
+      - "allowlist|whitelist"
+      - "isPrivateIP\\(|isInternalIP\\("
+      - "ipaddr\\.process\\("
   - id: ts-axios-user-url
     type: regex
@@ -76,6 +88,18 @@ detectionPatterns:
     pattern: "axios\\.(get|post|put|delete|patch)\\s*\\(.*req\\."
     confidence: high
     description: Detects axios with user-controlled URL
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "new\\s+URL\\(.*\\)"
+      - "url\\.parse\\("
+      - "isAllowedUrl\\("
+      - "allowlist|whitelist"
+      - "isPrivateIP\\(|isInternalIP\\("
+      - "ipaddr\\.process\\("
   - id: ts-got-user-url
     type: regex
@@ -83,6 +107,18 @@ detectionPatterns:
     pattern: "got\\s*\\(.*req\\.|got\\.(get|post)\\s*\\(.*req\\."
     confidence: high
     description: Detects got library with user-controlled URL
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "new\\s+URL\\(.*\\)"
+      - "url\\.parse\\("
+      - "isAllowedUrl\\("
+      - "allowlist|whitelist"
+      - "isPrivateIP\\(|isInternalIP\\("
+      - "ipaddr\\.process\\("
   - id: ts-node-fetch-user
     type: regex
@@ -90,6 +126,18 @@ detectionPatterns:
     pattern: "node-fetch.*req\\.(body|query|params)"
     confidence: high
     description: Detects node-fetch with user-controlled URL
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "new\\s+URL\\(.*\\)"
+      - "url\\.parse\\("
+      - "isAllowedUrl\\("
+      - "allowlist|whitelist"
+      - "isPrivateIP\\(|isInternalIP\\("
+      - "ipaddr\\.process\\("
   - id: ts-http-request-user
     type: regex
@@ -97,6 +145,18 @@ detectionPatterns:
     pattern: "http\\.request\\s*\\(.*req\\.|https\\.request\\s*\\(.*req\\."
     confidence: high
     description: Detects native http/https with user-controlled URL
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "new\\s+URL\\(.*\\)"
+      - "url\\.parse\\("
+      - "isAllowedUrl\\("
+      - "allowlist|whitelist"
+      - "isPrivateIP\\(|isInternalIP\\("
+      - "ipaddr\\.process\\("
 testTemplates:
   - id: pytest-ssrf

package/src/categories/definitions/security/xss.yml CHANGED Viewed

@@ -63,6 +63,21 @@ detectionPatterns:
     pattern: "\\.innerHTML\\s*=|\\.outerHTML\\s*="
     confidence: high
     description: Detects direct innerHTML/outerHTML assignment
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\blocation\\.(hash|search|href)"
+      - "\\bwindow\\.location"
+      - "\\bdocument\\.cookie"
+      - "\\bURLSearchParams"
+    sanitizers:
+      - "DOMPurify\\.sanitize\\("
+      - "escapeHtml\\("
+      - "sanitizeHtml\\("
+      - "encodeURIComponent\\("
+      - "textContent\\s*="
+      - "xss\\("
   - id: ts-document-write
     type: regex
@@ -70,6 +85,14 @@ detectionPatterns:
     pattern: "document\\.write\\s*\\(|document\\.writeln\\s*\\("
     confidence: high
     description: Detects document.write() which is vulnerable to XSS
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\blocation\\.(hash|search|href)"
+      - "\\bURLSearchParams"
+    sanitizers:
+      - "DOMPurify\\.sanitize\\("
+      - "escapeHtml\\("
+      - "encodeURIComponent\\("
   - id: ts-dangerouslysetinnerhtml
     type: regex
@@ -78,6 +101,15 @@ detectionPatterns:
     confidence: medium
     description: Detects React dangerouslySetInnerHTML usage
     negativePattern: "DOMPurify\\.sanitize|sanitizeHtml|xss\\("
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\bprops\\."
+      - "\\buseSearchParams"
+      - "\\bfetch\\("
+    sanitizers:
+      - "DOMPurify\\.sanitize\\("
+      - "sanitizeHtml\\("
+      - "xss\\("
   - id: ts-eval-user-input
     type: regex
@@ -85,6 +117,10 @@ detectionPatterns:
     pattern: "eval\\s*\\(|new\\s+Function\\s*\\(|setTimeout\\s*\\(\\s*[`\"'].*\\$\\{"
     confidence: high
     description: Detects eval() or Function() with potential user input
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
   - id: ts-jquery-html
     type: regex

package/src/categories/definitions/security/xxe.yml CHANGED Viewed

@@ -71,6 +71,15 @@ detectionPatterns:
     pattern: "DOMParser\\s*\\(\\)|xmldom|xml2js"
     confidence: medium
     description: Detects XML parsing libraries that may allow XXE
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "disableExternalEntities"
+      - "noent:\\s*false"
+      - "explicitCharkey"
+      - "xmlParserOptions.*noent"
   - id: ts-libxmljs
     type: regex
@@ -79,6 +88,14 @@ detectionPatterns:
     confidence: high
     description: Detects libxmljs which allows XXE by default
     negativePattern: "noent:\\s*false|nonet:\\s*true"
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "noent:\\s*false"
+      - "nonet:\\s*true"
+      - "disableExternalEntities"
   - id: ts-fast-xml-parser
     type: regex
@@ -86,6 +103,14 @@ detectionPatterns:
     pattern: "XMLParser\\s*\\(\\)|fast-xml-parser"
     confidence: low
     description: Detects fast-xml-parser usage (check external entity settings)
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "processEntities:\\s*false"
+      - "disableExternalEntities"
+      - "noent:\\s*false"
   - id: ts-express-xml
     type: regex
@@ -93,6 +118,13 @@ detectionPatterns:
     pattern: "express-xml-bodyparser|body-parser-xml"
     confidence: medium
     description: Detects Express XML body parsers that may enable XXE
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "disableExternalEntities"
+      - "noent:\\s*false"
+      - "xmlParserOptions.*noent"
 testTemplates:
   - id: pytest-xxe