xploitscan-shared-rules 1.11.1 → 1.13.0

package/dist/index.js

@@ -815,7 +815,7 @@ var SERVER_SIDE_PATH_RE = new RegExp(
   ].join("|"),
   "i"
 );
-var SERVER_SIDE_CONTENT_RE = /\b(?:req|request)\.(?:body|query|params|headers|cookies)\b|\b(?:app|router)\.(?:get|post|put|patch|delete|use|all)\s*\(|\bctx\.request\b|\bevent\.(?:body|queryStringParameters|pathParameters)\b|\(\s*req\s*,\s*res\b/;
+var SERVER_SIDE_CONTENT_RE = /\b(?:req|request)\.(?:body|query|params|headers|cookies)\b|\b(?:app|router)\.(?:get|post|put|patch|delete|use|all)\s*\(|\bctx\.request\b|\bevent\.(?:body|queryStringParameters|pathParameters)\b|\(\s*req\s*,\s*res\b|(?:import|require)\b[^;\n]*['"]express['"]|\bNextFunction\b/;
 function isServerSideFile(filePath, content) {
   if (isTestFile(filePath)) return false;
   if (SERVER_SIDE_PATH_RE.test(filePath)) return true;
@@ -1217,6 +1217,41 @@ var sqlInjection = {
         matches.push(m);
       }
     }
+    if (/\.\s*(?:query|execute|raw|queryRawUnsafe|executeRawUnsafe|\$queryRawUnsafe|\$executeRawUnsafe)\s*\(/.test(content)) {
+      const ctx = tryParse(content, filePath);
+      if (ctx) {
+        const { parsed, taint } = ctx;
+        const SQL_SINKS = /* @__PURE__ */ new Set([
+          "query",
+          "execute",
+          "raw",
+          "queryRawUnsafe",
+          "executeRawUnsafe",
+          "$queryRawUnsafe",
+          "$executeRawUnsafe"
+        ]);
+        visitCalls(
+          parsed,
+          (callee) => callee.type === "MemberExpression" && callee.property.type === "Identifier" && SQL_SINKS.has(callee.property.name),
+          (call, line) => {
+            const first = call.arguments[0];
+            if (!first || first.type === "SpreadElement") return;
+            if (first.type === "StringLiteral" || first.type === "TemplateLiteral") return;
+            if (!taint.isTainted(first)) return;
+            if (matches.some((m) => m.line === line)) return;
+            matches.push(
+              astMatch(
+                content,
+                filePath,
+                line,
+                sqlInjection,
+                "Use parameterized queries instead of building SQL from user input in a variable. Example: db.query('SELECT * FROM users WHERE login = ?', [req.body.login])"
+              )
+            );
+          }
+        );
+      }
+    }
     return matches;
   }
 };
@@ -1227,9 +1262,10 @@ var xssVulnerability = {
   category: "Injection",
   description: "Rendering user input without sanitization allows attackers to inject malicious scripts.",
   check(content, filePath) {
+    const hasSanitizerBypass = /bypassSecurityTrust(?:Html|Script|Style|Url|ResourceUrl)\s*\(/.test(content);
     if (/(?:sanitize|purify|escape|xss)/i.test(filePath)) return [];
-    if (/DOMPurify\.sanitize|sanitizeHtml|xss\(|escapeHtml/i.test(content)) return [];
-    if (/(?:import|require)\s*\(?.*(?:DOMPurify|dompurify|sanitize|sanitizer)/i.test(content)) return [];
+    if (!hasSanitizerBypass && /DOMPurify\.sanitize|sanitizeHtml|xss\(|escapeHtml/i.test(content)) return [];
+    if (!hasSanitizerBypass && /(?:import|require)\s*\(?.*(?:DOMPurify|dompurify|sanitize|sanitizer)/i.test(content)) return [];
     const patterns = [
       // React dangerouslySetInnerHTML
       /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/g,
@@ -1240,7 +1276,12 @@ var xssVulnerability = {
       // v-html in Vue
       /v-html\s*=/g,
       // {@html} in Svelte
-      /\{@html\s/g
+      /\{@html\s/g,
+      // Angular DomSanitizer escape hatches — bypassSecurityTrustHtml /
+      // bypassSecurityTrustScript / ...Url / ...ResourceUrl / ...Style. These
+      // mark a value as trusted and skip Angular's built-in sanitization;
+      // passing user input through one is the canonical Angular DOM-XSS sink.
+      /bypassSecurityTrust(?:Html|Script|Style|Url|ResourceUrl)\s*\(/g
     ];
     const allLines = content.split("\n");
     const matches = [];
@@ -2461,12 +2502,12 @@ var ssrfVulnerability = {
       filePath,
       () => "Validate URLs against an allowlist before fetching. Block internal IPs: 127.0.0.1, 10.x, 172.16-31.x, 192.168.x, 169.254.169.254 (cloud metadata). Use: const url = new URL(input); if (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error('Blocked');"
     ));
-    if (!/\b(?:fetch|axios|got|request|http\.get|https\.get)\b/.test(content)) return matches;
+    if (!/\b(?:fetch|axios|got|request|needle|superagent|undici|http\.get|https\.get)\b/.test(content)) return matches;
     const ctx = tryParse(content, filePath);
     if (!ctx) return matches;
     const { parsed, taint } = ctx;
-    const FETCH_CALLEES = /* @__PURE__ */ new Set(["fetch", "axios", "got", "request"]);
-    const FETCH_METHODS = /* @__PURE__ */ new Set(["get", "post", "put", "patch", "delete", "request"]);
+    const FETCH_CALLEES = /* @__PURE__ */ new Set(["fetch", "axios", "got", "request", "needle", "superagent", "undici"]);
+    const FETCH_METHODS = /* @__PURE__ */ new Set(["get", "post", "put", "patch", "delete", "request", "head"]);
     visitCalls(
       parsed,
       (callee) => {
@@ -2475,7 +2516,7 @@ var ssrfVulnerability = {
           if (!FETCH_METHODS.has(callee.property.name)) return false;
           const obj = callee.object;
           if (obj.type === "Identifier") {
-            return obj.name === "axios" || obj.name === "got" || obj.name === "http" || obj.name === "https";
+            return obj.name === "axios" || obj.name === "got" || obj.name === "http" || obj.name === "https" || obj.name === "needle" || obj.name === "superagent" || obj.name === "undici";
           }
         }
         return false;
@@ -3983,17 +4024,37 @@ var ssti = {
       (call, line) => {
         const first = call.arguments[0];
         if (!first || first.type === "SpreadElement") return;
-        if (!taint.isTainted(first)) return;
-        if (matches.some((m) => m.line === line)) return;
-        matches.push(
-          astMatch(
-            content,
-            filePath,
-            line,
-            ssti,
-            "Compile templates from a trusted, static source (a file path or a constant string). Pass user data only as context values."
-          )
-        );
+        if (taint.isTainted(first)) {
+          if (matches.some((m) => m.line === line)) return;
+          matches.push(
+            astMatch(
+              content,
+              filePath,
+              line,
+              ssti,
+              "Compile templates from a trusted, static source (a file path or a constant string). Pass user data only as context values."
+            )
+          );
+          return;
+        }
+        const opts = call.arguments[1];
+        if (opts && opts.type === "ObjectExpression") {
+          const hasTaintedSpread = opts.properties.some(
+            (p) => p.type === "SpreadElement" && taint.isTainted(p.argument)
+          );
+          if (hasTaintedSpread) {
+            if (matches.some((m) => m.line === line)) return;
+            matches.push(
+              astMatch(
+                content,
+                filePath,
+                line,
+                ssti,
+                "Don't spread req.body/req.query into template locals \u2014 an attacker can inject reserved view options (e.g. `layout`) to load arbitrary templates. Pass only the specific values the view needs: render('view', { name: req.body.name })."
+              )
+            );
+          }
+        }
       }
     );
     return filterSilenced(matches, content, "VC082");
@@ -4256,16 +4317,61 @@ var unprotectedDownload = {
     if (!/(?:download|sendFile|send_file)/i.test(content)) return [];
     if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
-    if (/(?:sendFile|download|send_file)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/i.test(content)) {
-      const hasValidation = /path\.resolve|path\.normalize|path\.join.*__dirname|realpath|includes\s*\(\s*["']\.\./i.test(content);
-      if (!hasValidation) {
-        matches.push(...findMatches(
-          content,
-          /(?:sendFile|download|send_file)\s*\(/gi,
-          unprotectedDownload,
-          filePath,
-          () => "Validate file paths: const safePath = path.resolve(DOWNLOAD_DIR, filename); if (!safePath.startsWith(DOWNLOAD_DIR)) throw new Error('Invalid path');"
-        ));
+    const hasContainmentCheck = /\.startsWith\s*\(/.test(content) || /realpath/i.test(content) || /includes\s*\(\s*["']\.\./.test(content);
+    if (/(?:sendFile|download|send_file)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/i.test(content) && !hasContainmentCheck) {
+      matches.push(...findMatches(
+        content,
+        /(?:sendFile|download|send_file)\s*\(/gi,
+        unprotectedDownload,
+        filePath,
+        () => "Validate file paths: const safePath = path.resolve(DOWNLOAD_DIR, filename); if (!safePath.startsWith(DOWNLOAD_DIR + path.sep)) throw new Error('Invalid path');"
+      ));
+    }
+    if (!hasContainmentCheck && /\b(?:sendFile|download)\s*\(/.test(content)) {
+      const ctx = tryParse(content, filePath);
+      if (ctx) {
+        const { parsed, taint } = ctx;
+        const readsUserInput = /\b(?:req|request)\s*\.\s*(?:params|query|body|headers|cookies)\b/.test(content) || /\bparams\s*\.\s*\w/.test(content) || /\bquery\s*\.\s*\w/.test(content) || /\breq\.body\b/.test(content);
+        const isUnsafePathBuild = (node) => {
+          if (node.type !== "CallExpression") return false;
+          const callee = node.callee;
+          const isPathBuild = callee.type === "MemberExpression" && callee.object.type === "Identifier" && callee.object.name === "path" && callee.property.type === "Identifier" && (callee.property.name === "resolve" || callee.property.name === "join");
+          if (!isPathBuild) return false;
+          const rootedAtDirname = node.arguments.some(
+            (a) => a.type === "Identifier" && (a.name === "__dirname" || a.name === "__filename")
+          );
+          if (rootedAtDirname) return false;
+          return node.arguments.some(
+            (a) => a.type !== "SpreadElement" && a.type !== "StringLiteral" && a.type !== "TemplateLiteral"
+          );
+        };
+        const argIsTainted = (node) => {
+          if (taint.isTainted(node)) return true;
+          if (readsUserInput && isUnsafePathBuild(node)) return true;
+          if (node.type === "CallExpression") {
+            return node.arguments.some((a) => a.type !== "SpreadElement" && argIsTainted(a));
+          }
+          return false;
+        };
+        visitCalls(
+          parsed,
+          (callee) => callee.type === "MemberExpression" && callee.property.type === "Identifier" && (callee.property.name === "sendFile" || callee.property.name === "download"),
+          (call, line) => {
+            const first = call.arguments[0];
+            if (!first || first.type === "SpreadElement") return;
+            if (!argIsTainted(first)) return;
+            if (matches.some((m) => m.line === line)) return;
+            matches.push(
+              astMatch(
+                content,
+                filePath,
+                line,
+                unprotectedDownload,
+                "Validate file paths: const safePath = path.resolve(DOWNLOAD_DIR, filename); if (!safePath.startsWith(DOWNLOAD_DIR + path.sep)) throw new Error('Invalid path');"
+              )
+            );
+          }
+        );
       }
     }
     return matches;
@@ -5153,7 +5259,7 @@ var pathTraversal = {
       while ((m = pat.exec(content)) !== null) {
         if (isCommentLine(content, m.index)) continue;
         const surrounding = content.substring(Math.max(0, m.index - 200), m.index + 200);
-        if (/path\.normalize|sanitize|\.replace\(\s*['"]\.\./i.test(surrounding)) continue;
+        if (/path\.normalize|sanitize|\.replace\(\s*['"]\.\.|\.startsWith\s*\(|realpath/i.test(surrounding)) continue;
         const lineNum = content.substring(0, m.index).split("\n").length;
         findings.push({
           rule: "VC117",