npm - xploitscan-shared-rules - Versions diffs - 1.12.0 → 1.13.0 - Mend

xploitscan-shared-rules 1.12.0 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js CHANGED Viewed

@@ -815,7 +815,7 @@ var SERVER_SIDE_PATH_RE = new RegExp(
   ].join("|"),
   "i"
 );
-var SERVER_SIDE_CONTENT_RE = /\b(?:req|request)\.(?:body|query|params|headers|cookies)\b|\b(?:app|router)\.(?:get|post|put|patch|delete|use|all)\s*\(|\bctx\.request\b|\bevent\.(?:body|queryStringParameters|pathParameters)\b|\(\s*req\s*,\s*res\b/;
+var SERVER_SIDE_CONTENT_RE = /\b(?:req|request)\.(?:body|query|params|headers|cookies)\b|\b(?:app|router)\.(?:get|post|put|patch|delete|use|all)\s*\(|\bctx\.request\b|\bevent\.(?:body|queryStringParameters|pathParameters)\b|\(\s*req\s*,\s*res\b|(?:import|require)\b[^;\n]*['"]express['"]|\bNextFunction\b/;
 function isServerSideFile(filePath, content) {
   if (isTestFile(filePath)) return false;
   if (SERVER_SIDE_PATH_RE.test(filePath)) return true;
@@ -1262,9 +1262,10 @@ var xssVulnerability = {
   category: "Injection",
   description: "Rendering user input without sanitization allows attackers to inject malicious scripts.",
   check(content, filePath) {
+    const hasSanitizerBypass = /bypassSecurityTrust(?:Html|Script|Style|Url|ResourceUrl)\s*\(/.test(content);
     if (/(?:sanitize|purify|escape|xss)/i.test(filePath)) return [];
-    if (/DOMPurify\.sanitize|sanitizeHtml|xss\(|escapeHtml/i.test(content)) return [];
-    if (/(?:import|require)\s*\(?.*(?:DOMPurify|dompurify|sanitize|sanitizer)/i.test(content)) return [];
+    if (!hasSanitizerBypass && /DOMPurify\.sanitize|sanitizeHtml|xss\(|escapeHtml/i.test(content)) return [];
+    if (!hasSanitizerBypass && /(?:import|require)\s*\(?.*(?:DOMPurify|dompurify|sanitize|sanitizer)/i.test(content)) return [];
     const patterns = [
       // React dangerouslySetInnerHTML
       /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/g,
@@ -1275,7 +1276,12 @@ var xssVulnerability = {
       // v-html in Vue
       /v-html\s*=/g,
       // {@html} in Svelte
-      /\{@html\s/g
+      /\{@html\s/g,
+      // Angular DomSanitizer escape hatches — bypassSecurityTrustHtml /
+      // bypassSecurityTrustScript / ...Url / ...ResourceUrl / ...Style. These
+      // mark a value as trusted and skip Angular's built-in sanitization;
+      // passing user input through one is the canonical Angular DOM-XSS sink.
+      /bypassSecurityTrust(?:Html|Script|Style|Url|ResourceUrl)\s*\(/g
     ];
     const allLines = content.split("\n");
     const matches = [];
@@ -4018,17 +4024,37 @@ var ssti = {
       (call, line) => {
         const first = call.arguments[0];
         if (!first || first.type === "SpreadElement") return;
-        if (!taint.isTainted(first)) return;
-        if (matches.some((m) => m.line === line)) return;
-        matches.push(
-          astMatch(
-            content,
-            filePath,
-            line,
-            ssti,
-            "Compile templates from a trusted, static source (a file path or a constant string). Pass user data only as context values."
-          )
-        );
+        if (taint.isTainted(first)) {
+          if (matches.some((m) => m.line === line)) return;
+          matches.push(
+            astMatch(
+              content,
+              filePath,
+              line,
+              ssti,
+              "Compile templates from a trusted, static source (a file path or a constant string). Pass user data only as context values."
+            )
+          );
+          return;
+        }
+        const opts = call.arguments[1];
+        if (opts && opts.type === "ObjectExpression") {
+          const hasTaintedSpread = opts.properties.some(
+            (p) => p.type === "SpreadElement" && taint.isTainted(p.argument)
+          );
+          if (hasTaintedSpread) {
+            if (matches.some((m) => m.line === line)) return;
+            matches.push(
+              astMatch(
+                content,
+                filePath,
+                line,
+                ssti,
+                "Don't spread req.body/req.query into template locals \u2014 an attacker can inject reserved view options (e.g. `layout`) to load arbitrary templates. Pass only the specific values the view needs: render('view', { name: req.body.name })."
+              )
+            );
+          }
+        }
       }
     );
     return filterSilenced(matches, content, "VC082");
@@ -4291,16 +4317,61 @@ var unprotectedDownload = {
     if (!/(?:download|sendFile|send_file)/i.test(content)) return [];
     if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
-    if (/(?:sendFile|download|send_file)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/i.test(content)) {
-      const hasValidation = /path\.resolve|path\.normalize|path\.join.*__dirname|realpath|includes\s*\(\s*["']\.\./i.test(content);
-      if (!hasValidation) {
-        matches.push(...findMatches(
-          content,
-          /(?:sendFile|download|send_file)\s*\(/gi,
-          unprotectedDownload,
-          filePath,
-          () => "Validate file paths: const safePath = path.resolve(DOWNLOAD_DIR, filename); if (!safePath.startsWith(DOWNLOAD_DIR)) throw new Error('Invalid path');"
-        ));
+    const hasContainmentCheck = /\.startsWith\s*\(/.test(content) || /realpath/i.test(content) || /includes\s*\(\s*["']\.\./.test(content);
+    if (/(?:sendFile|download|send_file)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/i.test(content) && !hasContainmentCheck) {
+      matches.push(...findMatches(
+        content,
+        /(?:sendFile|download|send_file)\s*\(/gi,
+        unprotectedDownload,
+        filePath,
+        () => "Validate file paths: const safePath = path.resolve(DOWNLOAD_DIR, filename); if (!safePath.startsWith(DOWNLOAD_DIR + path.sep)) throw new Error('Invalid path');"
+      ));
+    }
+    if (!hasContainmentCheck && /\b(?:sendFile|download)\s*\(/.test(content)) {
+      const ctx = tryParse(content, filePath);
+      if (ctx) {
+        const { parsed, taint } = ctx;
+        const readsUserInput = /\b(?:req|request)\s*\.\s*(?:params|query|body|headers|cookies)\b/.test(content) || /\bparams\s*\.\s*\w/.test(content) || /\bquery\s*\.\s*\w/.test(content) || /\breq\.body\b/.test(content);
+        const isUnsafePathBuild = (node) => {
+          if (node.type !== "CallExpression") return false;
+          const callee = node.callee;
+          const isPathBuild = callee.type === "MemberExpression" && callee.object.type === "Identifier" && callee.object.name === "path" && callee.property.type === "Identifier" && (callee.property.name === "resolve" || callee.property.name === "join");
+          if (!isPathBuild) return false;
+          const rootedAtDirname = node.arguments.some(
+            (a) => a.type === "Identifier" && (a.name === "__dirname" || a.name === "__filename")
+          );
+          if (rootedAtDirname) return false;
+          return node.arguments.some(
+            (a) => a.type !== "SpreadElement" && a.type !== "StringLiteral" && a.type !== "TemplateLiteral"
+          );
+        };
+        const argIsTainted = (node) => {
+          if (taint.isTainted(node)) return true;
+          if (readsUserInput && isUnsafePathBuild(node)) return true;
+          if (node.type === "CallExpression") {
+            return node.arguments.some((a) => a.type !== "SpreadElement" && argIsTainted(a));
+          }
+          return false;
+        };
+        visitCalls(
+          parsed,
+          (callee) => callee.type === "MemberExpression" && callee.property.type === "Identifier" && (callee.property.name === "sendFile" || callee.property.name === "download"),
+          (call, line) => {
+            const first = call.arguments[0];
+            if (!first || first.type === "SpreadElement") return;
+            if (!argIsTainted(first)) return;
+            if (matches.some((m) => m.line === line)) return;
+            matches.push(
+              astMatch(
+                content,
+                filePath,
+                line,
+                unprotectedDownload,
+                "Validate file paths: const safePath = path.resolve(DOWNLOAD_DIR, filename); if (!safePath.startsWith(DOWNLOAD_DIR + path.sep)) throw new Error('Invalid path');"
+              )
+            );
+          }
+        );
       }
     }
     return matches;
@@ -5188,7 +5259,7 @@ var pathTraversal = {
       while ((m = pat.exec(content)) !== null) {
         if (isCommentLine(content, m.index)) continue;
         const surrounding = content.substring(Math.max(0, m.index - 200), m.index + 200);
-        if (/path\.normalize|sanitize|\.replace\(\s*['"]\.\./i.test(surrounding)) continue;
+        if (/path\.normalize|sanitize|\.replace\(\s*['"]\.\.|\.startsWith\s*\(|realpath/i.test(surrounding)) continue;
         const lineNum = content.substring(0, m.index).split("\n").length;
         findings.push({
           rule: "VC117",