Projects STRLCPY bearer Commits a2681566
  • ■ ■ ■ ■ ■
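--- a/pkg/commands/process/settings/ruleLoader.go
+++ b/pkg/commands/process/settings/ruleLoader.go
@@ -17,7 +17,7 @@
 const LATEST_RELEASE_URL = "https://api.github.com/repos/bearer/bearer-rules/releases/latest"
 const BASE_RULE_FOLDER = "/"
 
-func LoadRuleDefinitionsFromGitHub(ruleDefinitions map[string]RuleDefinition, builtInRuleDefinitions map[string]RuleDefinition) error {
+func LoadRuleDefinitionsFromGitHub(ruleDefinitions map[string]RuleDefinition) error {
  resp, err := http.Get(LATEST_RELEASE_URL)
  if err != nil {
  return err
@@ -94,17 +94,10 @@
  }
 
  id := ruleDefinition.Metadata.ID
- _, builtInRuleExists := builtInRuleDefinitions[id]
  _, ruleExists := ruleDefinitions[id]
- if builtInRuleExists || ruleExists {
+ if ruleExists {
  return fmt.Errorf("duplicate built-in rule ID %s", id)
  }
- 
- if strings.Contains(header.Name, "built_in_rules") {
- builtInRuleDefinitions[id] = ruleDefinition
- continue
- }
- 
  ruleDefinitions[id] = ruleDefinition
  }
 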
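Review bot: The retained error line `return fmt.Errorf("duplicate built-in rule ID %s", id)` still says "built-in", but with the `built_in_rules` path routing removed every entry in the downloaded archive now lands in ruleDefinitions, so a clash between any two archive entries is reported as a built-in duplicate; unless the caller now treats the whole release as built-in, `return fmt.Errorf("duplicate rule ID %s", id)` matches the new behaviour better. The exported function also has no doc comment on its new signature; I would add `// LoadRuleDefinitionsFromGitHub downloads the latest bearer-rules release and adds every rule definition it contains to ruleDefinitions, returning an error if a rule ID is already present.` above it. Because the rules are fetched from a remote release via the http.Get context line, this duplicate-ID check is the only guard visible in the hunk against one archive entry replacing another, so its wording matters for anyone triaging a failed load. The function body continues outside both hunks, so whatever validation the download itself receives is not visible here.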
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/code_injection/.snapshots/TestJavascriptAwsLambdaCodeInjection--code_injection.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "94"
    5  - - "95"
    6  - id: javascript_aws_lambda_code_injection
    7  - description: Code injection detected.
    8  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_code_injection
    9  - line_number: 5
    10  - filename: code_injection.js
    11  - parent_line_number: 5
    12  - snippet: vm.createContext(context)
    13  - fingerprint: b9e20a46d6fa9de4d6d74ee7f5dd33a3_0
    14  - - rule:
    15  - cwe_ids:
    16  - - "94"
    17  - - "95"
    18  - id: javascript_aws_lambda_code_injection
    19  - description: Code injection detected.
    20  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_code_injection
    21  - line_number: 7
    22  - filename: code_injection.js
    23  - parent_line_number: 7
    24  - snippet: new vm.Script(event["query"])
    25  - fingerprint: b9e20a46d6fa9de4d6d74ee7f5dd33a3_1
    26  - 
    27  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/code_injection/.snapshots/TestJavascriptAwsLambdaCodeInjection--ok_no_code_injection.yml
    1  -{}
    2  - 
    3  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/code_injection/testdata/code_injection.js
    1  -const vm = require('node:vm');
    2  - 
    3  -exports.handler = async function(event, _context) {
    4  - const context = event["params"]["context"];
    5  - vm.createContext(context);
    6  - 
    7  - var bad = new vm.Script(event["query"])
    8  -}
    9  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/code_injection/testdata/ok_no_code_injection.js
    1  -const vm = require('node:vm');
    2  - 
    3  -exports.handler = async function(event, _context) {
    4  - const context = event["params"]["context"];
    5  - vm.createContext("count");
    6  - 
    7  - var ok = new vm.Script("count += 1")
    8  -}
    9  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/code_injection.yml
    1  -patterns:
    2  - - pattern: |
    3  - vm.$<METHOD>($<...>$<RAW_INPUT>$<...>)
    4  - filters:
    5  - - variable: METHOD
    6  - values:
    7  - - createContext
    8  - - runInContext
    9  - - runInNewContext
    10  - - runInThisContext
    11  - - compileFunction
    12  - - variable: RAW_INPUT
    13  - detection: javascript_aws_lambda_code_injection_user_input
    14  - - pattern: |
    15  - new vm.Script($<...>$<RAW_INPUT>$<...>)
    16  - filters:
    17  - - variable: RAW_INPUT
    18  - detection: javascript_aws_lambda_code_injection_user_input
    19  - - pattern: |
    20  - eval($<RAW_INPUT>)
    21  - filters:
    22  - - variable: RAW_INPUT
    23  - detection: javascript_aws_lambda_code_injection_user_input
    24  - - pattern: |
    25  - new Function($<RAW_INPUT>)
    26  - filters:
    27  - - variable: RAW_INPUT
    28  - detection: javascript_aws_lambda_code_injection_user_input
    29  - - pattern: |
    30  - setTimeout($<RAW_INPUT>)
    31  - filters:
    32  - - variable: RAW_INPUT
    33  - detection: javascript_aws_lambda_code_injection_user_input
    34  - - pattern: |
    35  - setInterval($<RAW_INPUT>)
    36  - filters:
    37  - - variable: RAW_INPUT
    38  - detection: javascript_aws_lambda_code_injection_user_input
    39  -auxiliary:
    40  - - id: javascript_aws_lambda_code_injection_user_input
    41  - patterns:
    42  - - event.$<_>
    43  - - event[$<_>]
    44  -languages:
    45  - - javascript
    46  -severity: high
    47  -metadata:
    48  - description: "Code injection detected."
    49  - remediation_message: |
    50  - ## Description
    51  - Running code that contains unsanitized data, such as user input or request data, makes your application vulnerable to injection attacks.
    52  - 
    53  - ## Remediations
    54  - Think twice if user input is really needed there.
    55  - 
    56  - It might be possible to use dynamic hardcoded values:
    57  - 
    58  - ```javascript
    59  - exports.handler = async (event) => {
    60  - let myFunc = "(a, b) => a + b"
    61  - 
    62  - if event["singleMember"] {
    63  - myFunc = "(a) => a"
    64  - }
    65  - 
    66  - vm.compileFunction(myFunc);
    67  - };
    68  - ```
    69  - 
    70  - or pass user input to a compiled function, instead of compiling it with user input.
    71  - 
    72  - ```javascript
    73  - exports.handler = async (event) => {
    74  - let myFunc = "(a, b) => a + b"
    75  - 
    76  - if event["singleMember"] {
    77  - myFunc = "(a) => a"
    78  - }
    79  - 
    80  - let compiledFunction = vm.compileFunction(myFunc);
    81  - 
    82  - compiledFunction(event)
    83  - };
    84  - ```
    85  - 
    86  - ## Resources
    87  - - [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)
    88  - cwe_id:
    89  - - 94
    90  - - 95
    91  - id: "javascript_aws_lambda_code_injection"
    92  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/os_command_injection/.snapshots/TestJavascriptAwsLambdaOsCommandInjection--ok_no_os_command_injection.yml
    1  -{}
    2  - 
    3  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/os_command_injection/.snapshots/TestJavascriptAwsLambdaOsCommandInjection--os_command_injection.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "78"
    5  - id: javascript_aws_lambda_os_command_injection
    6  - description: OS command injection vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_os_command_injection
    8  - line_number: 4
    9  - filename: os_command_injection.js
    10  - parent_line_number: 4
    11  - snippet: |-
    12  - exec("ls "+event["user_dir"]+"| wc -l", (err, stdout, stderr) => {
    13  - // do something
    14  - })
    15  - fingerprint: fdf91dd06466b2382d6174c5874a101b_0
    16  - - rule:
    17  - cwe_ids:
    18  - - "78"
    19  - id: javascript_aws_lambda_os_command_injection
    20  - description: OS command injection vulnerability detected.
    21  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_os_command_injection
    22  - line_number: 8
    23  - filename: os_command_injection.js
    24  - parent_line_number: 8
    25  - snippet: |-
    26  - execSync("ls "+event["user"]+"| wc -l", (err, stdout, stderr) => {
    27  - // do something
    28  - })
    29  - fingerprint: fdf91dd06466b2382d6174c5874a101b_1
    30  - - rule:
    31  - cwe_ids:
    32  - - "78"
    33  - id: javascript_aws_lambda_os_command_injection
    34  - description: OS command injection vulnerability detected.
    35  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_os_command_injection
    36  - line_number: 12
    37  - filename: os_command_injection.js
    38  - parent_line_number: 12
    39  - snippet: spawn(event["query"])
    40  - fingerprint: fdf91dd06466b2382d6174c5874a101b_2
    41  - - rule:
    42  - cwe_ids:
    43  - - "78"
    44  - id: javascript_aws_lambda_os_command_injection
    45  - description: OS command injection vulnerability detected.
    46  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_os_command_injection
    47  - line_number: 14
    48  - filename: os_command_injection.js
    49  - parent_line_number: 14
    50  - snippet: spawnSync("grep " + event["tmp"])
    51  - fingerprint: fdf91dd06466b2382d6174c5874a101b_3
    52  - 
    53  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/os_command_injection/testdata/ok_no_os_command_injection.js
    1  -const { exec, execSync, spawn, spawnSync } = require('node:child_process');
    2  - 
    3  -exports.handler = async (event) => {
    4  - exec("ls -lh /usr", (err, stdout, stderr) => {
    5  - // do something
    6  - });
    7  - 
    8  - execSync("ls -lh /usr", (err, stdout, stderr) => {
    9  - // do something
    10  - });
    11  - 
    12  - spawn("ls -lh /usr");
    13  - spawnSync("ls -lh /usr")
    14  -};
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/os_command_injection/testdata/os_command_injection.js
    1  -const { exec, execSync, spawn, spawnSync } = require('node:child_process');
    2  - 
    3  -exports.handler = async (event) => {
    4  - exec("ls "+event["user_dir"]+"| wc -l", (err, stdout, stderr) => {
    5  - // do something
    6  - });
    7  - 
    8  - execSync("ls "+event["user"]+"| wc -l", (err, stdout, stderr) => {
    9  - // do something
    10  - });
    11  - 
    12  - spawn(event["query"]);
    13  - 
    14  - spawnSync("grep " + event["tmp"])
    15  -};
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/os_command_injection.yml
    1  -patterns:
    2  - - pattern: |
    3  - $<CHILD_PROCESS_PATTERN>($<...>$<AWS_EVENT>$<...>)
    4  - filters:
    5  - - variable: CHILD_PROCESS_PATTERN
    6  - values:
    7  - - exec
    8  - - execSync
    9  - - spawn
    10  - - spawnSync
    11  - - variable: AWS_EVENT
    12  - detection: javascript_aws_lambda_cross_site_scripting_event
    13  -auxiliary:
    14  - - id: javascript_aws_lambda_cross_site_scripting_event
    15  - patterns:
    16  - - event
    17  -languages:
    18  - - javascript
    19  -severity: high
    20  -metadata:
    21  - description: "OS command injection vulnerability detected."
    22  - remediation_message: |
    23  - ## Description
    24  - Using external or user-defined input directly in an OS command can allow attackers to perform dangerous commands on the operating system.
    25  - 
    26  - ## Remediations
    27  - 
    28  - Think twice if user input is really needed there.
    29  - 
    30  - It might be possible to use dynamic hardcoded values:
    31  - 
    32  - ```javascript
    33  - exports.handler = async (event) => {
    34  - let filePattern = "*.js"
    35  - 
    36  - if event["graphql"] {
    37  - filePattern = "*.gql"
    38  - }
    39  - 
    40  - cp.exec(`cp ${filePattern} foo`, (error, stdout, stderr) => {});
    41  - };
    42  - ```
    43  - 
    44  - ## Resources
    45  - - [OWASP command injection explained](https://owasp.org/www-community/attacks/Command_Injection)
    46  - cwe_id:
    47  - - 78
    48  - id: "javascript_aws_lambda_os_command_injection"
    49  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/query_injection/.snapshots/TestJavascriptAwsLambdaQueryInjection--dynamodb_query_injection.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "89"
    5  - id: javascript_aws_lambda_query_injection
    6  - description: Raw user input in data store query detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_query_injection
    8  - line_number: 10
    9  - filename: dynamodb_query_injection.js
    10  - parent_line_number: 10
    11  - snippet: new QueryCommand(params)
    12  - fingerprint: 66820ec309f9420978198526e6038a5f_0
    13  - - rule:
    14  - cwe_ids:
    15  - - "89"
    16  - id: javascript_aws_lambda_query_injection
    17  - description: Raw user input in data store query detected.
    18  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_query_injection
    19  - line_number: 18
    20  - filename: dynamodb_query_injection.js
    21  - parent_line_number: 18
    22  - snippet: docClient.query(event["query"]["params"], function(err, data) {})
    23  - fingerprint: 66820ec309f9420978198526e6038a5f_1
    24  - - rule:
    25  - cwe_ids:
    26  - - "89"
    27  - id: javascript_aws_lambda_query_injection
    28  - description: Raw user input in data store query detected.
    29  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_query_injection
    30  - line_number: 32
    31  - filename: dynamodb_query_injection.js
    32  - parent_line_number: 32
    33  - snippet: new QueryCommand(params)
    34  - fingerprint: 66820ec309f9420978198526e6038a5f_2
    35  - 
    36  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/query_injection/.snapshots/TestJavascriptAwsLambdaQueryInjection--ok_no_injection.yml
    1  -{}
    2  - 
    3  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/query_injection/testdata/dynamodb_query_injection.js
    1  -// AWS SDK V3
    2  -import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
    3  -import { QueryCommand } from "@aws-sdk/client-dynamodb";
    4  - 
    5  -const dynamodb = new DynamoDBClient({ region: "af-south-1" })
    6  - 
    7  -exports.handler = async function(event, _context) {
    8  - const params = event["query_params"];
    9  - 
    10  - const data = await ddbClient.send(new QueryCommand(params));
    11  -}
    12  - 
    13  -// AWS SDK V2
    14  -var AWS = require('aws-sdk');
    15  -var docClient = new AWS.DynamoDB.DocumentClient({apiVersion: '2012-12-20'});
    16  - 
    17  -exports.handler = async function(event, _context) {
    18  - docClient.query(event["query"]["params"], function(err, data) {});
    19  -}
    20  - 
    21  -exports.handler = async function(event, _context) {
    22  - const params = {
    23  - KeyConditionExpression: "Title = " + getTitle(),
    24  - FilterExpression: "contains (Author, :name)",
    25  - ExpressionAttributeValues: {
    26  - ":name": { S: event["user"]["name"] },
    27  - },
    28  - ProjectionExpression: "Title, Author",
    29  - TableName: "BOOKS_TABLE",
    30  - };
    31  - 
    32  - const data = await ddbClient.send(new QueryCommand(params));
    33  -}
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/query_injection/testdata/ok_no_injection.js
    1  -import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
    2  -import { QueryCommand } from "@aws-sdk/client-dynamodb";
    3  - 
    4  -const dynamodb = new DynamoDBClient({ region: "af-south-1" })
    5  - 
    6  -exports.handler = async function(event, _context) {
    7  - const params = {
    8  - KeyConditionExpression: "Title = " + getTitle(),
    9  - FilterExpression: "contains (Author, :name)",
    10  - ExpressionAttributeValues: {
    11  - ":name": { S: getAuthorName() },
    12  - },
    13  - ProjectionExpression: "Title, Author",
    14  - TableName: "BOOKS_TABLE",
    15  - };
    16  - 
    17  - const data = await ddbClient.send(new QueryCommand(params));
    18  -}
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/query_injection.yml
    1  -patterns:
    2  - - pattern: | # AWS SDK V3 DynamoDB
    3  - new QueryCommand($<QUERY>)
    4  - filters:
    5  - - variable: QUERY
    6  - detection: javascript_aws_lambda_query_injection_raw_user_input
    7  - - pattern: | # AWS SDK V2 DynamoDB
    8  - $<DYNAMODB_INIT>.query($<QUERY>, $<_>)
    9  - filters:
    10  - - variable: QUERY
    11  - detection: javascript_aws_lambda_query_injection_raw_user_input
    12  - - variable: DYNAMODB_INIT
    13  - detection: javascript_aws_lambda_query_injection_dynamodb_v2_init
    14  -auxiliary:
    15  - - id: javascript_aws_lambda_query_injection_user_input
    16  - patterns:
    17  - - event.$<_>
    18  - - event[$<_>]
    19  - - id: javascript_aws_lambda_query_injection_hash
    20  - patterns:
    21  - - |
    22  - {$<...>}
    23  - - id: javascript_aws_lambda_query_injection_dynamodb_v2_init
    24  - patterns:
    25  - - new AWS.DynamoDB.DocumentClient()
    26  - - id: javascript_aws_lambda_query_injection_raw_user_input
    27  - patterns:
    28  - - pattern: $<USER_INPUT>
    29  - filters:
    30  - - variable: USER_INPUT
    31  - detection: javascript_aws_lambda_query_injection_user_input
    32  - - not:
    33  - variable: USER_INPUT
    34  - detection: javascript_aws_lambda_query_injection_hash
    35  -languages:
    36  - - javascript
    37  -severity: high
    38  -metadata:
    39  - description: "Raw user input in data store query detected."
    40  - remediation_message: |
    41  - ## Description
    42  - Including unsanitized data, such as user input or request data, in raw queries makes your application vulnerable to injection attacks.
    43  - 
    44  - ## Remediations
    45  - 
    46  - Narrow down your query from the code instead of using unsanitzed user input to define it.
    47  - 
    48  - Example:
    49  - 
    50  - ```javascript
    51  - exports.handler = async function(event, context) {
    52  - var params = {
    53  - Key: {
    54  - "artist": {"S": event.input },
    55  - "song": {"S": "Carrot Eton"}
    56  - },
    57  - TableName: "artists"
    58  - };
    59  - var result = await dynamodb.getItem(params).promise()
    60  - console.log(JSON.stringify(result))
    61  - }
    62  - ```
    63  - 
    64  - 
    65  - ## Resources
    66  - - [OWASP nosql injection explained](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
    67  - 
    68  - cwe_id:
    69  - - 89
    70  - id: "javascript_aws_lambda_query_injection"
    71  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection/.snapshots/TestJavascriptAwsLambdaSqlInjection--knex_sql_injection.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "89"
    5  - id: javascript_aws_lambda_sql_injection
    6  - description: SQL injection vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_sql_injection
    8  - line_number: 6
    9  - filename: knex_sql_injection.js
    10  - parent_line_number: 6
    11  - snippet: |-
    12  - knex.select('user.cart_details')
    13  - .from('users')
    14  - .whereRaw('name = '+ event.user.name)
    15  - fingerprint: a6be1e7b4f812b3709823c952fd60b64_0
    16  - 
    17  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection/.snapshots/TestJavascriptAwsLambdaSqlInjection--mysql2_sql_injection.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "89"
    5  - id: javascript_aws_lambda_sql_injection
    6  - description: SQL injection vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_sql_injection
    8  - line_number: 5
    9  - filename: mysql2_sql_injection.js
    10  - category_groups:
    11  - - PII
    12  - parent_line_number: 5
    13  - snippet: connection.query("SELECT * FROM `user` WHERE name = " + event.customer.name)
    14  - fingerprint: 9f7eccaaec01b46a27078996b374cf28_0
    15  - - rule:
    16  - cwe_ids:
    17  - - "89"
    18  - id: javascript_aws_lambda_sql_injection
    19  - description: SQL injection vulnerability detected.
    20  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_sql_injection
    21  - line_number: 7
    22  - filename: mysql2_sql_injection.js
    23  - category_groups:
    24  - - PII
    25  - parent_line_number: 7
    26  - snippet: asyncConn.execute("SELECT * FROM `admin_users` WHERE ID = " + event.admin.id)
    27  - fingerprint: 9f7eccaaec01b46a27078996b374cf28_1
    28  - - rule:
    29  - cwe_ids:
    30  - - "89"
    31  - id: javascript_aws_lambda_sql_injection
    32  - description: SQL injection vulnerability detected.
    33  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_sql_injection
    34  - line_number: 11
    35  - filename: mysql2_sql_injection.js
    36  - category_groups:
    37  - - PII
    38  - parent_line_number: 11
    39  - snippet: |-
    40  - pool.query("SELECT * FROM users WHERE name = " + event.user_name, function() {
    41  - // do something
    42  - })
    43  - fingerprint: 9f7eccaaec01b46a27078996b374cf28_2
    44  - - rule:
    45  - cwe_ids:
    46  - - "89"
    47  - id: javascript_aws_lambda_sql_injection
    48  - description: SQL injection vulnerability detected.
    49  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_sql_injection
    50  - line_number: 15
    51  - filename: mysql2_sql_injection.js
    52  - category_groups:
    53  - - PII
    54  - parent_line_number: 15
    55  - snippet: |-
    56  - conn.query("SELECT * FROM users WHERE name = " + event.user_name, function() {
    57  - // do something
    58  - })
    59  - fingerprint: 9f7eccaaec01b46a27078996b374cf28_3
    60  - 
    61  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection/.snapshots/TestJavascriptAwsLambdaSqlInjection--ok_no_injection.yml
    1  -{}
    2  - 
    3  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection/.snapshots/TestJavascriptAwsLambdaSqlInjection--pg_sql_injection.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "89"
    5  - id: javascript_aws_lambda_sql_injection
    6  - description: SQL injection vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_sql_injection
    8  - line_number: 8
    9  - filename: pg_sql_injection.js
    10  - parent_line_number: 8
    11  - snippet: client.query('SELECT * FROM users WHERE user.name = ' + event.user.name)
    12  - fingerprint: 1dc8804ee672f7b9a89fb07cd25ca6cf_0
    13  - 
    14  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection/.snapshots/TestJavascriptAwsLambdaSqlInjection--sequelize_sql_injection.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "89"
    5  - id: javascript_aws_lambda_sql_injection
    6  - description: SQL injection vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_aws_lambda_sql_injection
    8  - line_number: 6
    9  - filename: sequelize_sql_injection.js
    10  - parent_line_number: 6
    11  - snippet: sqlite.query(customerQuery)
    12  - fingerprint: 75c54fdb8ef95220030c12d02f1f3220_0
    13  - 
    14  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection/testdata/knex_sql_injection.js
    1  -const knex = require('knex')({
    2  - client: 'mysql',
    3  -})
    4  - 
    5  -exports.handler = async function(event, _context) {
    6  - var cartDetails = knex.select('user.cart_details')
    7  - .from('users')
    8  - .whereRaw('name = '+ event.user.name)
    9  - 
    10  - return cartDetails
    11  -}
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection/testdata/mysql2_sql_injection.js
    1  -const connection = mysql.createConnection({});
    2  -const asyncConn = await mysql.createConnection({});
    3  - 
    4  -exports.handler = async function(event, _context) {
    5  - connection.query("SELECT * FROM `user` WHERE name = " + event.customer.name);
    6  - 
    7  - await asyncConn.execute("SELECT * FROM `admin_users` WHERE ID = " + event.admin.id)
    8  - 
    9  - // pool query
    10  - var pool = mysql.createPool()
    11  - pool.query("SELECT * FROM users WHERE name = " + event.user_name, function() {
    12  - // do something
    13  - })
    14  - pool.getConnection(function(_err, conn) {
    15  - conn.query("SELECT * FROM users WHERE name = " + event.user_name, function() {
    16  - // do something
    17  - })
    18  - pool.releaseConnection(conn)
    19  - })
    20  -}
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection/testdata/ok_no_injection.js
    1  -const { Client } = require('pg')
    2  -const pgClient = new Client({
    3  - // pg client setup
    4  -})
    5  - 
    6  -const knex = require('knex')({
    7  - client: 'mysql',
    8  -})
    9  - 
    10  -const connection = mysql.createConnection({});
    11  -const asyncConn = await mysql.createConnection({});
    12  - 
    13  -exports.handler = async function(_event, _context) {
    14  - var user = getCurrentUser()
    15  - var userRes = pgClient.query('SELECT * FROM users WHERE user.name = ' + user.name)
    16  - var res = knex.select('user.cart_details')
    17  - .from('users')
    18  - .whereRaw('id = '+ userRes.id)
    19  - 
    20  - connection.query("SELECT * FROM `user` WHERE name = " + userRes.name);
    21  - 
    22  - return res
    23  -}
    24  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection/testdata/pg_sql_injection.js
    1  -const { Client } = require('pg')
    2  - 
    3  -const client = new Client({
    4  - // client setup
    5  -})
    6  - 
    7  -exports.handler = async function(event, _context) {
    8  - var user = client.query('SELECT * FROM users WHERE user.name = ' + event.user.name)
    9  - 
    10  - return user
    11  -}
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection/testdata/sequelize_sql_injection.js
    1  -import { Sequelize } from "sequelize";
    2  - 
    3  -exports.handler = async function(event, _context) {
    4  - var sqlite = new Sequelize('sqlite::memory:')
    5  - var customerQuery = "SELECT * FROM customers WHERE status = " + event.customer.status
    6  - sqlite.query(customerQuery)
    7  -}
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection.yml
    1  -patterns:
    2  - - pattern: | # knex function calls
    3  - $<_>.$<METHOD>($<...>$<AWS_LAMBDA_EVENT>$<...>)
    4  - filters:
    5  - - variable: METHOD
    6  - values:
    7  - - raw
    8  - - whereRaw
    9  - - variable: AWS_LAMBDA_EVENT
    10  - detection: javascript_aws_lambda_sql_injection_event
    11  - - pattern: |
    12  - $<PG_CLIENT>.query($<...>$<AWS_LAMBDA_EVENT>$<...>)
    13  - filters:
    14  - - variable: PG_CLIENT
    15  - detection: javascript_aws_lambda_sql_injection_pg_client
    16  - - variable: AWS_LAMBDA_EVENT
    17  - detection: javascript_aws_lambda_sql_injection_event
    18  - - pattern: |
    19  - $<SEQUELIZE>.query($<...>$<AWS_LAMBDA_EVENT>$<...>)
    20  - filters:
    21  - - variable: SEQUELIZE
    22  - detection: javascript_aws_lambda_sql_injection_sequelize_init
    23  - - variable: AWS_LAMBDA_EVENT
    24  - detection: javascript_aws_lambda_sql_injection_event
    25  - - pattern: |
    26  - $<MYSQL_CONN>.$<METHOD>($<...>$<AWS_LAMBDA_EVENT>$<...>)
    27  - filters:
    28  - - variable: MYSQL_CONN
    29  - detection: javascript_aws_lambda_sql_injection_mysql_conn
    30  - - variable: AWS_LAMBDA_EVENT
    31  - detection: javascript_aws_lambda_sql_injection_event
    32  - - variable: METHOD
    33  - values:
    34  - - query
    35  - - execute
    36  - - pattern: |
    37  - $<MYSQL_POOL>.query($<...>$<AWS_LAMBDA_EVENT>$<...>)
    38  - filters:
    39  - - variable: MYSQL_POOL
    40  - detection: javascript_aws_lambda_sql_injection_mysql_pool
    41  - - variable: AWS_LAMBDA_EVENT
    42  - detection: javascript_aws_lambda_sql_injection_event
    43  - - pattern: |
    44  - $<CONN>.query($<AWS_LAMBDA_EVENT>, $<_>)
    45  - filters:
    46  - - variable: CONN
    47  - detection: javascript_aws_lambda_sql_injection_pool_conn
    48  - - variable: AWS_LAMBDA_EVENT
    49  - detection: javascript_aws_lambda_sql_injection_event
    50  -auxiliary:
    51  - - id: javascript_aws_lambda_sql_injection_event
    52  - patterns:
    53  - - event.$<_>
    54  - - id: javascript_aws_lambda_sql_injection_pg_client
    55  - patterns:
    56  - - new Client()
    57  - - id: javascript_aws_lambda_sql_injection_sequelize_init
    58  - patterns:
    59  - - new Sequelize()
    60  - - id: javascript_aws_lambda_sql_injection_mysql_conn
    61  - patterns:
    62  - - mysql.createConnection()
    63  - - await mysql.createConnection()
    64  - - id: javascript_aws_lambda_sql_injection_mysql_pool
    65  - patterns:
    66  - - mysql.createPool()
    67  - - id: javascript_aws_lambda_sql_injection_pool_conn
    68  - patterns:
    69  - - pattern: $<MYSQL_POOL>.getConnection(function($<_>, $<!>$<CONN:identifier>) {})
    70  - filters:
    71  - - variable: MYSQL_POOL
    72  - detection: javascript_express_sql_injection_mysql_pool
    73  -languages:
    74  - - javascript
    75  -severity: high
    76  -metadata:
    77  - description: "SQL injection vulnerability detected."
    78  - remediation_message: |
    79  - ## Description
    80  - Including unsanitized data, such as user input or request data, in raw SQL queries makes your application vulnerable to SQL injection attacks.
    81  - 
    82  - 
    83  - ## Remediations
    84  - 
    85  - Use safe sql libraries methods which sanitze user input
    86  - 
    87  - Sequelize example
    88  - ```javascript
    89  - const { Op } = require("sequelize");
    90  - 
    91  - module.exports= async function(event, context) {
    92  - await Post.findAll({
    93  - where: {
    94  - [Op.or]: [
    95  - { authorId: event.authorID },
    96  - { authorId: 13 }
    97  - ]
    98  - }
    99  - });
    100  - };
    101  - ```
    102  - 
    103  - ## Resources
    104  - - [OWASP sql injection explained](https://owasp.org/www-community/attacks/SQL_Injection)
    105  - 
    106  - cwe_id:
    107  - - 89
    108  - id: "javascript_aws_lambda_sql_injection"
    109  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--no_xss.yml
    1  -{}
    2  - 
    3  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_send_xss.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "79"
    5  - id: javascript_express_cross_site_scripting
    6  - description: Cross-site scripting (XSS) vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_cross_site_scripting
    8  - line_number: 9
    9  - filename: res_send_xss.js
    10  - parent_line_number: 9
    11  - snippet: res.send("<p>" + req.body.customer.name + "</p>")
    12  - fingerprint: 3eb1f59479c43941dd36d28f3c33335b_0
    13  - - rule:
    14  - cwe_ids:
    15  - - "79"
    16  - id: javascript_express_cross_site_scripting
    17  - description: Cross-site scripting (XSS) vulnerability detected.
    18  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_cross_site_scripting
    19  - line_number: 13
    20  - filename: res_send_xss.js
    21  - parent_line_number: 13
    22  - snippet: res.send("<p>" + req.body["user_id"] + "</p>")
    23  - fingerprint: 3eb1f59479c43941dd36d28f3c33335b_1
    24  - 
    25  - 
    pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/.snapshots/TestJavascriptExpressCrossSiteScripting--res_write_xss.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "79"
    5  - id: javascript_express_cross_site_scripting
    6  - description: Cross-site scripting (XSS) vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_cross_site_scripting
    8  - line_number: 10
    9  - filename: res_write_xss.js
    10  - parent_line_number: 10
    11  - snippet: res.write("<h3> Greetings " + customerName + "</h3>")
    12  - fingerprint: 2493e1cfdee1e9a4cdbb36280df10d25_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/no_xss.js
    1  -const express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.get("/good", (_, res) => {
    9  - return res.send("<p>hello world</p>")
    10  -})
    11  - 
    12  -app.get("/good-2", () => {
    13  - // don't match on req params within strings
    14  - return res.send({
    15  - success: false,
    16  - text: `User ${req.params.user_id} not found`,
    17  - })
    18  -})
    19  - 
    20  -app.get("/good-3", () => {
    21  - // don't match on custom req attributes
    22  - const userSettings = req.user.settings
    23  - return res.send(userSettings)
    24  -})
    25  - 
    pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_send_xss.js
    1  -const express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.get("/bad", (req, res) => {
    9  - res.send("<p>" + req.body.customer.name + "</p>")
    10  -})
    11  - 
    12  -app.get("/bad-2", (req, res) => {
    13  - res.send("<p>" + req.body["user_id"] + "</p>")
    14  -})
    15  - 
    pkg/commands/process/settings/rules/javascript/express/cross_site_scripting/testdata/res_write_xss.js
    1  -const express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.get("/bad", (req, res) => {
    9  - var customerName = req.body.customer.name
    10  - res.write("<h3> Greetings " + customerName + "</h3>")
    11  -})
    12  - 
    pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml
    1  -patterns:
    2  - - pattern: |
    3  - res.write($<USER_INPUT>)
    4  - filters:
    5  - - variable: USER_INPUT
    6  - detection: javascript_express_cross_site_scripting_request_obj
    7  - - not:
    8  - variable: USER_INPUT
    9  - detection: javascript_express_cross_site_scripting_string_interpolation
    10  - - pattern: |
    11  - res.send($<USER_INPUT>)
    12  - filters:
    13  - - variable: USER_INPUT
    14  - detection: javascript_express_cross_site_scripting_request_obj
    15  - - not:
    16  - variable: USER_INPUT
    17  - detection: javascript_express_cross_site_scripting_string_interpolation
    18  -languages:
    19  - - javascript
    20  -auxiliary:
    21  - - id: javascript_express_cross_site_scripting_request_obj
    22  - patterns:
    23  - - req.params
    24  - - req.query
    25  - - req.body
    26  - - req.cookies
    27  - - req.headers
    28  - - id: javascript_express_cross_site_scripting_string_interpolation
    29  - patterns:
    30  - - pattern: |
    31  - { $<...>$<_>: $<USER_INPUT>$<...> }
    32  - filters:
    33  - - variable: USER_INPUT
    34  - detection: javascript_express_cross_site_scripting_request_obj
    35  -severity: high
    36  -metadata:
    37  - description: "Cross-site scripting (XSS) vulnerability detected."
    38  - remediation_message: |
    39  - ## Description
    40  - Sending unsanitized user input in a response puts your application at risk of cross-site scripting attacks.
    41  - 
    42  - 
    43  - ## Remediations
    44  - ❌ Avoid including user input directly in a response:
    45  - 
    46  - ```javascript
    47  - res.send(req.body.data)
    48  - ```
    49  - 
    50  - ## Resources
    51  - - [OWASP Cross-Site Scripting (XSS) Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
    52  - cwe_id:
    53  - - 79
    54  - id: "javascript_express_cross_site_scripting"
    55  - 
    pkg/commands/process/settings/rules/javascript/express/default_session_config/.snapshots/TestJavascriptExpressDefaultSessionConfig--default_session_config.yml
    1  -medium:
    2  - - rule:
    3  - cwe_ids:
    4  - - "523"
    5  - - "522"
    6  - id: express_default_session_config
    7  - description: Session cookie with default config detected.
    8  - documentation_url: https://docs.bearer.com/reference/rules/express_default_session_config
    9  - line_number: 9
    10  - filename: default_session_config.js
    11  - parent_line_number: 9
    12  - snippet: '{}'
    13  - fingerprint: 6e2d08aeb03d99a4665c6b2cd7f7531d_0
    14  - 
    15  - 
    pkg/commands/process/settings/rules/javascript/express/default_session_config/.snapshots/TestJavascriptExpressDefaultSessionConfig--ok_session_configured.yml
    1  -{}
    2  - 
    3  - 
    pkg/commands/process/settings/rules/javascript/express/default_session_config/testdata/default_session_config.js
    1  -const session = require("express-session")
    2  -const express = require("express")
    3  -var helmet = require("helmet")
    4  - 
    5  -var app = express()
    6  -app.use(helmet())
    7  -app.use(helmet.hidePoweredBy())
    8  - 
    9  -app.use(session({}))
    10  - 
    pkg/commands/process/settings/rules/javascript/express/default_session_config/testdata/ok_session_configured.js
    1  -const session = require("express-session")
    2  -const express = require("express")
    3  -var helmet = require("helmet")
    4  - 
    5  -var app = express()
    6  -app.use(helmet())
    7  -app.use(helmet.hidePoweredBy())
    8  - 
    9  -app.use(session({ name: "my-custom-session-name" }))
    10  - 
    pkg/commands/process/settings/rules/javascript/express/default_session_config.yml
    1  -patterns:
    2  - - pattern: |
    3  - session($<!>$<HASH_CONTENT>)
    4  - filters:
    5  - - not:
    6  - variable: HASH_CONTENT
    7  - detection: express_default_session_config_name_attribute
    8  -languages:
    9  - - javascript
    10  -auxiliary:
    11  - - id: express_default_session_config_name_attribute
    12  - patterns:
    13  - - |
    14  - { name: $<_> }
    15  -severity: medium
    16  -metadata:
    17  - description: "Session cookie with default config detected."
    18  - remediation_message: |
    19  - ## Description
    20  - To make sure session cookies don't open your application up to exploits or unauthorized access, don't use default cookie values.
    21  - 
    22  - ## Remediations
    23  - ✅ Instead of the default session name, use generic names.
    24  - 
    25  - ## Resources
    26  - - [Express Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely)
    27  - cwe_id:
    28  - - 523
    29  - - 522
    30  - id: "express_default_session_config"
    31  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input/.snapshots/TestJavascriptExpressEvalUserInput--eval.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "94"
    5  - - "95"
    6  - id: javascript_express_eval_user_input
    7  - description: Dangerous use of eval with user input detected
    8  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_eval_user_input
    9  - line_number: 11
    10  - filename: eval.js
    11  - parent_line_number: 11
    12  - snippet: eval(command)
    13  - fingerprint: 4356bf19d1f018abcf6dc272a98faf3f_0
    14  - 
    15  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input/.snapshots/TestJavascriptExpressEvalUserInput--new_function.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "94"
    5  - - "95"
    6  - id: javascript_express_eval_user_input
    7  - description: Dangerous use of eval with user input detected
    8  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_eval_user_input
    9  - line_number: 11
    10  - filename: new_function.js
    11  - parent_line_number: 11
    12  - snippet: new Function(command)
    13  - fingerprint: 1a3f60304bf0a691116875d6c12a647a_0
    14  - 
    15  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input/.snapshots/TestJavascriptExpressEvalUserInput--secure.yml
    1  -{}
    2  - 
    3  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input/.snapshots/TestJavascriptExpressEvalUserInput--set_interval.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "94"
    5  - - "95"
    6  - id: javascript_express_eval_user_input
    7  - description: Dangerous use of eval with user input detected
    8  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_eval_user_input
    9  - line_number: 11
    10  - filename: set_interval.js
    11  - parent_line_number: 11
    12  - snippet: setInterval(command)
    13  - fingerprint: f21a44907bbf50441cfa9ee0cf591d8d_0
    14  - 
    15  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input/.snapshots/TestJavascriptExpressEvalUserInput--set_timeout.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "94"
    5  - - "95"
    6  - id: javascript_express_eval_user_input
    7  - description: Dangerous use of eval with user input detected
    8  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_eval_user_input
    9  - line_number: 11
    10  - filename: set_timeout.js
    11  - parent_line_number: 11
    12  - snippet: setTimeout(command)
    13  - fingerprint: 5eef89bf95395a7573b889545a2c7f8e_0
    14  - 
    15  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input/testdata/eval.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.post("/:id", (req, res) => {
    9  - userInput = req.params.id
    10  - var command = "new Function('" + userInput + "')"
    11  - return eval(command)
    12  -})
    13  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input/testdata/new_function.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.post("/:id", (req, res) => {
    9  - userInput = req.params.id
    10  - var command = "new Function('" + userInput + "')"
    11  - new Function(command)()
    12  -})
    13  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input/testdata/secure.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.post("/:id", (req, res) => {
    9  - userInput = req.params.id
    10  - var command = "new Function('" + userInput + "')"
    11  - new Function(() => {
    12  - command
    13  - })()
    14  -})
    15  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input/testdata/set_interval.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.post("/:id", (req, res) => {
    9  - userInput = req.params.id
    10  - var command = "new Function('" + userInput + "')"
    11  - setInterval(command)
    12  -})
    13  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input/testdata/set_timeout.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.post("/:id", (req, res) => {
    9  - userInput = req.params.id
    10  - var command = "new Function('" + userInput + "')"
    11  - setTimeout(command)
    12  -})
    13  - 
    pkg/commands/process/settings/rules/javascript/express/eval_user_input.yml
    1  -patterns:
    2  - - pattern: |
    3  - eval($<USER_INPUT>)
    4  - filters:
    5  - - variable: USER_INPUT
    6  - detection: javascript_express_eval_user_input_req_object
    7  - - pattern: |
    8  - new Function($<USER_INPUT>)
    9  - filters:
    10  - - variable: USER_INPUT
    11  - detection: javascript_express_eval_user_input_req_object
    12  - - pattern: |
    13  - setTimeout($<USER_INPUT>)
    14  - filters:
    15  - - variable: USER_INPUT
    16  - detection: javascript_express_eval_user_input_req_object
    17  - - pattern: |
    18  - setInterval($<USER_INPUT>)
    19  - filters:
    20  - - variable: USER_INPUT
    21  - detection: javascript_express_eval_user_input_req_object
    22  - - pattern: |
    23  - vm.$<METHOD>($<...>$<USER_INPUT>$<...>)
    24  - filters:
    25  - - variable: METHOD
    26  - values:
    27  - - createContext
    28  - - runInContext
    29  - - runInNewContext
    30  - - runInThisContext
    31  - - compileFunction
    32  - - variable: USER_INPUT
    33  - detection: javascript_express_eval_user_input_req_object
    34  - - pattern: |
    35  - new vm.Script($<...>$<USER_INPUT>$<...>)
    36  - filters:
    37  - - variable: USER_INPUT
    38  - detection: javascript_express_external_resource_req_object
    39  -auxiliary:
    40  - - id: javascript_express_eval_user_input_req_object
    41  - patterns:
    42  - - pattern: $<DATA>
    43  - filters:
    44  - - variable: DATA
    45  - detection: javascript_express_eval_user_input_user_input
    46  - - pattern: const { $<!>$<_> } = $<DATA>
    47  - filters:
    48  - - variable: DATA
    49  - detection: javascript_express_eval_user_input_user_input
    50  - - id: javascript_express_eval_user_input_user_input
    51  - patterns:
    52  - - req.params
    53  - - req.query
    54  - - req.body
    55  - - req.cookies
    56  - - req.headers
    57  -languages:
    58  - - javascript
    59  -severity: high
    60  -metadata:
    61  - description: "Dangerous use of eval with user input detected"
    62  - remediation_message: |
    63  - ## Description
    64  - Using `eval` (and similar code execution methods such as `setTimeout`) with user input is dangerous and can lead to remote code execution.
    65  - 
    66  - ## Remediation
    67  - ❌ As a general rule, avoid using `eval`.
    68  - 
    69  - ❌ Avoid using code execution methods with unsanitized user input.
    70  - 
    71  - Instead, it might be possible to use dynamic hardcoded values:
    72  - ```javascript
    73  - app.post("/:id", (req, res) => {
    74  - let myFunc = "(a, b) => a + b"
    75  - if req.params["single_item"] {
    76  - myFunc = "(a) => a"
    77  - }
    78  - 
    79  - setTimeout(myFunc);
    80  - };
    81  - ```
    82  - or pass user input to a compiled function, instead of compiling it with user input.
    83  - ```javascript
    84  - app.post("/:id", (req, res) => {
    85  - let myFunc = "(a, b) => a + b"
    86  - let compiledFunction = vm.compileFunction(myFunc);
    87  - compiledFunction(req.params["pageCount"], req.params["appendixPageCount"])
    88  - };
    89  - ```
    90  - 
    91  - ✅ Use JavaScript's strict mode as best practice and to minimize the reach of code execution methods
    92  - 
    93  - ```javascript
    94  - "use strict"
    95  - 
    96  - app.post("/:id", (req, res) => {
    97  - ...
    98  - })
    99  - ```
    100  - 
    101  - ## Resources
    102  - - [MDN JavaScript strict mode reference](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Strict_mode)
    103  - cwe_id:
    104  - - 94
    105  - - 95
    106  - id: "javascript_express_eval_user_input"
    107  - 
    pkg/commands/process/settings/rules/javascript/express/exposed_dir_listing/.snapshots/TestJavascriptExpressExposedDirListing--ok_app_use.yml
    1  -{}
    2  - 
    3  - 
    pkg/commands/process/settings/rules/javascript/express/exposed_dir_listing/.snapshots/TestJavascriptExpressExposedDirListing--serve_index_in_app_use.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "548"
    5  - id: javascript_express_exposed_dir_listing
    6  - description: Missing access restriction to directory listing detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_exposed_dir_listing
    8  - line_number: 9
    9  - filename: serve_index_in_app_use.js
    10  - parent_line_number: 9
    11  - snippet: app.use("/public", serveIndex(__dirname + "files"))
    12  - fingerprint: efd43e5683e7db7fda30a3a810ebcabb_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/exposed_dir_listing/testdata/ok_app_use.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.use("/ftp", express.static("public/ftp"))
    9  - 
    10  -app.listen(3000)
    11  - 
    pkg/commands/process/settings/rules/javascript/express/exposed_dir_listing/testdata/serve_index_in_app_use.js
    1  -var serveIndex = require("serve-index")
    2  -var express = require("express")
    3  -var helmet = require("helmet")
    4  - 
    5  -var app = express()
    6  -app.use(helmet())
    7  -app.use(helmet.hidePoweredBy())
    8  - 
    9  -app.use("/public", serveIndex(__dirname + "files"))
    10  - 
    11  -app.listen(3000)
    12  - 
    pkg/commands/process/settings/rules/javascript/express/exposed_dir_listing.yml
    1  -patterns:
    2  - - pattern: |
    3  - app.use($<...>serveIndex()$<...>)
    4  -languages:
    5  - - javascript
    6  -metadata:
    7  - description: "Missing access restriction to directory listing detected."
    8  - remediation_message: |
    9  - ## Description
    10  - Inappropriate exposure of a directory listing could give attackers access to sensitive data or source code, either directly or through exploitation of an exposed file structure.
    11  - 
    12  - ## Remediations
    13  - ✅ Restrict access to sensitive directories and files
    14  - 
    15  - ## Resources
    16  - - [Express Serve index middleware](https://expressjs.com/en/resources/middleware/serve-index.html)
    17  - cwe_id:
    18  - - 548
    19  - id: "javascript_express_exposed_dir_listing"
    20  - 
    pkg/commands/process/settings/rules/javascript/express/external_file_upload/.snapshots/TestJavascriptExpressExternalFileUpload--ok_send_file.yml
    1  -{}
    2  - 
    3  - 
    pkg/commands/process/settings/rules/javascript/express/external_file_upload/.snapshots/TestJavascriptExpressExternalFileUpload--send_file_with_external_input.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "22"
    5  - id: javascript_express_path_traversal
    6  - description: Possible path traversal vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_path_traversal
    8  - line_number: 13
    9  - filename: send_file_with_external_input.js
    10  - parent_line_number: 13
    11  - snippet: path.resolve(file)
    12  - fingerprint: 0f96ceab826cffb4000a8469699f0a26_0
    13  - - rule:
    14  - cwe_ids:
    15  - - "22"
    16  - id: javascript_express_path_traversal
    17  - description: Possible path traversal vulnerability detected.
    18  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_path_traversal
    19  - line_number: 15
    20  - filename: send_file_with_external_input.js
    21  - parent_line_number: 15
    22  - snippet: path.join(__dirname, req.params.root)
    23  - fingerprint: 0f96ceab826cffb4000a8469699f0a26_1
    24  -low:
    25  - - rule:
    26  - cwe_ids:
    27  - - "73"
    28  - id: javascript_express_external_file_upload
    29  - description: External control of filename or path detected.
    30  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_external_file_upload
    31  - line_number: 12
    32  - filename: send_file_with_external_input.js
    33  - parent_line_number: 12
    34  - snippet: res.sendFile(file)
    35  - fingerprint: 594fb35e8692ca06ee83e8313e32ec58_0
    36  - - rule:
    37  - cwe_ids:
    38  - - "73"
    39  - id: javascript_express_external_file_upload
    40  - description: External control of filename or path detected.
    41  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_external_file_upload
    42  - line_number: 13
    43  - filename: send_file_with_external_input.js
    44  - parent_line_number: 13
    45  - snippet: res.sendFile(path.resolve(file))
    46  - fingerprint: 594fb35e8692ca06ee83e8313e32ec58_1
    47  - - rule:
    48  - cwe_ids:
    49  - - "73"
    50  - id: javascript_express_external_file_upload
    51  - description: External control of filename or path detected.
    52  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_external_file_upload
    53  - line_number: 14
    54  - filename: send_file_with_external_input.js
    55  - parent_line_number: 14
    56  - snippet: res.sendFile(req.params.file, {}, () => {})
    57  - fingerprint: 594fb35e8692ca06ee83e8313e32ec58_2
    58  - - rule:
    59  - cwe_ids:
    60  - - "73"
    61  - id: javascript_express_external_file_upload
    62  - description: External control of filename or path detected.
    63  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_external_file_upload
    64  - line_number: 15
    65  - filename: send_file_with_external_input.js
    66  - parent_line_number: 15
    67  - snippet: 'res.sendFile("file.txt", { root: path.join(__dirname, req.params.root) })'
    68  - fingerprint: 594fb35e8692ca06ee83e8313e32ec58_3
    69  - 
    70  - 
    pkg/commands/process/settings/rules/javascript/express/external_file_upload/testdata/ok_send_file.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.get("/", function (_, res) {
    9  - res.sendFile("index.js")
    10  - res.sendFile(req.params.file, { root: path.join(__dirname, "public") })
    11  -})
    12  - 
    pkg/commands/process/settings/rules/javascript/express/external_file_upload/testdata/send_file_with_external_input.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  -var path = require("path")
    8  - 
    9  -app.get("/", function (req, res) {
    10  - var file = req.params.file
    11  - 
    12  - res.sendFile(file)
    13  - res.sendFile(path.resolve(file))
    14  - res.sendFile(req.params.file, {}, () => {})
    15  - res.sendFile("file.txt", { root: path.join(__dirname, req.params.root) })
    16  -})
    17  - 
    pkg/commands/process/settings/rules/javascript/express/external_file_upload.yml
    1  -patterns:
    2  - - pattern: res.sendFile($<EXPRESS_REQ>)
    3  - filters:
    4  - - variable: EXPRESS_REQ
    5  - detection: javascript_express_external_file_upload_request_obj
    6  - - pattern: res.sendFile($<EXPRESS_REQ>, $<OPTIONS>$<...>)
    7  - filters:
    8  - - not:
    9  - variable: OPTIONS
    10  - detection: javascript_express_external_file_upload_root_option_not_request_obj
    11  - - pattern: res.sendFile($<_>, $<EXPRESS_REQ>$<...>)
    12  - filters:
    13  - - variable: EXPRESS_REQ
    14  - detection: javascript_express_external_file_upload_request_obj
    15  -languages:
    16  - - javascript
    17  -auxiliary:
    18  - - id: javascript_express_external_file_upload_request_obj
    19  - patterns:
    20  - - req.$<_>
    21  - - id: javascript_express_external_file_upload_root_option
    22  - patterns:
    23  - - |
    24  - { root: $<_> }
    25  - - id: javascript_express_external_file_upload_root_option_not_request_obj
    26  - patterns:
    27  - - pattern: $<OPTIONS>
    28  - filters:
    29  - - variable: OPTIONS
    30  - detection: javascript_express_external_file_upload_root_option
    31  - - not:
    32  - variable: OPTIONS
    33  - detection: javascript_express_external_file_upload_request_obj
    34  -metadata:
    35  - description: "External control of filename or path detected."
    36  - remediation_message: |
    37  - ## Description
    38  - Passing unsanitized user input to the sendFile API is bad practice and can lead to path manipulation, by which attackers can gain access to resources and data outside of the intended scope.
    39  - 
    40  - ## Remediations
    41  - ✅ Set the root option to be an absolute path to a directory
    42  - 
    43  - ```javascript
    44  - app.post("/upload", (req, res) => {
    45  - var options = {
    46  - root: path.join(__dirname, "upload")
    47  - }
    48  - res.sendFile(req.params.filename, options)
    49  - }
    50  - ```
    51  - 
    52  - ## Resources
    53  - - [Express sendFile API reference](http://expressjs.com/en/5x/api.html#res.sendFile)
    54  - cwe_id:
    55  - - 73
    56  - id: "javascript_express_external_file_upload"
    57  - 
    pkg/commands/process/settings/rules/javascript/express/external_resource/.snapshots/TestJavascriptExpressExternalResource--ok_known_resource.yml
    1  -{}
    2  - 
    3  - 
    pkg/commands/process/settings/rules/javascript/express/external_resource/.snapshots/TestJavascriptExpressExternalResource--render_external_resource.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "706"
    5  - id: javascript_express_external_resource
    6  - description: Rendering of resources resolved from external name or reference detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_external_resource
    8  - line_number: 9
    9  - filename: render_external_resource.js
    10  - parent_line_number: 9
    11  - snippet: 'res.render(req.query.path + "/results", { page: 1 })'
    12  - fingerprint: 2f7ac51ec38f8eabaefac03b062ee2a5_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/external_resource/.snapshots/TestJavascriptExpressExternalResource--require_destructured_resource.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "706"
    5  - id: javascript_express_external_resource
    6  - description: Rendering of resources resolved from external name or reference detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_external_resource
    8  - line_number: 7
    9  - filename: require_destructured_resource.js
    10  - parent_line_number: 7
    11  - snippet: require(path)
    12  - fingerprint: 51966377a661b135eca899b43ac2c343_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/external_resource/.snapshots/TestJavascriptExpressExternalResource--require_external_resource.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "706"
    5  - id: javascript_express_external_resource
    6  - description: Rendering of resources resolved from external name or reference detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_external_resource
    8  - line_number: 10
    9  - filename: require_external_resource.js
    10  - parent_line_number: 10
    11  - snippet: require(req.query.user.path)
    12  - fingerprint: 243b0f1b2464343e18b09e3adb02d4fa_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/external_resource/testdata/ok_known_resource.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.get("/good", (_req, res) => {
    9  - var internalPath = "/safe-resource"
    10  - try {
    11  - require(internalPath)
    12  - } catch (err) {
    13  - // handle error
    14  - }
    15  - 
    16  - return res.render(internalPath + "/results", { page: res.params.page })
    17  -})
    18  - 
    pkg/commands/process/settings/rules/javascript/express/external_resource/testdata/render_external_resource.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.get("/bad", (req, res) => {
    9  - return res.render(req.query.path + "/results", { page: 1 })
    10  -})
    11  - 
    pkg/commands/process/settings/rules/javascript/express/external_resource/testdata/require_destructured_resource.js
    1  -require(path);
    2  - 
    3  -app.get("/bad", (req, _res) => {
    4  - try {
    5  - const { path } = req.query;
    6  - 
    7  - require(path);
    8  - } catch (err) {
    9  - // handle error
    10  - }
    11  -});
    12  - 
    pkg/commands/process/settings/rules/javascript/express/external_resource/testdata/require_external_resource.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.get("/bad", (req, _res) => {
    9  - try {
    10  - require(req.query.user.path)
    11  - } catch (err) {
    12  - // handle error
    13  - }
    14  -})
    15  - 
    pkg/commands/process/settings/rules/javascript/express/external_resource.yml
    1  -patterns:
    2  - - pattern: |
    3  - require($<USER_INPUT>)
    4  - filters:
    5  - - variable: USER_INPUT
    6  - detection: javascript_express_external_resource_req_object
    7  - - pattern: |
    8  - res.render($<USER_INPUT>$<...>)
    9  - filters:
    10  - - variable: USER_INPUT
    11  - detection: javascript_express_external_resource_req_object
    12  -languages:
    13  - - javascript
    14  -auxiliary:
    15  - - id: javascript_express_external_resource_req_object
    16  - patterns:
    17  - - pattern: $<DATA>
    18  - filters:
    19  - - variable: DATA
    20  - detection: javascript_express_external_resource_user_input
    21  - - pattern: const { $<!>$<_> } = $<DATA>
    22  - filters:
    23  - - variable: DATA
    24  - detection: javascript_express_external_resource_user_input
    25  - - id: javascript_express_external_resource_user_input
    26  - patterns:
    27  - - req.params
    28  - - req.query
    29  - - req.body
    30  - - req.cookies
    31  - - req.headers
    32  -metadata:
    33  - description: "Rendering of resources resolved from external name or reference detected."
    34  - remediation_message: |
    35  - ## Description
    36  - Using raw unsanitized input when rendering resources is bad practice.
    37  - 
    38  - ## Remediations
    39  - ❌ Avoid passing user or request input to res.render() or require().
    40  - 
    41  - ✅ Sanitize the input or use a safelist
    42  - 
    43  - Where it is unavoidable to rely on user input, sanitize the input or use a safelist to keep the rendered resources within the expected scope.
    44  - 
    45  - ```javascript
    46  - var path = req.body.path
    47  - if (['users', 'posts', 'pages'].includes(path)) {
    48  - return res.render(`${path}/success`)
    49  - }
    50  - ```
    51  - cwe_id:
    52  - - 706
    53  - id: "javascript_express_external_resource"
    54  - 
    pkg/commands/process/settings/rules/javascript/express/hardcoded_secret/.snapshots/TestJavascriptExpressHardCodedSecret--hardcoded_secret_in_jwt.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "798"
    5  - id: javascript_express_hardcoded_secret
    6  - description: Hard-coded secret detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_hardcoded_secret
    8  - line_number: 13
    9  - filename: hardcoded_secret_in_jwt.js
    10  - parent_line_number: 13
    11  - snippet: 'expressjwt({ secret: "my-hardcoded-secret" })'
    12  - fingerprint: 2cc672715c780e2810ceae27cfb8da28_0
    13  - - rule:
    14  - cwe_ids:
    15  - - "798"
    16  - id: javascript_express_hardcoded_secret
    17  - description: Hard-coded secret detected.
    18  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_hardcoded_secret
    19  - line_number: 21
    20  - filename: hardcoded_secret_in_jwt.js
    21  - parent_line_number: 21
    22  - snippet: 'jwt({ secret: secret })'
    23  - fingerprint: 2cc672715c780e2810ceae27cfb8da28_1
    24  - 
    25  - 
    pkg/commands/process/settings/rules/javascript/express/hardcoded_secret/.snapshots/TestJavascriptExpressHardCodedSecret--hardcoded_secret_in_session.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "798"
    5  - id: javascript_express_hardcoded_secret
    6  - description: Hard-coded secret detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_hardcoded_secret
    8  - line_number: 12
    9  - filename: hardcoded_secret_in_session.js
    10  - parent_line_number: 12
    11  - snippet: |-
    12  - session({
    13  - name: "my-custom-session-name",
    14  - secret: "my-hardcoded-secret",
    15  - })
    16  - fingerprint: c6a20f6353ebb42121ee05d097e00c27_0
    17  - - rule:
    18  - cwe_ids:
    19  - - "798"
    20  - id: javascript_express_hardcoded_secret
    21  - description: Hard-coded secret detected.
    22  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_hardcoded_secret
    23  - line_number: 23
    24  - filename: hardcoded_secret_in_session.js
    25  - parent_line_number: 23
    26  - snippet: session(sessionConfig)
    27  - fingerprint: c6a20f6353ebb42121ee05d097e00c27_1
    28  - 
    29  - 
    pkg/commands/process/settings/rules/javascript/express/hardcoded_secret/.snapshots/TestJavascriptExpressHardCodedSecret--ok_no_hardcoded_secrets.yml
    1  -{}
    2  - 
    3  - 
    pkg/commands/process/settings/rules/javascript/express/hardcoded_secret/testdata/hardcoded_secret_in_jwt.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  -const jwt = expressjwt
    8  - 
    9  -app = express.app()
    10  - 
    11  -app.get(
    12  - "/bad",
    13  - expressjwt({ secret: "my-hardcoded-secret" }),
    14  - function (_req, res) {
    15  - res.sendStatus(200)
    16  - }
    17  -)
    18  - 
    19  -var secret = "my-hardcoded-secret"
    20  - 
    21  -app.get("/bad-2", jwt({ secret: secret }), function (_req, res) {
    22  - res.sendStatus(200)
    23  -})
    24  - 
    pkg/commands/process/settings/rules/javascript/express/hardcoded_secret/testdata/hardcoded_secret_in_session.js
    1  -import { session } from "express-session"
    2  -var express = require("express")
    3  -var helmet = require("helmet")
    4  - 
    5  -var app = express()
    6  -app.use(helmet())
    7  -app.use(helmet.hidePoweredBy())
    8  - 
    9  -app = express.app()
    10  - 
    11  -app.use(
    12  - session({
    13  - name: "my-custom-session-name",
    14  - secret: "my-hardcoded-secret",
    15  - })
    16  -)
    17  - 
    18  -var sessionConfig = {
    19  - name: "my-custom-session-name",
    20  - secret: "hardcoded-secret",
    21  -}
    22  - 
    23  -app.use(session(sessionConfig))
    24  - 
    25  -var sessionConfig = {
    26  - name: "my-custom-session-name",
    27  - secret: "",
    28  -}
    29  - 
    30  -app.use(session(sessionConfig))
    31  - 
    pkg/commands/process/settings/rules/javascript/express/hardcoded_secret/testdata/ok_no_hardcoded_secrets.js
    1  -import { jwt } from "express-jwt"
    2  -var express = require("express")
    3  -var helmet = require("helmet")
    4  - 
    5  -var app = express()
    6  -app.use(helmet())
    7  -app.use(helmet.hidePoweredBy())
    8  - 
    9  -app = express.app()
    10  - 
    11  -app.get("/ok", jwt({ secret: config.get("my-secret") }), function (_req, res) {
    12  - res.sendStatus(200)
    13  -})
    14  - 
    15  -var secret = process.env.SAFE_SECRET
    16  - 
    17  -app.get("/ok", jwt({ secret: secret }), function (_req, res) {
    18  - res.sendStatus(200)
    19  -})
    20  - 
    21  -app.use(
    22  - session({
    23  - secret: config.secret,
    24  - name: "my-custom-session-name",
    25  - })
    26  -)
    27  - 
    28  -var sessionConfig = {
    29  - name: "my-custom-session-name",
    30  - secret: process.env.SAFE_SECRET,
    31  -}
    32  - 
    33  -app.use(session(sessionConfig))
    34  - 
    pkg/commands/process/settings/rules/javascript/express/hardcoded_secret.yml
    1  -patterns:
    2  - - pattern: |
    3  - $<MODULE>($<HARDCODED_SECRET_IN_HASH>)
    4  - filters:
    5  - - variable: MODULE
    6  - values:
    7  - - jwt
    8  - - expressjwt
    9  - - session
    10  - - variable: HARDCODED_SECRET_IN_HASH
    11  - detection: javascript_express_hardcoded_secret_in_hash
    12  -languages:
    13  - - javascript
    14  -auxiliary:
    15  - - id: javascript_express_hardcoded_secret_in_hash
    16  - patterns:
    17  - - pattern: |
    18  - { secret: $<STRING_LITERAL> }
    19  - filters:
    20  - - variable: STRING_LITERAL
    21  - detection: string_literal
    22  - contains: false
    23  -severity: high
    24  -metadata:
    25  - description: "Hard-coded secret detected."
    26  - remediation_message: |
    27  - ## Description
    28  - Code is not a secure place to store hard-coded secrets. Use environment variables instead.
    29  - 
    30  - ## Remediations
    31  - ✅ Use environment variables and a secret management system instead
    32  - 
    33  - ```javascript
    34  - app.use(
    35  - session({
    36  - secret: process.env.secret,
    37  - name: "my-custom-session-name",
    38  - })
    39  - )
    40  - ```
    41  - 
    42  - ## Resources
    43  - - [OWASP hardcoded passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
    44  - cwe_id:
    45  - - 798
    46  - id: "javascript_express_hardcoded_secret"
    47  - 
    pkg/commands/process/settings/rules/javascript/express/helmet_missing/.snapshots/TestJavascriptHelmetMissing--secure.yml
    1  -{}
    2  - 
    3  - 
    pkg/commands/process/settings/rules/javascript/express/helmet_missing/.snapshots/TestJavascriptHelmetMissing--unsecure.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "693"
    5  - id: javascript_express_helmet_missing
    6  - description: Security misconfiguration detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_helmet_missing
    8  - line_number: 4
    9  - filename: unsecure.js
    10  - parent_line_number: 4
    11  - snippet: express()
    12  - fingerprint: 11025b35d18975e9334681b65859fe26_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/helmet_missing/testdata/secure.js
    1  -const express = require("express")
    2  -const helmet = require("helmet")
    3  - 
    4  -const app = express()
    5  -app.use(helmet())
    6  -// app.use(helmet.contentSecurityPolicy());
    7  -// app.use(helmet.crossOriginEmbedderPolicy());
    8  -// app.use(helmet.crossOriginOpenerPolicy());
    9  -// app.use(helmet.crossOriginResourcePolicy());
    10  -// app.use(helmet.dnsPrefetchControl());
    11  -// app.use(helmet.frameguard());
    12  -// app.use(helmet.hsts());
    13  -// app.use(helmet.ieNoOpen());
    14  -// app.use(helmet.noSniff());
    15  -// app.use(helmet.originAgentCluster());
    16  -// app.use(helmet.permittedCrossDomainPolicies());
    17  -// app.use(helmet.referrerPolicy());
    18  -// app.use(helmet.xssFilter());
    19  -// app.use(helmet.hidePoweredBy());
    20  - 
    21  -app.disable("x-powered-by")
    22  - 
    pkg/commands/process/settings/rules/javascript/express/helmet_missing/testdata/unsecure.js
    1  -const express = require("express")
    2  -const cors = require("cors")
    3  - 
    4  -const app = express()
    5  -app.use(express.json())
    6  -app.use(cors())
    7  -// app.use(helmet.contentSecurityPolicy());
    8  -// app.use(helmet.crossOriginEmbedderPolicy());
    9  -// app.use(helmet.crossOriginOpenerPolicy());
    10  -// app.use(helmet.crossOriginResourcePolicy());
    11  -// app.use(helmet.dnsPrefetchControl());
    12  -// app.use(helmet.frameguard());
    13  -// app.use(helmet.hsts());
    14  -// app.use(helmet.ieNoOpen());
    15  -// app.use(helmet.noSniff());
    16  -// app.use(helmet.originAgentCluster());
    17  -// app.use(helmet.permittedCrossDomainPolicies());
    18  -// app.use(helmet.referrerPolicy());
    19  -// app.use(helmet.xssFilter());
    20  - 
    21  -// app.use(helmet.hidePoweredBy());
    22  -app.disable("x-powered-by")
    23  - 
    pkg/commands/process/settings/rules/javascript/express/helmet_missing.yml
    1  -patterns:
    2  - - pattern: |
    3  - $<EXPRESS>.use($<FUNCTION_CALL>)
    4  - filters:
    5  - - variable: EXPRESS
    6  - detection: javascript_express_helmet_express_init
    7  - - variable: FUNCTION_CALL
    8  - detection: javascript_express_helmet_configuration
    9  -auxiliary:
    10  - - id: javascript_express_helmet_express_init
    11  - patterns:
    12  - - express()
    13  - - id: javascript_express_helmet_configuration
    14  - patterns:
    15  - - helmet()
    16  - - helmet.$<_>()
    17  -languages:
    18  - - javascript
    19  -trigger:
    20  - match_on: absence
    21  - required_detection: javascript_express_helmet_express_init
    22  -metadata:
    23  - description: "Security misconfiguration detected."
    24  - remediation_message: |
    25  - ## Description
    26  - 
    27  - Helmet can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately.
    28  - 
    29  - ## Remediations
    30  - 
    31  - ✅ Use Helmet middleware
    32  - 
    33  - ```javascript
    34  - const helmet = require("helmet")
    35  - app.use(helmet())
    36  - ```
    37  - 
    38  - ## Resources
    39  - 
    40  - - [Express Security Best Practices: Use Helmet](https://expressjs.com/en/advanced/best-practice-security.html#use-helmet)
    41  - cwe_id:
    42  - - 693
    43  - id: javascript_express_helmet_missing
    44  - 
    pkg/commands/process/settings/rules/javascript/express/https_protocol_missing/.snapshots/TestJavascriptExpressHttpsProtocolMissing--secure.yml
    1  -{}
    2  - 
    3  - 
    pkg/commands/process/settings/rules/javascript/express/https_protocol_missing/.snapshots/TestJavascriptExpressHttpsProtocolMissing--unsecure.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "693"
    5  - id: javascript_express_https_protocol_missing
    6  - description: Missing https protocol detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_https_protocol_missing
    8  - line_number: 1
    9  - filename: unsecure.js
    10  - parent_line_number: 1
    11  - snippet: http.createServer(app)
    12  - fingerprint: 9dbac220e51ce9ebb2d92d094a8767b0_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/https_protocol_missing/testdata/secure.js
    1  -https.createServer(httpsOptions, app).listen(port, () => {
    2  - console.log("hello world");
    3  -});
    pkg/commands/process/settings/rules/javascript/express/https_protocol_missing/testdata/unsecure.js
    1  -http.createServer(app).listen(port, () => {
    2  - console.log("hello world");
    3  -});
    pkg/commands/process/settings/rules/javascript/express/https_protocol_missing.yml
    1  -patterns:
    2  - - pattern: |
    3  - https.createServer()
    4  -auxiliary:
    5  - - id: javascript_express_https_protocol_missing_http_server
    6  - patterns:
    7  - - $<_>.createServer()
    8  -languages:
    9  - - javascript
    10  -trigger:
    11  - match_on: absence
    12  - required_detection: javascript_express_https_protocol_missing_http_server
    13  -metadata:
    14  - description: "Missing https protocol detected."
    15  - remediation_message: |
    16  - ## Description
    17  - Use HTTPS wherever possible. HTTPS uses the TLS (Transport Layer Security) protocol to encrypt communication, making it more secure than HTTP.
    18  - 
    19  - ## Remediations
    20  - ✅ Use the `https` module when calling `createServer()`
    21  - 
    22  - ```javascript
    23  - var https = require('https');
    24  - var express = require('express');
    25  - var app = express();
    26  - 
    27  - var httpsServer = https.createServer(app)
    28  - httpsServer.listen(8080);
    29  - ```
    30  - 
    31  - ## Resources
    32  - - [Express Security Best Practices: use TLS](https://expressjs.com/en/advanced/best-practice-security.html#use-tls)
    33  - cwe_id:
    34  - - 693
    35  - id: javascript_express_https_protocol_missing
    36  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_allow_origin/.snapshots/TestJavascriptExpressInsecureAllowOrigin--insecure_allow_origin.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "346"
    5  - id: javascript_express_insecure_allow_origin
    6  - description: Insecure Access-Control-Allow-Origin detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_allow_origin
    8  - line_number: 10
    9  - filename: insecure_allow_origin.js
    10  - parent_line_number: 10
    11  - snippet: 'res.writeHead(200, { "Access-Control-Allow-Origin": req.params.origin })'
    12  - fingerprint: 19c05a0d479a5540caf71df5e2429b58_0
    13  - - rule:
    14  - cwe_ids:
    15  - - "346"
    16  - id: javascript_express_insecure_allow_origin
    17  - description: Insecure Access-Control-Allow-Origin detected.
    18  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_allow_origin
    19  - line_number: 11
    20  - filename: insecure_allow_origin.js
    21  - parent_line_number: 11
    22  - snippet: res.set("access-control-allow-origin", origin)
    23  - fingerprint: 19c05a0d479a5540caf71df5e2429b58_1
    24  - 
    25  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_allow_origin/.snapshots/TestJavascriptExpressInsecureAllowOrigin--secure.yml
    1  -{}
    2  - 
    3  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_allow_origin/testdata/insecure_allow_origin.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.get("/insecure", (req, res) => {
    9  - var origin = req.params.origin
    10  - res.writeHead(200, { "Access-Control-Allow-Origin": req.params.origin })
    11  - res.set("access-control-allow-origin", origin)
    12  -})
    13  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_allow_origin/testdata/secure.js
    1  -var express = require("express")
    2  -var helmet = require("helmet")
    3  - 
    4  -var app = express()
    5  -app.use(helmet())
    6  -app.use(helmet.hidePoweredBy())
    7  - 
    8  -app.get("/secure", (req, res) => {
    9  - var origin = "https://some-origin"
    10  - res.writeHead(200, { "Access-Control-Allow-Origin": "https://mish.bear" })
    11  - res.set("access-control-allow-origin", origin)
    12  -})
    13  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_allow_origin.yml
    1  -patterns:
    2  - - pattern: |
    3  - res.$<METHOD>($<ORIGIN>, $<USER_INPUT>)
    4  - filters:
    5  - - variable: METHOD
    6  - values:
    7  - - set
    8  - - header
    9  - - variable: ORIGIN
    10  - regex: (?i)['"]access-control-allow-origin["']
    11  - - variable: USER_INPUT
    12  - detection: javascript_express_insecure_allow_origin_req_object
    13  - - pattern: |
    14  - res.writeHead($<_>, $<INSECURE_CORS_HASH>)
    15  - filters:
    16  - - variable: INSECURE_CORS_HASH
    17  - detection: javascript_express_insecure_allow_origin_insecure_cors_hash
    18  -languages:
    19  - - javascript
    20  -auxiliary:
    21  - - id: javascript_express_insecure_allow_origin_req_object
    22  - patterns:
    23  - - pattern: $<DATA>
    24  - filters:
    25  - - variable: DATA
    26  - detection: javascript_express_insecure_allow_origin_user_input
    27  - - pattern: const { $<!>$<_> } = $<DATA>
    28  - filters:
    29  - - variable: DATA
    30  - detection: javascript_express_insecure_allow_origin_user_input
    31  - - id: javascript_express_insecure_allow_origin_user_input
    32  - patterns:
    33  - - req.params
    34  - - req.query
    35  - - req.body
    36  - - req.cookies
    37  - - req.headers
    38  - - id: javascript_express_insecure_allow_origin_insecure_cors_hash
    39  - patterns:
    40  - - pattern: |
    41  - { $<ORIGIN>: $<USER_INPUT> }
    42  - filters:
    43  - - variable: ORIGIN
    44  - regex: (?i)['"]access-control-allow-origin["']
    45  - - variable: USER_INPUT
    46  - detection: javascript_express_external_resource_req_object
    47  -metadata:
    48  - description: "Insecure Access-Control-Allow-Origin detected."
    49  - remediation_message: |
    50  - ## Description
    51  - Do not use unverified user-defined input to define Access-Control-Allow-Origin. This can lead to unintended user access to sensitive data.
    52  - 
    53  - ## Remediations
    54  - ❌ Avoid defining origins with user input wherever possible.
    55  - 
    56  - ✅ If unavoidable, be sure to verify the input or to use a safe-list.
    57  - 
    58  - ## Resources
    59  - - [OWASP Origin & Access-Control-Allow-Origin](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing)
    60  - cwe_id:
    61  - - 346
    62  - id: "javascript_express_insecure_allow_origin"
    63  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_cookie.yml
    1  -patterns:
    2  - - pattern: |
    3  - {
    4  - cookie: {
    5  - $<!>secure: false
    6  - }
    7  - }
    8  - - pattern: |
    9  - {
    10  - cookie: {
    11  - $<!>httpOnly: true
    12  - }
    13  - }
    14  - - pattern: |
    15  - cookieSession({
    16  - $<!>secure: false
    17  - })
    18  - - pattern: |
    19  - cookieSession({
    20  - $<!>httpOnly: true
    21  - })
    22  -languages:
    23  - - javascript
    24  -metadata:
    25  - description: "Missing secure options for cookie detected."
    26  - remediation_message: |
    27  - ## Description
    28  - To make sure cookies don't open your application up to exploits or unauthorized access, make sure to set security options appropriately.
    29  - 
    30  - ## Remediations
    31  - ✅ Set cookie security values to use HTTP(S) instead of client-side javascript.
    32  - 
    33  - ✅ Set `secure` values to `true` to force cookies to only send over HTTPS.
    34  - 
    35  - ## Resources
    36  - - [Express Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely)
    37  - cwe_id:
    38  - - 1004
    39  - - 614
    40  - id: "express_insecure_cookie"
    41  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_dot_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 11
    9  - filename: insecure_dot_template.js
    10  - parent_line_number: 11
    11  - snippet: doT.template(req.params.template)
    12  - fingerprint: 0f8f283606c409ca80b84f947751fc31_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_ejs_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 11
    9  - filename: insecure_ejs_template.js
    10  - parent_line_number: 11
    11  - snippet: ejs.compile(req.body.user, options)
    12  - fingerprint: e77e3991805c5dddd3dbadf5173a120a_0
    13  - - rule:
    14  - cwe_ids:
    15  - - "1336"
    16  - id: javascript_express_insecure_template_rendering
    17  - description: Insecure template rendering detected.
    18  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    19  - line_number: 16
    20  - filename: insecure_ejs_template.js
    21  - parent_line_number: 16
    22  - snippet: ejs.render(req.params.name, data, options)
    23  - fingerprint: e77e3991805c5dddd3dbadf5173a120a_1
    24  - 
    25  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_eta_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 12
    9  - filename: insecure_eta_template.js
    10  - parent_line_number: 12
    11  - snippet: 'Eta.render(req.params, { name: "insecure" })'
    12  - fingerprint: c480cdfce4e8383eacfbe5e53bb95e0d_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_express_hbs_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 13
    9  - filename: insecure_express_hbs_template.js
    10  - parent_line_number: 13
    11  - snippet: hbs.renderView(req.params.viewPath, options, (err) => {})
    12  - fingerprint: b81dcff685fe53ed72ee08efc5b4e328_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_handlebars_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 12
    9  - filename: insecure_handlebars_template.js
    10  - parent_line_number: 12
    11  - snippet: Handlebars.precompile(req.body.user, options)
    12  - fingerprint: 4dfd8eaea7a8c770cafac211038919a1_0
    13  - - rule:
    14  - cwe_ids:
    15  - - "1336"
    16  - id: javascript_express_insecure_template_rendering
    17  - description: Insecure template rendering detected.
    18  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    19  - line_number: 13
    20  - filename: insecure_handlebars_template.js
    21  - parent_line_number: 13
    22  - snippet: Handlebars.compile(req.body.user, options)
    23  - fingerprint: 4dfd8eaea7a8c770cafac211038919a1_1
    24  - 
    25  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_hoganjs_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 13
    9  - filename: insecure_hoganjs_template.js
    10  - parent_line_number: 13
    11  - snippet: 'Hogan.compile(template, { name: "insecure" })'
    12  - fingerprint: cfa6f91ee78560eda9ce58135d63419d_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_html_express_js_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 6
    9  - filename: insecure_html_express_js_template.js
    10  - parent_line_number: 6
    11  - parent_content: htmlExpress.render(req.params.viewPath, {})
    12  - 
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_liquid_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 13
    9  - filename: insecure_liquid_template.js
    10  - parent_line_number: 13
    11  - snippet: 'engine.render(req.params.text, { hello: "world" })'
    12  - fingerprint: 7264f489a10dbe0c262bab1338d087a1_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_lodash_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 11
    9  - filename: insecure_lodash_template.js
    10  - parent_line_number: 11
    11  - snippet: _.template(req.params.body)
    12  - fingerprint: dade516e6cf2d55d71e1f9510e39fc65_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_mustache_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 12
    9  - filename: insecure_mustache_template.js
    10  - parent_line_number: 12
    11  - snippet: 'Mustache.render(req.params, { name: "insecure" })'
    12  - fingerprint: 75b3fbdac13e6131ab5e8bae47184caa_0
    13  - 
    14  - 
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_nunjucks_template.yml
    1  -low:
    2  - - rule:
    3  - cwe_ids:
    4  - - "1336"
    5  - id: javascript_express_insecure_template_rendering
    6  - description: Insecure template rendering detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    8  - line_number: 11
    9  - filename: insecure_nunjucks_template.js
    10  - parent_line_number: 11
    11  - snippet: nunjucks.render(req.params.body)
    12  - fingerprint: ee737993ece149bb0dea94ff3b80bb5e_0
    13  - - rule:
    14  - cwe_ids:
    15  - - "1336"
    16  - id: javascript_express_insecure_template_rendering
    17  - description: Insecure template rendering detected.
    18  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
    19  - line_number: 12
    20  - filename: insecure_nunjucks_template.js
    21  - parent_line_number: 12
    22  - snippet: nunjucks.renderString(req.params.body)
    23  - fingerprint: ee737993ece149bb0dea94ff3b80bb5e_1
    24  - 
    25  - 
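--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_pug_template.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_pug_template.yml
@@ -1,25 +0,0 @@
-low:
-- rule:
-cwe_ids:
-- "1336"
-id: javascript_express_insecure_template_rendering
-description: Insecure template rendering detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
-line_number: 12
-filename: insecure_pug_template.js
-parent_line_number: 12
-snippet: pug.render(req.params.name, merge(options, locals))
-fingerprint: 87443edd915dd8aa74d4cbefbd1706e2_0
-- rule:
-cwe_ids:
-- "1336"
-id: javascript_express_insecure_template_rendering
-description: Insecure template rendering detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
-line_number: 16
-filename: insecure_pug_template.js
-parent_line_number: 16
-snippet: pug.compile(req.params.name)
-fingerprint: 87443edd915dd8aa74d4cbefbd1706e2_1
-
-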
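--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_squirrelly_template.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_squirrelly_template.yml
@@ -1,14 +0,0 @@
-low:
-- rule:
-cwe_ids:
-- "1336"
-id: javascript_express_insecure_template_rendering
-description: Insecure template rendering detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
-line_number: 12
-filename: insecure_squirrelly_template.js
-parent_line_number: 12
-snippet: 'Sqrl.render(req.params.text, { name: "alvin" })'
-fingerprint: f631e641891b1191cfe28d07d6302b1a_0
-
-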
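--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_whiskers_template.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--insecure_whiskers_template.yml
@@ -1,14 +0,0 @@
-low:
-- rule:
-cwe_ids:
-- "1336"
-id: javascript_express_insecure_template_rendering
-description: Insecure template rendering detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_insecure_template_rendering
-line_number: 13
-filename: insecure_whiskers_template.js
-parent_line_number: 13
-snippet: whiskers.render(req.params.text, context)
-fingerprint: de0693f04775ac94a3204bec8ceb6b99_0
-
-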
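--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--secure.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/.snapshots/TestJavascriptExpressInsecureTemplateRendering--secure.yml
@@ -1,3 +0,0 @@
-{}
-
-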
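--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_dot_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_dot_template.js
@@ -1,12 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-const doT = require('dot');
-
-app.get("/bad", (req, _res) => {
-doT.template(req.params.template)
-})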
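--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_ejs_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_ejs_template.js
@@ -1,19 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-const ejs = require('ejs');
-
-app.get("/bad", (req, _res) => {
-let template = ejs.compile(req.body.user, options);
-template(data);
-})
-
-app.get("/bad-2", (req, _res) => {
-ejs.render(req.params.name, data, options);
-})
-
-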
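--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_eta_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_eta_template.js
@@ -1,13 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-
-import * as Eta from "eta";
-
-app.get("/bad", (_req, _res) => {
-Eta.render(req.params, { name: "insecure" })
-})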
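--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_express_hbs_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_express_hbs_template.js
@@ -1,14 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-
-import { create } from 'express-handlebars';
-
-const hbs = create();
-app.get("/bad", (req, _res) => {
-hbs.renderView(req.params.viewPath, options, (err) => {})
-})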
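--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_handlebars_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_handlebars_template.js
@@ -1,14 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-
-import * as Handlebars from "handlebars";
-
-app.get("/bad", (req, _res) => {
-Handlebars.precompile(req.body.user, options)
-Handlebars.compile(req.body.user, options)
-})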
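--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_hoganjs_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_hoganjs_template.js
@@ -1,14 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-
-const Hogan = require("hogan.js");
-
-app.get("/bad", (req, _res) => {
-var template = req.params.text
-Hogan.compile(template, { name: "insecure" })
-})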
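--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_liquid_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_liquid_template.js
@@ -1,14 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-
-import { Liquid } from 'liquidjs'
-const engine = new Liquid()
-
-app.get("/bad", (req, _res) => {
-engine.render(req.params.text, { hello: "world" })
-})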
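--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_lodash_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_lodash_template.js
@@ -1,13 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-const _ = require('lodash');
-
-app.get("/bad", (req, _res) => {
-var compiled = _.template(req.params.body);
-})
-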
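--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_mustache_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_mustache_template.js
@@ -1,13 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-
-const Mustache = require('mustache');
-
-app.get("/bad", (_req, _res) => {
-Mustache.render(req.params, { name: "insecure" })
-})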
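--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_nunjucks_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_nunjucks_template.js
@@ -1,14 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-const nunjucks = require('nunjucks');
-
-app.get("/bad", (req, _res) => {
-nunjucks.render(req.params.body);
-nunjucks.renderString(req.params.body);
-})
-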
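--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_pug_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_pug_template.js
@@ -1,17 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-
-var pug = require('pug');
-
-app.get("/bad", (req, res) => {
-pug.render(req.params.name, merge(options, locals))
-})
-
-app.get("/bad-2", (req, res) => {
-pug.compile(req.params.name)
-})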
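--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_squirrelly_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_squirrelly_template.js
@@ -1,14 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-
-var Sqrl = require("squirrelly");
-
-app.get("/bad", (req, _res) => {
-Sqrl.render(req.params.text, { name: "alvin" })
-})
-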
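--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_whiskers_template.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/insecure_whiskers_template.js
@@ -1,15 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-
-var whiskers = require("whiskers");
-
-app.get("/bad", (req, _res) => {
-var context = {}
-whiskers.render(req.params.text, context)
-})
-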
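--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/secure.js
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering/testdata/secure.js
@@ -1,52 +0,0 @@
-const express = require("express");
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-// pug
-var pug = require('pug');
-app.get("/good-2", (_req, _res) => {
-pug.render("/mish")
-})
-
-// ejs
-var ejs = require('ejs');
-app.get("/good-3", (_req, _res) => {
-let template = ejs.compile(this.pageName(), options);
-template(data);
-})
-
-// lodash
-const _ = require('lodash');
-app.get("/good-4", (_req, _res) => {
-var compiled = _.template('<b>secure template</b>');
-})
-
-// mustache
-const Mustache = require('mustache');
-app.get("/good-5", (_req, _res) => {
-Mustache.render("<p>hi {{ name }} </p>", { name: "secure" })
-})
-
-// hogan.js
-const Hogan = require("hogan.js");
-app.get("/good-6", (_req, _res) => {
-var template = "<b>hello world</b>"
-Hogan.compile(template, { name: "secure" })
-})
-
-// squirrelly
-var Sqrl = require("squirrelly");
-app.get("/good-7", (_req, _res) => {
-Sqrl.render("some template", { name: "alvin" })
-})
-
-// liquid
-import { Liquid } from 'liquidjs'
-const engine = new Liquid()
-
-app.get("/good-8", (_req, _res) => {
-engine.render("<h3>Hello, {{name}}!</h3>", { name: "world" })
-})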
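--- a/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering.yml
@@ -1,100 +0,0 @@
-patterns:
-- pattern: |
-$<MODULE>.precompile($<USER_INPUT>$<...>)
-filters:
-- variable: MODULE
-values:
-- Handlebars
-- handlebars
-- variable: USER_INPUT
-detection: javascript_express_insecure_template_rendering_req_object
-- pattern: |
-$<MODULE>.compile($<USER_INPUT>$<...>)
-filters:
-- variable: MODULE
-values:
-- pug
-- ejs
-- Handlebars
-- handlebars
-- Hogan
-- variable: USER_INPUT
-detection: javascript_express_insecure_template_rendering_req_object
-- pattern: |
-$<MODULE>.render($<USER_INPUT>$<...>)
-filters:
-- variable: MODULE
-values:
-- pug
-- ejs
-- eta
-- Eta
-- nunjucks
-- Mustache
-- Sqrl
-- whiskers
-- hbs
-- variable: USER_INPUT
-detection: javascript_express_insecure_template_rendering_req_object
-- pattern: |
-$<MODULE>.renderString($<USER_INPUT>$<...>)
-filters:
-- variable: MODULE
-values:
-- nunjucks
-- variable: USER_INPUT
-detection: javascript_express_insecure_template_rendering_req_object
-- pattern: |
-$<MODULE>.renderView($<USER_INPUT>$<...>)
-filters:
-- variable: MODULE
-values:
-- hbs
-- variable: USER_INPUT
-detection: javascript_express_insecure_template_rendering_req_object
-- pattern: |
-$<MODULE>.template($<USER_INPUT>$<...>)
-filters:
-- variable: MODULE
-values:
-- _
-- doT
-- variable: USER_INPUT
-detection: javascript_express_insecure_template_rendering_req_object
-- pattern: |
-$<LIQUID_INIT>.render($<USER_INPUT>$<...>)
-filters:
-- variable: LIQUID_INIT
-detection: javascript_express_insecure_template_rendering_liquid_init
-- variable: USER_INPUT
-detection: javascript_express_insecure_template_rendering_req_object
-languages:
-- javascript
-auxiliary:
-- id: javascript_express_insecure_template_rendering_req_object
-patterns:
-- req.params
-- req.query
-- req.body
-- req.cookies
-- req.headers
-- id: javascript_express_insecure_template_rendering_liquid_init
-patterns:
-- new Liquid()
-metadata:
-description: "Insecure template rendering detected."
-remediation_message: |
-## Description
-Do not include externally influenced or user-given input data in rendered templates. This is bad practice and can lead to code injection attacks.
-
-## Remediations
-✅ Always validate external data (for example, with a safe list) before rendering it in a template.
-
-✅ Sanitize external data before rendering it in a template to remove special characters that could introduce an injection attack.
-
-## Resources
-- [OWASP Injection prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html#injection-prevention-rules)
-cwe_id:
-- 1336
-id: "javascript_express_insecure_template_rendering"
-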
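--- a/pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/.snapshots/TestJavascriptExpressJwtNotRevoked--express_jwt_not_revoked.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/.snapshots/TestJavascriptExpressJwtNotRevoked--express_jwt_not_revoked.yml
@@ -1,14 +0,0 @@
-low:
-- rule:
-cwe_ids:
-- "525"
-id: javascript_express_jwt_not_revoked
-description: Unrevoked JWT detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_jwt_not_revoked
-line_number: 11
-filename: express_jwt_not_revoked.js
-parent_line_number: 11
-snippet: 'expressjwt({ secret: config.secret, algorithms: ["HS256"] })'
-fingerprint: cb3095d58d2370a77337a035ba6f7493_0
-
-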
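--- a/pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/.snapshots/TestJavascriptExpressJwtNotRevoked--ok_express_jwt_revoked.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/.snapshots/TestJavascriptExpressJwtNotRevoked--ok_express_jwt_revoked.yml
@@ -1,3 +0,0 @@
-{}
-
-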
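--- a/pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/testdata/express_jwt_not_revoked.js
+++ b/pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/testdata/express_jwt_not_revoked.js
@@ -1,17 +0,0 @@
-import { expressjwt } from "express-jwt"
-var express = require("express")
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-app.get(
-"/unrevoked",
-expressjwt({ secret: config.secret, algorithms: ["HS256"] }),
-function (req, res) {
-if (!req.auth.admin) return res.sendStatus(401)
-res.sendStatus(200)
-}
-)
-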
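--- a/pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/testdata/ok_express_jwt_revoked.js
+++ b/pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/testdata/ok_express_jwt_revoked.js
@@ -1,21 +0,0 @@
-import { expressjwt } from "express-jwt"
-var express = require("express")
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-app.get(
-"/revoked",
-expressjwt({
-secret: config.secret,
-isRevoked: this.customRevokeCall(),
-algorithms: ["HS256"],
-}),
-function (req, res) {
-if (!req.auth.admin) return res.sendStatus(401)
-res.sendStatus(200)
-}
-)
-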
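--- a/pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked.yml
@@ -1,47 +0,0 @@
-patterns:
-- pattern: |
-expressjwt($<HASH_CONTENT>)
-filters:
-- variable: HASH_CONTENT
-detection: javascript_express_jwt_not_revoked_secret_datatype
-- not:
-variable: HASH_CONTENT
-detection: javascript_express_jwt_not_revoked_is_revoked
-languages:
-- javascript
-auxiliary:
-- id: javascript_express_jwt_not_revoked_secret_datatype
-patterns:
-- pattern: |
-{ $<...>secret: $<DATA_TYPE>$<...> }
-filters:
-- variable: DATA_TYPE
-detection: datatype
-- id: javascript_express_jwt_not_revoked_is_revoked
-patterns:
-- pattern: |
-{ $<...>isRevoked: $<_>$<...> }
-severity: low
-metadata:
-description: "Unrevoked JWT detected."
-remediation_message: |
-## Description
-The best practice caching policy is to revoke JWTs especially when these contain senstitive information.
-
-## Remediations
-✅ Ensure JWTs are short-lived by revoking them
-
-```javascript
-expressjwt({
-...
-isRevoked: this.customRevokeCall(),
-...
-})
-```
-
-## Resources
-- [ExpressJWT documentation on revoking tokens](https://github.com/auth0/express-jwt#revoked-tokens)
-cwe_id:
-- 525
-id: "javascript_express_jwt_not_revoked"
-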
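--- a/pkg/commands/process/settings/rules/javascript/express/open_redirect/.snapshots/TestJavascriptExpressOpenRedirect--ok_no_open_redirect.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/open_redirect/.snapshots/TestJavascriptExpressOpenRedirect--ok_no_open_redirect.yml
@@ -1,3 +0,0 @@
-{}
-
-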
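--- a/pkg/commands/process/settings/rules/javascript/express/open_redirect/.snapshots/TestJavascriptExpressOpenRedirect--open_redirect.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/open_redirect/.snapshots/TestJavascriptExpressOpenRedirect--open_redirect.yml
@@ -1,47 +0,0 @@
-medium:
-- rule:
-cwe_ids:
-- "601"
-id: javascript_express_open_redirect
-description: Open redirect detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_open_redirect
-line_number: 2
-filename: open_redirect.js
-parent_line_number: 2
-snippet: res.redirect(req.params.url)
-fingerprint: 4e437d5d0ff71e600352157c6a240eb5_0
-- rule:
-cwe_ids:
-- "601"
-id: javascript_express_open_redirect
-description: Open redirect detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_open_redirect
-line_number: 3
-filename: open_redirect.js
-parent_line_number: 3
-snippet: res.redirect(req.query.url + "/bar")
-fingerprint: 4e437d5d0ff71e600352157c6a240eb5_1
-- rule:
-cwe_ids:
-- "601"
-id: javascript_express_open_redirect
-description: Open redirect detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_open_redirect
-line_number: 4
-filename: open_redirect.js
-parent_line_number: 4
-snippet: res.redirect("https://" + req.params.url + "/bar")
-fingerprint: 4e437d5d0ff71e600352157c6a240eb5_2
-- rule:
-cwe_ids:
-- "601"
-id: javascript_express_open_redirect
-description: Open redirect detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_open_redirect
-line_number: 5
-filename: open_redirect.js
-parent_line_number: 5
-snippet: res.redirect("http://" + req.params.path + "/bar")
-fingerprint: 4e437d5d0ff71e600352157c6a240eb5_3
-
-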
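--- a/pkg/commands/process/settings/rules/javascript/express/open_redirect/testdata/ok_no_open_redirect.js
+++ b/pkg/commands/process/settings/rules/javascript/express/open_redirect/testdata/ok_no_open_redirect.js
@@ -1,4 +0,0 @@
-module.exports.foo = function (_req, res) {
-res.redirect("https://google.com")
-}
-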
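--- a/pkg/commands/process/settings/rules/javascript/express/open_redirect/testdata/open_redirect.js
+++ b/pkg/commands/process/settings/rules/javascript/express/open_redirect/testdata/open_redirect.js
@@ -1,7 +0,0 @@
-module.exports.foo = function(req, res){
-res.redirect(req.params.url)
-res.redirect(req.query.url + "/bar")
-res.redirect("https://" + req.params.url + "/bar")
-res.redirect("http://" + req.params.path + "/bar")
-}
-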
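--- a/pkg/commands/process/settings/rules/javascript/express/open_redirect.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/open_redirect.yml
@@ -1,53 +0,0 @@
-patterns:
-- pattern: |
-res.redirect($<USER_INPUT>$<...>)
-filters:
-- variable: USER_INPUT
-detection: javascript_express_open_redirect_req_object
-auxiliary:
-- id: javascript_express_open_redirect_req_object
-patterns:
-- pattern: $<DATA>
-filters:
-- variable: DATA
-detection: javascript_express_open_redirect_user_input
-- pattern: const { $<!>$<_> } = $<DATA>
-filters:
-- variable: DATA
-detection: javascript_express_open_redirect_user_input
-- id: javascript_express_open_redirect_user_input
-patterns:
-- req.params
-- req.query
-- req.body
-- req.cookies
-- req.headers
-languages:
-- javascript
-severity: medium
-metadata:
-description: "Open redirect detected."
-remediation_message: |
-## Description
-A redirect using unsanitized user input is bad practice and puts your application at greater risk of phishing attacks.
-
-## Remediations
-❌ Do not use unsanitized user input when constructing URLs
-
-✅ Instead, ensure the input is validated by using a safe list or a mapping when constructing URLs
-
-```javascript
-var map = {
-"1": "/planes",
-"2": "/trains",
-"3": "/automobiles",
-}
-
-res.redirect(map[req.body.transport])
-```
-## Resources
-- [OWASP open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
-cwe_id:
-- 601
-id: "javascript_express_open_redirect"
-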
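--- a/pkg/commands/process/settings/rules/javascript/express/path_traversal/.snapshots/TestJavascriptExpressPathTraversal--ok_no_path_traversal_vulnerability.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/path_traversal/.snapshots/TestJavascriptExpressPathTraversal--ok_no_path_traversal_vulnerability.yml
@@ -1,3 +0,0 @@
-{}
-
-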
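--- a/pkg/commands/process/settings/rules/javascript/express/path_traversal/.snapshots/TestJavascriptExpressPathTraversal--path_traversal_vulnerability.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/path_traversal/.snapshots/TestJavascriptExpressPathTraversal--path_traversal_vulnerability.yml
@@ -1,25 +0,0 @@
-high:
-- rule:
-cwe_ids:
-- "22"
-id: javascript_express_path_traversal
-description: Possible path traversal vulnerability detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_path_traversal
-line_number: 9
-filename: path_traversal_vulnerability.js
-parent_line_number: 9
-snippet: path.join("/public/", req.query.path)
-fingerprint: 84e934af8c2135f6ce968eda8b515dbd_0
-- rule:
-cwe_ids:
-- "22"
-id: javascript_express_path_traversal
-description: Possible path traversal vulnerability detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_path_traversal
-line_number: 10
-filename: path_traversal_vulnerability.js
-parent_line_number: 10
-snippet: path.resolve(req.query.path)
-fingerprint: 84e934af8c2135f6ce968eda8b515dbd_1
-
-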
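--- a/pkg/commands/process/settings/rules/javascript/express/path_traversal/testdata/ok_no_path_traversal_vulnerability.js
+++ b/pkg/commands/process/settings/rules/javascript/express/path_traversal/testdata/ok_no_path_traversal_vulnerability.js
@@ -1,15 +0,0 @@
-var express = require("express")
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-app.get("/ok", (_req, _res) => {
-path.join("public", "/user/1")
-path.resolve("public/tmp/images")
-
-var folder = req.params.path.replace(/^(\.\.(\/|\\|$))+/, "")
-path.resolve("public/" + folder)
-})
-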
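--- a/pkg/commands/process/settings/rules/javascript/express/path_traversal/testdata/path_traversal_vulnerability.js
+++ b/pkg/commands/process/settings/rules/javascript/express/path_traversal/testdata/path_traversal_vulnerability.js
@@ -1,12 +0,0 @@
-var express = require("express")
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-app.get("/bad", (req, _res) => {
-path.join("/public/", req.query.path)
-path.resolve(req.query.path)
-})
-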
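--- a/pkg/commands/process/settings/rules/javascript/express/path_traversal.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/path_traversal.yml
@@ -1,77 +0,0 @@
-patterns:
-- pattern: |
-path.$<METHOD>($<...>$<USER_INPUT>$<...>)
-filters:
-- variable: METHOD
-values:
-- join
-- resolve
-- variable: USER_INPUT
-detection: javascript_express_path_traversal_request_obj
-- not:
-variable: USER_INPUT
-detection: javascript_express_path_traversal_sanitized_user_input
-auxiliary:
-- id: javascript_express_path_traversal_request_obj
-patterns:
-- pattern: $<DATA>
-filters:
-- variable: DATA
-detection: javascript_express_path_traversal_user_input
-- pattern: const { $<!>$<_> } = $<DATA>
-filters:
-- variable: DATA
-detection: javascript_express_path_traversal_user_input
-- id: javascript_express_path_traversal_user_input
-patterns:
-- req.params
-- req.query
-- req.body
-- req.cookies
-- req.headers
-- id: javascript_express_path_traversal_sanitized_user_input
-patterns:
-- $<_>.replace($<_>, "")
-- $<_>.replace($<_>, '')
-languages:
-- javascript
-severity: high
-metadata:
-description: "Possible path traversal vulnerability detected."
-remediation_message: |
-## Description
-Allowing unsanitized user input in path resolution methods means an attacker could gain access to files and folders outside of the intended scope.
-
-## Remediations
-❌ Avoid wherever possible
-
-✅ Sanitize user input when resolving paths, for example:
-- Use `replace()` to mitigate against unwanted patterns in the path (such as `\..\..`)
-- Actively guard against paths that end in "%00" (poison NULL byte attacks)
-- Use path concatenation to ensure the intended scope is respected
-
-```javascript
-const path = require("path");
-
-app.get("/", (req, res) => {
-if (req.params.path.indexOf('\0')) !== -1 {
-// prevent access
-}
-
-var folder = req.params.path.replace(/^(\.\.(\/|\\|$))+/, '')
-
-var pathname = path.join("/public/", folder)
-if pathname.indexOf("/public/") !== 0 {
-// prevent access
-}
-
-path.resolve(pathname)
-})
-```
-
-## Resources
-- [OWASP path traversal](https://owasp.org/www-community/attacks/Path_Traversal)
-cwe_id:
-- 22
-id: "javascript_express_path_traversal"
-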
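--- a/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/.snapshots/TestJavascriptReduceFingerprint--secure_app_disable.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/.snapshots/TestJavascriptReduceFingerprint--secure_app_disable.yml
@@ -1,14 +0,0 @@
-low:
-- rule:
-cwe_ids:
-- "693"
-id: javascript_express_helmet_missing
-description: Security misconfiguration detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_helmet_missing
-line_number: 3
-filename: secure_app_disable.js
-parent_line_number: 3
-snippet: express()
-fingerprint: ed6ed8b54708fe870dd883878474bc75_0
-
-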
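--- a/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/.snapshots/TestJavascriptReduceFingerprint--secure_helmet.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/.snapshots/TestJavascriptReduceFingerprint--secure_helmet.yml
@@ -1,3 +0,0 @@
-{}
-
-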
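--- a/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/.snapshots/TestJavascriptReduceFingerprint--unsecure.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/.snapshots/TestJavascriptReduceFingerprint--unsecure.yml
@@ -1,25 +0,0 @@
-low:
-- rule:
-cwe_ids:
-- "693"
-id: javascript_express_helmet_missing
-description: Security misconfiguration detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_helmet_missing
-line_number: 4
-filename: unsecure.js
-parent_line_number: 4
-snippet: express()
-fingerprint: 11025b35d18975e9334681b65859fe26_0
-- rule:
-cwe_ids:
-- "693"
-id: javascript_express_reduce_fingerprint
-description: Security misconfiguration detected.
-documentation_url: https://docs.bearer.com/reference/rules/javascript_express_reduce_fingerprint
-line_number: 4
-filename: unsecure.js
-parent_line_number: 4
-snippet: express()
-fingerprint: 2b159b374c0927680a0bff40b713473f_0
-
-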
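--- a/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/testdata/secure_app_disable.js
+++ b/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/testdata/secure_app_disable.js
@@ -1,5 +0,0 @@
-const express = require("express")
-
-const app = express()
-app.disable("x-powered-by")
-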
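--- a/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/testdata/secure_helmet.js
+++ b/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/testdata/secure_helmet.js
@@ -1,6 +0,0 @@
-const express = require("express")
-const helmet = require("helmet")
-
-const app = express()
-app.use(helmet.hidePoweredBy())
-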
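--- a/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/testdata/unsecure.js
+++ b/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint/testdata/unsecure.js
@@ -1,7 +0,0 @@
-const express = require("express")
-const cors = require("cors")
-
-const app = express()
-app.use(express.json())
-app.use(cors())
-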
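--- a/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint.yml
@@ -1,47 +0,0 @@
-patterns:
-- pattern: |
-$<EXPRESS>.disable($<POWERED_BY>)
-filters:
-- variable: EXPRESS
-detection: javascript_express_reduce_fingerprint_express_init
-- variable: POWERED_BY
-regex: (?i)['"]x-powered-by['"]
-- pattern: |
-$<EXPRESS>.use($<FUNCTION_CALL>)
-filters:
-- variable: EXPRESS
-detection: javascript_express_reduce_fingerprint_express_init
-- variable: FUNCTION_CALL
-detection: javascript_express_reduce_fingerprint_helmet_configuration
-auxiliary:
-- id: javascript_express_reduce_fingerprint_express_init
-patterns:
-- express()
-- id: javascript_express_reduce_fingerprint_helmet_configuration
-patterns:
-- helmet.hidePoweredBy()
-languages:
-- javascript
-trigger:
-match_on: absence
-required_detection: javascript_express_reduce_fingerprint_express_init
-metadata:
-description: "Security misconfiguration detected."
-remediation_message: |
-## Description
-
-It can help to provide an extra layer of security to reduce server fingerprinting. Though not a security issue itself, a method to improve the overall posture of a web server is to take measures to reduce the ability to fingerprint the software being used on the server. Server software can be fingerprinted by quirks in how they respond to specific requests.
-
-By default, Express.js sends the X-Powered-By response header banner. This can be disabled using the app.disable() method:
-
-```
-app.disable('x-powered-by')
-```
-
-## Resources
-
-- [Express Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html)
-cwe_id:
-- 693
-id: javascript_express_reduce_fingerprint
-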
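--- a/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/.snapshots/TestJavascriptExpressServerSideRequestForgery--axios_ssrf_injection.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/.snapshots/TestJavascriptExpressServerSideRequestForgery--axios_ssrf_injection.yml
@@ -1,14 +0,0 @@
-high:
- - rule:
- cwe_ids:
- - "918"
- id: javascript_express_server_side_request_forgery
- description: Risk of server-side request forgery detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_server_side_request_forgery
- line_number: 10
- filename: axios_ssrf_injection.js
- parent_line_number: 10
- snippet: axios.get(req.query.path)
- fingerprint: 662372a5481e8accee0a46239d4590e8_0
-
-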
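--- a/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/.snapshots/TestJavascriptExpressServerSideRequestForgery--node_fetch_ssrf_injection.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/.snapshots/TestJavascriptExpressServerSideRequestForgery--node_fetch_ssrf_injection.yml
@@ -1,14 +0,0 @@
-high:
- - rule:
- cwe_ids:
- - "918"
- id: javascript_express_server_side_request_forgery
- description: Risk of server-side request forgery detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_server_side_request_forgery
- line_number: 12
- filename: node_fetch_ssrf_injection.js
- parent_line_number: 12
- snippet: fetch("https://" + req.query.path)
- fingerprint: 26b9f4665fdfcaba8db99af878e8b501_0
-
-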
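--- a/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/.snapshots/TestJavascriptExpressServerSideRequestForgery--ok_no_ssrf.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/.snapshots/TestJavascriptExpressServerSideRequestForgery--ok_no_ssrf.yml
@@ -1,3 +0,0 @@
-{}
-
-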
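--- a/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/.snapshots/TestJavascriptExpressServerSideRequestForgery--puppeteer_ssrf_injection.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/.snapshots/TestJavascriptExpressServerSideRequestForgery--puppeteer_ssrf_injection.yml
@@ -1,25 +0,0 @@
-high:
- - rule:
- cwe_ids:
- - "918"
- id: javascript_express_server_side_request_forgery
- description: Risk of server-side request forgery detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_server_side_request_forgery
- line_number: 15
- filename: puppeteer_ssrf_injection.js
- parent_line_number: 15
- snippet: page.setContent(content)
- fingerprint: 318f87254f8f0e44e6139b5ef12abc3f_0
- - rule:
- cwe_ids:
- - "918"
- id: javascript_express_server_side_request_forgery
- description: Risk of server-side request forgery detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_server_side_request_forgery
- line_number: 16
- filename: puppeteer_ssrf_injection.js
- parent_line_number: 16
- snippet: page.goto("https://" + req.query.path)
- fingerprint: 318f87254f8f0e44e6139b5ef12abc3f_1
-
-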
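--- a/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/testdata/axios_ssrf_injection.js
+++ b/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/testdata/axios_ssrf_injection.js
@@ -1,12 +0,0 @@
-import axios from "axios"
-var express = require("express")
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-app.get("/inject", async (req, res) => {
- axios.get(req.query.path).then((response) => res.json(response.data))
-})
-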
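--- a/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/testdata/node_fetch_ssrf_injection.js
+++ b/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/testdata/node_fetch_ssrf_injection.js
@@ -1,15 +0,0 @@
-import fetch from "node-fetch"
-var express = require("express")
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-const app = express()
-
-app.get("/inject", async (req, res) => {
- response = await fetch("https://" + req.query.path)
- res.json(response.data)
-})
-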
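--- a/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/testdata/ok_no_ssrf.js
+++ b/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/testdata/ok_no_ssrf.js
@@ -1,24 +0,0 @@
-import puppeteer from "puppeteer"
-var express = require("express")
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-app.get("/safety", async (_req, res) => {
- const browser = await puppeteer.launch()
- const page = await browser.newPage()
- await page.goto("https://mish.bearer.com")
-
- res.send("success")
-})
-
-app.get("/safety-2", async (req, res) => {
- var token = req.user.tokens.find((token) => token.kind === "safe")
- axios.get(`https://mish.com/bears?access_token=${token.accessToken}`)
- axios.get("https://mish.com/bears?access_token=" + token.accessToken)
-
- res.send("success")
-})
-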
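--- a/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/testdata/puppeteer_ssrf_injection.js
+++ b/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery/testdata/puppeteer_ssrf_injection.js
@@ -1,20 +0,0 @@
-import puppeteer from "puppeteer"
-
-var express = require("express")
-var helmet = require("helmet")
-
-var app = express()
-app.use(helmet())
-app.use(helmet.hidePoweredBy())
-
-app.get("/inject", async (req, res) => {
- const browser = await puppeteer.launch()
- const page = await browser.newPage()
-
- var content = req.body.content
- await page.setContent(content)
- await page.goto("https://" + req.query.path)
-
- res.send("success")
-})
-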
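--- a/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery.yml
@@ -1,76 +0,0 @@
-patterns:
- - pattern: |
- fetch($<USER_INPUT>)
- filters:
- - variable: USER_INPUT
- detection: javascript_express_ssrf_request_obj
- - pattern: |
- axios.get($<USER_INPUT>)
- filters:
- - variable: USER_INPUT
- detection: javascript_express_ssrf_request_obj
- - pattern: |
- $<PUPPETEER_PAGE>.$<METHOD>($<USER_INPUT>)
- filters:
- - variable: PUPPETEER_PAGE
- detection:
- - variable: METHOD
- values:
- - goto
- - setContent
- - evaluate
- - evaluateOnNewDocument
- - variable: USER_INPUT
- detection: javascript_express_ssrf_request_obj
-auxiliary:
- - id: javascript_express_ssrf_request_obj
- patterns:
- - req.params
- - req.query
- - req.body
- - req.cookies
- - req.headers
- - id: javascript_puppeteer_page
- patterns:
- - $<PUPPETEER_BROWSER>.newPage()
- filters:
- - variable: PUPPETEER_BROWSER
- detection: javascript_puppeteer_browser
- - id: javascript_puppeteer_browser
- patterns:
- - puppeteer.launch()
-languages:
- - javascript
-severity: high
-metadata:
- description: "Risk of server-side request forgery detected."
- remediation_message: |
- ## Description
- Using unsanitized URLs from the request object when retrieving data puts your application at risk of server-side request forgery (SSRF) attacks.
- This rule checks for URLs containing user-supplied data.
-
- ## Remediations
-
- ❌ Avoid using user input in URLs:
-
- ```javascript
- axios.get(`https://${req.params.host}`)
- ```
-
- ✅ Use user input indirectly to form a URL:
-
- ```javascript
- var host = "default-api.com"
- if req.params.host == "something-else" {
- host = "other-api.com"
- }
-
- axios.get(`https://${host}`)
- ```
-
- ## Resources
- - [OWASP - Server-Side Request Forgery (SSRF) prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
- cwe_id:
- - 918
- id: "javascript_express_server_side_request_forgery"
-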
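--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection/.snapshots/TestJavascriptExpressSqlInjection--knex_sql_injection.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection/.snapshots/TestJavascriptExpressSqlInjection--knex_sql_injection.yml
@@ -1,14 +0,0 @@
-high:
- - rule:
- cwe_ids:
- - "79"
- id: javascript_express_cross_site_scripting
- description: Cross-site scripting (XSS) vulnerability detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_cross_site_scripting
- line_number: 11
- filename: knex_sql_injection.js
- parent_line_number: 11
- snippet: res.send(prepareJson(cartDetails))
- fingerprint: 4facc1afc53beec979a800a78f0096d6_0
-
-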
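--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection/.snapshots/TestJavascriptExpressSqlInjection--mysql2_sql_injection.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection/.snapshots/TestJavascriptExpressSqlInjection--mysql2_sql_injection.yml
@@ -1,43 +0,0 @@
-high:
- - rule:
- cwe_ids:
- - "89"
- id: javascript_express_sql_injection
- description: SQL injection vulnerability detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_sql_injection
- line_number: 12
- filename: mysql2_sql_injection.js
- parent_line_number: 12
- snippet: |-
- connection.query(
- "SELECT * FROM `user` WHERE name = " + req.params.customer.name
- )
- fingerprint: 6ab447a0217cef645dfc88f86abb0c3a_0
- - rule:
- cwe_ids:
- - "89"
- id: javascript_express_sql_injection
- description: SQL injection vulnerability detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_sql_injection
- line_number: 18
- filename: mysql2_sql_injection.js
- parent_line_number: 18
- snippet: |-
- pool.query(
- "SELECT * FROM users WHERE name = " + req.params.user_name,
- function () {}
- )
- fingerprint: 6ab447a0217cef645dfc88f86abb0c3a_1
- - rule:
- cwe_ids:
- - "89"
- id: javascript_express_sql_injection
- description: SQL injection vulnerability detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_sql_injection
- line_number: 23
- filename: mysql2_sql_injection.js
- parent_line_number: 23
- snippet: conn.query("SELECT * FROM users WHERE name = " + req.params.user_name, function () {})
- fingerprint: 6ab447a0217cef645dfc88f86abb0c3a_2
-
-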
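--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection/.snapshots/TestJavascriptExpressSqlInjection--ok_no_sql_injection.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection/.snapshots/TestJavascriptExpressSqlInjection--ok_no_sql_injection.yml
@@ -1,3 +0,0 @@
-{}
-
-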
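--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection/.snapshots/TestJavascriptExpressSqlInjection--pg_sql_injection.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection/.snapshots/TestJavascriptExpressSqlInjection--pg_sql_injection.yml
@@ -1,17 +0,0 @@
-high:
- - rule:
- cwe_ids:
- - "89"
- id: javascript_express_sql_injection
- description: SQL injection vulnerability detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_sql_injection
- line_number: 8
- filename: pg_sql_injection.js
- parent_line_number: 8
- snippet: |-
- client.query(
- "SELECT * FROM users WHERE user.name = " + req.params.user.name
- )
- fingerprint: c586d90217bd23f25dd04b101a799cbd_0
-
-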
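--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection/.snapshots/TestJavascriptExpressSqlInjection--sequelize_sql_injection.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection/.snapshots/TestJavascriptExpressSqlInjection--sequelize_sql_injection.yml
@@ -1,14 +0,0 @@
-high:
- - rule:
- cwe_ids:
- - "89"
- id: javascript_express_sql_injection
- description: SQL injection vulnerability detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_sql_injection
- line_number: 7
- filename: sequelize_sql_injection.js
- parent_line_number: 7
- snippet: sqlite.query(customerQuery)
- fingerprint: 517438dfc8bb854de841ed83af94969d_0
-
-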
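--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection/testdata/knex_sql_injection.js
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection/testdata/knex_sql_injection.js
@@ -1,13 +0,0 @@
-const knex = require("knex")({
- client: "mysql",
-});
-
-module.exports.badQuery = function (req, res) {
- var cartDetails = knex
- .select("user.cart_details")
- .from("users")
- .whereRaw("name = " + req.query.user.name);
-
- res.send(prepareJson(cartDetails));
-};
-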
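--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection/testdata/mysql2_sql_injection.js
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection/testdata/mysql2_sql_injection.js
@@ -1,29 +0,0 @@
-const connection = mysql.createConnection({});
-const asyncConn = await mysql.createConnection({});
-
-module.exports.asyncFooBar = async function (req, res) {
- await asyncConn.execute(
- "SELECT * FROM `admin_users` WHERE ID = " + req.admin.id
- );
- res.send("ok");
-};
-
-module.exports.fooBar = function (req, _res) {
- connection.query(
- "SELECT * FROM `user` WHERE name = " + req.params.customer.name
- );
-
- // pool query
- var pool = mysql.createPool();
- pool.query(
- "SELECT * FROM users WHERE name = " + req.params.user_name,
- function () {}
- );
- pool.getConnection(function (_err, conn) {
- conn.query("SELECT * FROM users WHERE name = " + req.params.user_name, function () {});
- pool.releaseConnection(conn);
- });
-
- res.send("ok");
-};
-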
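--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection/testdata/ok_no_sql_injection.js
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection/testdata/ok_no_sql_injection.js
@@ -1,18 +0,0 @@
-import { Sequelize } from "sequelize";
-const { Client } = require('pg')
-const client = new Client({
- // pg client setup
-})
-
-const connection = mysql.createConnection({});
-
-module.exports.fooBar = function(req, _res) {
- var sqlite = new Sequelize('sqlite::memory:')
- var customerQuery = "SELECT * FROM customers WHERE status = ACTIVE"
- sqlite.query(customerQuery)
-
- client.query('SELECT * FROM users WHERE user.name = ' + getUser().name)
-
- connection.query("SELECT * FROM `user` WHERE name = " + currentUser().name);
-}
-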
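--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection/testdata/pg_sql_injection.js
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection/testdata/pg_sql_injection.js
@@ -1,14 +0,0 @@
-const { Client } = require("pg");
-
-const client = new Client({
- // client setup
-});
-
-module.exports.fooBar = function (req, _res) {
- var user = client.query(
- "SELECT * FROM users WHERE user.name = " + req.params.user.name
- );
-
- return user;
-};
-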
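--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection/testdata/sequelize_sql_injection.js
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection/testdata/sequelize_sql_injection.js
@@ -1,9 +0,0 @@
-import { Sequelize } from "sequelize";
-
-module.exports.fooBar = function (req, _res) {
- var sqlite = new Sequelize("sqlite::memory:");
- var customerQuery =
- "SELECT * FROM customers WHERE status = " + req.params.customer.status;
- sqlite.query(customerQuery);
-};
-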
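--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection.yml
@@ -1,130 +0,0 @@
-patterns:
- - pattern: |
- $<KNEX_CLIENT>.$<METHOD>($<...>$<USER_INPUT>$<...>)
- filters:
- - variable: USER_INPUT
- detection: javascript_express_sql_injection_request_input
- - variable: KNEX_CLIENT
- values:
- - knex
- - knexClient
- - client
- - variable: METHOD
- values:
- - fromRaw
- - whereRaw
- - raw
- - pattern: |
- $<PG_CLIENT>.query($<...>$<USER_INPUT>$<...>)
- filters:
- - variable: PG_CLIENT
- detection: javascript_express_sql_injection_pg_client
- - variable: USER_INPUT
- detection: javascript_express_sql_injection_request_input
- - pattern: |
- $<SEQUELIZE>.query($<USER_INPUT>)
- filters:
- - variable: SEQUELIZE
- detection: javascript_express_sql_injection_sequelize_init
- - variable: USER_INPUT
- detection: javascript_express_sql_injection_request_input
- - pattern: |
- $<MYSQL_CONN>.$<METHOD>($<...>$<USER_INPUT>$<...>)
- filters:
- - variable: MYSQL_CONN
- detection: javascript_express_sql_injection_mysql_conn
- - variable: USER_INPUT
- detection: javascript_express_sql_injection_request_input
- - variable: METHOD
- values:
- - query
- - execute
- - pattern: |
- $<MYSQL_POOL>.query($<...>$<USER_INPUT>$<...>)
- filters:
- - variable: MYSQL_POOL
- detection: javascript_express_sql_injection_mysql_pool
- - variable: USER_INPUT
- detection: javascript_express_sql_injection_request_input
- - pattern: |
- $<CONN>.query($<USER_INPUT>, $<_>)
- filters:
- - variable: CONN
- detection: javascript_express_sql_injection_pool_conn
- - variable: USER_INPUT
- detection: javascript_express_sql_injection_request_input
-auxiliary:
- - id: javascript_express_sql_injection_request_input
- patterns:
- - req.params
- - req.query
- - req.body
- - req.cookies
- - req.headers
- - id: javascript_express_sql_injection_pg_client
- patterns:
- - new Client()
- - id: javascript_express_sql_injection_sequelize_init
- patterns:
- - new Sequelize()
- - id: javascript_express_sql_injection_mysql_conn
- patterns:
- - mysql.createConnection()
- - await mysql.createConnection()
- - id: javascript_express_sql_injection_mysql_pool
- patterns:
- - mysql.createPool()
- - id: javascript_express_sql_injection_pool_conn
- patterns:
- - pattern: $<MYSQL_POOL>.getConnection(function($<_>, $<!>$<CONN:identifier>) {})
- filters:
- - variable: MYSQL_POOL
- detection: javascript_express_sql_injection_mysql_pool
-languages:
- - javascript
-severity: high
-metadata:
- description: "SQL injection vulnerability detected."
- remediation_message: |
- ## Description
- Including unsanitized data, such as user input or request data, in raw SQL queries makes your application vulnerable to SQL injection attacks.
-
- ## Remediations
-
- ❌ Avoid raw queries, especially those that contain unsanitized user input
-
- ```javascript
- var sqlite = new Sequelize("sqlite::memory:");
- sqlite.query("SELECT * FROM users WHERE ID = " + req.params.userId);
- ```
-
- Instead, consider the following approaches when writing SQL queries
-
- ✅ Validate query input wherever possible
-
- ```javascript
- var rawId = req.params.userId
- if !(/[0-9]+/.test(rawId)) {
- // input is unexpected; don't make the query
- }
- ```
-
- ✅ Use prepared (or parameterized) statements when querying
-
- Sequelize example -
- ```javascript
- var sqlite = new Sequelize("sqlite::memory:");
- sqlite.query(
- "SELECT * FROM users WHERE ID = ?",
- { replacements: [req.params.userId] },
- type: sequelize.QueryTypes.SELECT
- )
- ```
-
- ## Resources
- - [OWASP SQL injection explained](https://owasp.org/www-community/attacks/SQL_Injection)
- - [OWASP SQL injection prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
- cwe_id:
- - 89
- id: "javascript_express_sql_injection"
-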
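--- a/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/.snapshots/TestJavascriptExpressStaticAssetWithSession--ok.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/.snapshots/TestJavascriptExpressStaticAssetWithSession--ok.yml
@@ -1,15 +0,0 @@
-medium:
- - rule:
- cwe_ids:
- - "523"
- - "522"
- id: express_default_session_config
- description: Session cookie with default config detected.
- documentation_url: https://docs.bearer.com/reference/rules/express_default_session_config
- line_number: 2
- filename: ok.js
- parent_line_number: 2
- snippet: '{}'
- fingerprint: 86893356122363645f8f0d0427a9704b_0
-
-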
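--- a/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/.snapshots/TestJavascriptExpressStaticAssetWithSession--unsafe.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/.snapshots/TestJavascriptExpressStaticAssetWithSession--unsafe.yml
@@ -1,28 +0,0 @@
-low:
- - rule:
- cwe_ids:
- - "352"
- - "668"
- id: javascript_express_static_asset_with_session
- description: Static asset with active session detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_static_asset_with_session
- line_number: 3
- filename: unsafe.js
- parent_line_number: 3
- snippet: app.use(express.static(__dirname + "/public"))
- fingerprint: 28d21916f3114061f8bd21bed81e2429_0
-medium:
- - rule:
- cwe_ids:
- - "523"
- - "522"
- id: express_default_session_config
- description: Session cookie with default config detected.
- documentation_url: https://docs.bearer.com/reference/rules/express_default_session_config
- line_number: 1
- filename: unsafe.js
- parent_line_number: 1
- snippet: '{}'
- fingerprint: 4ddd326ab62f572775eb70f4bae2ef96_0
-
-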
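--- a/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/testdata/ok.js
+++ b/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/testdata/ok.js
@@ -1,3 +0,0 @@
-app.use(express.static(__dirname + "/public"))
-app.use(session({}))
-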
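--- a/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/testdata/unsafe.js
+++ b/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/testdata/unsafe.js
@@ -1,4 +0,0 @@
-app.use(session({}))
-app.use(other())
-app.use(express.static(__dirname + "/public"))
-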
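--- a/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session.yml
@@ -1,55 +0,0 @@
-patterns:
- - pattern: |
- {
- $<SESSION>
- $<!>$<STATIC>
- }
- filters:
- - variable: SESSION
- detection: javascript_express_static_asset_with_session_session
- - variable: STATIC
- detection: javascript_express_static_asset_with_session_static
-auxiliary:
- - id: javascript_express_static_asset_with_session_session
- patterns:
- - pattern: app.use($<MIDDLEWARE>)
- filters:
- - variable: MIDDLEWARE
- detection: javascript_express_static_asset_with_session_session_init
- - id: javascript_express_static_asset_with_session_session_init
- patterns:
- - session()
- - id: javascript_express_static_asset_with_session_static
- patterns:
- - pattern: app.use($<MIDDLEWARE>)
- filters:
- - variable: MIDDLEWARE
- detection: javascript_express_static_asset_with_session_static_init
- - id: javascript_express_static_asset_with_session_static_init
- patterns:
- - express.static()
-languages:
- - javascript
-metadata:
- description: Static asset with active session detected.
- remediation_message: |
- ## Description
- Static assets are often cached by services in front of the application
- (eg. CDNs). Serving static assets with sessions enabled may lead to
- Cross-Site Request Forgery (CSRF) attacks that can hijack a user's session.
-
- ## Remediations
-
- ✅ Ensure static resources are handled prior to session initialization:
-
- ```javascript
- // static middleware should be added before session middleware
- app.use(express.static(__dirname + "/public"))
-
- app.use(session())
- ```
- cwe_id:
- - 352
- - 668
- id: javascript_express_static_asset_with_session
-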
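--- a/pkg/commands/process/settings/rules/javascript/express/ui_redress/.snapshots/TestJavascriptExpressUiRedress--ok_no_ui_redress.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/ui_redress/.snapshots/TestJavascriptExpressUiRedress--ok_no_ui_redress.yml
@@ -1,3 +0,0 @@
-{}
-
-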
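--- a/pkg/commands/process/settings/rules/javascript/express/ui_redress/.snapshots/TestJavascriptExpressUiRedress--ui_redress_vulnerability.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/ui_redress/.snapshots/TestJavascriptExpressUiRedress--ui_redress_vulnerability.yml
@@ -1,14 +0,0 @@
-low:
- - rule:
- cwe_ids:
- - "1021"
- id: javascript_express_ui_redress
- description: User Interface (UI) redress vulnerability (clickjacking) detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_ui_redress
- line_number: 9
- filename: ui_redress_vulnerability.js
- parent_line_number: 9
- snippet: res.set("X-Frame-Options", req.query.options)
- fingerprint: dc8d27767d942ab052ecc13a85754186_0
-
-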
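--- a/pkg/commands/process/settings/rules/javascript/express/ui_redress/testdata/ok_no_ui_redress.js
+++ b/pkg/commands/process/settings/rules/javascript/express/ui_redress/testdata/ok_no_ui_redress.js
@@ -1,14 +0,0 @@
-const express = require("express")
-const app = express()
-const helmet = require("helmet")
-
-app.use(helmet())
-app.disable("x-powered-by")
-
-var config = require(global.baseUrl + "/config.js")
-
-app.get("/good", (_req, res) => {
- res.set("X-Frame-Options", config.options)
- res.send(200)
-})
-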
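--- a/pkg/commands/process/settings/rules/javascript/express/ui_redress/testdata/ui_redress_vulnerability.js
+++ b/pkg/commands/process/settings/rules/javascript/express/ui_redress/testdata/ui_redress_vulnerability.js
@@ -1,12 +0,0 @@
-const express = require("express")
-const app = express()
-const helmet = require("helmet")
-
-app.use(helmet())
-app.disable("x-powered-by")
-
-app.get("/bad", (req, res) => {
- res.set("X-Frame-Options", req.query.options)
- res.send(200)
-})
-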
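--- a/pkg/commands/process/settings/rules/javascript/express/ui_redress.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/ui_redress.yml
@@ -1,62 +0,0 @@
-patterns:
- - pattern: |
- res.set($<HEADERS>, $<USER_INPUT>)
- filters:
- - variable: HEADERS
- regex: (?i)['"](x-frame-options|content-security-policy)["']
- - variable: USER_INPUT
- detection: javascript_express_ui_redress_request_obj
-auxiliary:
- - id: javascript_express_ui_redress_request_obj
- patterns:
- - pattern: $<DATA>
- filters:
- - variable: DATA
- detection: javascript_express_ui_redress_user_input
- - pattern: const { $<!>$<_> } = $<DATA>
- filters:
- - variable: DATA
- detection: javascript_express_ui_redress_user_input
- - id: javascript_express_ui_redress_user_input
- patterns:
- - req.params
- - req.query
- - req.body
- - req.cookies
- - req.headers
-languages:
- - javascript
-metadata:
- description: "User Interface (UI) redress vulnerability (clickjacking) detected."
- remediation_message: |
- ## Description
- Using unsanitized user input to set X-Frame-Options or Content-Security-Policy HTTP headers puts your application at risk for UI redress attacks (clickjacking).
-
- ## Remediations
- ✅ Prefer the most secure values when setting these headers
-
- ```javascript
- res.set('X-Frame-Options', 'DENY')
- res.set('Content-Security-Policy', "frame-ancestors 'none'")
- ```
-
- ✅ Avoid using user input directly to set the headers, or use a safelist to guard against clickjacking
-
- ```javascript
- if (req.query.options === 'same') {
- res.set('X-Frame-Options', 'SAME')
- }
-
- // safelist
- if (['deny', 'sameorigin'].includes(req.query.options.toLowerCase)) {
- res.set('X-Frame-Options', req.query.options)
- }
- ```
-
- ## Resources
- - [OWASP Clickjacking attack explained](https://owasp.org/www-community/attacks/Clickjacking)
- - [OWASP Clickjacking defense cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)
- cwe_id:
- - 1021
- id: "javascript_express_ui_redress"
-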
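--- a/pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization/.snapshots/TestJavascriptExpressUnsafeDeserialization--node_serialize.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization/.snapshots/TestJavascriptExpressUnsafeDeserialization--node_serialize.yml
@@ -1,14 +0,0 @@
-high:
- - rule:
- cwe_ids:
- - "502"
- id: javascript_express_unsafe_deserialization
- description: Deserialization of untrusted data detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_unsafe_deserialization
- line_number: 5
- filename: node_serialize.js
- parent_line_number: 5
- snippet: nodeSerialize.unserialize(userStr)
- fingerprint: d3679cd2207e725d42e98cd097bd1ccb_0
-
-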
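--- a/pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization/.snapshots/TestJavascriptExpressUnsafeDeserialization--ok_safe_deserialization.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization/.snapshots/TestJavascriptExpressUnsafeDeserialization--ok_safe_deserialization.yml
@@ -1,3 +0,0 @@
-{}
-
-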
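--- a/pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization/.snapshots/TestJavascriptExpressUnsafeDeserialization--serialize_error.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization/.snapshots/TestJavascriptExpressUnsafeDeserialization--serialize_error.yml
@@ -1,18 +0,0 @@
-high:
- - rule:
- cwe_ids:
- - "502"
- id: javascript_express_unsafe_deserialization
- description: Deserialization of untrusted data detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_unsafe_deserialization
- line_number: 4
- filename: serialize_error.js
- parent_line_number: 4
- snippet: |-
- deserializeError({
- name: "MyCustomError",
- message: req.params.error
- })
- fingerprint: 6a5dfee75fcbe696dcfb98d2c9f41309_0
-
-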
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization/testdata/node_serialize.js
    1  -var nodeSerialize = require("node-serialize")
    2  - 
    3  -module.exports.unsafeDeserialize = function(req, _res){
    4  - var userStr = new Buffer.from(req.cookies.user, "utf8").toString();
    5  - nodeSerialize.unserialize(userStr)
    6  -}
    7  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization/testdata/ok_safe_deserialization.js
    1  -import deserializeError from 'serialize-error';
    2  -var nodeSerialize = require("node-serialize")
    3  - 
    4  -module.exports.safeDeserialization = function(req, _res) {
    5  - deserializeError({
    6  - name: "MyCustomError",
    7  - message: "Something went wrong"
    8  - })
    9  - 
    10  - nodeSerialize.unserialize({ hello: "world" })
    11  -}
    12  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization/testdata/serialize_error.js
    1  -import deserializeError from 'serialize-error';
    2  - 
    3  -module.exports.deserializedError = function(req, _res) {
    4  - deserializeError({
    5  - name: "MyCustomError",
    6  - message: req.params.error
    7  - })
    8  -}
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization.yml
    1  -patterns:
    2  - - pattern: |
    3  - $<LIB_METHOD>($<USER_INPUT>)
    4  - filters:
    5  - - variable: LIB_METHOD
    6  - values:
    7  - - deserializeError
    8  - - deserialize_error
    9  - - either:
    10  - - variable: USER_INPUT
    11  - detection: javascript_express_insecure_deserialization_request_obj
    12  - - variable: USER_INPUT
    13  - detection: javascript_express_deserialization_buffer
    14  - - pattern: |
    15  - $<LIB>.unserialize($<USER_INPUT>)
    16  - filters:
    17  - - variable: LIB
    18  - values:
    19  - - nodeSerialize
    20  - - node_serialize
    21  - - either:
    22  - - variable: USER_INPUT
    23  - detection: javascript_express_insecure_deserialization_request_obj
    24  - - variable: USER_INPUT
    25  - detection: javascript_express_deserialization_buffer
    26  -auxiliary:
    27  - - id: javascript_express_insecure_deserialization_request_obj
    28  - patterns:
    29  - - pattern: $<DATA>
    30  - filters:
    31  - - variable: DATA
    32  - detection: javascript_express_insecure_deserialization_user_input
    33  - - pattern: const { $<!>$<_> } = $<DATA>
    34  - filters:
    35  - - variable: DATA
    36  - detection: javascript_express_insecure_deserialization_user_input
    37  - - id: javascript_express_insecure_deserialization_user_input
    38  - patterns:
    39  - - req.params
    40  - - req.query
    41  - - req.body
    42  - - req.cookies
    43  - - req.headers
    44  - - id: javascript_express_deserialization_buffer
    45  - patterns:
    46  - - pattern: |
    47  - Buffer.from($<USER_INPUT>).toString()
    48  - filters:
    49  - - variable: USER_INPUT
    50  - detection: javascript_express_insecure_deserialization_request_obj
    51  -languages:
    52  - - javascript
    53  -severity: high
    54  -metadata:
    55  - description: "Deserialization of untrusted data detected."
    56  - remediation_message: |
    57  - ## Description
    58  - It is bad practice to deserialize (unmarshal) untrusted data, such as data direct from the request object.
    59  - Attackers can transfer payloads or malicious code via serialized data, and deserializing such data puts your application at risk.
    60  - 
    61  - ## Remediations
    62  - ❌ Do not deserialize untrusted data
    63  - 
    64  - ✅ Prefer pure (data-only) and language-agnostic (de)serialization formats such as JSON or XML
    65  - 
    66  - Avoiding language-specific (de)serialization formats reduces the risk of attackers manipulating the deserialization process for malicious purposes.
    67  - 
    68  - ```javascript
    69  - JSON.parse(req.params)
    70  - ```
    71  - 
    72  - ## Resources
    73  - - [OWASP Deserialization cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
    74  - cwe_id:
    75  - - 502
    76  - id: "javascript_express_unsafe_deserialization"
    77  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/xml_external_entity_vulnerability/.snapshots/TestJavascriptExpressXXEVulnerability--lib_xml_with_noent_true.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "611"
    5  - id: javascript_express_xxe_vulnerability
    6  - description: XML External Entity vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_xxe_vulnerability
    8  - line_number: 4
    9  - filename: lib_xml_with_noent_true.js
    10  - parent_line_number: 4
    11  - snippet: 'noent: true'
    12  - fingerprint: 8d0aa7266ebfd9ebc5d6eb6c53815a59_0
    13  - 
    14  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/xml_external_entity_vulnerability/.snapshots/TestJavascriptExpressXXEVulnerability--ok_lib_xml_with_noent_false.yml
    1  -{}
    2  - 
    3  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/xml_external_entity_vulnerability/.snapshots/TestJavascriptExpressXXEVulnerability--ok_no_xxe_vuln_present.yml
    1  -{}
    2  - 
    3  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/xml_external_entity_vulnerability/.snapshots/TestJavascriptExpressXXEVulnerability--xxe_vuln_with_node_expat.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "611"
    5  - id: javascript_express_xxe_vulnerability
    6  - description: XML External Entity vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_xxe_vulnerability
    8  - line_number: 6
    9  - filename: xxe_vuln_with_node_expat.js
    10  - parent_line_number: 6
    11  - snippet: parser.parse(req.body.user, false)
    12  - fingerprint: 13432eadcabdd8e7dd0a215e21087ad3_0
    13  - 
    14  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/xml_external_entity_vulnerability/.snapshots/TestJavascriptExpressXXEVulnerability--xxe_vuln_with_xml2js.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "611"
    5  - id: javascript_express_xxe_vulnerability
    6  - description: XML External Entity vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_xxe_vulnerability
    8  - line_number: 5
    9  - filename: xxe_vuln_with_xml2js.js
    10  - parent_line_number: 5
    11  - snippet: parser.parseString(req.body.data, function(_err, _result) {})
    12  - fingerprint: fe8173ede5201eeb7df79a78fa97fd93_0
    13  - 
    14  - 
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/express/xml_external_entity_vulnerability/.snapshots/TestJavascriptExpressXXEVulnerability--xxe_vuln_with_xml2json.yml
    1  -high:
    2  - - rule:
    3  - cwe_ids:
    4  - - "611"
    5  - id: javascript_express_xxe_vulnerability
    6  - description: XML External Entity vulnerability detected.
    7  - documentation_url: https://docs.bearer.com/reference/rules/javascript_express_xxe_vulnerability
    8  - line_number: 4
    9  - filename: xxe_vuln_with_xml2json.js
    10  - parent_line_number: 4
    11  - snippet: 'parser.toXml(req.body, { ignoreNull: true })'
    12  - fingerprint: a5e6d984dd3693cd851072b9e8d19c00_0
    13  - 
    14  - 