Projects STRLCPY bearer Commits ab277176
  • docs(fix): JS rules formatting (#775)

    * fix: fix express rules formatting
    
    * fix: fix js lang rules formatting
  • elsapet committed with GitHub 1 year ago
    ab277176
    1 parent 00bd0ca6
    pkg/commands/process/settings/rules/javascript/express/eval_user_input.yml
    skipped 56 lines
    57 57   
    58 58   ## Remediation
    59 59   ❌ As a general rule, avoid using `eval`.
     60 + 
    60 61   ❌ Avoid using code execution methods with unsanitized user input.
    61 62   
    62 63   Instead, it might be possible to use dynamic hardcoded values:
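Review bot: the lead-in on the last line of this hunk, "it might be possible to use dynamic hardcoded values", reads as a contradiction in terms. The example it introduces compiles fixed, hardcoded source with `vm.compileFunction` and only passes the request values in as arguments, so "compile a hardcoded function and pass the user-supplied values in as arguments" would describe it accurately and make clear why it is safe where `eval` on the input is not.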
    skipped 14 lines
    77 78   let compiledFunction = vm.compileFunction(myFunc);
    78 79   compiledFunction(req.params["pageCount"], req.params["appendixPageCount"])
    79 80   };
     81 + ```
    80 82   
    81 83   ✅ Use JavaScript's strict mode as best practice and to minimize the reach of code execution methods
     84 + 
    82 85   ```javascript
    83 86   "use strict"
    84 87   
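Review bot: the ✅ line "Use JavaScript's strict mode as best practice and to minimize the reach of code execution methods" overstates what strict mode does. Under `"use strict"`, `eval` can no longer introduce variables into the calling scope, but the evaluated string still runs with the full privileges of the process, so strict mode is hardening, not a mitigation for executing unsanitized input; rewording to "to limit the scope that `eval` can modify" keeps the advice accurate. The closing ``` added after `};` is a real fix: without it the ✅ section was rendered inside the preceding code block.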
    skipped 12 lines
    pkg/commands/process/settings/rules/javascript/express/external_resource.yml
    skipped 29 lines
    30 30   ❌ Avoid passing user or request input to res.render() or require().
    31 31   
    32 32   ✅ Sanitize the input or use a safelist
     33 + 
    33 34   Where it is unavoidable to rely on user input, sanitize the input or use a safelist to keep the rendered resources within the expected scope.
    34 35   
    35 36   ```javascript
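Review bot: the ✅ line and the sentence after it repeat each other ("Sanitize the input or use a safelist" / "sanitize the input or use a safelist to keep the rendered resources within the expected scope"). Keep the short ✅ line as the heading and let the sentence carry the condition only, e.g. "Where user input cannot be avoided, restrict it to a safelist of known template or module names so the rendered resources stay within the expected scope." Note also that "safelist" here is spelled "safe-list" in insecure_allow_origin.yml and "safe list" in insecure_template_rendering.yml in this same commit; these strings are shown to users verbatim, so one spelling should be picked.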
    skipped 9 lines
    pkg/commands/process/settings/rules/javascript/express/insecure_allow_origin.yml
    skipped 42 lines
    43 43   
    44 44   ## Remediations
    45 45   ❌ Avoid defining origins with user input wherever possible.
     46 + 
    46 47   ✅ If unavoidable, be sure to verify the input or to use a safe-list.
    47 48   
    48 49   ## Resources
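Review bot: "safe-list" on the ✅ line is spelled differently from the sibling rules in this commit ("safelist" in external_resource.yml, "safe list" in insecure_template_rendering.yml). The advice would also be more useful if it said what the comparison is: the incoming `Origin` header must match a list entry exactly (scheme, host and port) before it is echoed back in `Access-Control-Allow-Origin`; prefix or substring matches are a well-known bypass, so "verify the input" on its own is too loose.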
    skipped 5 lines
    pkg/commands/process/settings/rules/javascript/express/insecure_cookie.yml
    skipped 29 lines
    30 30   
    31 31   ## Remediations
    32 32   ✅ Set cookie security values to use HTTP(S) instead of client-side javascript.
     33 + 
    33 34   ✅ Set `secure` values to `true` to force cookies to only send over HTTPS.
    34 35   
    35 36   ## Resources
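Review bot: "Set cookie security values to use HTTP(S) instead of client-side javascript" does not name the option it means; say `httpOnly: true` (which stops `document.cookie` from reading the cookie) and capitalize "JavaScript". On the second ✅ line, "to force cookies to only send over HTTPS" should read "so the cookie is sent only over HTTPS". Since both lines are ✅ items for the same cookie options object, it is worth stating that `httpOnly` and `secure` should be set together.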
    skipped 6 lines
    pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering.yml
    skipped 89 lines
    90 90   
    91 91   ## Remediations
    92 92   ✅ Always validate external data (for example, with a safe list) before rendering it in a template.
     93 + 
    93 94   ✅ Sanitize external data before rendering it in a template to remove special characters that could introduce an injection attack.
    94 95   
    95 96   ## Resources
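Review bot: the second ✅ line recommends sanitizing data "to remove special characters", but for template injection the reliable fix is escaping at render time (leaving the engine's auto-escaping on and never building the template source from request data); stripping characters is lossy and easy to get wrong. Suggest "Escape external data when rendering it, and never construct the template itself from external data." The "safe list" spelling on the first ✅ line also differs from "safelist" / "safe-list" used in the other rules touched by this commit.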
    skipped 5 lines
    pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint.yml
    skipped 28 lines
    29 29   remediation_message: |
    30 30   ## Description
    31 31   
    32  - It can help to provide an extra layer of security to reduce server fingerprinting. Though not a security issue itself, a method to improve the overall posture of a web server is to take measures to reduce the ability to fingerprint the software being used on the server. Server software can be fingerprinted by kwirks in how they respond to specific requests.
     32 + It can help to provide an extra layer of security to reduce server fingerprinting. Though not a security issue itself, a method to improve the overall posture of a web server is to take measures to reduce the ability to fingerprint the software being used on the server. Server software can be fingerprinted by quirks in how they respond to specific requests.
     33 + 
    33 34   By default, Express.js sends the X-Powered-By response header banner. This can be disabled using the app.disable() method:
    34 35   
    35 36   ```
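Review bot: the replacement line fixes "kwirks" but keeps two other problems. The opening sentence ("It can help to provide an extra layer of security to reduce server fingerprinting") has no referent for "It" and restates the sentence that follows, and "Server software can be fingerprinted by quirks in how they respond" mixes singular and plural. Suggest collapsing to: "Reducing the ability to fingerprint the software running on a server is not a fix for any vulnerability, but it improves overall posture; server software can be fingerprinted by quirks in how it responds to specific requests." The blank line added before the "By default, Express.js ..." paragraph is correct, since that paragraph introduces the code block.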
    skipped 10 lines
    pkg/commands/process/settings/rules/javascript/express/sql_injection.yml
    skipped 93 lines
    94 94   ## Remediations
    95 95   
    96 96   ❌ Avoid raw queries, especially those that contain unsanitized user input
     97 + 
    97 98   ```javascript
    98 99   var sqlite = new Sequelize("sqlite::memory:");
    99 100   sqlite.query("SELECT * FROM users WHERE ID = " + req.params.userId);
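Review bot: the ❌ example names its Sequelize instance `sqlite`, which reads as if a sqlite driver were being called directly; `sequelize` matches the library's own documentation and leaves the string concatenation (`" + req.params.userId`) as the only thing in the snippet that stands out. The blank line added after the ❌ line is needed for the fence to render as a block rather than run on from the bullet.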
    skipped 32 lines
    pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization.yml
    skipped 50 lines
    51 51   
    52 52   ## Remediations
    53 53   ❌ Do not deserialize untrusted data
     54 + 
    54 55   ✅ Prefer pure (data-only) and language-agnostic (de)serialization formats such as JSON or XML
     56 + 
    55 57   Avoiding language-specific (de)serialization formats reduces the risk of attackers manipulating the deserialization process for malicious purposes.
    56 58   
    57 59   ```javascript
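Review bot: recommending XML next to JSON as a "pure (data-only)" format needs a caveat. XML parsers bring their own input-handling risks (external entity expansion and DTD processing), so the line should either say to parse XML with entities and DTDs disabled or simply prefer JSON; `JSON.parse` has no such surface, which is the point the ✅ line is making.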
    skipped 9 lines
    pkg/commands/process/settings/rules/javascript/lang/jwt_hardcoded_secret.yml
    skipped 28 lines
    29 29   
    30 30   ## Remediations
    31 31   
    32  - Use environment variables
     32 + Use environment variables
    33 33   
    34  - ```javascript
    35  - var jwt = require("jsonwebtoken");
     34 + ```javascript
     35 + var jwt = require("jsonwebtoken");
    36 36   
    37  - var token = jwt.sign({ foo: "bar" }, process.env.JWT_SECRET);
    38  - ```
     37 + var token = jwt.sign({ foo: "bar" }, process.env.JWT_SECRET);
     38 + ```
    39 39   
    40 40   ## Resources
    41 41   - [OWASP hardcoded passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
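Review bot: the removed and added lines in this hunk are identical apart from whitespace, so the change inside the YAML block scalar should be checked for indentation or trailing-space edits that alter how `remediation_message` renders. On the content: `jwt.sign({ foo: "bar" }, process.env.JWT_SECRET)` throws when `JWT_SECRET` is unset, because jsonwebtoken rejects an empty secret, so "Use environment variables" should add that the variable must be present and non-empty at startup rather than letting an undefined secret surface on the first sign; mentioning a secrets manager as the stronger option would also fit here.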
    skipped 6 lines
    pkg/commands/process/settings/rules/javascript/lang/logger.yml
    skipped 85 lines
    86 86   logger.info(`User is: ${user.uuid}`)
    87 87   ```
    88 88   ## Resources
    89  - - [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
    90  - 
     89 + - [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
    91 90   cwe_id:
    92 91   - 1295
    93 92   - 532
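Review bot: dropping the trailing blank line before `cwe_id:` is harmless, since the `|` block scalar clips trailing newlines anyway, but the `## Resources` heading on the line after the closing ``` still has no blank line before it, unlike the other rules in this commit (insecure_allow_origin.yml, insecure_cookie.yml), which is exactly the Markdown rendering issue this commit fixes elsewhere.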
    skipped 2 lines
    pkg/commands/process/settings/rules/javascript/lang/session.yml
    skipped 25 lines
    26 26   localStorage.setItem('user', email)
    27 27   ```
    28 28   
    29  - ✅ Instead, use a unique identifier:
     29 + ✅ Instead, use a unique identifier:
    30 30   
    31 31   ```javascript
    32 32   localStorage.setItem('user', user.uuid)
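Review bot: as in jwt_hardcoded_secret.yml, the replaced ✅ line is identical to the original apart from whitespace, so confirm the indentation change is intentional. The advice itself could be tighter: `localStorage` is readable by any script running on the origin, so the identifier stored there must be non-sensitive and must not double as a credential or session token; "use a unique, non-sensitive identifier" would say that.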
    skipped 8 lines