commit
9c5be87266
|
@ -0,0 +1,22 @@
|
|||
id: admzip-path-overwrite
|
||||
|
||||
info:
|
||||
name: Admzip Path Overwrite
|
||||
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
|
||||
severity: info
|
||||
description: Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.
|
||||
tags: file,nodejs,admzip
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "require\\\\('adm-zip'\\\\)"
|
||||
- "\\.forEach\\(function .*\\(.*, \\.\\*\\) \\{"
|
||||
- "\\.createWriteStream\\(.*\\) \\}, \\.\\*\\)"
|
||||
- "\\.writeFile\\(.*\\)"
|
||||
- "\\.writeFileSync\\(.*\\) \\}, \\.\\*\\)"
|
||||
condition: or
|
|
@ -0,0 +1,20 @@
|
|||
id: express-lfr
|
||||
|
||||
info:
|
||||
name: Express LFR
|
||||
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
|
||||
severity: info
|
||||
description: Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used.
|
||||
tags: file,nodejs,express,lfr
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+? [\\w\\W]+? >\\)"
|
||||
- "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+?\\.\\$[\\w\\W]+? [\\w\\W]+? >\\)"
|
||||
- "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+? [\\w\\W]+? >\\)"
|
||||
condition: or
|
|
@ -0,0 +1,21 @@
|
|||
id: generic-path-traversal
|
||||
|
||||
info:
|
||||
name: Generic Path Traversal
|
||||
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
|
||||
severity: info
|
||||
description: Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.
|
||||
tags: file,nodejs
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "[^\\.]*\\.createReadStream\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
|
||||
- "[^\\.]*\\.readFile\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
|
||||
- "[^\\.]*\\.readFileSync\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
|
||||
- "[^\\.]*\\.readFileAsync\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
|
||||
condition: or
|
|
@ -0,0 +1,21 @@
|
|||
id: tar-path-overwrite
|
||||
|
||||
info:
|
||||
name: Tar Path Overwrite
|
||||
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
|
||||
severity: info
|
||||
description: Insecure TAR archive extraction can result in arbitrary path over write and can result in code injection.
|
||||
tags: file,nodejs
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "require\\('tar-stream'\\)"
|
||||
- "[\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\, [\\w\\W]*?\\)"
|
||||
- "[\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\, [\\w\\W]*?\\)"
|
||||
- "[\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\, [\\w\\W]*?\\)"
|
||||
condition: or
|
|
@ -0,0 +1,17 @@
|
|||
id: xss-disable-mustache-escape
|
||||
|
||||
info:
|
||||
name: XSS Disable Mustache Escape
|
||||
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
|
||||
severity: info
|
||||
description: Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
|
||||
tags: file,nodejs,mustache,xss
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "[\\w\\W]+?\\.escapeMarkup = false"
|
|
@ -0,0 +1,26 @@
|
|||
id: xss-serialize-javascript
|
||||
|
||||
info:
|
||||
name: XSS Serialize Javascript
|
||||
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
|
||||
severity: info
|
||||
description: Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
|
||||
tags: file,nodejs,serialize,xss
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "require\\('serialize-javascript'\\)"
|
||||
- "\\$S\\(\\.\\*?, \\{unsafe: true\\}\\)"
|
||||
condition: or
|
||||
|
||||
- type: regex
|
||||
negative: true
|
||||
regex:
|
||||
- "escape\\(.*?\\)"
|
||||
- "encodeURI\\(.*?\\)"
|
||||
condition: or
|
|
@ -0,0 +1,28 @@
|
|||
id: zip-path-overwrite
|
||||
|
||||
info:
|
||||
name: Zip Path Overwrite
|
||||
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
|
||||
severity: info
|
||||
description: Insecure ZIP archive extraction can result in arbitrary path overwrite and can result in code injection.
|
||||
tags: file,nodejs
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "require\\('unzip'\\)"
|
||||
- "require\\('unzipper'\\)"
|
||||
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.Parse\\([\\w\\W]*?\\)\\)\\.on\\('entry', function [\\w\\W]*?\\([\\w\\W]*?\\) \\{"
|
||||
- "[\\w\\W]+? = [\\w\\W]+?\\.indexOf\\([\\w\\W]*?\\)"
|
||||
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\)\\)"
|
||||
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\)\\)"
|
||||
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\)\\)"
|
||||
- "[\\w\\W]+?\\.Parse\\([\\w\\W]*?\\)\\.on\\('entry', function [\\w\\W]*?\\([\\w\\W]*?\\) \\{"
|
||||
- "[\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\)"
|
||||
- "[\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\)"
|
||||
- "[\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\)"
|
||||
condition: or
|
Loading…
Reference in New Issue