Merge pull request #6413 from projectdiscovery/nodejs-file-audit

Nodejs File templates
patch-1
Prince Chaddha 2023-06-28 10:59:53 +05:30 committed by GitHub
commit 9c5be87266
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 155 additions and 0 deletions

View File

@ -0,0 +1,22 @@
id: admzip-path-overwrite
info:
name: Admzip Path Overwrite
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
severity: info
description: Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.
tags: file,nodejs,admzip
file:
- extensions:
- all
matchers:
- type: regex
regex:
- "require\\\\('adm-zip'\\\\)"
- "\\.forEach\\(function .*\\(.*, \\.\\*\\) \\{"
- "\\.createWriteStream\\(.*\\) \\}, \\.\\*\\)"
- "\\.writeFile\\(.*\\)"
- "\\.writeFileSync\\(.*\\) \\}, \\.\\*\\)"
condition: or

View File

@ -0,0 +1,20 @@
id: express-lfr
info:
name: Express LFR
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
severity: info
description: Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used.
tags: file,nodejs,express,lfr
file:
- extensions:
- all
matchers:
- type: regex
regex:
- "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+? [\\w\\W]+? >\\)"
- "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+?\\.\\$[\\w\\W]+? [\\w\\W]+? >\\)"
- "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+? [\\w\\W]+? >\\)"
condition: or

View File

@ -0,0 +1,21 @@
id: generic-path-traversal
info:
name: Generic Path Traversal
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
severity: info
description: Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.
tags: file,nodejs
file:
- extensions:
- all
matchers:
- type: regex
regex:
- "[^\\.]*\\.createReadStream\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
- "[^\\.]*\\.readFile\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
- "[^\\.]*\\.readFileSync\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
- "[^\\.]*\\.readFileAsync\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
condition: or

View File

@ -0,0 +1,21 @@
id: tar-path-overwrite
info:
name: Tar Path Overwrite
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
severity: info
description: Insecure TAR archive extraction can result in arbitrary path over write and can result in code injection.
tags: file,nodejs
file:
- extensions:
- all
matchers:
- type: regex
regex:
- "require\\('tar-stream'\\)"
- "[\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\, [\\w\\W]*?\\)"
- "[\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\, [\\w\\W]*?\\)"
- "[\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\, [\\w\\W]*?\\)"
condition: or

View File

@ -0,0 +1,17 @@
id: xss-disable-mustache-escape
info:
name: XSS Disable Mustache Escape
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
severity: info
description: Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
tags: file,nodejs,mustache,xss
file:
- extensions:
- all
matchers:
- type: regex
regex:
- "[\\w\\W]+?\\.escapeMarkup = false"

View File

@ -0,0 +1,26 @@
id: xss-serialize-javascript
info:
name: XSS Serialize Javascript
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
severity: info
description: Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
tags: file,nodejs,serialize,xss
file:
- extensions:
- all
matchers:
- type: regex
regex:
- "require\\('serialize-javascript'\\)"
- "\\$S\\(\\.\\*?, \\{unsafe: true\\}\\)"
condition: or
- type: regex
negative: true
regex:
- "escape\\(.*?\\)"
- "encodeURI\\(.*?\\)"
condition: or

View File

@ -0,0 +1,28 @@
id: zip-path-overwrite
info:
name: Zip Path Overwrite
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
severity: info
description: Insecure ZIP archive extraction can result in arbitrary path overwrite and can result in code injection.
tags: file,nodejs
file:
- extensions:
- all
matchers:
- type: regex
regex:
- "require\\('unzip'\\)"
- "require\\('unzipper'\\)"
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.Parse\\([\\w\\W]*?\\)\\)\\.on\\('entry', function [\\w\\W]*?\\([\\w\\W]*?\\) \\{"
- "[\\w\\W]+? = [\\w\\W]+?\\.indexOf\\([\\w\\W]*?\\)"
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\)\\)"
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\)\\)"
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\)\\)"
- "[\\w\\W]+?\\.Parse\\([\\w\\W]*?\\)\\.on\\('entry', function [\\w\\W]*?\\([\\w\\W]*?\\) \\{"
- "[\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\)"
- "[\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\)"
- "[\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\)"
condition: or