From d4c537af20f857b9c9b082ee3c471d7a31acc110 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 16:24:01 +0530 Subject: [PATCH 01/22] Create zip-path-overwrite.yaml --- file/nodejs/zip-path-overwrite.yaml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 file/nodejs/zip-path-overwrite.yaml diff --git a/file/nodejs/zip-path-overwrite.yaml b/file/nodejs/zip-path-overwrite.yaml new file mode 100644 index 0000000000..341deb715d --- /dev/null +++ b/file/nodejs/zip-path-overwrite.yaml @@ -0,0 +1,28 @@ +id: zip-path-overwrite + +info: + name: Zip Path Overwrite + author: me_dheeraj (https://twitter.com/Dheerajmadhukar) + severity: info + description: Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection. + tags: file,nodejs + +file: + - extensions: + - all + + extractors: + - type: regex + regex: + - "\\$X = require\\('unzip'\\)" + - "\\$X = require\\('unzipper'\\)" + - "\\$Y\\.pipe\\(\\$UNZIP\\.Parse\\(...\\)\\)\\.on\\('entry', function $FUNC\\(...\\) {" + - "\\$X = \\$FILENAME\\.indexOf\\(...\\)" + - "\\$FUNC\\.pipe\\(\\$FS\\.createWriteStream\\(\\$FIL, ...\\)\\)" + - "\\$FUNC\\.pipe\\(\\$FS\\.writeFile\\(\\$FIL, ...\\)\\)" + - "\\$FUNC\\.pipe\\(\\$FS\\.writeFileSync\\(\\$FIL, ...\\)\\)" + - "\\$UNZIP\\.Parse\\(...\\)\\.on\\('entry', function \\$FUNC\\(\\$ENTRY\\) {" + - "\\$FS\\.createWriteStream\\(\\$FIL, ...\\)" + - "\\$FS\\.writeFile\\(\\$FIL, ...\\)" + - "\\$FS\\.writeFileSync\\(\\$FIL, ...\\)" + condition: or From 2328a044b22331c2757e3014d6236bda32a2d1d4 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 16:27:14 +0530 Subject: [PATCH 02/22] fixed-indent --- file/nodejs/zip-path-overwrite.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/file/nodejs/zip-path-overwrite.yaml b/file/nodejs/zip-path-overwrite.yaml index 341deb715d..1ac8f4e113 100644 --- a/file/nodejs/zip-path-overwrite.yaml 
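Review bot: The regex list in this new matcher is a Semgrep pattern set with its metavariable sigils escaped, so `\\$X = require\\('unzip'\\)` only matches the literal text `$X = require('unzip')` and never a real `const unzip = require('unzip')`; the third entry leaves `$FUNC` unescaped, which makes `$` an end-of-input anchor in the middle of the expression, so that entry cannot match anything. The same translation problem is in the files created by patches 03, 04, 05, 06, 07, 08 and 09 (patch 08 additionally has `$INP`, `$RES` and `$REQ` unescaped), and `extractors:` here should be `matchers:` as patches 10–12 later correct. Replace the sigils and `...` wildcards with token classes, e.g. `- "require\\('unzip(?:per)?'\\)"` for the import and `- "\\.pipe\\(\\s*\\w+\\.(?:createWriteStream|writeFile|writeFileSync)\\("` for the sink, so the patterns describe real JavaScript rather than Semgrep syntax. Patches 13–21 rework these files; the points that remain after that rework are raised on those hunks.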
+++ b/file/nodejs/zip-path-overwrite.yaml @@ -14,15 +14,15 @@ file: extractors: - type: regex regex: - - "\\$X = require\\('unzip'\\)" - - "\\$X = require\\('unzipper'\\)" - - "\\$Y\\.pipe\\(\\$UNZIP\\.Parse\\(...\\)\\)\\.on\\('entry', function $FUNC\\(...\\) {" - - "\\$X = \\$FILENAME\\.indexOf\\(...\\)" - - "\\$FUNC\\.pipe\\(\\$FS\\.createWriteStream\\(\\$FIL, ...\\)\\)" - - "\\$FUNC\\.pipe\\(\\$FS\\.writeFile\\(\\$FIL, ...\\)\\)" - - "\\$FUNC\\.pipe\\(\\$FS\\.writeFileSync\\(\\$FIL, ...\\)\\)" - - "\\$UNZIP\\.Parse\\(...\\)\\.on\\('entry', function \\$FUNC\\(\\$ENTRY\\) {" - - "\\$FS\\.createWriteStream\\(\\$FIL, ...\\)" - - "\\$FS\\.writeFile\\(\\$FIL, ...\\)" - - "\\$FS\\.writeFileSync\\(\\$FIL, ...\\)" + - "\\$X = require\\('unzip'\\)" + - "\\$X = require\\('unzipper'\\)" + - "\\$Y\\.pipe\\(\\$UNZIP\\.Parse\\(...\\)\\)\\.on\\('entry', function $FUNC\\(...\\) {" + - "\\$X = \\$FILENAME\\.indexOf\\(...\\)" + - "\\$FUNC\\.pipe\\(\\$FS\\.createWriteStream\\(\\$FIL, ...\\)\\)" + - "\\$FUNC\\.pipe\\(\\$FS\\.writeFile\\(\\$FIL, ...\\)\\)" + - "\\$FUNC\\.pipe\\(\\$FS\\.writeFileSync\\(\\$FIL, ...\\)\\)" + - "\\$UNZIP\\.Parse\\(...\\)\\.on\\('entry', function \\$FUNC\\(\\$ENTRY\\) {" + - "\\$FS\\.createWriteStream\\(\\$FIL, ...\\)" + - "\\$FS\\.writeFile\\(\\$FIL, ...\\)" + - "\\$FS\\.writeFileSync\\(\\$FIL, ...\\)" condition: or From a3be11f92d1f445418f0298c2a913624d7e3e599 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 16:27:38 +0530 Subject: [PATCH 03/22] Create tar-path-overwrite.yaml --- file/nodejs/tar-path-overwrite.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 file/nodejs/tar-path-overwrite.yaml diff --git a/file/nodejs/tar-path-overwrite.yaml b/file/nodejs/tar-path-overwrite.yaml new file mode 100644 index 0000000000..396971e8df --- /dev/null +++ b/file/nodejs/tar-path-overwrite.yaml 
@@ -0,0 +1,22 @@ +id: tar-path-overwrite + +info: + name: Tar Path Overwrite + author: me_dheeraj (https://twitter.com/Dheerajmadhukar) + severity: info + description: Insecure TAR archive extraction can result in arbitrary path over write and can result in code injection. + tags: file,nodejs + +file: + - extensions: + - all + + extractors: + - type: regex + regex: + - "\\$X = require\\('tar-stream'\\)" + - "\\$EXTRACT\\.on\\('entry', function \\$FUNC\\(...\\) {" + - "\\$FS\\.createWriteStream\\(\\$FIL, ...\\)" + - "\\$FS\\.writeFile\\(\\$FIL, ...\\)" + - "\\$FS\\.writeFileSync\\(\\$FIL, ...\\)" + condition: or From 206e6730b26e11c831051420801d4723532e0478 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 16:29:18 +0530 Subject: [PATCH 04/22] Create generic-path-traversal.yaml --- file/nodejs/generic-path-traversal.yaml | 39 +++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 file/nodejs/generic-path-traversal.yaml diff --git a/file/nodejs/generic-path-traversal.yaml b/file/nodejs/generic-path-traversal.yaml new file mode 100644 index 0000000000..a7370b2487 --- /dev/null +++ b/file/nodejs/generic-path-traversal.yaml 
@@ -0,0 +1,39 @@ +id: generic-path-traversal + +info: + name: Generic Path Traversal + author: me_dheeraj (https://twitter.com/Dheerajmadhukar) + severity: info + description: Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks. + tags: file,nodejs + +file: + - extensions: + - all + + extractors: + - type: regex + regex: + - "function \\(\\$REQ, \\$RES, ...\\) {...}" + - "function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}" + - "\\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}" + - "var \\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...};" + - "\\$APP.\\$METHOD\\(..., function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}\\)" + - "\\$X\\.createReadStream\\(..., <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>, ...\\)" + - "\\$X\\.createReadStream\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)" + - "\\$X\\.readFile\\(..., <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>, ...\\)" + - "\\$X\\.readFile\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)" + - "\\$X\\.readFileSync\\(..., <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>, ...\\)" + - "\\$X\\.readFileSync\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)" + - "\\$X\\.readFileAsync\\(..., <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>, ...\\)" + - "\\$X\\.readFileAsync\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)" + - "\\$INP = <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>\\;" + - "\\$X\\.createReadStream\\(..., <... \\$INP ...>, ...\\)" + - "\\$INP = <... \\$REQ\\.\\$QUERY ...>\\;" + - "\\$X\\.readFile\\(..., <... \\$INP ...>, ...\\)" + - "\\$X\\.readFileSync\\(..., <... \\$INP ...>, ...\\)" + - "\\$Y = \\$REQ\\.\\$QUERY\\.\\$VAR\\;" + - "\\$INP = <... \\$Y ...>\\;" + - "\\$Y = \\$REQ\\.\\$QUERY\\;" + - "\\$X\\.readFileAsync\\(..., <... \\$INP ...>, ...\\)" + condition: or From df72420cb0f2213df05919458d6f1d6f2e450d0a Mon Sep 17 00:00:00 2001 
From: Prince Chaddha Date: Thu, 22 Dec 2022 16:33:46 +0530 Subject: [PATCH 05/22] Create xss-serialize-javascript.yaml --- file/nodejs/xss-serialize-javascript.yaml | 26 +++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 file/nodejs/xss-serialize-javascript.yaml diff --git a/file/nodejs/xss-serialize-javascript.yaml b/file/nodejs/xss-serialize-javascript.yaml new file mode 100644 index 0000000000..c6944bb728 --- /dev/null +++ b/file/nodejs/xss-serialize-javascript.yaml @@ -0,0 +1,26 @@ +id: xss-serialize-javascript + +info: + name: XSS Serialize Javascript + author: me_dheeraj (https://twitter.com/Dheerajmadhukar) + severity: info + description: Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS). + tags: file,nodejs,serialize,xss + +file: + - extensions: + - all + + matchers: + - type: regex + regex: + - "\\$S = require\\('serialize-javascript'\\)" + - "\\$S\\(..., {unsafe: true}\\)" + condition: or + + - type: regex + negative: true + regex: + - "escape\\(...\\)" + - "encodeURI\\(...\\)" + condition: or From 419aebda71ca044b6190d11d1fbe3ec16a9501bf Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 16:35:54 +0530 Subject: [PATCH 06/22] Create express-xss.yaml --- file/nodejs/express-xss.yaml | 48 ++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 file/nodejs/express-xss.yaml diff --git a/file/nodejs/express-xss.yaml b/file/nodejs/express-xss.yaml new file mode 100644 index 0000000000..7b184935d9 --- /dev/null +++ b/file/nodejs/express-xss.yaml 
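Review bot: The second matcher (`negative: true`) is not joined to the first by a `matchers-condition`, and nuclei's default between matchers is OR, so any file that merely lacks `escape(...)`/`encodeURI(...)` satisfies the negative matcher by itself and is reported whether or not it touches serialize-javascript. Add `matchers-condition: and` as a sibling of `matchers:` so the negative matcher only suppresses findings from the positive one. Patches 15 and 21 rewrite the regexes in this file but keep this layout, so the issue survives them.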
@@ -0,0 +1,48 @@ +id: express-xss + +info: + name: Express XSS + author: me_dheeraj (https://twitter.com/Dheerajmadhukar) + severity: info + description: Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability. + tags: file,nodejs,express,xss + +file: + - extensions: + - all + + matchers: + - type: regex + regex: + - "function \\($REQ, $RES, ...\\) {...}" + - "function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}" + - "\\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}" + - "var \\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}\\;" + - "\\$APP\\.\\$METHOD\\(..., function \\$FUNC\\(\\$REQ, \\$RES, ...\\)" + - "\\$RES\\.write\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)" + - "\\$RES\\.write\\(..., <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>, ...\\)" + - "\\$RES\\.send\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)" + - "\\$RES\\.send\\(..., <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>, ...\\)" + - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;" + - "\\$RES\\.write\\(..., <... $LOCALVAR ...>, ...\\)" + - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>\\;" + - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;" + - "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>\\;" + - "\\$RES\\.write\\(..., <... \\$LOCALVAR ...>, ...\\)" + - "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>\\;" + - "\\$RES\\.send\\(..., <... \\$LOCALVAR ...>, ...\\)" + - "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY ...>\\;" + - "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY ...>}\\;" + - "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>}\\;" + - "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>}\\;" + - "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY ...>}\\;" + - "\\$LOCALVAR\\.push\\(<... \\$REQ\\.\\$QUERY ...>\\)" + - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;" + - "\\$ARR\\.push\\(<... \\$LOCALVAR ...>\\)" + - "\\$RES\\.write\\(..., <... \\$ARR ...>, ...\\)" + - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;" + - "\\$RES\\.send\\(..., <... 
\\$ARR ...>, ...\\)" + - "\\$RES\\.write\\(..., <... \\$OUT ...>, ...\\)" + - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>\\;" + - "\\$OUT = <... \\$LOCALVAR ...>\\;" + condition: or From cd2bc9219126e1626eeefceb25b424fd74f1087e Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 16:55:24 +0530 Subject: [PATCH 07/22] Create admzip-path-overwrite.yaml --- file/nodejs/admzip-path-overwrite.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 file/nodejs/admzip-path-overwrite.yaml diff --git a/file/nodejs/admzip-path-overwrite.yaml b/file/nodejs/admzip-path-overwrite.yaml new file mode 100644 index 0000000000..a432a9d681 --- /dev/null +++ b/file/nodejs/admzip-path-overwrite.yaml @@ -0,0 +1,22 @@ +id: admzip-path-overwrite + +info: + name: Admzip Path Overwrite + author: me_dheeraj (https://twitter.com/Dheerajmadhukar) + severity: info + description: Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection. + tags: file,nodejs,admzip + +file: + - extensions: + - all + + matchers: + - type: regex + regex: + - "\\$X = require\\('adm-zip'\\)" + - "\\$ZIPENTZ\\.forEach\\(function \\$FUNC\\(\\$ENTRY, ...\\) {" + - "\\$FS\\.createWriteStream\\(...\\) }, ...\\)" + - "\\$FS\\.writeFile\\(...\\)" + - "\\$FS\\.writeFileSync\\(...\\) }, ...\\)" + condition: or From d58633485a9d84f284aeb27bb9ab9bb36c52c67e Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 16:56:45 +0530 Subject: [PATCH 08/22] Create express-lfr.yaml --- file/nodejs/express-lfr.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 file/nodejs/express-lfr.yaml diff --git a/file/nodejs/express-lfr.yaml b/file/nodejs/express-lfr.yaml new file mode 100644 index 0000000000..47125c5149 --- /dev/null +++ b/file/nodejs/express-lfr.yaml 
@@ -0,0 +1,21 @@ +id: express-lfr + +info: + name: Express LFR + author: me_dheeraj (https://twitter.com/Dheerajmadhukar) + severity: info + description: Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used. + tags: file,nodejs,express,lfr + +file: + - extensions: + - all + + matchers: + - type: regex + regex: + - "$INP = <... \\$REQ\\.\\$QUERY ...>\\;" + - "$RES\\.render\\(\\$VIEW, <... \\$INP ...>\\)" + - "$RES.render\\($VIEW, <... $REQ.$QUERY.$FOO ...>\\)" + - "$RES\\.render\\(\\$VIEW, <... \\$REQ\\.\\$BODY ...>\\)" + condition: or From 32b78b7c25a45d2fb5b69eed4cb499a9168ed4c1 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 17:00:56 +0530 Subject: [PATCH 09/22] Create xss-disable-mustache-escape.YAML --- file/nodejs/xss-disable-mustache-escape.YAML | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 file/nodejs/xss-disable-mustache-escape.YAML diff --git a/file/nodejs/xss-disable-mustache-escape.YAML b/file/nodejs/xss-disable-mustache-escape.YAML new file mode 100644 index 0000000000..6a10401311 --- /dev/null +++ b/file/nodejs/xss-disable-mustache-escape.YAML @@ -0,0 +1,17 @@ +id: xss-disable-mustache-escape + +info: + name: XSS Disable Mustache Escape + author: me_dheeraj (https://twitter.com/Dheerajmadhukar) + severity: info + description: Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks. + tags: file,nodejs,mustache,xss + +file: + - extensions: + - all + + matchers: + - type: regex + regex: + - "\\$OBJ\\.escapeMarkup = false" From 9c3428cc5c625d3534f3498773022901dcbba867 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 17:06:43 +0530 Subject: [PATCH 10/22] updated extractor to matcher --- file/nodejs/generic-path-traversal.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
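Review bot: The new file is named `xss-disable-mustache-escape.YAML` with an upper-case extension; nuclei's template loader selects files by a `.yaml`/`.yml` suffix and, as far as I can tell, compares it case-sensitively, so this template may be skipped silently rather than fail loudly. Rename it to `xss-disable-mustache-escape.yaml` (patch 14 keeps the upper-case name). Its single regex `\\$OBJ\\.escapeMarkup = false` also requires the literal text `$OBJ`, so until patch 14 it matches nothing.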
diff --git a/file/nodejs/generic-path-traversal.yaml b/file/nodejs/generic-path-traversal.yaml index a7370b2487..348692ab43 100644 --- a/file/nodejs/generic-path-traversal.yaml +++ b/file/nodejs/generic-path-traversal.yaml @@ -11,7 +11,7 @@ file: - extensions: - all - extractors: + matchers: - type: regex regex: - "function \\(\\$REQ, \\$RES, ...\\) {...}" From db956401fc2b92c8e4afded2aa29b24a7f649aa4 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 17:07:04 +0530 Subject: [PATCH 11/22] updated extractor to matcher --- file/nodejs/zip-path-overwrite.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/file/nodejs/zip-path-overwrite.yaml b/file/nodejs/zip-path-overwrite.yaml index 1ac8f4e113..af09e76002 100644 --- a/file/nodejs/zip-path-overwrite.yaml +++ b/file/nodejs/zip-path-overwrite.yaml @@ -11,7 +11,7 @@ file: - extensions: - all - extractors: + matchers: - type: regex regex: - "\\$X = require\\('unzip'\\)" From 6f0d8062fec400881a3d05a676e72816987664fb Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 22 Dec 2022 17:07:08 +0530 Subject: [PATCH 12/22] updated extractor to matcher --- file/nodejs/tar-path-overwrite.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/file/nodejs/tar-path-overwrite.yaml b/file/nodejs/tar-path-overwrite.yaml index 396971e8df..6d4d2f1f67 100644 --- a/file/nodejs/tar-path-overwrite.yaml +++ b/file/nodejs/tar-path-overwrite.yaml @@ -11,7 +11,7 @@ file: - extensions: - all - extractors: + matchers: - type: regex regex: - "\\$X = require\\('tar-stream'\\)" From 7246b17ecddecf03343c012dd9d5ee90c23531be Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 28 Jun 2023 10:36:23 +0530 Subject: [PATCH 13/22] Update zip-path-overwrite.yaml --- file/nodejs/zip-path-overwrite.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
diff --git a/file/nodejs/zip-path-overwrite.yaml b/file/nodejs/zip-path-overwrite.yaml
index af09e76002..6feb0c66d4 100644
--- a/file/nodejs/zip-path-overwrite.yaml
+++ b/file/nodejs/zip-path-overwrite.yaml
@@ -4,7 +4,7 @@ info:
 name: Zip Path Overwrite
 author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
 severity: info
- description: Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
+ description: Insecure ZIP archive extraction can result in arbitrary path overwrite and can result in code injection.
 tags: file,nodejs
 
 file:
@@ -14,15 +14,15 @@ file:
 matchers:
 - type: regex
 regex:
- - "\\$X = require\\('unzip'\\)"
- - "\\$X = require\\('unzipper'\\)"
- - "\\$Y\\.pipe\\(\\$UNZIP\\.Parse\\(...\\)\\)\\.on\\('entry', function $FUNC\\(...\\) {"
- - "\\$X = \\$FILENAME\\.indexOf\\(...\\)"
- - "\\$FUNC\\.pipe\\(\\$FS\\.createWriteStream\\(\\$FIL, ...\\)\\)"
- - "\\$FUNC\\.pipe\\(\\$FS\\.writeFile\\(\\$FIL, ...\\)\\)"
- - "\\$FUNC\\.pipe\\(\\$FS\\.writeFileSync\\(\\$FIL, ...\\)\\)"
- - "\\$UNZIP\\.Parse\\(...\\)\\.on\\('entry', function \\$FUNC\\(\\$ENTRY\\) {"
- - "\\$FS\\.createWriteStream\\(\\$FIL, ...\\)"
- - "\\$FS\\.writeFile\\(\\$FIL, ...\\)"
- - "\\$FS\\.writeFileSync\\(\\$FIL, ...\\)"
+ - "require\\('unzip'\\)"
+ - "require\\('unzipper'\\)"
+ - "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.Parse\\([\\w\\W]*?\\)\\)\\.on\\('entry', function [\\w\\W]*?\\([\\w\\W]*?\\) \\{"
+ - "[\\w\\W]+? = [\\w\\W]+?\\.indexOf\\([\\w\\W]*?\\)"
+ - "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\)\\)"
+ - "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\)\\)"
+ - "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\)\\)"
+ - "[\\w\\W]+?\\.Parse\\([\\w\\W]*?\\)\\.on\\('entry', function [\\w\\W]*?\\([\\w\\W]*?\\) \\{"
+ - "[\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\)"
+ - "[\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\)"
+ - "[\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\)"
 condition: or
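Review bot: The eleven rewritten regexes in the second hunk are joined by `condition: or`, and the last three (`[\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\)` and its siblings) plus the `indexOf` entry match any Node file that writes a file or calls `indexOf`, with no reference to an archive library at all, so the template will raise "Zip Path Overwrite" on nearly every project it scans. The library import and the write sink should be separate matchers joined by `matchers-condition: and`, keeping `or` only inside each list; the `[\\w\\W]+?` prefixes are also unnecessary in an unanchored search. Patches 17 (tar-stream) and 18/19 (adm-zip) have the same OR-of-generic-sinks shape and would benefit from the same split.
```yaml
    # … unchanged: id, info, extensions …
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "require\\('unzip(?:per)?'\\)"
      - type: regex
        regex:
          - "\\.pipe\\(\\s*\\w+\\.(?:createWriteStream|writeFile|writeFileSync)\\("
          - "\\.Parse\\([^)]*\\)\\s*\\)?\\s*\\.on\\('entry',"
        condition: or
```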
From d4f2312cc5c32fee8ea3f6ed0f6bf6f605f635e6 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 28 Jun 2023 10:37:29 +0530
Subject: [PATCH 14/22] Update xss-disable-mustache-escape.YAML

---
 file/nodejs/xss-disable-mustache-escape.YAML | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/file/nodejs/xss-disable-mustache-escape.YAML b/file/nodejs/xss-disable-mustache-escape.YAML
index 6a10401311..8d8918dbb8 100644
--- a/file/nodejs/xss-disable-mustache-escape.YAML
+++ b/file/nodejs/xss-disable-mustache-escape.YAML
@@ -14,4 +14,4 @@ file:
 matchers:
 - type: regex
 regex:
- - "\\$OBJ\\.escapeMarkup = false"
+ - "[\\w\\W]+?\\.escapeMarkup = false"
From 5a98340f2bb04865a16c1d39c007f84f7d972c4d Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 28 Jun 2023 10:39:08 +0530
Subject: [PATCH 15/22] Update xss-serialize-javascript.yaml

---
 file/nodejs/xss-serialize-javascript.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/file/nodejs/xss-serialize-javascript.yaml b/file/nodejs/xss-serialize-javascript.yaml
index c6944bb728..bd924bb702 100644
--- a/file/nodejs/xss-serialize-javascript.yaml
+++ b/file/nodejs/xss-serialize-javascript.yaml
@@ -14,13 +14,13 @@ file:
 matchers:
 - type: regex
 regex:
- - "\\$S = require\\('serialize-javascript'\\)"
- - "\\$S\\(..., {unsafe: true}\\)"
+ - "require\\('serialize-javascript'\\)"
+ - "\\\$S\(\.\*?, \\{unsafe: true\\}\)"
 condition: or
 
 - type: regex
 negative: true
 regex:
- - "escape\\(...\\)"
- - "encodeURI\\(...\\)"
+ - "escape\\(.*?\\)"
+ - "encodeURI\\(.*?\\)"
 condition: or
From 9a179323ff42479a9d4409acf025e72158aaf749 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 28 Jun 2023 10:41:36 +0530
Subject: [PATCH 16/22] Update generic-path-traversal.yaml

---
 file/nodejs/generic-path-traversal.yaml | 26 ++++--------------------
 1 file changed, 4 insertions(+), 22 deletions(-)

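Review bot: The `[\\w\\W]+?` prefix on the new regex is redundant in an unanchored search, and because that class also matches newlines the leftmost match begins at the very start of the file and runs up to the assignment, so any reported match text would be the whole preceding file rather than the offending line. `\\.escapeMarkup\\s*=\\s*false` matches the same assignments (and tolerates spacing variants) without the prefix. The matcher is still a single regex with no import check, which presumably is acceptable for an `info`-severity hint.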
diff --git a/file/nodejs/generic-path-traversal.yaml b/file/nodejs/generic-path-traversal.yaml
index 348692ab43..87ba851bda 100644
--- a/file/nodejs/generic-path-traversal.yaml
+++ b/file/nodejs/generic-path-traversal.yaml
@@ -14,26 +14,8 @@ file:
 matchers:
 - type: regex
 regex:
- - "function \\(\\$REQ, \\$RES, ...\\) {...}"
- - "function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}"
- - "\\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}"
- - "var \\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...};"
- - "\\$APP.\\$METHOD\\(..., function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}\\)"
- - "\\$X\\.createReadStream\\(..., <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>, ...\\)"
- - "\\$X\\.createReadStream\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)"
- - "\\$X\\.readFile\\(..., <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>, ...\\)"
- - "\\$X\\.readFile\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)"
- - "\\$X\\.readFileSync\\(..., <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>, ...\\)"
- - "\\$X\\.readFileSync\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)"
- - "\\$X\\.readFileAsync\\(..., <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>, ...\\)"
- - "\\$X\\.readFileAsync\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)"
- - "\\$INP = <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>\\;"
- - "\\$X\\.createReadStream\\(..., <... \\$INP ...>, ...\\)"
- - "\\$INP = <... \\$REQ\\.\\$QUERY ...>\\;"
- - "\\$X\\.readFile\\(..., <... \\$INP ...>, ...\\)"
- - "\\$X\\.readFileSync\\(..., <... \\$INP ...>, ...\\)"
- - "\\$Y = \\$REQ\\.\\$QUERY\\.\\$VAR\\;"
- - "\\$INP = <... \\$Y ...>\\;"
- - "\\$Y = \\$REQ\\.\\$QUERY\\;"
- - "\\$X\\.readFileAsync\\(..., <... \\$INP ...>, ...\\)"
+ - "[^\\.]*\\.createReadStream\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
+ - "[^\\.]*\\.readFile\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
+ - "[^\\.]*\\.readFileSync\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
+ - "[^\\.]*\\.readFileAsync\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
 condition: or
From 2823ea226e2715e3d4f9c5edbc4f6a95bbadf450 Mon Sep 17 00:00:00 2001
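Review bot: The four replacement regexes still require a literal `<` and `>` inside the argument list (`\\, <[\\s\\S]*?\\> [^\\)]*\\)`), which is the Semgrep deep-expression syntax `<... ...>` carried over verbatim; a real call such as `fs.readFile(req.query.file, cb)` contains no angle brackets, so the matcher never fires, and nothing in the pattern ties the path argument to request input as the description promises. A single expression that names the sinks and the source is both matchable and closer to the intent: `- "\\.(?:createReadStream|readFile|readFileSync|readFileAsync)\\([^)]*req\\.(?:query|params|body)"`. The leading `[^\\.]*` and the escaped `\\,` are unnecessary in an unanchored search.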
From: Prince Chaddha
Date: Wed, 28 Jun 2023 10:44:19 +0530
Subject: [PATCH 17/22] Update tar-path-overwrite.yaml

---
 file/nodejs/tar-path-overwrite.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/file/nodejs/tar-path-overwrite.yaml b/file/nodejs/tar-path-overwrite.yaml
index 6d4d2f1f67..241491c97c 100644
--- a/file/nodejs/tar-path-overwrite.yaml
+++ b/file/nodejs/tar-path-overwrite.yaml
@@ -14,9 +14,8 @@ file:
 matchers:
 - type: regex
 regex:
- - "\\$X = require\\('tar-stream'\\)"
- - "\\$EXTRACT\\.on\\('entry', function \\$FUNC\\(...\\) {"
- - "\\$FS\\.createWriteStream\\(\\$FIL, ...\\)"
- - "\\$FS\\.writeFile\\(\\$FIL, ...\\)"
- - "\\$FS\\.writeFileSync\\(\\$FIL, ...\\)"
+ - "require\\('tar-stream'\\)"
+ - "[\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\, [\\w\\W]*?\\)"
+ - "[\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\, [\\w\\W]*?\\)"
+ - "[\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\, [\\w\\W]*?\\)"
 condition: or
From 9c07d92e4e84fde07ddbef524ace3c13a3291951 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 28 Jun 2023 10:45:48 +0530
Subject: [PATCH 18/22] Update admzip-path-overwrite.yaml

---
 file/nodejs/admzip-path-overwrite.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/file/nodejs/admzip-path-overwrite.yaml b/file/nodejs/admzip-path-overwrite.yaml
index a432a9d681..7a3ac521b0 100644
--- a/file/nodejs/admzip-path-overwrite.yaml
+++ b/file/nodejs/admzip-path-overwrite.yaml
@@ -14,9 +14,9 @@ file:
 matchers:
 - type: regex
 regex:
- - "\\$X = require\\('adm-zip'\\)"
- - "\\$ZIPENTZ\\.forEach\\(function \\$FUNC\\(\\$ENTRY, ...\\) {"
- - "\\$FS\\.createWriteStream\\(...\\) }, ...\\)"
- - "\\$FS\\.writeFile\\(...\\)"
- - "\\$FS\\.writeFileSync\\(...\\) }, ...\\)"
+ - "require\\('adm-zip'\\)"
+ - "\.forEach\\(function .*\\(.*, \.\*\\) \{"
+ - "\.createWriteStream\\(.*\) \}, \.\*\\)"
+ - "\.writeFile\\(.*\)"
+ - "\.writeFileSync\\(.*\) \}, \.\*\\)"
 condition: or
From 15ca31a15f5a6603217094b09290d965f3758e2e Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 28 Jun 2023 10:49:55 +0530
Subject: [PATCH 19/22] Update admzip-path-overwrite.yaml

---
 file/nodejs/admzip-path-overwrite.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/file/nodejs/admzip-path-overwrite.yaml b/file/nodejs/admzip-path-overwrite.yaml
index 7a3ac521b0..dbf7ea5442 100644
--- a/file/nodejs/admzip-path-overwrite.yaml
+++ b/file/nodejs/admzip-path-overwrite.yaml
@@ -14,9 +14,9 @@ file:
 matchers:
 - type: regex
 regex:
- - "require\\('adm-zip'\\)"
- - "\.forEach\\(function .*\\(.*, \.\*\\) \{"
- - "\.createWriteStream\\(.*\) \}, \.\*\\)"
- - "\.writeFile\\(.*\)"
- - "\.writeFileSync\\(.*\) \}, \.\*\\)"
+ - "require\\\\('adm-zip'\\\\)"
+ - "\\.forEach\\(function .*\\(.*, \\.\\*\\) \\{"
+ - "\\.createWriteStream\\(.*\\) \\}, \\.\\*\\)"
+ - "\\.writeFile\\(.*\\)"
+ - "\\.writeFileSync\\(.*\\) \\}, \\.\\*\\)"
 condition: or
From 4cec45fdb4c9816a6986ab0a69119d8f2dbbe9ef Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 28 Jun 2023 10:52:51 +0530
Subject: [PATCH 20/22] Update express-lfr.yaml

---
 file/nodejs/express-lfr.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/file/nodejs/express-lfr.yaml b/file/nodejs/express-lfr.yaml
index 47125c5149..d499b5843d 100644
--- a/file/nodejs/express-lfr.yaml
+++ b/file/nodejs/express-lfr.yaml
@@ -14,8 +14,7 @@ file:
 matchers:
 - type: regex
 regex:
- - "$INP = <... \\$REQ\\.\\$QUERY ...>\\;"
- - "$RES\\.render\\(\\$VIEW, <... \\$INP ...>\\)"
- - "$RES.render\\($VIEW, <... $REQ.$QUERY.$FOO ...>\\)"
- - "$RES\\.render\\(\\$VIEW, <... \\$REQ\\.\\$BODY ...>\\)"
+ - "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+? [\\w\\W]+? >\\)"
+ - "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+?\\.\\$[\\w\\W]+? [\\w\\W]+? >\\)"
+ - "(\\$[\\w\\W]+?)\\.render\\(\\$[\\w\\W]+?, <[\\w\\W]+? \\\\$[\\w\\W]+? [\\w\\W]+? >\\)"
 condition: or
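Review bot: The first regex is broken by this patch: `require\\\\('adm-zip'\\\\)` becomes `require\\('adm-zip'\\)` after YAML unescaping, which the regex engine reads as a literal backslash followed by a capturing group, so it only matches the source text `require\('adm-zip'\)` and the `require\\('adm-zip'\\)` form from patch 18 was the correct one. The other four entries keep the Semgrep `...` wildcard as the escaped literal `\\.\\*`, so `\\.forEach\\(function .*\\(.*, \\.\\*\\) \\{` matches only a callback whose final parameter is the text `.*`, and likewise the `\\}, \\.\\*\\)` tails; write the wildcard unescaped, e.g. `- "\\.forEach\\(function\\s*\\w*\\([^)]*\\)\\s*\\{"` and `- "\\.(?:createWriteStream|writeFile|writeFileSync)\\("`. Patch 18's versions used `\.`, `\(` and `\{`, which are not valid escapes in a YAML double-quoted scalar, so that file would not have parsed; doubling the backslashes here fixes that but not the pattern meaning.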
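Review bot: Each of the three new regexes requires a literal `$` before the response object and before the view name (`(\\$[\\w\\W]+?)\\.render\\(\\$...`), a literal `<` and `>` around the data argument, and `\\\\$`, which after YAML unescaping is a literal backslash followed by `$` — an end-of-text anchor in RE2 unless multi-line mode is on — so `res.render(view, req.query)` can never match and the template is inert. The first and third entries are also byte-identical. One expression that names the sink and the request sources would do the job: `- "\\.render\\(\\s*[^,]+,\\s*[^)]*req\\.(?:query|params|body)"`; a locally assigned variable (the old `$INP` case) cannot be tracked with a single regex and is better left out than approximated with a pattern that matches nothing.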
From 961aadc9f376e1c4b6fcbfb8cda5d397b498beb4 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 28 Jun 2023 10:54:07 +0530
Subject: [PATCH 21/22] Update xss-serialize-javascript.yaml

---
 file/nodejs/xss-serialize-javascript.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/file/nodejs/xss-serialize-javascript.yaml b/file/nodejs/xss-serialize-javascript.yaml
index bd924bb702..011b11c797 100644
--- a/file/nodejs/xss-serialize-javascript.yaml
+++ b/file/nodejs/xss-serialize-javascript.yaml
@@ -15,7 +15,7 @@ file:
 - type: regex
 regex:
 - "require\\('serialize-javascript'\\)"
- - "\\\$S\(\.\*?, \\{unsafe: true\\}\)"
+ - "\\$S\\(\\.\\*?, \\{unsafe: true\\}\\)"
 condition: or
 
 - type: regex
From a5496d3184dd7a6c2aecb774ea6bec9816a7fb0d Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Wed, 28 Jun 2023 10:55:50 +0530
Subject: [PATCH 22/22] Delete express-xss.yaml

---
 file/nodejs/express-xss.yaml | 48 ------------------------------------
 1 file changed, 48 deletions(-)
 delete mode 100644 file/nodejs/express-xss.yaml

diff --git a/file/nodejs/express-xss.yaml b/file/nodejs/express-xss.yaml
deleted file mode 100644
index 7b184935d9..0000000000
--- a/file/nodejs/express-xss.yaml
+++ /dev/null
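Review bot: With the YAML escaping now valid, `\\$S\\(\\.\\*?, \\{unsafe: true\\}\\)` unescapes to `\$S\(\.\*?, \{unsafe: true\}\)`, i.e. a match for the literal text `$S(.*?, {unsafe: true})` — `$S` was a Semgrep metavariable and `.*?` was meant as a wildcard, so a real `serialize(data, { unsafe: true })` is never detected. `- "\\w+\\([^)]*,\\s*\\{\\s*unsafe:\\s*true\\s*\\}\\s*\\)"` matches the call as written in JavaScript, with tolerance for spacing. Because this matcher uses `condition: or`, the `require\\('serialize-javascript'\\)` entry alone still raises the finding for every file that imports the library, so the import and the unsafe call belong in separate matchers joined by `matchers-condition: and`, which would also stop the `negative: true` matcher from matching on its own.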
@@ -1,48 +0,0 @@ -id: express-xss - -info: - name: Express XSS - author: me_dheeraj (https://twitter.com/Dheerajmadhukar) - severity: info - description: Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability. - tags: file,nodejs,express,xss - -file: - - extensions: - - all - - matchers: - - type: regex - regex: - - "function \\($REQ, $RES, ...\\) {...}" - - "function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}" - - "\\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}" - - "var \\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}\\;" - - "\\$APP\\.\\$METHOD\\(..., function \\$FUNC\\(\\$REQ, \\$RES, ...\\)" - - "\\$RES\\.write\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)" - - "\\$RES\\.write\\(..., <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>, ...\\)" - - "\\$RES\\.send\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)" - - "\\$RES\\.send\\(..., <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>, ...\\)" - - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;" - - "\\$RES\\.write\\(..., <... $LOCALVAR ...>, ...\\)" - - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>\\;" - - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;" - - "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>\\;" - - "\\$RES\\.write\\(..., <... \\$LOCALVAR ...>, ...\\)" - - "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>\\;" - - "\\$RES\\.send\\(..., <... \\$LOCALVAR ...>, ...\\)" - - "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY ...>\\;" - - "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY ...>}\\;" - - "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>}\\;" - - "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>}\\;" - - "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY ...>}\\;" - - "\\$LOCALVAR\\.push\\(<... \\$REQ\\.\\$QUERY ...>\\)" - - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;" - - "\\$ARR\\.push\\(<... \\$LOCALVAR ...>\\)" - - "\\$RES\\.write\\(..., <... \\$ARR ...>, ...\\)" - - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;" - - "\\$RES\\.send\\(..., <... 
\\$ARR ...>, ...\\)" - - "\\$RES\\.write\\(..., <... \\$OUT ...>, ...\\)" - - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>\\;" - - "\\$OUT = <... \\$LOCALVAR ...>\\;" - condition: or