Create xss-serialize-javascript.yaml

file/nodejs/xss-serialize-javascript.yaml

@@ -0,0 +1,26 @@
+id: xss-serialize-javascript
+
+info:
+  name: XSS Serialize Javascript
+  author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
+  severity: info
+  description: Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
+  tags: file,nodejs,serialize,xss
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: regex
+        regex:
+          - "\\$S = require\\('serialize-javascript'\\)"
+          - "\\$S\\(..., {unsafe: true}\\)"
+        condition: or
+
+      - type: regex
+        negative: true
+        regex:
+          - "escape\\(...\\)"
+          - "encodeURI\\(...\\)"
+        condition: or