node_baseline.yaml (144 lines, 130 loc, 4.69 KB)
# ==========================================================
# Semgrep Ruleset for Node.js Security
# Created by: Conviso
# Description: This ruleset is designed to detect common vulnerabilities
# in Node.js applications, including SQL Injection, Insecure
# File Operations, Insecure HTTP Requests, and Hardcoded Secrets.
#
# Layout notes:
# - `fix:` is Semgrep's autofix template (a literal replacement of the
#   matched code), so it is set only where the match can be rewritten
#   mechanically; each rule's remediation advice is carried in `message:`.
# - Entries under `patterns:` are ANDed; alternatives go under `pattern-either:`.
# ==========================================================
rules:
  - id: detect-sql-injection-nodejs
    languages: [javascript, typescript]
    message: |
      Possible SQL Injection vulnerability. Avoid using unsanitized user input in SQL queries.
      Use parameterized queries to avoid SQL Injection. Example:
      ```javascript
      db.query("SELECT * FROM users WHERE username = ?", [userInput])
      ```
    severity: ERROR
    # Matches the SQL text being assembled by string concatenation. The
    # pattern is deliberately narrow: it matches this exact statement shape only.
    pattern: |
      db.query("SELECT * FROM users WHERE username = '" + $USER_INPUT + "'")
    metadata:
      cwe: CWE-89
      owasp: A1 Injection

  - id: detect-insecure-file-operations-nodejs
    languages: [javascript, typescript]
    message: |
      Insecure file operation detected. Avoid using unsanitized user input in file paths, which can lead to path traversal attacks.
      Resolve the path against a fixed base directory with `path.resolve` and verify the result stays inside that directory before performing file operations; `path.join` alone does not remove `../`. Example:
      ```javascript
      const base = path.resolve(UPLOAD_DIR);
      const safePath = path.resolve(base, userInput);
      if (!safePath.startsWith(base + path.sep)) throw new Error('path traversal');
      fs.readFile(safePath, callback);
      ```
    severity: ERROR
    patterns:
      # The two call shapes are alternatives, so they are ORed with pattern-either.
      - pattern-either:
          - pattern: fs.readFile($USER_INPUT, $CALLBACK)
          - pattern: fs.writeFile($USER_INPUT, $DATA, $CALLBACK)
      # A constant path cannot carry user input; "..." matches any string literal.
      - pattern-not: fs.readFile("...", ...)
      - pattern-not: fs.writeFile("...", ...)
    metadata:
      cwe: CWE-22
      owasp: A5 Broken Access Control

  - id: detect-insecure-http-nodejs
    languages: [javascript, typescript]
    message: |
      Insecure HTTP request detected. Avoid making HTTP requests without proper SSL/TLS validation.
      Use the `https` module instead of `http` for secure communication. Example:
      ```javascript
      https.get(url);
      ```
    severity: WARNING
    # Only the single-argument form is matched; http.get(url, callback) is
    # a different arity and would need its own pattern.
    pattern: http.get($URL)
    # Autofix template: $URL is substituted with the expression bound above.
    fix: https.get($URL)
    metadata:
      cwe: CWE-295
      owasp: A3 Sensitive Data Exposure

  - id: detect-hardcoded-secrets-nodejs
    languages: [javascript, typescript]
    message: |
      Hardcoded secrets detected. Avoid storing sensitive information like API keys or passwords directly in the source code.
      Use environment variables or secret management tools to store sensitive data. Example:
      ```javascript
      const password = process.env.PASSWORD;
      ```
    severity: WARNING
    patterns:
      - pattern-either:
          # "..." matches any string literal assigned to the named constant.
          - pattern: const password = "..."
          - pattern: const apiKey = "..."
      # An empty placeholder is not a secret.
      - pattern-not: const $NAME = ""
    metadata:
      cwe: CWE-798
      owasp: A3 Sensitive Data Exposure

  - id: detect-insecure-jwt-signing-nodejs
    languages: [javascript, typescript]
    message: |
      Insecure JWT signing detected. Avoid using weak signing algorithms such as `none`, or `HS256` without proper key management.
      Use stronger algorithms like `RS256` for signing JWTs (the secret must then be an RSA private key, not a shared string) and ensure key management practices are in place. Example:
      ```javascript
      jwt.sign(payload, privateKey, { algorithm: 'RS256' });
      ```
    severity: ERROR
    # No autofix: swapping the algorithm name while keeping a shared secret
    # would produce code that fails at runtime, so the change is left to review.
    # The object literal is matched exactly; options with extra keys are not caught.
    pattern-either:
      - pattern: jwt.sign($PAYLOAD, $SECRET, { algorithm: 'none' })
      - pattern: jwt.sign($PAYLOAD, $SECRET, { algorithm: 'HS256' })
    metadata:
      cwe: CWE-347
      owasp: A2 Broken Authentication

  - id: detect-unsafe-use-of-eval-nodejs
    languages: [javascript, typescript]
    message: |
      Unsafe use of `eval` detected. Avoid using `eval` with user-controlled input as it can lead to code injection.
      Avoid using `eval` or use safer alternatives such as `JSON.parse()` for processing user input. Example:
      ```javascript
      const safeData = JSON.parse(userInput);
      ```
    severity: ERROR
    # No autofix: JSON.parse is not a drop-in replacement for eval, so the
    # rewrite needs a human to confirm the input is meant to be JSON.
    pattern: eval($USER_INPUT)
    metadata:
      cwe: CWE-94
      owasp: A1 Injection

  - id: detect-unsafe-csrf-protection-nodejs
    languages: [javascript, typescript]
    message: |
      Missing or incorrect CSRF protection in Node.js application. Ensure CSRF tokens are implemented and verified for state-changing requests.
      Implement CSRF protection using middleware such as `csurf`. Example:
      ```javascript
      const csrf = require('csurf');
      app.use(csrf({ cookie: true }));
      ```
    severity: ERROR
    patterns:
      - pattern: app.post($ENDPOINT, $MIDDLEWARE)
      # Exclude POST handlers registered after the CSRF middleware in the same
      # statement sequence; a bare pattern-not on csrf(...) would never exclude
      # anything because it is compared against the app.post match itself.
      - pattern-not-inside: |
          app.use(csrf(...));
          ...
    metadata:
      cwe: CWE-352
      owasp: A8 Cross-Site Request Forgery (CSRF)