diff --git a/assets/semgrep_rules/web/nodejs-insecure-url-parse b/assets/semgrep_rules/web/nodejs-insecure-url-parse.yaml
similarity index 78%
rename from assets/semgrep_rules/web/nodejs-insecure-url-parse
rename to assets/semgrep_rules/web/nodejs-insecure-url-parse.yaml
index cef83451..f21669f4 100644
--- a/assets/semgrep_rules/web/nodejs-insecure-url-parse
+++ b/assets/semgrep_rules/web/nodejs-insecure-url-parse.yaml
@@ -6,7 +6,10 @@ rules:
       assignees: |
         thypon
         fmarier
-    pattern: url.parse(...)
+    pattern-either:
+      - pattern: url.parse(...)
+      - pattern: require('url').parse(...)
     message: Avoid using url.parse() as it may cause security issues. Consider using the URL class instead.
+    severity: ERROR
     languages:
       - javascript
diff --git a/t3sts/semgrep_rules/nodejs-insecure-url-parse.js b/t3sts/semgrep_rules/nodejs-insecure-url-parse.js
index 9c377d44..e9d421d0 100644
--- a/t3sts/semgrep_rules/nodejs-insecure-url-parse.js
+++ b/t3sts/semgrep_rules/nodejs-insecure-url-parse.js
@@ -1,2 +1,17 @@
 // ruleid: nodejs-insecure-url-parse
 url.parse("here lies dragons");
+// ruleid: nodejs-insecure-url-parse
+require('url').parse("here lies dragons");
+
+var uparser = require('url');
+
+// ruleid: nodejs-insecure-url-parse
+uparser.parse("here lies dragons");
+
+function() {
+  // ruleid: nodejs-insecure-url-parse
+  uparser.parse("here lies dragons");
+}
+
+// ruleid: nodejs-insecure-url-parse
+setTimeout(()=> uparser.parse("here lies dragons"), 1000);
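Review bot: The new `pattern-either` only matches a receiver literally spelled `url` or the inline `require('url').parse(...)`, yet the companion test hunk marks `uparser.parse(...)` (with `var uparser = require('url')`) as `ruleid`; those expectations hold only if Semgrep resolves the module alias for you, which I would not rely on across versions. Binding the alias through a metavariable makes the intended coverage explicit and keeps the test file honest. The literal `url.parse(...)` branch will also fire on any unrelated object named `url` with a `parse` method, which the new `severity: ERROR` makes more visible; worth a comment in the rule's metadata if that is accepted. Lines 1-5 of the rule (id, metadata header) are outside the hunk, so they could not be checked.
```yaml
    pattern-either:
      - pattern: url.parse(...)
      - pattern: require('url').parse(...)
      - patterns:
          - pattern-inside: |
              $U = require('url')
              ...
          - pattern: $U.parse(...)
    # … unchanged: message, severity, languages …
```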
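Review bot: `function() {` at statement position is a syntax error in JavaScript — a function declaration requires a name — so the `ruleid` annotation inside that block is only reached if the Semgrep parser's error recovery happens to keep the body; name it, `function wrapped() {`, or make it an expression, `(function () {` … `})();`, so the fixture is valid code. The `// ruleid:` marks on the two `uparser.parse(...)` calls and on the arrow inside `setTimeout` depend on the rule resolving the `require('url')` alias; that concern is raised on the rule-file hunk rather than repeated here.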