From 9f4cec14cf59cd0766e0dae8d6a36667151dbaee Mon Sep 17 00:00:00 2001 From: Andrea Brancaleoni Date: Fri, 4 Aug 2023 14:10:51 +0200 Subject: [PATCH 1/3] nodejs-insecure-url-parse: add inline require('url') --- assets/semgrep_rules/web/nodejs-insecure-url-parse | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/assets/semgrep_rules/web/nodejs-insecure-url-parse b/assets/semgrep_rules/web/nodejs-insecure-url-parse index cef83451..8a3e3ae5 100644 --- a/assets/semgrep_rules/web/nodejs-insecure-url-parse +++ b/assets/semgrep_rules/web/nodejs-insecure-url-parse @@ -6,7 +6,9 @@ rules: assignees: | thypon fmarier - pattern: url.parse(...) + pattern-either: + - pattern: url.parse(...) + - pattern: require('url').parse(...) message: Avoid using url.parse() as it may cause security issues. Consider using the URL class instead. languages: - javascript From 8bd065a6381c86fd86b47c5facf8821997351737 Mon Sep 17 00:00:00 2001 From: Andrea Brancaleoni Date: Fri, 4 Aug 2023 14:13:22 +0200 Subject: [PATCH 2/3] nodejs-insecure-url-parse.js test: add more t cases --- t3sts/semgrep_rules/nodejs-insecure-url-parse.js | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/t3sts/semgrep_rules/nodejs-insecure-url-parse.js b/t3sts/semgrep_rules/nodejs-insecure-url-parse.js index 9c377d44..e9d421d0 100644 --- a/t3sts/semgrep_rules/nodejs-insecure-url-parse.js +++ b/t3sts/semgrep_rules/nodejs-insecure-url-parse.js @@ -1,2 +1,17 @@ // ruleid: nodejs-insecure-url-parse url.parse("here lies dragons"); +// ruleid: nodejs-insecure-url-parse +require('url').parse("here lies dragons"); + +var uparser = require('url'); + +// ruleid: nodejs-insecure-url-parse +uparser.parse("here lies dragons"); + +function() { + // ruleid: nodejs-insecure-url-parse + uparser.parse("here lies dragons"); +} + +// ruleid: nodejs-insecure-url-parse +setTimeout(()=> uparser.parse("here lies dragons"), 1000); From 13bc3a3179cc1b3d5913dbc2215d4471f32ca657 Mon Sep 17 00:00:00 2001 From: Andrea Brancaleoni Date: Fri, 4 Aug 2023 14:22:23 +0200 Subject: [PATCH 3/3] nodejs-insecure-url-parse: rename and fix --- ...{nodejs-insecure-url-parse => nodejs-insecure-url-parse.yaml} | 1 + 1 file changed, 1 insertion(+) rename assets/semgrep_rules/web/{nodejs-insecure-url-parse => nodejs-insecure-url-parse.yaml} (96%) diff --git a/assets/semgrep_rules/web/nodejs-insecure-url-parse b/assets/semgrep_rules/web/nodejs-insecure-url-parse.yaml similarity index 96% rename from assets/semgrep_rules/web/nodejs-insecure-url-parse rename to assets/semgrep_rules/web/nodejs-insecure-url-parse.yaml index 8a3e3ae5..f21669f4 100644 --- a/assets/semgrep_rules/web/nodejs-insecure-url-parse +++ b/assets/semgrep_rules/web/nodejs-insecure-url-parse.yaml @@ -10,5 +10,6 @@ rules: - pattern: url.parse(...) - pattern: require('url').parse(...) message: Avoid using url.parse() as it may cause security issues. Consider using the URL class instead. + severity: ERROR languages: - javascript