Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate and possibly integrate NodeJsScan #16

Open
jborrey opened this issue Nov 5, 2018 · 2 comments
Open

Investigate and possibly integrate NodeJsScan #16

jborrey opened this issue Nov 5, 2018 · 2 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@jborrey
Copy link
Contributor

jborrey commented Nov 5, 2018

/~https://github.com/ajinabraham/NodeJsScan

Vuln scannner for JS.
Test it out on some codebases and determine if it's worth integrating.
If so, make the module and open a PR.

@jborrey jborrey added enhancement New feature or request good first issue Good for newcomers labels Nov 5, 2018
@tutasla
Copy link

tutasla commented Jan 21, 2019

This scanner seems to beautify source code and then run checks against this list /~https://github.com/ajinabraham/NodeJsScan/blob/master/core/rules.xml

Instead of integrating the whole app, it should be possible to convert these rules to PatternSearch regex rules (however I am not sure about the beautification part). A naive approach would be something like:

      - regex: eval\\s*\\(\\s*.{0,150}req\\.
        message: User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).

@jborrey
Copy link
Contributor Author

jborrey commented Jan 27, 2019

Interesting, so you're suggesting that we parse the XML rules files and then appropriate it for the PatternSearch module? Pretty cool idea!

In general I don't like forking projects, or doing something similar, because it creates a higher maintenance workload - for example, if the rules are updated, you need to do more than just bump the version of the app to get the most recent set of rules. You could at least get this down to a script that is run a build time and references a version number.

I would say, that if the app performs poorly (e.g. throws lots of exceptions) but the rules are useful, then this would be worth it. Otherwise we could just try the usual approach of integrating the scanner directly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request good first issue Good for newcomers
Development

No branches or pull requests

3 participants
@jborrey @tutasla and others