njsscan v0.3.6 releases: find insecure code patterns in your Node.js applications

node.js static application testing

njsscan

njsscan is a static application security testing (SAST) tool that finds insecure code patterns in your Node.js applications, using the simple pattern matcher from libsast together with the syntax-aware, semantic code pattern search tool semgrep.

Changelog v0.3.6

  • Huge Performance Improvement from libsast bump

Installation

pip3 install njsscan

Use

$ njsscan
usage: njsscan [-h] [--json] [--sarif] [--sonarqube] [--html] [-o OUTPUT] [-c CONFIG] [--missing-controls] [-w] [-v] [path ...]

positional arguments:
  path                  Path can be file(s) or directories with source code

optional arguments:
  -h, --help            show this help message and exit
  --json                set output format as JSON
  --sarif               set output format as SARIF 2.1.0
  --sonarqube           set output format compatible with SonarQube
  --html                set output format as HTML
  -o OUTPUT, --output OUTPUT
                        output filename to save the result
  -c CONFIG, --config CONFIG
                        Location to .njsscan config file
  --missing-controls    enable missing security controls check
  -w, --exit-warning    non zero exit code on warning
  -v, --version         show njsscan version

Example

$ njsscan xss_node.js

- Pattern Match ████████████████████████████████████████████████████████████ 1
- Semantic Grep ████████████████████████████████████████████████████████████ 53

======================================================================================================
RULE ID: express_xss
OWASP: A1: Injection
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DESCRIPTION: Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
SEVERITY: ERROR
======================================================================================================

__________________FILES___________________________


File: xss_node.js
Match Position: 5 - 37
Line Number(s): 5: 6
Match String: var html = "Hello" + req.query.name + ". How are you?"

res.write('Response</br>' + html);

Python API

>>> from njsscan.njsscan import NJSScan

>>> node_source = '/node_source/true_positives/sqli_node.js'
>>> scanner = NJSScan([node_source], json=True, check_controls=False)
>>> scanner.scan()
{
'templates': {},
'nodejs': {
'node_sqli_injection': {
'files': [{
'file_path': '/node_source/true_positives/sqli_node.js',
'match_position': (1, 24),
'match_lines': (4, 11),
'match_string': 'var employeeId = req.foo;\n\nvar sql = "SELECT * FROM trn_employee WHERE employee_id = " + employeeId;\n\n\n\nconnection.query(sql, function (error, results, fields) {\n\n if (error) {\n\n throw error;\n\n }\n\n console.log(results);'
}],
'metadata': {
'owasp': 'A1: Injection',
'cwe': "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
'description': 'Untrusted input concatinated with raw SQL query can result in SQL Injection.',
'severity': 'ERROR'
}
}
},
'errors': []
}
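As an added example (not part of njsscan itself), a small CI gate built on the Python API above: it flattens the results dict into per-finding rows and turns the severities into an exit code the way -w/--exit-warning does. The result layout, the NJSScan(...) call and the severity names come from this page; the SAMPLE dict is constructed, and the threshold policy is the script's own.

```python
import sys

SEVERITY_RANK = {"ERROR": 2, "WARNING": 1, "INFO": 0}


def findings(results):
    """Flatten an njsscan results dict into (rule_id, file_path, match_lines, severity)."""
    rows = []
    for section in ("templates", "nodejs"):
        for rule_id, rule in results.get(section, {}).items():
            severity = rule["metadata"]["severity"]
            for hit in rule["files"]:
                rows.append((rule_id, hit["file_path"], hit["match_lines"], severity))
    return rows


def summarize(results, fail_on_warning=False):
    """Return (counts_by_severity, exit_code), mirroring njsscan's -w/--exit-warning."""
    counts = {"ERROR": 0, "WARNING": 0, "INFO": 0}
    for _, _, _, severity in findings(results):
        counts[severity] = counts.get(severity, 0) + 1
    threshold = SEVERITY_RANK["WARNING"] if fail_on_warning else SEVERITY_RANK["ERROR"]
    failing = any(n and SEVERITY_RANK.get(sev, 0) >= threshold for sev, n in counts.items())
    return counts, (1 if failing else 0)


def run_scan(paths, fail_on_warning=False):
    """Scan with the NJSScan API (imported lazily so this module loads without njsscan)."""
    from njsscan.njsscan import NJSScan  # constructor and scan() as shown in the Python API section
    results = NJSScan(paths, json=True, check_controls=False).scan()
    for rule_id, path, (start, end), severity in findings(results):
        print(f"{severity:<7} {rule_id:<28} {path}:{start}-{end}")
    counts, code = summarize(results, fail_on_warning)
    print("summary:", counts, "exit code:", code)
    return code


# Constructed sample in the same shape as the sqli_node.js result above (not real scan output).
SAMPLE = {
    "templates": {},
    "nodejs": {
        "node_sqli_injection": {
            "files": [{"file_path": "sqli_node.js", "match_lines": (4, 11),
                       "match_string": "var sql = ... + employeeId;"}],
            "metadata": {"owasp": "A1: Injection", "cwe": "CWE-89", "severity": "ERROR"},
        }
    },
    "errors": [],
}

if __name__ == "__main__":
    args = sys.argv[1:]
    sys.exit(run_scan([a for a in args if a != "-w"] or ["."], fail_on_warning="-w" in args))
```

Run it as `python gate.py -w src/` in CI; a non-zero exit code fails the job on any ERROR finding, or on WARNING findings as well when -w is passed.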

Github Action

Add the following file at .github/workflows/njsscan.yml:

Suppress Findings

You can suppress findings in JavaScript source files by adding the comment //ignore: rule_id1, rule_id2 to the line that triggers the finding; list every rule id that should be ignored on that line.

Example:

const express = require('express');
const app = express();

app.get('/some/redirect', function (req, res) {
  var target = req.param("target");
  // the open redirect finding on this line is suppressed by the trailing comment
  res.redirect(target); //ignore: express_open_redirect
});

Copyright (C) 2020 ajinabraham

Source: https://github.com/ajinabraham/