njsscan is a static application security testing (SAST) tool that finds insecure code patterns in Node.js applications. It combines a simple pattern matcher from libsast with semgrep, a syntax-aware semantic code pattern search tool.
Changelog v0.3.1
Major libsast upgrade
Standard mapping support from libsast
Publish latest docker images from master and release
positional arguments:
  path                  Path can be file(s) or directories with source code

optional arguments:
  -h, --help            show this help message and exit
  --json                set output format as JSON
  --sarif               set output format as SARIF 2.1.0
  --sonarqube           set output format compatible with SonarQube
  --html                set output format as HTML
  -o OUTPUT, --output OUTPUT
                        output filename to save the result
  -c CONFIG, --config CONFIG
                        Location to .njsscan config file
  --missing-controls    enable missing security controls check
  -w, --exit-warning    non zero exit code on warning
  -v, --version         show njsscan version
Example
$ njsscan xss_node.js
- Pattern Match ████████████████████████████████████████████████████████████ 1
- Semantic Grep ████████████████████████████████████████████████████████████ 53
======================================================================================================
RULE ID: express_xss
OWASP: A1: Injection
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DESCRIPTION: Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
SEVERITY: ERROR
======================================================================================================
__________________FILES___________________________
File: xss_node.js
Match Position: 5 - 37
Line Number(s): 5: 6
Match String: var html = "Hello" + req.query.name + ". How are you?"
res.write('Response</br>' + html);
Python API
>>> from njsscan.njsscan import NJSScan
>>> node_source = '/node_source/true_positives/sqli_node.js'
>>> scanner = NJSScan([node_source], json=True, check_controls=False)
>>> scanner.scan()
{
    'templates': {},
    'nodejs': {
        'node_sqli_injection': {
            'files': [{
                'file_path': '/node_source/true_positives/sqli_node.js',
                'match_position': (1, 24),
                'match_lines': (4, 11),
                'match_string': 'var employeeId = req.foo;\n\nvar sql = "SELECT * FROM trn_employee WHERE employee_id = " + employeeId;\n\n\n\nconnection.query(sql, function (error, results, fields) {\n\n if (error) {\n\n throw error;\n\n }\n\n console.log(results);'
            }],
            'metadata': {
                'owasp': 'A1: Injection',
                'cwe': "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                'description': 'Untrusted input concatinated with raw SQL query can result in SQL Injection.',
                'severity': 'ERROR'
            }
        }
    },
    'errors': []
}
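A result dict in the shape shown above can drive a build gate. The following is an added example, not part of njsscan or its documentation: the names flatten_findings, gate and rank, the INFO/WARNING/ERROR ranking, the fail-closed handling of unknown severities and the handling of rule entries without a 'files' key are assumptions of this example, and SAMPLE_RESULT is a constructed, trimmed copy of the output above.

```python
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample: trimmed copy of the scan() output shown above.
SAMPLE_RESULT = {
    "templates": {},
    "nodejs": {
        "node_sqli_injection": {
            "files": [{
                "file_path": "/node_source/true_positives/sqli_node.js",
                "match_lines": (4, 11),
            }],
            "metadata": {
                "cwe": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                "severity": "ERROR",
            },
        },
    },
    "errors": [],
}


def rank(severity):
    # Unknown severity strings rank as ERROR so the gate fails closed.
    return SEVERITY_RANK.get(str(severity).upper(), SEVERITY_RANK["ERROR"])


def flatten_findings(result):
    """One record per (rule, matched file), highest severity first."""
    records = []
    for section in ("nodejs", "templates"):
        for rule_id, finding in (result.get(section) or {}).items():
            meta = finding.get("metadata", {})
            # Assumption: a rule entry may lack 'files'; report it with no location.
            for match in finding.get("files") or [{}]:
                records.append({
                    "rule_id": rule_id,
                    "severity": meta.get("severity", "ERROR"),
                    "cwe": meta.get("cwe", ""),
                    "file": match.get("file_path"),
                    "lines": match.get("match_lines"),
                })
    return sorted(records, key=lambda r: -rank(r["severity"]))


def gate(result, fail_on_warning=False):
    """Return a CI exit code: 1 on scan errors or findings at/above the threshold."""
    threshold = SEVERITY_RANK["WARNING" if fail_on_warning else "ERROR"]
    blocking = [r for r in flatten_findings(result) if rank(r["severity"]) >= threshold]
    return 1 if blocking or result.get("errors") else 0
```

Pass the dict returned by scanner.scan() to gate() and hand its return value to sys.exit(); fail_on_warning plays the same role as the -w flag listed above.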
GitHub Action
Add the following file at .github/workflows/njsscan.yml:
Suppress Findings
You can suppress findings in JavaScript source files by adding the comment //ignore: rule_id1, rule_id2 to the line that triggers the findings.
Example:
app.get('/some/redirect', function (req, res) {
    var target = req.param("target");
    res.redirect(target); //ignore: express_open_redirect
});