javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing


Directory listing/indexing is enabled (here via the `serve-index` middleware), which exposes the name of every file and subdirectory under the mounted path to any client that can reach it and may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless the directory is intentionally public. If you need directory listing, mount it on a dedicated path that holds only public content, and ensure that sensitive files (backups, dotfiles, configuration, credentials) cannot be retrieved when querying the resource.


Definition

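rules:
  - id: express-check-directory-listing
    message: Directory listing/indexing is enabled, which may lead to disclosure of
      sensitive directories and files. It is recommended to disable directory
      listing unless it is a public resource. If you need directory listing,
      ensure that sensitive files are inaccessible when querying the resource.
    options:
      interfile: true
    metadata:
      interfile: true
      cwe:
        - "CWE-548: Exposure of Information Through Directory Listing"
      owasp:
        - A06:2017 - Security Misconfiguration
        - A01:2021 - Broken Access Control
      category: security
      technology:
        - express
      references:
        - https://www.npmjs.com/package/serve-index
        - https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - javascript
      - typescript
    severity: WARNING
    # The rule fires on any use of the serve-index middleware, in either of two
    # shapes: the module is required inline at the app.use() call site, or it
    # is imported under a name first and that name is used later.
    patterns:
      - pattern-either:
          # Inline form. The ellipses on both sides of the factory call let a
          # mount path or sibling middleware appear in the same app.use() call,
          # e.g. app.use('/ftp', require('serve-index')('ftp')); the previous
          # form without ellipses only matched a lone argument and missed
          # the common prefixed-mount case.
          - pattern: |
              $APP.use(..., require('serve-index')(...), ...)
          - patterns:
              # Bound form, step 1: serve-index is brought into scope under
              # some name via CommonJS require, a default import, or a
              # namespace import.
              - pattern-either:
                  - pattern-inside: |
                      $SERVEINDEX = require('serve-index')
                      ...
                  - pattern-inside: |
                      import $SERVEINDEX from 'serve-index'
                      ...
                  - pattern-inside: |
                      import * as $SERVEINDEX from 'serve-index'
                      ...
              # Bound form, step 2: either a pre-built handler is stored and
              # then invoked directly (plain http.createServer style), or the
              # factory call is passed to app.use(), with or without a mount
              # path around it.
              - pattern-either:
                  - patterns:
                      - pattern-inside: |
                          $VALUE = $SERVEINDEX(...)
                          ...
                      - pattern: |
                          $VALUE(...)
                  - pattern: |
                      $APP.use(..., $SERVEINDEX(...), ...)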

Examples

express-check-directory-listing.js

// Test fixture for the express-check-directory-listing rule. The `// ruleid:`
// and `// ok` annotations below are read by Semgrep's test runner and mark the
// line directly beneath them as an expected finding (or expected non-finding),
// so they must stay immediately above the code they describe.
//
// NOTE(review): `http`, `finalhandler`, `index` and `bodyParser` are referenced
// but never required here; this snippet is a pattern fixture, not runnable code.
const serveIndex = require('serve-index');
var express = require('express');
var app = express();

// Case 1: the serve-index factory result is bound to a variable and later
// invoked directly as a request handler, without going through app.use().
var serve = serveIndex('public/ftp', {
    icons: true
})

var server = http.createServer(function onRequest(req, res) {
    var done = finalhandler(req, res)
    // Expected to match the rule's `$VALUE = $SERVEINDEX(...)` / `$VALUE(...)` branch.
    // ruleid: express-check-directory-listing
    serve(req, res, function onNext(err) {
        if (err) return done(err)
        index(req, res, done)
    })
})

// Case 2: factory call passed to app.use() behind a mount path; expected to
// match the rule's `$APP.use(..., $SERVEINDEX(...), ...)` branch.
// ruleid: express-check-directory-listing
app.use('/ftp', serveIndex('ftp', {
    icons: true
}));

// Negative case: unrelated middleware passed to app.use() must not be flagged.
// ok
app.use(bodyParser.text({
    type: '*/*'
}));