javascript.express.security.express-phantom-injection.express-phantom-injection

profile photo of semgrepsemgrep
Author
3,077
Download Count*
LGPL Commons Clause
License

If unverified user data can reach the phantom methods it can result in Server-Side Request Forgery vulnerabilities

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: express-phantom-injection
    message: If unverified user data can reach the `phantom` methods it can result
      in Server-Side Request Forgery vulnerabilities
    metadata:
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      category: security
      technology:
        - express
      references:
        - https://phantomjs.org/page-automation.html
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    languages:
      - javascript
      - typescript
    severity: ERROR
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern-inside: function ... ($REQ, $RES) {...}
              - pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
              - patterns:
                  - pattern-either:
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
                  - metavariable-regex:
                      metavariable: $METHOD
                      regex: ^(get|post|put|head|delete|options)$
          - pattern-either:
              - pattern: $REQ.query
              - pattern: $REQ.body
              - pattern: $REQ.params
              - pattern: $REQ.cookies
              - pattern: $REQ.headers
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
                  {...}
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response) => {...}
          - focus-metavariable: $REQ
          - pattern-either:
              - pattern: params
              - pattern: query
              - pattern: cookies
              - pattern: headers
              - pattern: body
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  require('phantom');
                  ...
              - pattern-inside: |
                  import 'phantom';
                  ...
          - pattern-either:
              - pattern: $PAGE.open($SINK,...)
              - pattern: $PAGE.setContent($SINK,...)
              - pattern: $PAGE.openUrl($SINK,...)
              - pattern: $PAGE.evaluateJavaScript($SINK,...)
              - pattern: $PAGE.property("content",$SINK,...)
          - focus-metavariable: $SINK

Examples

express-phantom-injection.js

const express = require('express')
const app = express()
const port = 3000
const phantom = require('phantom');

app.get('/test', async (req, res) => {
    const instance = await phantom.create();
    const page = await instance.createPage();
    await page.on('onResourceRequested', function(requestData) {
        console.info('Requesting', requestData.url);
    });

    // ruleid: express-phantom-injection
    const status = await page.property('content', req.headers['name']);

    // ruleid: express-phantom-injection
    await page.setContent(req.query.q);

    res.send('Hello World!')
})

app.post('/test2', async (req, res) => {
    const instance = await phantom.create();
    const page = await instance.createPage();
    await page.on('onResourceRequested', function(requestData) {
        console.info('Requesting', requestData.url);
    });

    // ruleid: express-phantom-injection
    const status = await page.property('content', req.query.q);

    // ruleid: express-phantom-injection
    await page.setContent(req.body);

    // ok: express-phantom-injection
    var html = '<html>123</html>'
    const status = await page.property('content', html);

    const content = await page.property('content');
    console.log(content);

    await instance.exit();

    res.send('Hello World!')
})

app.post('/test3', async (req, res) => {
    const instance = await phantom.create();
    const page = await instance.createPage();
    await page.on('onResourceRequested', function(requestData) {
        console.info('Requesting', requestData.url);
    });

    // ruleid: express-phantom-injection
    const status = await page.openUrl(req.params.url, {}, {});

    // ruleid: express-phantom-injection
    await page.evaluateJavaScript(req.body.script);

    // ok: express-phantom-injection
    var url = 'https://stackoverflow.com/'
    const status = await page.openUrl(url, {}, {});

    const content = await page.property('content');
    console.log(content);

    await instance.exit();

    res.send('Hello World!')
})


app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))