javascript.express.security.require-request.require-request

profile photo of returntocorpreturntocorp
Author
3,077
Download Count*
LGPL Commons Clause
License

If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: require-request
    message: If an attacker controls the x in require(x) then they can cause code to
      load that was not intended to run on the server.
    metadata:
      interfile: true
      owasp:
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-706: Use of Incorrectly-Resolved Name or Reference"
      source-rule-url: https://nodesecroadmap.fyi/chapter-1/threat-UIR.html
      category: security
      technology:
        - express
      references:
        - https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    severity: ERROR
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern-inside: function ... ($REQ, $RES) {...}
              - pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
              - patterns:
                  - pattern-either:
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
                  - metavariable-regex:
                      metavariable: $METHOD
                      regex: ^(get|post|put|head|delete|options)$
          - pattern-either:
              - pattern: $REQ.query
              - pattern: $REQ.body
              - pattern: $REQ.params
              - pattern: $REQ.cookies
              - pattern: $REQ.headers
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
                  {...}
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response) => {...}
          - focus-metavariable: $REQ
          - pattern-either:
              - pattern: params
              - pattern: query
              - pattern: cookies
              - pattern: headers
              - pattern: body
    pattern-sinks:
      - patterns:
          - pattern: require($SINK)
          - focus-metavariable: $SINK

Examples

require-request.js

const express = require('express')
const app = express()
const port = 3000

const hardcodedPath = 'lib/func.js'

function testController1(req, res) {
    try {
        // ruleid: require-request
        require(req.query.controllerFullPath)(req, res);
    } catch (err) {
        this.log.error(err);
    }
    res.end('ok')
};
app.get('/test1', testController1)

let testController2 = function (req, res) {
    // ruleid: require-request
    const func = require(req.body)
    return res.send(func())
}
app.get('/test2', testController2)

var testController3 = null;
testController3 = function (req, res) {
    // ruleid: require-request
    const func = require(req.body)
    return res.send(func())
}
app.get('/test3', testController3)

(function (req, res) {
    // ruleid: require-request
    const func = require(req.body)
    return res.send(func())
})(req, res)

app.get('/ok-test', (req, res) => {
    // ok: require-request
    const func = require(hardcodedPath)
    return res.send(func())
})

let okController = function (req, res) {
    // ok: require-request
    const func = require('lib/func.js')
    return res.send(func())
}
app.get('/ok-test2', okController)

app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))