javascript.express.security.require-request.require-request
semgrepAuthor
3,077
Download Count*
License
If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.
Run Locally
Run in CI
Defintion
rules:
- id: require-request
message: If an attacker controls the x in require(x) then they can cause code to
load that was not intended to run on the server.
options:
interfile: true
metadata:
interfile: true
owasp:
- A01:2021 - Broken Access Control
cwe:
- "CWE-706: Use of Incorrectly-Resolved Name or Reference"
source-rule-url: https://nodesecroadmap.fyi/chapter-1/threat-UIR.html
category: security
technology:
- express
references:
- https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authorization
languages:
- javascript
- typescript
severity: ERROR
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- pattern-inside: function ... ($REQ, $RES) {...}
- pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
- patterns:
- pattern-either:
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
- metavariable-regex:
metavariable: $METHOD
regex: ^(get|post|put|head|delete|options)$
- pattern-either:
- pattern: $REQ.query
- pattern: $REQ.body
- pattern: $REQ.params
- pattern: $REQ.cookies
- pattern: $REQ.headers
- patterns:
- pattern-either:
- pattern-inside: |
({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
{...}
- pattern-inside: |
({ $REQ }: Request,$RES: Response) => {...}
- focus-metavariable: $REQ
- pattern-either:
- pattern: params
- pattern: query
- pattern: cookies
- pattern: headers
- pattern: body
pattern-sinks:
- patterns:
- pattern: require($SINK)
- focus-metavariable: $SINK
Examples
require-request.js
const express = require('express')
const app = express()
const port = 3000
const hardcodedPath = 'lib/func.js'
function testController1(req, res) {
try {
// ruleid: require-request
require(req.query.controllerFullPath)(req, res);
} catch (err) {
this.log.error(err);
}
res.end('ok')
};
app.get('/test1', testController1)
let testController2 = function (req, res) {
// ruleid: require-request
const func = require(req.body)
return res.send(func())
}
app.get('/test2', testController2)
var testController3 = null;
testController3 = function (req, res) {
// ruleid: require-request
const func = require(req.body)
return res.send(func())
}
app.get('/test3', testController3)
(function (req, res) {
// ruleid: require-request
const func = require(req.body)
return res.send(func())
})(req, res)
app.get('/ok-test', (req, res) => {
// ok: require-request
const func = require(hardcodedPath)
return res.send(func())
})
let okController = function (req, res) {
// ok: require-request
const func = require('lib/func.js')
return res.send(func())
}
app.get('/ok-test2', okController)
app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))
Short Link: https://sg.run/jRbl