javascript.express.security.require-request.require-request

profile photo of returntocorpreturntocorp
Author
3,077
Download Count*

If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.

Run Locally

Run in CI

Defintion

rules:
  - id: require-request
    message: If an attacker controls the x in require(x) then they can cause code to
      load that was not intended to run on the server.
    metadata:
      deepsemgrep: true
      owasp:
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-706: Use of Incorrectly-Resolved Name or Reference"
      source-rule-url: https://nodesecroadmap.fyi/chapter-1/threat-UIR.html
      category: security
      technology:
        - express
      references:
        - https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    severity: ERROR
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern-inside: function ... ($REQ, $RES) {...}
              - pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
              - patterns:
                  - pattern-either:
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
                  - metavariable-regex:
                      metavariable: $METHOD
                      regex: ^(get|post|put|head|delete|options)$
          - pattern-either:
              - pattern: $REQ.query
              - pattern: $REQ.body
              - pattern: $REQ.params
              - pattern: $REQ.cookies
              - pattern: $REQ.headers
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
                  {...}
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response) => {...}
          - focus-metavariable: $REQ
          - pattern-either:
              - pattern: params
              - pattern: query
              - pattern: cookies
              - pattern: headers
              - pattern: body
    pattern-sinks:
      - patterns:
          - pattern: require($SINK)
          - focus-metavariable: $SINK

Examples

require-request.js

const express = require('express')
const app = express()
const port = 3000

const hardcodedPath = 'lib/func.js'

function testController1(req, res) {
    try {
        // ruleid: require-request
        require(req.query.controllerFullPath)(req, res);
    } catch (err) {
        this.log.error(err);
    }
    res.end('ok')
};
app.get('/test1', testController1)

let testController2 = function (req, res) {
    // ruleid: require-request
    const func = require(req.body)
    return res.send(func())
}
app.get('/test2', testController2)

var testController3 = null;
testController3 = function (req, res) {
    // ruleid: require-request
    const func = require(req.body)
    return res.send(func())
}
app.get('/test3', testController3)

(function (req, res) {
    // ruleid: require-request
    const func = require(req.body)
    return res.send(func())
})(req, res)

app.get('/ok-test', (req, res) => {
    // ok: require-request
    const func = require(hardcodedPath)
    return res.send(func())
})

let okController = function (req, res) {
    // ok: require-request
    const func = require('lib/func.js')
    return res.send(func())
}
app.get('/ok-test2', okController)

app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))