javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection

Author: semgrep
Downloads: 3,078

If unverified user data can reach the `evaluate` method, it can result in Server-Side Request Forgery (SSRF) vulnerabilities.


Definition

rules:
  - id: playwright-evaluate-arg-injection
    message: If unverified user data can reach the `evaluate` method it can result
      in Server-Side Request Forgery vulnerabilities
    metadata:
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      category: security
      technology:
        - playwright
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-inside: |
          require('playwright');
          ...
      - pattern-either:
          - pattern-inside: function $FUNC (...,$INPUT,...) {...}
          - pattern-inside: function (...,$INPUT,...) {...}
      - pattern-either:
          - pattern: $PAGE.evaluate($CODE,...,<... $INPUT ...>,...)
          - pattern: $PAGE.evaluateHandle($CODE,...,<... $INPUT ...>,...)

Examples

playwright-evaluate-arg-injection.js

const { chromium } = require('playwright');

// Semgrep test fixture: a `// ok` annotation marks a call the rule must not flag,
// `// ruleid:<rule-id>` marks the call that is expected to produce a finding.
async function test3(userInput) {
  const browser = await chromium.launch();
  const page = await browser.newPage();

  // ok
  await page.evaluate(x => console.log(x), 5);

  // ruleid:playwright-evaluate-arg-injection
  await page.evaluate(x => fetch(x), userInput);

  await page.screenshot({path: 'example.png'});
  await browser.close();
}
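As an added example that is not part of the rule's own test file, the flagged call is shown next to a hardened version that validates the user-supplied URL before it is handed to `evaluate`. `ALLOWED_HOSTS`, `validateTargetUrl` and the `fetchViaPage*` names are assumptions chosen for illustration; `page` is any Playwright `Page` object.

```javascript
// Constructed allowlist of hosts the browser context may be asked to fetch.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Vulnerable form (what the rule matches): userInput flows unchecked into the
// evaluate argument, and the callback fetches it from inside the browser context,
// so internal or otherwise unreachable hosts can be requested on the caller's behalf.
async function fetchViaPageUnsafe(page, userInput) {
  return page.evaluate((url) => fetch(url).then((r) => r.status), userInput);
}

// Accept only an absolute http(s) URL, without embedded credentials, whose
// hostname is on the allowlist. Returns the normalised URL string or throws.
function validateTargetUrl(userInput, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(String(userInput)); // relative URLs and garbage throw here
  } catch {
    throw new Error('invalid URL');
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  if (url.username || url.password) {
    // Rejects "http://example.com@127.0.0.1/" style confusion.
    throw new Error('credentials in URL not allowed');
  }
  if (!allowedHosts.has(url.hostname)) {
    throw new Error(`host not allowed: ${url.hostname}`);
  }
  return url.href;
}

// Hardened form: only the validated, normalised URL reaches evaluate.
async function fetchViaPageSafe(page, userInput) {
  const target = validateTargetUrl(userInput);
  return page.evaluate((url) => fetch(url).then((r) => r.status), target);
}
```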