javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection
semgrep
Author
3,078
Download Count*
License
If unverified user data can reach the evaluate
method it can result in Server-Side Request Forgery vulnerabilities
Run Locally
Run in CI
Defintion
rules:
- id: playwright-evaluate-arg-injection
message: If unverified user data can reach the `evaluate` method it can result
in Server-Side Request Forgery vulnerabilities
metadata:
owasp:
- A10:2021 - Server-Side Request Forgery (SSRF)
cwe:
- "CWE-918: Server-Side Request Forgery (SSRF)"
category: security
technology:
- playwright
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
references:
- https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Server-Side Request Forgery (SSRF)
languages:
- javascript
- typescript
severity: WARNING
patterns:
- pattern-inside: |
require('playwright');
...
- pattern-either:
- pattern-inside: function $FUNC (...,$INPUT,...) {...}
- pattern-inside: function (...,$INPUT,...) {...}
- pattern-either:
- pattern: $PAGE.evaluate($CODE,...,<... $INPUT ...>,...)
- pattern: $PAGE.evaluateHandle($CODE,...,<... $INPUT ...>,...)
Examples
playwright-evaluate-arg-injection.js
const { chromium } = require('playwright');
async function test3(userInput) {
const browser = await chromium.launch();
const page = await browser.newPage();
// ok
await page.evaluate(x => console.log(x), 5);
// ruleid:playwright-evaluate-arg-injection
await page.evaluate(x => fetch(x), userInput);
await page.screenshot({path: 'example.png'});
await browser.close();
}
Short Link: https://sg.run/ndgr