javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection

Author: semgrep
Downloads: 3,078

If unverified user data can reach the evaluate method, it can result in Server-Side Request Forgery vulnerabilities.


Definition

rules:
  - id: playwright-evaluate-code-injection
    message: If unverified user data can reach the `evaluate` method it can result
      in Server-Side Request Forgery vulnerabilities
    metadata:
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      category: security
      technology:
        - playwright
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-inside: |
          require('playwright');
          ...
      - pattern-not-inside: |
          var $INPUT = function $FNAME(...){...};
          ...
      - pattern-either:
          - pattern: $PAGE.evaluate($INPUT,...)
          - pattern: $PAGE.evaluateHandle($INPUT,...)
          - pattern: $PAGE.evaluateOnNewDocument($INPUT,...)
      - pattern-not: $PAGE.evaluate("...",...)
      - pattern-not: $PAGE.evaluate(function(...){...},...)
      - pattern-not: $PAGE.evaluateHandle("...",...)
      - pattern-not: $PAGE.evaluateHandle(function(...){...},...)
      - pattern-not: $PAGE.evaluateOnNewDocument("...",...)
      - pattern-not: $PAGE.evaluateOnNewDocument(function(...){...},...)

Examples

playwright-evaluate-code-injection.js

const { chromium } = require('playwright');

async function test2(userInput) {

  const browser = await chromium.launch();
  const page = await browser.newPage();

  // ok:playwright-evaluate-code-injection
  await page.evaluate(x => console.log(x), 5);

  // ruleid:playwright-evaluate-code-injection
  await page.evaluate(`fetch(${userInput})`);

  await page.screenshot({path: 'example.png'});
  await browser.close();
}
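The rule above flags `evaluate`, `evaluateHandle` and `evaluateOnNewDocument` calls whose first argument is neither a string literal nor a function literal, which is exactly the `fetch(${userInput})` case in the test file: the user's text becomes part of the JavaScript source the browser executes. The example below is added here and is not part of the Semgrep rule or the Playwright project. It places the flagged form beside the form the rule accepts (a function literal with the user value passed as a serialized argument, after URL validation), and uses a constructed `MockPage` stand-in so it runs without a browser; `allowedHosts`, `validateUrl` and `fetchInPage` are names assumed for this illustration.

```javascript
// Added example, not from the rule page or Playwright. Contrasts the pattern
// the rule reports with the argument-passing form it allows.

// Flagged form: the caller's text is spliced into source code. Whatever the
// user supplies is parsed as a JavaScript expression inside the page, not
// treated as a URL string.
function buildVulnerableScript(userInput) {
  return `fetch(${userInput})`;
}

// Hardened form, step 1: validate before anything reaches the page.
// `allowedHosts` is an assumed allowlist of hostnames the app may contact.
function validateUrl(userInput, allowedHosts) {
  let url;
  try {
    url = new URL(String(userInput));
  } catch {
    throw new Error('invalid URL');
  }
  if (url.protocol !== 'https:') {
    throw new Error('only https URLs are allowed');
  }
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error(`host not allowed: ${url.hostname}`);
  }
  return url.href;
}

// Hardened form, step 2: a function literal plus an argument. Playwright
// serializes the argument and hands it to the page function as data, which
// is the `pattern-not: $PAGE.evaluate(function(...){...},...)` shape the rule
// deliberately does not report.
async function fetchInPage(page, userInput, allowedHosts) {
  const href = validateUrl(userInput, allowedHosts);
  return page.evaluate((u) => fetch(u).then((r) => r.status), href);
}

// Constructed stand-in for a Playwright Page: records how evaluate was
// called so the argument-passing shape can be checked without a browser.
class MockPage {
  constructor() {
    this.calls = [];
  }
  async evaluate(pageFunction, arg) {
    const call = { kind: typeof pageFunction, arg };
    this.calls.push(call);
    return call;
  }
}

// Convenience wrapper used by the checks below: runs the hardened path and
// reports the shape of the resulting evaluate call.
async function describeHardenedCall(userInput, allowedHosts) {
  const page = new MockPage();
  await fetchInPage(page, userInput, allowedHosts);
  return page.calls[0];
}
```

With `https://api.example.com/v1/items` and an allowlist containing `api.example.com`, `describeHardenedCall` reports a call whose first argument is a function and whose second is the validated URL; an `http:` URL or an unknown host is rejected before `page.evaluate` is ever reached. Running the same inputs through `buildVulnerableScript` shows the problem the rule is about: `location.href` or any other expression is returned unchanged inside `fetch(...)` and would be evaluated as code.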