javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools
The Chrome DevTools Protocol endpoint opened by Chromium's `--remote-debugging-*` switches performs no authentication: any client that can reach the port or socket can drive the browser the same way Playwright itself does. Exposing it beyond the local machine — or to other users on a shared host — is therefore a security risk; if remote debugging is needed at all, bind it to the loopback interface and keep it unreachable from untrusted networks.
Definition
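rules:
  - id: playwright-exposed-chrome-devtools
    # Flags Playwright launches that pass any Chromium --remote-debugging-*
    # switch. The Chrome DevTools Protocol endpoint these switches open has no
    # authentication of its own, so whoever can reach the port or socket can
    # drive the browser.
    message: >-
      Remote debugging protocol does not perform any authentication, so
      exposing it too widely can be a security risk. If remote debugging is
      really needed, bind it to the loopback interface and keep the port or
      socket unreachable from other hosts and from untrusted local users.
    metadata:
      # NOTE(review): the author maps this to CWE-94 / A03 Injection. The
      # finding is an unauthenticated control interface rather than code
      # injection proper (CWE-306 "Missing Authentication for Critical
      # Function" is arguably closer). Left unchanged; confirm with the rule
      # owner before re-mapping, since cwe2022-top25 is tied to the CWE chosen.
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      category: security
      technology:
        - playwright
      cwe2022-top25: true
      subcategory:
        - audit
      # Audit-grade signal: every textual occurrence of a switch is reported,
      # including ports bound to loopback, so likelihood/confidence are LOW
      # and each hit needs a human to check where the endpoint is reachable from.
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      # Scope: only code following a CommonJS `require('playwright')`.
      # NOTE(review): the test file below exercises only the require() form;
      # confirm whether ESM `import ... from 'playwright'` files are matched
      # too before relying on this rule for ESM codebases.
      - pattern-inside: |
          require('playwright');
          ...
      # Any Chromium switch that opens the DevTools Protocol remotely.
      # pattern-regex works on raw source text, so a switch assembled in a
      # template literal (`--remote-debugging-port=${port}`) is still caught —
      # but so is the same text inside a comment or an unrelated string.
      - pattern-either:
          - pattern-regex: --remote-debugging-address
          - pattern-regex: --remote-debugging-port
          - pattern-regex: --remote-debugging-socket-name
          - pattern-regex: --remote-debugging-targets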
Examples
playwright-exposed-chrome-devtools.js
const { chromium } = require('playwright');
// Semgrep test fixture for playwright-exposed-chrome-devtools.
// A `// ruleid:` annotation must sit on the line directly above a launch the
// rule is expected to flag, and `// ok:` above one it must not; keep those
// annotations adjacent to the chromium.launch(...) call when editing.
// Each case launches Chromium, opens a page, loads example.com and closes the
// browser; only the `args` array differs. The flag values (e.g. `=123`) are
// illustrative and not meant to run outside the Semgrep test harness.
// Case 1: a fixed --remote-debugging-address switch in a string literal -> flagged.
(async () => {
// ruleid:playwright-exposed-chrome-devtools
const browser = await chromium.launch({args:['--remote-debugging-address=123','--somethin-else']});
const page = await browser.newPage();
await page.goto('https://example.com');
await browser.close();
})();
// Case 2: the port is interpolated into a template literal. The rule uses
// pattern-regex on the raw source text, so the `--remote-debugging-port`
// prefix is still found even though the value is not a literal -> flagged.
(async () => {
var port = 9222;
// ruleid:playwright-exposed-chrome-devtools
const browser = await chromium.launch({args:[`--remote-debugging-port=${port}`,'--somethin-else']});
const page = await browser.newPage();
await page.goto('https://example.com');
await browser.close();
})();
// Case 3: launch arguments without any --remote-debugging-* switch -> not flagged.
(async () => {
// ok:playwright-exposed-chrome-devtools
const browser = await chromium.launch({args:['--somethin-else', '--more-examples']});
const page = await browser.newPage();
await page.goto('https://example.com');
await browser.close();
})();