javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript


`serialize-javascript` used with the `unsafe` parameter; this could be vulnerable to XSS.


Definition

rules:
  - id: unsafe-serialize-javascript
    message: "`serialize-javascript` used with `unsafe` parameter, this could be
      vulnerable to XSS."
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web
          Page (Basic XSS)"
      category: security
      technology:
        - serialize-javascript
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-inside: |
          $S = require('serialize-javascript');
          ...
      - pattern-not-inside: escape(...)
      - pattern-not-inside: encodeURI(...)
      - pattern: |
          $S(..., {unsafe: true});

Examples

unsafe-serialize-javascript.js

var serialize = require('serialize-javascript');

// Flagged: `unsafe: true` turns off the escaping of <, >, / and the
// U+2028/U+2029 line terminators, so caller-controlled data is written
// into the output verbatim.
function test(userInput) {
    // ruleid: unsafe-serialize-javascript
    const result = serialize({foo: userInput}, {unsafe: true, space: 2})
    return result
}

// Flagged: the literal is harmless here, but the rule reasons about the
// option, not the value, so `unsafe: true` is always reported.
function test2() {
    // ruleid: unsafe-serialize-javascript
    const result = serialize({foo: '<img src=x />'}, {unsafe: true, space: 2})
    return result
}

// Not flagged: default options keep the escaping enabled.
function testOk() {
    // ok: unsafe-serialize-javascript
    const result = serialize({foo: '<img src=x />'}, {space: 2})
    return result
}

// Not flagged: the call sits inside escape(...), one of the rule's
// pattern-not-inside sanitizers.
function testOk2() {
    // ok: unsafe-serialize-javascript
    const result = escape(serialize({foo: '<img src=x />'}, {space: 2}))
    return result
}

// Not flagged: wrapped in both encodeURI(...) and escape(...).
function testOk3() {
    // ok: unsafe-serialize-javascript
    const result = encodeURI(escape(serialize({foo: '<img src=x />'}, {space: 2})))
    return result
}