In the latest release of the JavaScript analyzer, we have added support for 4 new security issues and 6 new autofixes.
Here is the detailed changelog:
New Security Issues
1. JS-S1001: Avoid insecure HTTP header configuration for the no-sniff header
It is recommended to send the X-Content-Type-Options header with the value nosniff (the only value defined for this header). All modern browsers support it, and it stops the browser from MIME-sniffing a response, so a resource whose Content-Type header does not match its contents is not interpreted as the sniffed type (the classic case being a non-script response that a browser would otherwise execute as script).
This issue is reported when noSniff is set to false in the [helmet](https://helmetjs.github.io/) options; helmet sends the header by default.
Examples of Invalid code
const express = require('express')
const helmet = require('helmet')
let app = express()
app.use(
  helmet({
    noSniff: false // Sensitive
  })
)
2. JS-S1002: Avoid insecure HTTP Strict Transport Security configuration
When sending a Strict-Transport-Security header with [helmet](https://helmetjs.github.io/), it is recommended to apply the policy to all subdomains as well (the includeSubDomains directive). Without it, subdomains that still answer over plain HTTP remain exposed to downgrade attacks even though the parent domain is protected.
This issue is reported when includeSubDomains is set to false for helmet's hsts middleware (it is true by default).
Examples of Invalid code
const express = require('express')
const helmet = require('helmet')
let app = express()
app.use(
  helmet.hsts({
    includeSubDomains: false // Sensitive
  })
)
3. JS-S1004: Information disclosure using the X-Powered-By header
Disclosing technology fingerprints lets an attacker learn which technologies the web application is built on and carry out the relevant security assessments more quickly (for example, identifying known vulnerable components).
It is recommended not to disclose the technologies used on a website, for instance through the X-Powered-By HTTP header. It is also better to disable this header completely than to set it to a random or decoy value.
This issue is reported when X-Powered-By is not disabled for an [expressjs](https://expressjs.com/) app (Express sends X-Powered-By: Express by default; app.disable('x-powered-by') turns it off). If you use helmet with Express, prefer helmet's hidePoweredBy middleware, which helmet() enables by default.
Examples of Invalid code
let express = require('express');
let app = express(); // Sensitive
app.get('/', function (req, res) {
  res.send('hello')
});
4. JS-S1003: Avoid insecure DNS prefetch control configuration
Sending the X-DNS-Prefetch-Control header with the value off stops the browser from resolving the hostnames of a page's links in advance. Be aware that this can noticeably degrade page-load performance, so weigh the trade-off for your application.
This issue is reported when allow is set to true for helmet's dnsPrefetchControl middleware (the default is false, which sends off).
Examples of Invalid code
const express = require('express')
const helmet = require('helmet')
let app = express()
app.use(
  helmet.dnsPrefetchControl({
    allow: true // Sensitive: allowing DNS prefetching is security-sensitive
  })
)
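The four findings above are all checks on response headers, so here is an added example (not the analyzer's rule code, and not helmet's) that audits a set of response headers for all four at once and shows a corrected header set beside the weak one. It uses plain JavaScript only, with no Express or helmet, so it runs offline; the values it applies are the ones helmet() sends by default for these middlewares (noSniff, hsts with includeSubDomains, dnsPrefetchControl with allow: false, and hidePoweredBy). The weak header object is a constructed sample, not a captured response.

```javascript
// Added example, not code from the analyzer or from helmet: a dependency-free
// audit of the four header findings in this changelog, run against
// constructed headers. Header names are compared case-insensitively, as
// Node's http module lowercases incoming header names.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Returns the rule IDs from this changelog that the response headers trip.
function auditSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const findings = [];

  // JS-S1001: header must be present and exactly "nosniff" (its only value).
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('JS-S1001');
  }

  // JS-S1002: HSTS must be present and carry the includeSubDomains directive.
  const hstsDirectives = (h['strict-transport-security'] || '')
    .split(';')
    .map((d) => d.trim().toLowerCase());
  if (!hstsDirectives.includes('includesubdomains')) {
    findings.push('JS-S1002');
  }

  // JS-S1004: X-Powered-By must be absent, not merely set to a decoy value.
  if ('x-powered-by' in h) {
    findings.push('JS-S1004');
  }

  // JS-S1003: X-DNS-Prefetch-Control should be "off".
  if ((h['x-dns-prefetch-control'] || '').trim().toLowerCase() !== 'off') {
    findings.push('JS-S1003');
  }
  return findings;
}

// Headers this function owns; any existing value for them is replaced.
const MANAGED = new Set([
  'x-powered-by',
  'x-content-type-options',
  'strict-transport-security',
  'x-dns-prefetch-control',
]);

// Returns a copy of the headers with the four rules satisfied, using the
// values helmet() sends by default. X-Powered-By is dropped, not overwritten.
function hardenHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!MANAGED.has(name.toLowerCase())) out[name] = value;
  }
  out['X-Content-Type-Options'] = 'nosniff';
  // 180 days, matching helmet's default maxAge of 15552000 seconds.
  out['Strict-Transport-Security'] = 'max-age=15552000; includeSubDomains';
  out['X-DNS-Prefetch-Control'] = 'off';
  return out;
}

// Constructed sample: roughly what a bare Express app sends without helmet,
// plus an HSTS header that forgot includeSubDomains.
const weakHeaders = {
  'X-Powered-By': 'Express',
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=15552000',
};

console.log(auditSecurityHeaders(weakHeaders)); // ['JS-S1001', 'JS-S1002', 'JS-S1004', 'JS-S1003']
console.log(auditSecurityHeaders(hardenHeaders(weakHeaders))); // []
```

With Express and helmet the equivalent fix is simply app.use(helmet()) with the defaults, since each of the four middlewares involved is on by default. With Express alone, app.disable('x-powered-by') removes the fingerprint, but the other three headers still have to be set by hand on every response.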
New Autofixes
1. JS-0502: Type annotation missing in variable declarator
Adds the most accurate type it can infer for the variable, falling back to any where no precise type can be inferred (the function expression below).
Original Code
var foo = 'bar'
var foo1 = 1
var fooarr = [1, 3, 4]
var fooobj = { key1: 'str', key2: false }
var foo2 = function (ar) {}
Autofixed Output
var foo: string = 'bar'
var foo1: number = 1
var fooarr: number[] = [1, 3, 4]
var fooobj: { key1: string; key2: boolean } = { key1: 'str', key2: false }
var foo2: any = function (ar) {}
2. JS-0419: Avoid duplicate properties in JSX
Removes the duplicate occurrence of the prop.
Original Code
<Hello name="John" name="John" />;
Autofixed Output
<Hello name="John"/>;
3. JS-0495: Indexers must be declared with a key name for Flow types
Adds a key name to the indexer in the object type.
Original Code
type foo = { [string]: number };
Autofixed Output
type foo = { [key: string]: number };
4. JS-0271: Suggest correct usage of shebang for Node.js
Adds the shebang (#!/usr/bin/env node) when the file is listed in the bin property of package.json; if the file is not listed in bin but still has the shebang, the shebang is removed.
Original Code
// this file is added on `bin` field in package.json
console.log("hello");
Autofixed Output
#!/usr/bin/env node
console.log("hello");
5. JS-0487: Prefer $ReadOnlyArray over Array in Flow types
Replaces Array with $ReadOnlyArray. Note that this makes the type immutable, so any code that pushes to or otherwise mutates a value of this type will subsequently fail type-checking.
Original Code
type X = Array<string>
Autofixed Output
type X = $ReadOnlyArray<string>
6. JS-0034: Duplicate conditions in if-else-if chains
Removes the duplicate else-if branch. Because the second test of the same condition can never be true, the removed branch was unreachable and the fix does not change behaviour; do check, though, whether the duplicate was really a typo for a different condition, in which case the intended branch needs to be restored with the correct test rather than dropped.
Original Code
if (isSomething(x)) {
  func();
} else if (isSomething(x)) {
  handler();
}
Autofixed Output
if (isSomething(x)) {
  func();
}