The JavaScript analyzer can now detect 9 new security issues and can automatically fix 10 more issues!
Here is the detailed changelog:
New Issues:
- JS-D017 : Unsafe permissions set on a file

```js
const fs = require('fs')
const process = require('process')
fs.chmodSync('/tmp/fs', 0o777) // File has been given read, write and execute permission for everyone, needs audit.
// ...
process.umask(0o777) // Issue here: the process-wide umask is changed
```
- JS-D015 : Audit: Insecure cookie
This is raised when an insecure cookie is created. DeepSource flags this as an audit issue to avoid false negatives. At the moment, cookies from the following libraries are checked:
  - [cookie-session](https://github.com/expressjs/cookie-session)
  - [express-session](https://github.com/expressjs/session)
  - [cookies](https://github.com/pillarjs/cookies)
  - [csurf](https://github.com/expressjs/csurf)

```js
const express = require('express')
const session = require('express-session')
let app = express()
app.use(
  session({
    cookie: {
      secure: false // Sensitive: the cookie may be sent over plain HTTP
    }
  })
)
```
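The check behind this audit, written out as an added example that is not DeepSource's code or express-session's: it parses a `Set-Cookie` header value, reports the attributes a session cookie should carry, and puts the hardened express-session options next to the flagged ones. The sample header strings are constructed for the example; the `hardenedSessionOptions` object is the corrected form of the snippet above, not a complete express-session configuration (it omits `secret` and the store).

```javascript
// Added example (not DeepSource's or express-session's code): audit one
// Set-Cookie header value the way JS-D015 audits session configuration.

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Return the weaknesses found; an empty list means the cookie passes.
function auditCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.secure) findings.push('missing Secure: cookie is sent over plain HTTP');
  if (!attributes.httponly) findings.push('missing HttpOnly: cookie is readable from script');
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (!sameSite) findings.push('missing SameSite: browser applies its default');
  else if (sameSite === 'none' && !attributes.secure) findings.push('SameSite=None requires Secure');
  return findings;
}

// The flagged configuration from the snippet above, and its corrected form.
const insecureSessionOptions = { cookie: { secure: false } };
const hardenedSessionOptions = {
  cookie: { secure: true, httpOnly: true, sameSite: 'lax' },
};

// Constructed sample headers, as a server might emit them.
const SAMPLE_WEAK = 'sid=abc123; Path=/';
const SAMPLE_HARDENED = 'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';
```

`auditCookie` is the kind of check that belongs in an integration test against a running server, where it can read the real `Set-Cookie` header rather than a sample.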
- JS-D018 : Audit: Forwarding IP while setting proxies in the HTTP server
This issue is raised when node-http-proxy and http-proxy-middleware are configured in a way that may lead to IP forwarding (the `xfwd` option in the snippet below).

```js
var httpProxy = require('http-proxy')
httpProxy.createProxyServer({ target: 'http://localhost:9000', xfwd: true }).listen(8000)
```
- JS-D019 : Audit: Insecure clear text protocol
This issue is reported when the `secure` option of the ftp and nodemailer modules is set to `false`.

```js
var Client = require('ftp')
var c = new Client()
c.connect({
  secure: false // connection is made in clear text
})
```
- JS-D020 : Audit: Allowing dotfiles during static file serving can be sensitive

```js
const serveStatic = require('serve-static')
let serveStaticMiddleware = serveStatic('public', {
  index: false,
  dotfiles: 'allow' // not safe
})
```
- JS-D022 : XML parsing may be vulnerable to XXE attacks

```js
const libxmljs = require('libxmljs')
var fs = require('fs')
var xml = fs.readFileSync('xxe.xml', 'utf8')
// Setting `noent` to `true` can allow this to parse external entities.
var xmlDoc = libxmljs.parseXmlString(xml, { noblanks: true, noent: true, nocdata: true })
```
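The usual defence is two layers: keep entity substitution off in the parser, and refuse documents that declare a DTD at all before they reach it. The following is an added example, not DeepSource's or libxmljs's code. The DTD guard is plain JavaScript and runs without libxmljs; the `SAFE_PARSE_OPTIONS` object is meant for `libxmljs.parseXmlString` as in the snippet above, and its `nonet` key (refuse network fetches) is assumed to be supported alongside the keys the snippet already uses. Both XML strings are constructed samples.

```javascript
// Added example (not DeepSource's or libxmljs's code): reject XML that carries
// a DTD before parsing, and keep the parser from expanding entities.

// Constructed sample: the kind of declaration that noent:true would expand.
const SAMPLE_XXE = `<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY ext SYSTEM "file:///tmp/constructed-sample.txt"> ]>
<data>&ext;</data>`;

const SAMPLE_PLAIN = `<?xml version="1.0"?><data>hello</data>`;

// Detect a DOCTYPE or ENTITY declaration, ignoring comments and CDATA so a
// literal "<!DOCTYPE" inside them does not count.
function containsDoctype(xml) {
  const stripped = xml
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '');
  return /<!(DOCTYPE|ENTITY)\b/i.test(stripped);
}

// Parser options for libxmljs.parseXmlString: entity substitution stays off
// and (assumed option) network access is refused.
const SAFE_PARSE_OPTIONS = { noblanks: true, noent: false, nocdata: true, nonet: true };

// Parse untrusted XML with a caller-supplied parse function (for libxmljs,
// pass libxmljs.parseXmlString). Documents with a DTD are refused outright.
function parseUntrustedXml(xml, parse) {
  if (containsDoctype(xml)) {
    throw new Error('rejected: document declares a DTD');
  }
  return parse(xml, SAFE_PARSE_OPTIONS);
}
```

Rejecting DTDs outright is stricter than `noent: false` alone: it also closes off entity-expansion denial of service and any external DTD fetch, at the cost of refusing the rare legitimate document that needs one.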
- JS-D024 : Unsafe Content Security Policy
This issue is raised when the `frameAncestors` directive is not configured properly.

```js
const express = require('express')
const helmet = require('helmet')
let app = express()
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // other directives
      frameAncestors: ["'none'"] // frameAncestors is set to none
    }
  })
)
```
- JS-D023 : Avoid Command Injection in Node.js
This issue is raised for `child_process.exec`, which passes the command string to `/bin/sh` rather than executing the target program directly, so shell metacharacters in user input are interpreted by the shell.

```js
var child_process = require('child_process')
var path = 'user input'
child_process.exec('ls -l ' + path, function (err, data) { // `path` is spliced into a shell command line
  console.log(data)
})
```
- JS-D025 : Avoid `Buffer()` and `Buffer#allocUnsafe()` for NodeJS
In NodeJS, the behavior of the `Buffer` constructor is different depending on the type of its argument. Passing an argument from user input to `Buffer()` without validating its type can lead to security vulnerabilities such as remote memory disclosure and denial of service. As a result, the `Buffer` constructor has been deprecated and should not be used.
Errors in handling buffers allocated with `Buffer.allocUnsafe()` could result in various issues, ranging from undefined behavior of your code to sensitive data (user input, passwords, certs) leaking to a remote attacker.

```js
Buffer([1, 2, 3]) // deprecated constructor call
new Buffer([1, 2, 3]) // deprecated constructor call
Buffer.allocUnsafe(5) // memory is not zero-filled
```
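The replacement APIs make the type decision explicit: `Buffer.from` for content, `Buffer.alloc` for zero-filled space. The following added example (not DeepSource's code) wraps them in the two checks the text above calls for: a type-validated conversion that refuses numbers (which the legacy constructor would have read as a size), and scratch allocation that never leaves uninitialised bytes in a buffer that might be sent to a peer. The size cap and sample inputs are constructed for the example.

```javascript
// Added example (not DeepSource's code): type-checked Buffer construction and
// zeroed allocation in place of Buffer() and bare Buffer.allocUnsafe().

// Build a Buffer from untrusted input with the type decided up front.
// Buffer() would treat a number as a size (uninitialised allocation of that
// many bytes) and a string as content; here a number is rejected outright.
function bytesFromInput(input) {
  if (typeof input === 'string') return Buffer.from(input, 'utf8');
  if (Array.isArray(input) && input.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) {
    return Buffer.from(input);
  }
  if (Buffer.isBuffer(input)) return Buffer.from(input); // copy, do not alias the caller's memory
  throw new TypeError('expected string, byte array or Buffer, got ' + typeof input);
}

// Allocate scratch space that is guaranteed zero-filled, with a size cap so a
// client-supplied length cannot exhaust memory (constructed limit: 1 MiB).
const MAX_SCRATCH = 1 << 20;
function zeroedScratch(size) {
  if (!Number.isSafeInteger(size) || size < 0 || size > MAX_SCRATCH) {
    throw new RangeError('unreasonable buffer size');
  }
  return Buffer.alloc(size);
}

// When allocUnsafe is used for speed, clear everything that was not written
// before the buffer leaves the process; only the written prefix is meaningful.
function fillThenUse(size, text) {
  const buf = Buffer.allocUnsafe(size);
  const written = buf.write(text, 0, 'utf8');
  buf.fill(0, written); // zero the tail explicitly
  return buf;
}
```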
Note: Since most of the issues here are marked as Audit, please refer to this post if you're not already familiar with audit issues.
New Autofixes:
- JS-0005 : Debugger activation detected
The autofix will remove all the `debugger` statements from the code.
- JS-0002: Avoid using console in code that runs on the browser
The autofix will remove the console expressions.
- JS-0059 : Null comparisons without type-checking operators may not work as intended
The autofix will replace `==`/`!=` with `===`/`!==` respectively.
- JS-0570 : Check for common misspellings of `$on('destroy', …)` for Angular
The autofix will replace `destroy` with `$destroy`.
- JS-0576 : Missing ChangeDetectionStrategy.OnPush for Angular codebase
The autofix will replace `ChangeDetectionStrategy.Default` with `ChangeDetectionStrategy.OnPush`.
- JS-0530 : Use $cookies instead of $cookieStore for Angular codebase
The autofix will replace `$cookieStore` with `$cookies`.
- JS-0513: Avoid typos when naming methods defined on the scope object for angular codebase
The autofix will replace the incorrect names with the correct ones.
- JS-0575: Found impure pipes
The autofix will convert the impure pipes to pure pipes by explicitly setting `pure` to `true`.
- JS-0021: Object.prototype builtins should not be used directly
The autofix will replace direct calls to built-in prototype methods on an object with calls through the `Object.prototype` equivalent.
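Why the direct call is a problem, and what the autofixed form looks like, as an added example (not DeepSource's code): objects created with `Object.create(null)` have no `hasOwnProperty` at all, and parsed JSON can shadow it with a non-function, so `obj.hasOwnProperty(key)` throws on exactly the inputs a web service receives from outside. The two sample objects are constructed for the example.

```javascript
// Added example (not DeepSource's code): the fragile direct call beside the
// form the JS-0021 autofix produces.

// Direct call: fails on objects without Object.prototype in their chain and
// on objects that shadow the method with a data property.
function hasKeyDirect(obj, key) {
  return obj.hasOwnProperty(key);
}

// Autofixed form: the method comes from Object.prototype itself, so the
// shape of `obj` no longer matters.
function hasKeySafe(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Constructed inputs that defeat the direct call.
const nullProtoObj = Object.assign(Object.create(null), { id: 1 });
const shadowingObj = JSON.parse('{"hasOwnProperty": "overridden", "id": 1}');

// Returns which of the two helpers survive a given object, for comparison.
function compareOn(obj) {
  const result = { direct: null, safe: null };
  try { result.direct = hasKeyDirect(obj, 'id'); } catch (e) { result.direct = e.constructor.name; }
  try { result.safe = hasKeySafe(obj, 'id'); } catch (e) { result.safe = e.constructor.name; }
  return result;
}
```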
- JS-0117 : Prefer adding `u` flag in regular expressions
The autofix will add a `u` flag in the regular expressions. This enables the correct handling of UTF-16 surrogate pairs and ensures the correct behavior of regex character ranges.
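Both effects the text describes, measured rather than asserted, as an added example (not DeepSource's code): without `u`, `.` sees an astral character such as an emoji as two UTF-16 code units, and a character-class range written with astral code points is parsed as a range between surrogate halves, which is out of order and fails to compile. The input strings are constructed for the example.

```javascript
// Added example (not DeepSource's code): what the u flag changes for
// surrogate pairs and for character-class ranges.

// How many "characters" a single-character regex counts in a string.
function countDotMatches(str, withU) {
  const re = withU ? /./gu : /./g;
  return (str.match(re) || []).length;
}

// Whether str is a single code point in the emoticon block U+1F600..U+1F64F.
// Without u the pattern is read as [\uD83D\uDE00-\uD83D\uDE4F], whose inner
// range \uDE00-\uD83D is out of order, so the RegExp constructor throws.
function inEmoticonRange(str, withU) {
  try {
    const re = new RegExp('^[\u{1F600}-\u{1F64F}]$', withU ? 'u' : '');
    return re.test(str);
  } catch (e) {
    return 'error: ' + e.message;
  }
}

const SAMPLE_EMOJI = '\u{1F600}'; // constructed input: one astral code point
```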