ajinabraham / nodejsscan


nodejsscan is a static security code scanner for Node.js applications.

Home Page: https://opensecurity.in

License: GNU General Public License v3.0

javascript nodejs static-analysis security security-scanner sast devsecops code-analysis code-review node

nodejsscan's Introduction

nodejsscan

Static security code scanner (SAST) for Node.js applications powered by libsast and semgrep.


Support nodejsscan

  • Donate via PayPal
  • Sponsor the project: GitHub Sponsors

e-Learning Courses & Certifications

OpSecX video course: Node.js Security: Pentesting and Exploitation - NJS

Run nodejsscan

docker pull opensecurity/nodejsscan:latest
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest

Setup nodejsscan locally

Install Postgres and configure SQLALCHEMY_DATABASE_URI in nodejsscan/settings.py or as an environment variable.

From version 4 onwards, Windows support is dropped.

git clone https://github.com/ajinabraham/nodejsscan.git
cd nodejsscan
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python3 manage.py recreate-db # Run once to create database schema

To run nodejsscan

./run.sh

This will run the nodejsscan web user interface at http://127.0.0.1:9090

Command Line Interface (CLI) and Python API

njsscan_cli

Presentations

Watch the video

Integrations

Slack Alerts

Create a Slack app and set SLACK_WEBHOOK_URL in nodejsscan/settings.py or as an environment variable.


Email Alerts

Configure SMTP settings in nodejsscan/settings.py or as environment variables.

CI/CD or DevSecOps

Build Docker image

docker build -t nodejsscan .
docker run -it -p 9090:9090 nodejsscan

nodejsscan screenshots: web UI, dashboard, charts, overview, findings


nodejsscan's Issues

issues with jsbeautify

So, our company uses GitLab CI pipelines; in the pipeline it runs GitLab's standard SAST scan, among many other things.
One piece of our .gitlab-ci.yml files:

include:
  - https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
# https://docs.gitlab.com/ee/user/application_security/sast/

In GitLab's SAST scan it uses NodeJsScan, this project. We are developing SPAs with create-react-app, and NodeJsScan runs on our minified code.

It generates confusing errors like this:

+----------------------------------------------------------------------------------------+
|            | NodeJsScan | build/static/js/1.bab07cdc.chunk.js:1                        |
|                                                                                        |
| Password Hardcoded                                                                     |
+----------------------------------------------------------------------------------------+

What it needs to do is use source maps and/or format/beautify the minified JavaScript before running, so there is an actual line number (webpack chunk files omit newlines entirely; everything is on one line). Another improvement would be to include a column number.

I've also had issues trying to use stage 3 ECMAScript proposals like optional chaining, which cause syntax errors. This is yet another reason to upgrade the JavaScript formatting tool to Babel. I am not sure how to use Babel to create formatted/beautified output, but it should not be hard.

SailsJS support

Is it possible to add SailsJS support?

The issue with SailsJS is that we do not add Express middleware with app.use as stated here.

My config/http.js looks like this:

const helmet = require('helmet')
module.exports.http = {
  ...
  middleware: {
    order: [
      ...
      'helmetProtection',
      ...
    ],
    helmetProtection: function helmetProtection(req, res, next) {
      return helmet({
        frameguard: {
          action: 'deny',
        },
        ...
      })(req, res, next)
    },
  },
}

Security headers are well set, but NodeJsScan doesn't think so (because it does not find .use, if I understand correctly), and that makes my CI test fail...

Probably needs to be rewritten to use AST

After spending a bit of time testing this library with some sample datasets such as this one, I have come to the unfortunate conclusion that using just regexes embedded in an XML file is a serious limitation for this tool.

I think we should get inspiration from tools such as bandit and gosec:

  • They cleverly use AST to parse source code into a machine-readable format
  • Rules are expressed as code so that there could be advanced logic for any lookups and filtering

I am not sure what the current state of AST tooling is for JavaScript and Node.js. Until we have a solid AST library, we may have to stick with just regex or unfriendly services such as lgtm :(

Error 500

I used those commands:

docker build -t nodejsscan .
docker run -it -p 9090:9090 nodejsscan

I zipped the .js file and uploaded it, but there was no output; instead I got this error:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>500 Internal Server Error</title> <h1>Internal Server Error</h1> <p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

Is there a way to ignore one line?

Is there a way to ignore a single line in a file?

For example, with PHP_CodeSniffer you can add a comment such as this and it will cause CodeSniffer to not check the next line:
// @codingStandardsIgnoreLine

I am not very familiar with this tool, so there may be some way that I don't know about?

XSS In NodeJsScan UI from File / Folder Names.

Hey man. Great project. Thank you for your work on this.

I was testing this out and bumped into an XSS.

  1. Create a zip file with a file named: ');alert(document.domain);('.txt
  2. Upload the zip.
  3. Under "All Files", click the link under Location for the file.
  4. You should see a popup with the XSS.


This gets converted into the following HTML:

<a href="javascript:view('e9ce45f4ef683fb3130c00e93a96fd92c63010b0597249012d47c4f80863663d/tester/&#39;);alert(document.domain);(&#39;.txt','0','tester&#39;);alert(document.domain);(&#39;.txt','e9ce45f4ef683fb3130c00e93a96fd92c63010b0597249012d47c4f80863663d');">

The single quote is being HTML-encoded instead of properly escaped for JavaScript.
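As an added illustration (not code from the project or the reporter), the two encoding orders compared in Python: the reported pattern HTML-encodes the name and drops it into a single-quoted JavaScript string, while the hardened form encodes for the JavaScript string context first (json.dumps) and for the HTML attribute context second. The view() handler shape and the SCANID value are assumptions; the file name is the one from the report.

```python
import html
import json

# Constructed inputs: the file name from the report plus a placeholder scan id
# (the real scan hash shown on the page is not needed here).
FILE_NAME = "');alert(document.domain);('.txt"
SCAN_ID = "SCANID"


def buggy_link(scan_id, path):
    """The reported pattern: values are HTML-encoded only and then dropped
    into single-quoted JavaScript strings inside an inline handler."""
    js = "javascript:view('%s/%s','0','%s','%s');" % (scan_id, path, path, scan_id)
    return '<a href="%s">' % html.escape(js, quote=True)


def hardened_link(scan_id, path):
    """Encode for the JavaScript string context first (json.dumps yields a
    double-quoted literal with quotes and backslashes escaped), then for the
    HTML attribute context."""
    args = ",".join(json.dumps(v) for v in (scan_id + "/" + path, "0", path, scan_id))
    return '<a href="%s">' % html.escape("javascript:view(" + args + ");", quote=True)


def handler_as_seen_by_browser(anchor):
    """The browser HTML-decodes the attribute value before running it as script,
    so HTML entities give no protection inside the JavaScript context."""
    return html.unescape(anchor[len('<a href="'):-len('">')])


def top_level_semicolons(handler):
    """Count statement separators outside string literals: a handler that
    still holds a single view(...) call contains exactly one."""
    count, quote, i = 0, None, 0
    while i < len(handler):
        c = handler[i]
        if quote:
            if c == "\\":
                i += 1               # skip the escaped character
            elif c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == ";":
            count += 1
        i += 1
    return count


def first_argument(handler):
    """Recover the first argument of a hardened handler (JSON literal syntax);
    returns None when the argument list is not a clean JSON array."""
    body = handler[len("javascript:view("):-len(");")]
    try:
        return json.loads("[" + body + "]")[0]
    except ValueError:
        return None
```

The buggy handler decodes to five top-level statements, the hardened one to a single call whose first argument round-trips to the original file name.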

[CRITICAL] WORKER TIMEOUT

hi

docker run -it -p 9090:9090 opensecurity/nodejsscan

[INFO] Table entries created!
[2018-11-17 12:56:33 +0000] [58] [INFO] Starting gunicorn 19.9.0
[2018-11-17 12:56:33 +0000] [58] [INFO] Listening at: http://0.0.0.0:9090 (58)
[2018-11-17 12:56:33 +0000] [58] [INFO] Using worker: sync
[2018-11-17 12:56:33 +0000] [61] [INFO] Booting worker with pid: 61

[INFO] Unzipping from Zip File

[INFO] Running Static Analyzer on - /root/.NodeJsScan/142848ec9c2c23957711c807a5589b8e35cd5a359b32579305c178279657416d/

[2018-11-17 12:57:58 +0000] [58] [CRITICAL] WORKER TIMEOUT (pid:61)
[2018-11-17 12:57:58 +0000] [61] [INFO] Worker exiting (pid: 61)
[2018-11-17 12:57:58 +0000] [64] [INFO] Booting worker with pid: 64


why?

thanks

Support for ECMAScript

.js files with ECMAScript modules may not contain require or module.exports.
Due to the regex below in Core/scanner.py, files with ECMAScript module contents are not considered. When the regex below fails, the file is skipped and its code is not scanned against the rules.

NODE_RGX = re.compile(
    r"require\(('|\")(.+?)('|\")\)|module\.exports {0,5}= {0,5}") 

I guess the regex should be updated and should also cover import and export to support ECMAScript modules.

File sizes to scan

Is there any limit on the size of files to be scanned? I tried .zip files over 100MB and it seems like it's not working: the scanner uploads them and then sits there doing nothing for hours. Can you please advise?

Trying to install the Docker container on CentOS 6 with Python 2 but getting problems

sudo docker build -t nodejsscan .
Sending build context to Docker daemon 836.1kB
Step 1/11 : FROM postgres:9.6.2-alpine
---> bf72189a3c51
Step 2/11 : LABEL authors="Cristobal Infantes [email protected]" maintainer="Ajin Abraham [email protected]" description="Static Security Code Scanner for Node.js Applications"
---> Using cache
---> b0cfa155c49c
Step 3/11 : EXPOSE 9090
---> Using cache
---> 49d162b1674b
Step 4/11 : ENV POSTGRES_USER root
---> Using cache
---> c5c6dd6fc6ef
Step 5/11 : ENV POSTGRES_DB nodejsscan
---> Using cache
---> d45117b70fd7
Step 6/11 : WORKDIR /usr/src/NodeJsScan
---> Using cache
---> fa63cc2aec3a
Step 7/11 : COPY requirements.txt requirements.txt
---> Using cache
---> 51aa28b28702
Step 8/11 : COPY ./core/settings.py ./core/settings.py
---> Using cache
---> cf4507e833ea
Step 9/11 : RUN apk add --no-cache python3=3.5.6-r0 python3-dev=3.5.6-r0 build-base=0.4-r1 && python3 -m ensurepip && sed -i -e s/postgresql:\/\/localhost\/nodejsscan/postgresql:\/\/127.0.0.1\/nodejsscan/g core/settings.py && pip3 install -r requirements.txt && apk del python3-dev build-base
---> Running in 6c08f0e74b27
fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/main/x86_64/APKINDEX.tar.gz
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.5/main/x86_64/APKINDEX.tar.gz: operation timed out
fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/community/x86_64/APKINDEX.tar.gz
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.5/community/x86_64/APKINDEX.tar.gz: operation timed out
ERROR: unsatisfiable constraints:
build-base (missing):
required by: world[build-base=0.4-r1]
python3 (missing):
required by: world[python3=3.5.6-r0]
python3-dev (missing):
required by: world[python3-dev=3.5.6-r0]
The command '/bin/sh -c apk add --no-cache python3=3.5.6-r0 python3-dev=3.5.6-r0 build-base=0.4-r1 && python3 -m ensurepip && sed -i -e s/postgresql:\/\/localhost\/nodejsscan/postgresql:\/\/127.0.0.1\/nodejsscan/g core/settings.py && pip3 install -r requirements.txt && apk del python3-dev build-base' returned a non-zero code: 3

Rule for Security Header Check for "X-Content-Type-Options" and "X-Download-Options" is wrongly set

The rule for the security header check for "X-Content-Type-Options" is wrongly set.

It fails on:
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Download-Options','noopen');

But passes:
res.setHeader('X-Content-Type-Options', '""nosniff');
res.setHeader('X-Download-Options','""noopen');

The bug is due to a wrong value in rules.xml:

<signature>helmet.noSniff|require\(('|")dont-sniff-mimetype('|")\)|nosniff\(\)|X-Content-Type-Options('|")*(\s)*(:|,)(\s)*('\"")*nosniff</signature>

<signature>require\(('|")ienoopen('|")\)|ienoopen\(|helmet.ienoopen\(|X-Download-Options('|")*(\s)*(:|,)(\s)*('\"")*noopen</signature>

The correct value should be

<signature>helmet.noSniff|require\(('|")dont-sniff-mimetype('|")\)|nosniff\(\)|X-Content-Type-Options('|")*(\s)*(:|,)(\s)*('|")*nosniff</signature>

<signature>require\(('|")ienoopen('|")\)|ienoopen\(|helmet.ienoopen\(|X-Download-Options('|")*(\s)*(:|,)(\s)*('|")*noopen</signature>
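As an added check (not part of the original issue or of rules.xml), the two signature variants run in Python against the four sample lines from the issue, to show why the original rule rejects the correct header value: the group ('\"")* can only match the three-character sequence '"", so the quote before nosniff/noopen is never consumed.

```python
import re

# The two rules.xml signatures quoted in the issue, copied verbatim: the
# original group ('\"")* and the corrected alternation ('|")*.
BUGGY = {
    "X-Content-Type-Options":
        r"""helmet.noSniff|require\(('|")dont-sniff-mimetype('|")\)|nosniff\(\)|X-Content-Type-Options('|")*(\s)*(:|,)(\s)*('\"")*nosniff""",
    "X-Download-Options":
        r"""require\(('|")ienoopen('|")\)|ienoopen\(|helmet.ienoopen\(|X-Download-Options('|")*(\s)*(:|,)(\s)*('\"")*noopen""",
}
FIXED = {
    "X-Content-Type-Options":
        r"""helmet.noSniff|require\(('|")dont-sniff-mimetype('|")\)|nosniff\(\)|X-Content-Type-Options('|")*(\s)*(:|,)(\s)*('|")*nosniff""",
    "X-Download-Options":
        r"""require\(('|")ienoopen('|")\)|ienoopen\(|helmet.ienoopen\(|X-Download-Options('|")*(\s)*(:|,)(\s)*('|")*noopen""",
}

# Sample lines from the issue: the well-formed calls that should pass, and the
# malformed values that the original rule accepted instead.
CORRECT = {
    "X-Content-Type-Options": "res.setHeader('X-Content-Type-Options', 'nosniff');",
    "X-Download-Options": "res.setHeader('X-Download-Options','noopen');",
}
MALFORMED = {
    "X-Content-Type-Options": "res.setHeader('X-Content-Type-Options', '\"\"nosniff');",
    "X-Download-Options": "res.setHeader('X-Download-Options','\"\"noopen');",
}


def header_recognised(signatures, header, line):
    """True when the rule would mark the header as set for this source line."""
    return re.search(signatures[header], line) is not None


def evaluate(signatures):
    """Map each header to (correct line passes, malformed line passes)."""
    return {
        h: (header_recognised(signatures, h, CORRECT[h]),
            header_recognised(signatures, h, MALFORMED[h]))
        for h in signatures
    }
```

Note that the corrected signature accepts both lines, since ('|")* is zero or more quotes of either kind; the fix restores the true positives rather than rejecting the malformed value.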

Issue using Docker Web UI

I'm trying to test this out for the first time. I'm getting the error below after uploading a small zipped js file.

Below is part of the stack trace. It looks like it can't find the results table.

ERROR: relation "results" does not exist at character 661

STATEMENT: SELECT count(*) AS count_1

FROM (SELECT results.id AS results_id, results.scan_file AS results_scan_file, results.scan_hash AS results_scan_hash, results.locations AS results_locations, results.sha2_hashes AS results_sha2_hashes, results.hash_of_sha2 AS results_hash_of_sha2, results.sec_issues AS results_sec_issues, results.good_finding AS results_good_finding, results.missing_sec_header AS results_missing_sec_header, results.files AS results_files, results.total_count AS results_total_count, results.vuln_count AS results_vuln_count, results.resolved AS results_resolved, results.invalid AS results_invalid, results.timestamp AS results_timestamp

FROM results

WHERE results.scan_hash = '4a92755d5a8734d81327170efa8caec09d6f7fea6d189b9b4e93f6e41f0da749') AS anon_1

[2020-03-13 22:42:19 +0000] [34] [ERROR] Error handling request /upload/

How to use this tool on local code

Hi Ajin,
It seems a very useful tool for Node.js projects. I am currently working on a Node.js project and am new to it.

Can you please let me know the exact steps for how we can use it on local code? In the readme section it's not specified.

It would be better and more useful to have detailed steps for the tool's execution.

Thanks and Regards,
Bhushan Joshi

enhancement

Scan only sanitized data in multi regex; currently it scans the original data, including comments.
Also make sure dyn_regex checks the sanitized lines.
Limit lines in dyn_regex as well.

Provide the cli docker image

It's not possible to build the CLI image in most corporate environments.
It would be great if you can publish the CLI image on dockerhub.

Corrupts Handlebars templates with `json` in the file name

Very promising static code analyzer for Node.js. However, I was very surprised to find that it modified some of my files and corrupted them, no less. The issue seems to be related to files with names like index.json.hbs; this is a Handlebars template that outputs JSON.

After running nodejsscan, these files were modified, and it appears that it attempted to format the Handlebars as JSON, so the double curly braces get line breaks and indentation.

Please fix. I'd like to add this to our build step, but it cannot modify files.

Feature request - Scan from a git repo

Hi.
Thanks for your awesome work with this tool.
It'd be an excellent feature to scan a git repo directly from a URL with the web version.

Greetings from the Caribbean!

X-Powered-By false positive

Getting the following false positives:

            {
                "description": "Remove the X-Powered-By header to prevent information gathering.",
                "tag": "web",
                "title": "Information Disclosure - X-Powered-By"
            }

The app uses Koa and doesn't show the header in question when checked (see the attached image). Moreover, for testing, I added code to specifically remove it, but to no avail; I'm still getting the false positive:

> grep -r "X-Powered-By" my-lib/
my-lib//index.js:    ctx.remove("X-Powered-By");


Test on file - not path - basis possible?

Hi.

I like the tool so much that I would like to integrate it into a build process or pre-commit hook. For that it would be useful if I could pass an array of files. Right now I can set -d /path/to/whatever.

An -f [/path/to/file.js, /path/to/file2.js] option would be perfect for the use cases mentioned above.

Any chance to extend nodeJsScan to accept input on a file level?

Thanks in advance

Stefan

Feature Request - Upload Improvements

Could you make it possible to upload multiple packages in a single go?

Let's say that I have 20 different packages to analyse, uploading them individually takes too long. Therefore, this feature would be useful for my use case and make life easier. :)

Setup Documentation Unclear

I am looking to experiment with NodeJsScan, but I am having trouble following the setup steps. Is it possible to add more explicit steps to getting started?

I18n

Hey, well done 👍
Any plans to add i18n support? Or you may give some hints about the how-to.
That will be appreciated.

Helmet signature updates

Helmet allows running the defaults using app.use(helmet());

This runs the default middleware:

var DEFAULT_MIDDLEWARE = [
  'dnsPrefetchControl',
  'frameguard',
  'hidePoweredBy',
  'hsts',
  'ieNoOpen',
  'noSniff',
  'xssFilter'
]

Perhaps we should add a helmet\(\) regex to those checks, so that I don't need to enumerate those 7 Helmet method calls to cover those checks:

app.use(helmet.dnsPrefetchControl());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.xssFilter());

Also, the CSP check does not include the Helmet method call helmet.contentSecurityPolicy.

Finally, for some reason my line app.use(helmet.xssFilter()); is not clearing the missing-header X-XSS-Protection:1 flag. Checking the regex directly says it should work, but in practice it isn't working... I will keep working on this, though.
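An added Python sketch (not nodejsscan's own rule code) of the check this issue asks for: a bare helmet() call is treated as covering the seven default middlewares listed above, so only the headers that remain uncovered are reported missing. The middleware-to-header mapping is assumed for this example; the page itself only names the middlewares.

```python
import re

# The seven middlewares Helmet enables by default, as listed in the issue.
DEFAULT_MIDDLEWARE = [
    "dnsPrefetchControl", "frameguard", "hidePoweredBy", "hsts",
    "ieNoOpen", "noSniff", "xssFilter",
]

# Header each middleware manages (assumed mapping for this example).
# contentSecurityPolicy is deliberately not in the default list.
HEADER_FOR = {
    "dnsPrefetchControl": "X-DNS-Prefetch-Control",
    "frameguard": "X-Frame-Options",
    "hidePoweredBy": "X-Powered-By",
    "hsts": "Strict-Transport-Security",
    "ieNoOpen": "X-Download-Options",
    "noSniff": "X-Content-Type-Options",
    "xssFilter": "X-XSS-Protection",
    "contentSecurityPolicy": "Content-Security-Policy",
}

# Explicit per-middleware call, e.g. app.use(helmet.noSniff()).
EXPLICIT = re.compile(r"helmet\.(\w+)\s*\(")
# Bare helmet() call, the case the issue asks the rules to recognise.
BARE_DEFAULTS = re.compile(r"helmet\(\s*\)")


def covered_middleware(source):
    """Middlewares the source enables, expanding helmet() to the defaults."""
    found = set(EXPLICIT.findall(source))
    if BARE_DEFAULTS.search(source):
        found.update(DEFAULT_MIDDLEWARE)
    return found


def missing_headers(source):
    """Headers still unaccounted for, sorted so reports are stable."""
    covered = covered_middleware(source)
    return sorted(HEADER_FOR[m] for m in HEADER_FOR if m not in covered)


def main():
    # Constructed sample: defaults only, so CSP is the single gap reported.
    print(missing_headers("app.use(helmet());\n"))  # → ['Content-Security-Policy']


if __name__ == "__main__":
    main()
```

helmet({...}) with an options object, as in the SailsJS snippet elsewhere on this page, is not handled here; it also enables the defaults unless individual keys are set to false, so a production rule would need to parse those options.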

Does NodeJsScan support TypeScript?

We have some projects that use TypeScript and need to use NodeJsScan.

As you know, before scanning TypeScript we should compile it to JavaScript first, and this process generates some intermediate files which would influence the scan result.

Do you guys have any idea about it?

Use env vars for server in settings.py

Currently we have:

HOST = '0.0.0.0'
PORT = 9090
DEBUG = False
# Postgres DB Connection URL
SQLALCHEMY_DATABASE_URI = 'postgresql://localhost/nodejsscan'

It would be handy to use env vars with a fallback to these defaults.

Errors when configuring NodeJsScan

Having issues - I'm following the instructions but they are vague:
namely, what URI should I put in settings.py?
Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/settings.py

When I open settings.py it has the following line for SQLALCHEMY:

SQLALCHEMY_DATABASE_URI = 'postgresql://localhost/nodejsscan'

When I run:
python createdb.py

It gives me a whole bunch of errors and the configuration ends there:

Traceback (most recent call last):
File "createdb.py", line 3, in <module>
from database import init_db
File "/home/vlad/Downloads/NodeJsScan-master/database.py", line 3, in <module>
from sqlalchemy import create_engine
ImportError: No module named sqlalchemy

Any suggestions, pls?

Report json is not getting created

I am not able to see the data in the results.json file after running the command below.
docker run -v /path-to-source-dir:/src nodejsscan-cli -d /src -o /src/results.json

OS : macOS Mojave

Missing Security Response Headers

Why doesn't the file path appear in the "Missing Security Response Header" category?

How do I fix a file to get a file path?

I beg you.

Enable result post

Hey @ajinabraham ,

Is it possible to post a result.json generated by the cli.py command to the application and get the visualization from it? I love the CLI option, but I don't want to implement the HTML rendering of the output myself.

Thanks

Not detecting SQL Injection

Hey, it doesn't seem to be detecting SQL Injection even though there's a core rule for it?

I set up a SQL statement without escaping, and it didn't pick it up.

[Feature] Add code to run nodejsscan from cli

Hi,
Cool project :)

It would be cool if you could run nodejsscan from the command line and just get all the results of a scan as JSON. This way it could be integrated into automatic static source code analysis pipelines to continuously scan repos.
Just throwing this out as a potential usability improvement.

Keep up the good work.

Cannot import reports in defectdojo

Hi, I was trying to import results into DefectDojo, but scan_type does not have an option for NodeJsScan. Is it a bug in DefectDojo, or is NodeJsScan not supported anymore? It is mentioned in the docs that NodeJsScan is supported.
