Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exclude hugo specific safe* keyword from squirrelly analysis #118

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Exclude hugo specific safe* keyword from squirrelly analysis #118

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a84fcd6
feat: exclude hugo framework safeURL, safeHTML keyword from squirrell…
heurtematte Apr 4, 2024
38a10ab
feat: adding hugo template pattern matcher
heurtematte Apr 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion njsscan/rules/pattern_matcher/template_rules.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,13 +69,25 @@
message: The Squirrelly.js template has an unescaped variable. Untrusted user input
passed to this variable results in Cross Site Scripting (XSS)
type: Regex
pattern: '{{.+\|.*safe.*}}'
pattern: '{{(?!.*(?:safeURL|safeHTML|safeCSS|safeJS|safeJSStr|safeHTMLAttr)).*\|.*safe.*}}'
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a problem with this regex, it will skip variable names with safeURL/.. in them.

https://regex101.com/r/a3QdmS/1

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have excluded all Hugo-related keywords from this rule and used those keywords in the specific Hugo rule. Otherwise I'll still have error on hugo SAFE keyword instead of the warning.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you need to move the Hugo specific keywords after .*\| so that it ignores something like {{ foo | safeURL }} but still catch{{ safeURL | safe }} for this Squirrelly.js rule.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch.

I propose a new way this regex could work.

WDYT of this: {{[\s\S]*?\|\s*\bsafe\b[\s\S]*?}}

severity: ERROR
input_case: exact
metadata:
cwe: cwe-79
owasp-web: a1

- id: hugo_template
message: The Hugo framework has an unescaped variable. Untrusted user input
passed to this variable results in Cross Site Scripting (XSS).
It may be worth adding that Hugo is a static site generator with no concept of dynamic user input.
type: Regex
pattern: '{{.+\|.*(?:safeURL|safeHTML|safeCSS|safeJS|safeJSStr|safeHTMLAttr).*}}'
heurtematte marked this conversation as resolved.
Show resolved Hide resolved
severity: WARNING
input_case: exact
metadata:
cwe: cwe-79
owasp-web: a1

- id: electronjs_node_integration
message: Node integration exposes node.js APIs to the electron app and this
can introduce remote code execution vulnerabilities to the application if the
Expand Down
3 changes: 3 additions & 0 deletions tests/assets/templates/true_negatives/hugo.html
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
<ul>
<li><a href="{{ .URL }}">{{ .Name }}</a></li>
</ul>
3 changes: 3 additions & 0 deletions tests/assets/templates/true_positives/hugo.html
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
<ul>
<li><a href="{{ .URL | safeHTML }}">{{ .Name }}</a></li>
</ul>