Update description 3 rules: regex_injection_dos, generic_header_injection and generic_path_traversal #124
Merged
8 changes: 5 additions & 3 deletions njsscan/rules/semantic_grep/dos/regex_injection.yaml
Expand Up @@ -57,11 +57,13 @@ rules:
- pattern: |
$STR.split(<... $REQ.$PARAM.$BAR ...>)
message: >-
User controlled data in RegExp() can make the application vulnerable to
layer 7 DoS.
User controlled data in RegExp() can make the application vulnerable to layer 7 DoS.
If user input is used to create a regular expression without validation, it can be exploited to create a complex regular expression that takes an excessive amount of time to evaluate. This can lead to a Denial of Service (DoS) attack where the application becomes unresponsive.
Even if a ReDoS attack is not intended, poorly crafted or complex regular expressions from user input can cause performance issues that impact the responsiveness of an application.
Always sanitize and validate user input to ensure that only safe, expected characters are used in the pattern. This can be done by whitelisting known safe characters and escaping potentially harmful ones.
languages:
- javascript
severity: ERROR
metadata:
owasp-web: a1
cwe: cwe-400
cwe: cwe-400
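Review bot: The new remediation sentence ("whitelisting known safe characters and escaping potentially harmful ones") is the weakest part of this message: escaping has to cover every regex metacharacter before the input is interpolated into the pattern, and the safer guidance is not to build a pattern from user input at all, so consider stating that explicitly. Two smaller points: the message is a folded scalar (`>-`), so the four added lines will be joined into one long line unless paragraphs are separated by blank lines or the block is switched to `|`; and the message only names `RegExp()` while this rule also matches the `$STR.split(<... $REQ.$PARAM.$BAR ...>)` pattern shown in the context, so mention `split()` (or "regex-accepting string methods") as well.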
11 changes: 8 additions & 3 deletions njsscan/rules/semantic_grep/headers/header_injection.yaml
Expand Up @@ -45,11 +45,16 @@ rules:
- pattern: |
$RES.writeHead(..., { $X: <... $REQ.$QUERY.$FOO ...> }, ...)
message: >-
Untrusted user input in response header will result in HTTP Header
Injection or Response Splitting Attacks.
If user input is not properly sanitized, an attacker can insert malicious data into response headers.
This can lead to HTTP response splitting, where an attacker injects additional headers or even full HTTP responses,
potentially altering how clients or intermediaries (e.g., proxies) handle the request.
This can lead to vulnerabilities like Cross-Site Scripting (XSS) and cache poisoning.
Always sanitize and validate user inputs to ensure they do not contain characters or data that could alter the header structure (e.g., newline characters, control characters).
Another good option is to leverage well-established libraries or frameworks that handle headers securely.
Many frameworks offer built-in methods for setting headers that ensure they are correctly formatted and safe.
languages:
- javascript
severity: ERROR
metadata:
owasp-web: a1
cwe: cwe-644
cwe: cwe-644
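Review bot: In the added line "potentially altering how clients or intermediaries (e.g., proxies) handle the request", the injected data lands in a response header, so "request" should read "response". The new text also reads as several paragraphs but sits in a `>-` folded scalar, which will collapse it into a single line; add blank lines between the paragraphs or use a literal block if the structure should survive in the rendered finding. The remediation ("do not contain ... newline characters, control characters") is the right check to name; consider also mentioning that the value should be rejected, not silently stripped, so the injection attempt is visible in logs.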
8 changes: 5 additions & 3 deletions njsscan/rules/semantic_grep/traversal/path_traversal.yaml
Expand Up @@ -118,11 +118,13 @@ rules:
...
$X.readFileAsync(..., <... $INP ...>, ...)
message: >-
Untrusted user input in readFile()/readFileSync() can endup in Directory
Traversal Attacks.
Untrusted user input in createReadStream()/readFile()/readFileSync()/readFileAsync() can end up in Directory Traversal Attack.
A Directory Traversal Attack (also known as Path Traversal Attack) is a type of security vulnerability that occurs when an attacker is able to access files or directories on a server that are outside the intended directory structure. This attack leverages insufficient validation or sanitization of user inputs in applications that interact with the file system.
Strictly validate user inputs. Ensure that user-supplied paths do not include sequences like ../ or ..\\ that could traverse directories.
In Node.js, use the path module to safely handle and resolve file paths. The path.normalize() function can be used to ensure that paths do not go outside the intended directory.
languages:
- javascript
severity: ERROR
metadata:
owasp-web: a5
cwe: cwe-23
cwe: cwe-23
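Review bot: The last added line, "The path.normalize() function can be used to ensure that paths do not go outside the intended directory", overstates what `path.normalize()` does: it only collapses `.`/`..` segments within the string, and a normalized path can still point outside the base directory (a leading `../` survives normalization, and normalizing after joining with the base can still resolve above it). Suggest wording along the lines of: resolve the user-supplied path against the intended base directory with `path.resolve()` and reject it unless the result still starts with that base directory plus a path separator. Two smaller points: in the line "do not include sequences like ../ or ..\\", block scalars do not process backslash escapes, so this renders as `..\\` with two backslashes; and "can end up in Directory Traversal Attack" should be "Attacks" (or "a Directory Traversal Attack").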