njsscan is a SAST tool that can find insecure code patterns in your Node.js applications.

Project description

njsscan

njsscan is a SAST CLI tool that finds insecure code patterns in your Node.js applications, using the simple pattern matcher from libsast together with semgrep, a syntax-aware semantic code pattern search tool.


Install

pip install njsscan

Supports only macOS and Linux.

Command line options

$ njsscan
usage: njsscan [-h] [--json] [-o OUTPUT] [--missing-controls] [-v]
               [path [path ...]]

positional arguments:
  path                  Path can be file(s) or directories with Node.js source
                        code

optional arguments:
  -h, --help            show this help message and exit
  --json                Print JSON output
  -o OUTPUT, --output OUTPUT
                        Output filename to save JSON report.
  --missing-controls    Enable missing security controls check.
  -v, --version         Show njsscan version

Sample Usage

$ njsscan xss_node.js
- Pattern Match ████████████████████████████████████████████████████████████ 1
- Semantic Grep ████████████████████████████████████████████████████████████ 53

======================================================================================================
RULE ID: express_xss
OWASP: A1: Injection
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DESCRIPTION: Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
SEVERITY: ERROR
======================================================================================================

__________________FILES___________________________


File: xss_node.js
Match Position: 5 - 37
Line Number(s): 5: 6
Match String:     var html = "Hello" + req.query.name + ". How are you?"

    res.write('Response</br>' + html);

Python API

>>> from njsscan.njsscan import NJSScan
>>> node_source = '/node_source/true_positives/sqli_node.js'
>>> scanner = NJSScan([node_source], json=True, check_controls=False)
>>> scanner.scan()
{
    'templates': {},
    'nodejs': {
        'node_sqli_injection': {
            'files': [{
                'file_path': '/node_source/true_positives/sqli_node.js',
                'match_position': (1, 24),
                'match_lines': (4, 11),
                'match_string': 'var employeeId = req.foo;\n\nvar sql = "SELECT * FROM trn_employee WHERE employee_id = " + employeeId;\n\n\n\nconnection.query(sql, function (error, results, fields) {\n\n    if (error) {\n\n        throw error;\n\n    }\n\n    console.log(results);'
            }],
            'metadata': {
                'owasp': 'A1: Injection',
                'cwe': "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                'description': 'Untrusted input concatinated with raw SQL query can result in SQL Injection.',
                'severity': 'ERROR'
            }
        }
    },
    'errors': []
}
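The result dictionary above is what a CI job would act on, whether it comes from `scanner.scan()` or from a report saved with `njsscan --json -o report.json`. The following is an added example, not code from the njsscan project: it flattens the `nodejs` and `templates` sections into a list of findings, counts them by severity, and returns a fail/pass decision. The `SAMPLE_RESULT` dictionary is constructed here from the output shown above, the `scan_path` helper defers the `NJSScan` import so the summarisation logic runs without the tool installed, and it is an assumption that the `-o` JSON report has the same structure as the `scan()` return value.

```python
"""Gate a build on njsscan findings (added example, not part of njsscan)."""
import json
import sys

# Constructed sample result, shaped like the scanner.scan() output shown
# above: one SQL-injection finding, no template findings, no scan errors.
SAMPLE_RESULT = {
    "templates": {},
    "nodejs": {
        "node_sqli_injection": {
            "files": [{
                "file_path": "/node_source/true_positives/sqli_node.js",
                "match_position": (1, 24),
                "match_lines": (4, 11),
                "match_string": 'var sql = "SELECT * FROM trn_employee '
                                'WHERE employee_id = " + employeeId;',
            }],
            "metadata": {
                "owasp": "A1: Injection",
                "cwe": "CWE-89: Improper Neutralization of Special Elements "
                       "used in an SQL Command ('SQL Injection')",
                "description": "Untrusted input concatinated with raw SQL "
                               "query can result in SQL Injection.",
                "severity": "ERROR",
            },
        }
    },
    "errors": [],
}


def findings(result):
    """Flatten the per-rule nodejs/templates sections into one list of findings."""
    out = []
    for section in ("nodejs", "templates"):
        for rule_id, rule in result.get(section, {}).items():
            meta = rule.get("metadata", {})
            for hit in rule.get("files", []):
                out.append({
                    "rule_id": rule_id,
                    "severity": meta.get("severity", "INFO"),
                    "cwe": meta.get("cwe", ""),
                    "file": hit.get("file_path"),
                    "lines": hit.get("match_lines"),
                })
    return out


def severity_counts(result):
    """Map severity label (ERROR, WARNING, ...) to number of findings."""
    counts = {}
    for f in findings(result):
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def should_fail(result, fail_on=("ERROR",)):
    """True when any finding has a gating severity or the scan itself reported errors.

    Scan errors fail the build on purpose: a rule that could not run is not a
    clean result, and treating it as one would silently weaken the gate.
    """
    if result.get("errors"):
        return True
    return any(f["severity"] in fail_on for f in findings(result))


def scan_path(path):
    """Run njsscan through its Python API; the import is deferred so the
    summarisation functions above work where njsscan is not installed."""
    from njsscan.njsscan import NJSScan  # assumed: njsscan installed in this environment
    return NJSScan([path], json=True, check_controls=False).scan()


def load_report(report_file):
    """Read a report written by `njsscan --json -o report.json` (assumed same layout)."""
    with open(report_file) as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python gate.py [path-to-node-source]; without an argument the
    # constructed sample result is summarised instead of running a scan.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_path(target) if target else SAMPLE_RESULT
    for f in findings(result):
        print(f"{f['severity']:7} {f['rule_id']:24} {f['file']}:{f['lines']}  {f['cwe']}")
    print("severity counts:", severity_counts(result))
    sys.exit(1 if should_fail(result) else 0)
```

The exit status is what a CI step keys on; `fail_on` can be widened to `("ERROR", "WARNING")` once the WARNING-level findings in a code base have been triaged.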

Configure njsscan

A .njsscan file in the root directory allows you to configure the scan.

---
- nodejs-extensions:
  - .js

  template-extensions:
  - .new
  - .hbs
  - ''

  ignore-filenames:
  - skip.js

  ignore-paths:
  - __MACOSX
  - skip_dir
  - node_modules

  ignore-extensions:
  - .jsx

Project details


Download files

Files for njsscan, version 0.0.2

Filename (size)                            File type   Python version
njsscan-0.0.2-py3.7.egg (40.7 kB)          Egg         3.7
njsscan-0.0.2-py3-none-any.whl (45.6 kB)   Wheel       py3
njsscan-0.0.2.tar.gz (21.2 kB)             Source      None
