Instead of integrating the whole app, it should be possible to convert these rules to PatternSearch regex rules (however I am not sure about the beautification part). A naive approach would be something like:
```yaml
- regex: eval\s*\(\s*.{0,150}req\.
  message: User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).
```
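To see what the naive rule above actually catches and misses, here is an added example (not code from NodeJsScan or the PatternSearch module) that applies it as a PatternSearch-style `(regex, message)` pair to a constructed JavaScript sample, both line by line and over the whole file; the effective regex is assumed to be `eval\s*\(\s*.{0,150}req\.`, and the sample source and the `scan_source` helper are constructed for this illustration.

```python
import re

# Constructed example, not NodeJsScan's or PatternSearch's own code. The rule is
# the naive eval()/req. pattern from the comment above.
RULES = [
    {
        "regex": r"eval\s*\(\s*.{0,150}req\.",
        "message": "User controlled data in eval() can result in Server Side "
                   "Injection (SSI) or Remote Code Execution (RCE).",
    },
]

# Constructed sample source to scan: line 4 is the obvious hit, line 7 is a
# lookalike that must not match, and lines 9-11 split the call across lines
# (the kind of layout a beautification step would normalise).
SAMPLE_JS = """\
const express = require('express');
const app = express();
app.get('/calc', (req, res) => {
  res.send(eval(req.query.expr));
});
app.get('/safe', (req, res) => {
  res.send(evaluate(req.query.expr));
});
const out = eval(
  'require("fs").readFileSync(' + req.query.path + ')'
);
"""


def scan_source(source, rules=RULES, per_line=True):
    """Apply each rule to `source`; return [(line_no, message, matched_text)].

    per_line=True mimics a grep-style line scanner; per_line=False runs the
    regex over the whole file, so the rule's \\s* can cross a line break.
    """
    compiled = [(re.compile(r["regex"]), r["message"]) for r in rules]
    findings = []
    if per_line:
        for line_no, line in enumerate(source.splitlines(), start=1):
            for pattern, message in compiled:
                for m in pattern.finditer(line):
                    findings.append((line_no, message, m.group(0)))
    else:
        for pattern, message in compiled:
            for m in pattern.finditer(source):
                # Line of the match start: count newlines before it.
                line_no = source.count("\n", 0, m.start()) + 1
                findings.append((line_no, message, m.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for mode in (True, False):
        print("per_line=%s" % mode)
        for line_no, message, text in scan_source(SAMPLE_JS, per_line=mode):
            print("  line %d: %r  [%s]" % (line_no, text, message))
```

Line-by-line scanning reports only line 4, while the whole-file pass also reports the split call on line 9, which is the gap a beautification step (or whole-file matching) would close.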
Interesting, so you're suggesting that we parse the XML rules files and then appropriate it for the PatternSearch module? Pretty cool idea!
In general I don't like forking projects, or doing something similar, because it creates a higher maintenance workload - for example, if the rules are updated, you need to do more than just bump the version of the app to get the most recent set of rules. You could at least get this down to a script that is run at build time and references a version number.
I would say that if the app performs poorly (e.g. throws lots of exceptions) but the rules are useful, then this would be worth it. Otherwise we could just try the usual approach of integrating the scanner directly.
https://github.com/ajinabraham/NodeJsScan
Vuln scanner for JS.
Test it out on some codebases and determine if it's worth integrating.
If so, make the module and open a PR.