Using unsanitized untrusted data in an external API can cause a variety of security issues. This query reports +external APIs that use untrusted data. The results are not filtered so that you can audit all examples. The query provides data for security reviews of the application and you can also use it to identify external APIs that should be modeled as either taint steps, or sinks for specific problems.
+ +An external API is defined as a method call to a method that is not defined in the source code, not overridden +in the source code, and is not modeled as a taint step in the default taint library. External APIs may be from the +third-party dependencies or from internal dependencies. The query reports uses of +untrusted data one of the arguments of external API call or in the return value from a callback passed to an external API.
+ +For each result:
+ +Otherwise, the result is likely uninteresting. Custom versions of this query can extend the SafeExternalAPIMethod
+class to exclude known safe external APIs from future analysis.
In this first example, a query parameter is read from the req parameter and then ultimately used in a call to the
+res.send external API:
This is a reflected XSS sink. The XSS query should therefore be reviewed to confirm that this sink is appropriately modeled, +and if it is, to confirm that the query reports this particular result, or that the result is a false positive due to +some existing sanitization.
+ +In this second example, again a query parameter is read from req.
If the query reported the call to path.join on line 4, this would suggest that this external API is
+not currently modeled as a taint step in the taint tracking library. The next step would be to model this as a taint step, then
+re-run the query to determine what additional results might be found. In this example, it seems the result of the
+path.join will be used as a file path, leading to a path traversal vulnerability.
Note that both examples are correctly handled by the standard taint tracking library and security queries.
+Using unsanitized untrusted data in an external API can cause a variety of security issues. This query reports -external APIs that use untrusted data. The results are not filtered so that you can audit all examples. The query provides data for security reviews of the application and you can also use it to identify external APIs that should be modeled as either taint steps, or sinks for specific problems.
- -An external API is defined as a method call to a method that is not defined in the source code, not overridden -in the source code, and is not modeled as a taint step in the default taint library. External APIs may be from the -third-party dependencies or from internal dependencies. The query reports uses of -untrusted data one of the arguments of external API call or in the return value from a callback passed to an external API.
- -For each result:
- -Otherwise, the result is likely uninteresting. Custom versions of this query can extend the SafeExternalAPIMethod
-class to exclude known safe external APIs from future analysis.
In this first example, a query parameter is read from the req parameter and then ultimately used in a call to the
-res.send external API:
This is a reflected XSS sink. The XSS query should therefore be reviewed to confirm that this sink is appropriately modeled, -and if it is, to confirm that the query reports this particular result, or that the result is a false positive due to -some existing sanitization.
- -In this second example, again a query parameter is read from req.
If the query reported the call to path.join on line 4, this would suggest that this external API is
-not currently modeled as a taint step in the taint tracking library. The next step would be to model this as a taint step, then
-re-run the query to determine what additional results might be found. In this example, it seems the result of the
-path.join will be used as a file path, leading to a path traversal vulnerability.
Note that both examples are correctly handled by the standard taint tracking library and security queries.
-Code that passes user input directly to
+require('child_process').exec, or some other library
+routine that executes a command, allows the user to execute malicious
+code.
If possible, use hard-coded string literals to specify the command to run +or library to load. Instead of passing the user input directly to the +process or library function, examine the user input and then choose +among hard-coded string literals.
+ +If the applicable libraries or commands cannot be determined at +compile time, then add code to verify that the user input string is +safe before using it.
+ +The following example shows code that takes a shell script that can be changed
+maliciously by a user, and passes it straight to child_process.exec
+without examining it first.
Code that passes user input directly to
-require('child_process').exec, or some other library
-routine that executes a command, allows the user to execute malicious
-code.
If possible, use hard-coded string literals to specify the command to run -or library to load. Instead of passing the user input directly to the -process or library function, examine the user input and then choose -among hard-coded string literals.
- -If the applicable libraries or commands cannot be determined at -compile time, then add code to verify that the user input string is -safe before using it.
- -The following example shows code that takes a shell script that can be changed
-maliciously by a user, and passes it straight to child_process.exec
-without examining it first.
+Directly writing user input (for example, a URL query parameter) to a webpage +without properly sanitizing the input first, allows for a cross-site scripting vulnerability. +
++This kind of vulnerability is also called DOM-based cross-site scripting, to distinguish +it from other types of cross-site scripting. +
++To guard against cross-site scripting, consider using contextual output encoding/escaping before +writing user input to the page, or one of the other solutions that are mentioned in the +references. +
++The following example shows part of the page URL being written directly to the document, +leaving the website vulnerable to cross-site scripting. +
+-Directly writing user input (for example, a URL query parameter) to a webpage -without properly sanitizing the input first, allows for a cross-site scripting vulnerability. -
--This kind of vulnerability is also called DOM-based cross-site scripting, to distinguish -it from other types of cross-site scripting. -
--To guard against cross-site scripting, consider using contextual output encoding/escaping before -writing user input to the page, or one of the other solutions that are mentioned in the -references. -
--The following example shows part of the page URL being written directly to the document, -leaving the website vulnerable to cross-site scripting. -
-+If a database query (such as a SQL or NoSQL query) is built from +user-provided data without sufficient sanitization, a malicious user +may be able to run malicious database queries. +
++Most database connector libraries offer a way of safely +embedding untrusted data into a query by means of query parameters +or prepared statements. +
+
+For NoSQL queries, make use of an operator like MongoDB's $eq
+to ensure that untrusted data is interpreted as a literal value and not as
+a query object.
+
+In the following example, assume the function handler is
+an HTTP request handler in a web application, whose parameter
+req contains the request object.
+
+The handler constructs two copies of the same SQL query involving +user input taken from the request object, once unsafely using +string concatenation, and once safely using query parameters. +
+ +
+In the first case, the query string query1 is built by
+directly concatenating a user-supplied request parameter with some
+string literals. The parameter may include quote characters, so this
+code is vulnerable to a SQL injection attack.
+
+In the second case, the parameter is embedded into the query string
+query2 using query parameters. In this example, we use
+the API offered by the pg Postgres database connector
+library, but other libraries offer similar features. This version is
+immune to injection attacks.
+
-If a database query (such as a SQL or NoSQL query) is built from -user-provided data without sufficient sanitization, a malicious user -may be able to run malicious database queries. -
--Most database connector libraries offer a way of safely -embedding untrusted data into a query by means of query parameters -or prepared statements. -
-
-For NoSQL queries, make use of an operator like MongoDB's $eq
-to ensure that untrusted data is interpreted as a literal value and not as
-a query object.
-
-In the following example, assume the function handler is
-an HTTP request handler in a web application, whose parameter
-req contains the request object.
-
-The handler constructs two copies of the same SQL query involving -user input taken from the request object, once unsafely using -string concatenation, and once safely using query parameters. -
- -
-In the first case, the query string query1 is built by
-directly concatenating a user-supplied request parameter with some
-string literals. The parameter may include quote characters, so this
-code is vulnerable to a SQL injection attack.
-
-In the second case, the parameter is embedded into the query string
-query2 using query parameters. In this example, we use
-the API offered by the pg Postgres database connector
-library, but other libraries offer similar features. This version is
-immune to injection attacks.
-
+Directly evaluating user input (for example, an HTTP request parameter) as code without properly +sanitizing the input first allows an attacker arbitrary code execution. This can occur when user +input is treated as JavaScript, or passed to a framework which interprets it as an expression to be +evaluated. Examples include AngularJS expressions or JQuery selectors. +
++Avoid including user input in any expression which may be dynamically evaluated. If user input must +be included, use context-specific escaping before +including it. It is important that the correct escaping is used for the type of evaluation that will +occur. +
++The following example shows part of the page URL being evaluated as JavaScript code. This allows an +attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link +to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, +for example, steal cookies containing session information. +
+ +
+The following example shows a Pug template being constructed from user input, allowing attackers to run
+arbitrary code via a payload such as #{global.process.exit(1)}.
+
+Below is an example of how to use a template engine without any risk of template injection.
+The user input is included via an interpolation expression #{username} whose value is provided
+as an option to the template, instead of being part of the template string itself:
+
-Directly evaluating user input (for example, an HTTP request parameter) as code without properly -sanitizing the input first allows an attacker arbitrary code execution. This can occur when user -input is treated as JavaScript, or passed to a framework which interprets it as an expression to be -evaluated. Examples include AngularJS expressions or JQuery selectors. -
--Avoid including user input in any expression which may be dynamically evaluated. If user input must -be included, use context-specific escaping before -including it. It is important that the correct escaping is used for the type of evaluation that will -occur. -
--The following example shows part of the page URL being evaluated as JavaScript code. This allows an -attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link -to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, -for example, steal cookies containing session information. -
- -
-The following example shows a Pug template being constructed from user input, allowing attackers to run
-arbitrary code via a payload such as #{global.process.exit(1)}.
-
-Below is an example of how to use a template engine without any risk of template injection.
-The user input is included via an interpolation expression #{username} whose value is provided
-as an option to the template, instead of being part of the template string itself:
-
If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.
+ +Forgery can occur if a user provides some input with characters that are interpreted +when the log output is displayed. If the log is displayed as a plain text file, then new +line characters can be used by a malicious user. If the log is displayed as HTML, then +arbitrary HTML may be included to spoof log entries.
++User input should be suitably sanitized before it is logged. +
+
+If the log entries are in plain text then line breaks should be removed from user input, using
+String.prototype.replace or similar. Care should also be taken that user input is clearly marked
+in log entries.
+
+For log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and +other forms of HTML injection. +
+ +In the first example, a username, provided by the user, is logged using `console.info`. In +the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using `console.error`. +If a malicious user provides `username=Guest%0a[INFO]+User:+Admin%0a` as a username parameter, +the log entry will be splitted in two different lines, where the second line will be `[INFO]+User:+Admin`. +
+ In the second example, String.prototype.replace is used to ensure no line endings are present in the user input.
If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.
- -Forgery can occur if a user provides some input with characters that are interpreted -when the log output is displayed. If the log is displayed as a plain text file, then new -line characters can be used by a malicious user. If the log is displayed as HTML, then -arbitrary HTML may be included to spoof log entries.
--User input should be suitably sanitized before it is logged. -
-
-If the log entries are in plain text then line breaks should be removed from user input, using
-String.prototype.replace or similar. Care should also be taken that user input is clearly marked
-in log entries.
-
-For log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and -other forms of HTML injection. -
- -In the first example, a username, provided by the user, is logged using `console.info`. In -the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using `console.error`. -If a malicious user provides `username=Guest%0a[INFO]+User:+Admin%0a` as a username parameter, -the log entry will be splitted in two different lines, where the second line will be `[INFO]+User:+Admin`. -
- In the second example, String.prototype.replace is used to ensure no line endings are present in the user input.
+Functions like the Node.js standard library function util.format accept a
+format string that is used to format the remaining arguments by providing inline format
+specifiers. If the format string contains unsanitized input from an untrusted source,
+then that string may contain unexpected format specifiers that cause garbled output.
+
+Either sanitize the input before including it in the format string, or use a
+%s specifier in the format string, and pass the untrusted data as corresponding
+argument.
+
+The following program snippet logs information about an unauthorized access attempt. The
+log message includes the user name, and the user's IP address is passed as an additional
+argument to console.log to be appended to the message:
+
+However, if a malicious user provides %d as their user name, console.log
+will instead attempt to format the ip argument as a number. Since IP addresses are
+not valid numbers, the result of this conversion is NaN. The resulting log message
+will read "Unauthorized access attempt by NaN", missing all the information that it was trying to
+log in the first place.
+
+Instead, the user name should be included using the %s specifier:
+
-Functions like the Node.js standard library function util.format accept a
-format string that is used to format the remaining arguments by providing inline format
-specifiers. If the format string contains unsanitized input from an untrusted source,
-then that string may contain unexpected format specifiers that cause garbled output.
-
-Either sanitize the input before including it in the format string, or use a
-%s specifier in the format string, and pass the untrusted data as corresponding
-argument.
-
-The following program snippet logs information about an unauthorized access attempt. The
-log message includes the user name, and the user's IP address is passed as an additional
-argument to console.log to be appended to the message:
-
-However, if a malicious user provides %d as their user name, console.log
-will instead attempt to format the ip argument as a number. Since IP addresses are
-not valid numbers, the result of this conversion is NaN. The resulting log message
-will read "Unauthorized access attempt by NaN", missing all the information that it was trying to
-log in the first place.
-
-Instead, the user name should be included using the %s specifier:
-
+
+ A server can send the
+ "Access-Control-Allow-Credentials" CORS header to control
+ when a browser may send user credentials in Cross-Origin HTTP
+ requests.
+
+
+
+ When the Access-Control-Allow-Credentials header
+ is "true", the Access-Control-Allow-Origin
+ header must have a value different from "*" in order to
+ make browsers accept the header. Therefore, to allow multiple origins
+ for Cross-Origin requests with credentials, the server must
+ dynamically compute the value of the
+ "Access-Control-Allow-Origin" header. Computing this
+ header value from information in the request to the server can
+ therefore potentially allow an attacker to control the origins that
+ the browser sends credentials to.
+
+
+
+ When the Access-Control-Allow-Credentials header
+ value is "true", a dynamic computation of the
+ Access-Control-Allow-Origin header must involve
+ sanitization if it relies on user-controlled input.
+
+
+
+
+ Since the "null" origin is easy to obtain for an
+ attacker, it is never safe to use "null" as the value of
+ the Access-Control-Allow-Origin header when the
+ Access-Control-Allow-Credentials header value is
+ "true".
+
+
+
+ In the example below, the server allows the browser to send
+ user credentials in a Cross-Origin request. The request header
+ origins controls the allowed origins for such a
+ Cross-Origin request.
+
+
+
+ This is not secure, since an attacker can choose the value of
+ the origin request header to make the browser send
+ credentials to their own server. The use of a whitelist containing
+ allowed origins for the Cross-Origin request fixes the issue:
+
+
-
- A server can send the
- "Access-Control-Allow-Credentials" CORS header to control
- when a browser may send user credentials in Cross-Origin HTTP
- requests.
-
-
-
- When the Access-Control-Allow-Credentials header
- is "true", the Access-Control-Allow-Origin
- header must have a value different from "*" in order to
- make browsers accept the header. Therefore, to allow multiple origins
- for Cross-Origin requests with credentials, the server must
- dynamically compute the value of the
- "Access-Control-Allow-Origin" header. Computing this
- header value from information in the request to the server can
- therefore potentially allow an attacker to control the origins that
- the browser sends credentials to.
-
-
-
- When the Access-Control-Allow-Credentials header
- value is "true", a dynamic computation of the
- Access-Control-Allow-Origin header must involve
- sanitization if it relies on user-controlled input.
-
-
-
-
- Since the "null" origin is easy to obtain for an
- attacker, it is never safe to use "null" as the value of
- the Access-Control-Allow-Origin header when the
- Access-Control-Allow-Credentials header value is
- "true".
-
-
-
- In the example below, the server allows the browser to send
- user credentials in a Cross-Origin request. The request header
- origins controls the allowed origins for such a
- Cross-Origin request.
-
-
-
- This is not secure, since an attacker can choose the value of
- the origin request header to make the browser send
- credentials to their own server. The use of a whitelist containing
- allowed origins for the Cross-Origin request fixes the issue:
-
-
+ Dynamically computing object property names from untrusted input
+ may have multiple undesired consequences. For example,
+ if the property access is used as part of a write, an
+ attacker may overwrite vital properties of objects, such as
+ __proto__. This attack is known as prototype
+ pollution attack and may serve as a vehicle for denial-of-service
+ attacks. A similar attack vector, is to replace the
+ toString property of an object with a primitive.
+ Whenever toString is then called on that object, either
+ explicitly or implicitly as part of a type coercion, an exception
+ will be raised.
+
+ Moreover, if the name of an HTTP header is user-controlled,
+ an attacker may exploit this to overwrite security-critical headers
+ such as Access-Control-Allow-Origin or
+ Content-Security-Policy.
+
+ The most common case in which prototype pollution vulnerabilities arise
+ is when JavaScript objects are used for implementing map data
+ structures. This case should be avoided whenever possible by using the
+ ECMAScript 2015 Map instead. When this is not possible, an
+ alternative fix is to prepend untrusted input with a marker character
+ such as $, before using it in properties accesses. In this way,
+ the attacker does not have access to built-in properties which do not
+ start with the chosen character.
+
+ When using user input as part of a header name, a sanitization
+ step should be performed on the input to ensure that the name does not
+ clash with existing header names such as
+ Content-Security-Policy.
+
+ In the example below, the dynamically computed property
+ prop is accessed on myObj using a
+ user-controlled value.
+
+ This is not secure since an attacker may exploit this code to
+ overwrite the property __proto__ with an empty function.
+ If this happens, the concatenation in the console.log
+ argument will fail with a confusing message such as
+ "Function.prototype.toString is not generic". If the application does
+ not properly handle this error, this scenario may result in a serious
+ denial-of-service attack. The fix is to prepend the user-controlled
+ string with a marker character such as $ which will
+ prevent arbitrary property names from being overwritten.
+
- Dynamically computing object property names from untrusted input
- may have multiple undesired consequences. For example,
- if the property access is used as part of a write, an
- attacker may overwrite vital properties of objects, such as
- __proto__. This attack is known as prototype
- pollution attack and may serve as a vehicle for denial-of-service
- attacks. A similar attack vector, is to replace the
- toString property of an object with a primitive.
- Whenever toString is then called on that object, either
- explicitly or implicitly as part of a type coercion, an exception
- will be raised.
-
- Moreover, if the name of an HTTP header is user-controlled,
- an attacker may exploit this to overwrite security-critical headers
- such as Access-Control-Allow-Origin or
- Content-Security-Policy.
-
- The most common case in which prototype pollution vulnerabilities arise
- is when JavaScript objects are used for implementing map data
- structures. This case should be avoided whenever possible by using the
- ECMAScript 2015 Map instead. When this is not possible, an
- alternative fix is to prepend untrusted input with a marker character
- such as $, before using it in properties accesses. In this way,
- the attacker does not have access to built-in properties which do not
- start with the chosen character.
-
- When using user input as part of a header name, a sanitization
- step should be performed on the input to ensure that the name does not
- clash with existing header names such as
- Content-Security-Policy.
-
- In the example below, the dynamically computed property
- prop is accessed on myObj using a
- user-controlled value.
-
- This is not secure since an attacker may exploit this code to
- overwrite the property __proto__ with an empty function.
- If this happens, the concatenation in the console.log
- argument will fail with a confusing message such as
- "Function.prototype.toString is not generic". If the application does
- not properly handle this error, this scenario may result in a serious
- denial-of-service attack. The fix is to prepend the user-controlled
- string with a marker character such as $ which will
- prevent arbitrary property names from being overwritten.
-
+Deserializing untrusted data using any deserialization framework that +allows the construction of arbitrary functions is easily exploitable +and, in many cases, allows an attacker to execute arbitrary code. +
++Avoid deserialization of untrusted data if at all possible. If the +architecture permits it, then use formats like JSON or XML that cannot +represent functions. When using YAML or other formats that support the +serialization and deserialization of functions, ensure that the parser +is configured to disable deserialization of arbitrary functions. +
+
+The following example calls the load function of the popular
+js-yaml package on data that comes from an HTTP request and
+hence is inherently unsafe.
+
+Using the safeLoad function instead (which does not deserialize
+YAML-encoded functions) removes the vulnerability.
+
-Deserializing untrusted data using any deserialization framework that -allows the construction of arbitrary functions is easily exploitable -and, in many cases, allows an attacker to execute arbitrary code. -
--Avoid deserialization of untrusted data if at all possible. If the -architecture permits it, then use formats like JSON or XML that cannot -represent functions. When using YAML or other formats that support the -serialization and deserialization of functions, ensure that the parser -is configured to disable deserialization of arbitrary functions. -
-
-The following example calls the load function of the popular
-js-yaml package on data that comes from an HTTP request and
-hence is inherently unsafe.
-
-Using the safeLoad function instead (which does not deserialize
-YAML-encoded functions) removes the vulnerability.
-
+Parsing untrusted XML files with a weakly configured XML parser may lead to an +XML External Entity (XXE) attack. This type of attack uses external entity references +to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side +request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible +and out-of-band data retrieval techniques may allow attackers to steal sensitive data. +
+
+The easiest way to prevent XXE attacks is to disable external entity handling when
+parsing untrusted data. How this is done depends on the library being used. Note that some
+libraries, such as recent versions of libxml, disable entity expansion by default,
+so unless you have explicitly enabled entity expansion, no further action needs to be taken.
+
+The following example uses the libxml XML parser to parse a string xmlSrc.
+If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since
+the parser is invoked with the noent option set to true:
+
+To guard against XXE attacks, the noent option should be omitted or set to
+false. This means that no entity expansion is undertaken at all, not even for standard
+internal entities such as & or >. If desired, these
+entities can be expanded in a separate step using utility functions provided by libraries such
+as underscore,
+lodash or
+he.
+
-Parsing untrusted XML files with a weakly configured XML parser may lead to an -XML External Entity (XXE) attack. This type of attack uses external entity references -to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side -request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible -and out-of-band data retrieval techniques may allow attackers to steal sensitive data. -
-
-The easiest way to prevent XXE attacks is to disable external entity handling when
-parsing untrusted data. How this is done depends on the library being used. Note that some
-libraries, such as recent versions of libxml, disable entity expansion by default,
-so unless you have explicitly enabled entity expansion, no further action needs to be taken.
-
-The following example uses the libxml XML parser to parse a string xmlSrc.
-If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since
-the parser is invoked with the noent option set to true:
-
-To guard against XXE attacks, the noent option should be omitted or set to
-false. This means that no entity expansion is undertaken at all, not even for standard
-internal entities such as & or >. If desired, these
-entities can be expanded in a separate step using utility functions provided by libraries such
-as underscore,
-lodash or
-he.
-
+If an XPath expression is built using string concatenation, and the components of the concatenation +include user input, it makes it very easy for a user to create a malicious XPath expression. +
++If user input must be included in an XPath expression, either sanitize the data or use variable +references to safely embed it without altering the structure of the expression. +
+
+In this example, the code accepts a user name specified by the user, and uses this
+unvalidated and unsanitized value in an XPath expression constructed using the xpath
+package. This is vulnerable to the user providing special characters or string sequences
+that change the meaning of the XPath expression to search for different values.
+
+Instead, embed the user input using the variable replacement mechanism offered
+by xpath:
+
-If an XPath expression is built using string concatenation, and the components of the concatenation -include user input, it makes it very easy for a user to create a malicious XPath expression. -
--If user input must be included in an XPath expression, either sanitize the data or use variable -references to safely embed it without altering the structure of the expression. -
-
-In this example, the code accepts a user name specified by the user, and uses this
-unvalidated and unsanitized value in an XPath expression constructed using the xpath
-package. This is vulnerable to the user providing special characters or string sequences
-that change the meaning of the XPath expression to search for different values.
-
-Instead, embed the user input using the variable replacement mechanism offered
-by xpath:
-
+Constructing a regular expression with unsanitized user input is dangerous as a malicious user may +be able to modify the meaning of the expression. In particular, such a user may be able to provide +a regular expression fragment that takes exponential time in the worst case, and use that to +perform a Denial of Service attack. +
+
+Before embedding user input into a regular expression, use a sanitization function such as
+lodash's _.escapeRegExp to escape meta-characters that have special meaning.
+
+The following example shows a HTTP request parameter that is used to construct a regular expression +without sanitizing it first: +
+
+Instead, the request parameter should be sanitized first, for example using the function
+_.escapeRegExp from the lodash package. This ensures that the user cannot insert
+characters which have a special meaning in regular expressions.
+
-Constructing a regular expression with unsanitized user input is dangerous as a malicious user may -be able to modify the meaning of the expression. In particular, such a user may be able to provide -a regular expression fragment that takes exponential time in the worst case, and use that to -perform a Denial of Service attack. -
-
-Before embedding user input into a regular expression, use a sanitization function such as
-lodash's _.escapeRegExp to escape meta-characters that have special meaning.
-
-The following example shows a HTTP request parameter that is used to construct a regular expression -without sanitizing it first: -
-
-Instead, the request parameter should be sanitized first, for example using the function
-_.escapeRegExp from the lodash package. This ensures that the user cannot insert
-characters which have a special meaning in regular expressions.
-
+ + Applications are constrained by how many resources they can make use + of. Failing to respect these constraints may cause the application to + be unresponsive or crash. It is therefore problematic if attackers + can control the sizes or lifetimes of allocated objects. + +
+ ++ + Ensure that attackers can not control object sizes and their + lifetimes. If object sizes and lifetimes must be controlled by + external parties, ensure you restrict the object sizes and lifetimes so that + they are within acceptable ranges. + +
+ ++ + The following example allocates a buffer with a user-controlled + size. + +
+ ++ + This is problematic since an attacker can choose a size + that makes the application run out of memory. Even worse, in older + versions of Node.js, this could leak confidential memory. + + To prevent such attacks, limit the buffer size: + +
+ ++ + As another example, consider an application that allocates an + array with a user-controlled size, and then fills it with values: + +
+ ++ The allocation of the array itself is not problematic since arrays are + allocated sparsely, but the subsequent filling of the array will take + a long time, causing the application to be unresponsive, or even run + out of memory. + + Again, a limit on the size will prevent the attack: + +
+ ++ + Finally, the following example lets a user choose a delay after + which a function is executed: + +
+ ++ + This is problematic because a large delay essentially makes the + application wait indefinitely before executing the function. Repeated + registrations of such delays will therefore use up all of the memory + in the application. + + A limit on the delay will prevent the attack: + +
+ +- - Applications are constrained by how many resources they can make use - of. Failing to respect these constraints may cause the application to - be unresponsive or crash. It is therefore problematic if attackers - can control the sizes or lifetimes of allocated objects. - -
- -- - Ensure that attackers can not control object sizes and their - lifetimes. If object sizes and lifetimes must be controlled by - external parties, ensure you restrict the object sizes and lifetimes so that - they are within acceptable ranges. - -
- -- - The following example allocates a buffer with a user-controlled - size. - -
- -- - This is problematic since an attacker can choose a size - that makes the application run out of memory. Even worse, in older - versions of Node.js, this could leak confidential memory. - - To prevent such attacks, limit the buffer size: - -
- -- - As another example, consider an application that allocates an - array with a user-controlled size, and then fills it with values: - -
- -- The allocation of the array itself is not problematic since arrays are - allocated sparsely, but the subsequent filling of the array will take - a long time, causing the application to be unresponsive, or even run - out of memory. - - Again, a limit on the size will prevent the attack: - -
- -- - Finally, the following example lets a user choose a delay after - which a function is executed: - -
- -- - This is problematic because a large delay essentially makes the - application wait indefinitely before executing the function. Repeated - registrations of such delays will therefore use up all of the memory - in the application. - - A limit on the delay will prevent the attack: - -
- -+Parsing untrusted XML files with a weakly configured XML parser may be vulnerable to +denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion. +
++In XML, so-called internal entities are a mechanism for introducing an abbreviation +for a piece of text or part of a document. When a parser that has been configured +to expand entities encounters a reference to an internal entity, it replaces the entity +by the data it represents. The replacement text may itself contain other entity references, +which are expanded recursively. This means that entity expansion can increase document size +dramatically. +
++If untrusted XML is parsed with entity expansion enabled, a malicious attacker could +submit a document that contains very deeply nested entity definitions, causing the parser +to take a very long time or use large amounts of memory. This is sometimes called an +XML bomb attack. +
+
+The safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted
+data. How this is done depends on the library being used. Note that some libraries, such as
+recent versions of libxmljs (though not its SAX parser API), disable entity expansion
+by default, so unless you have explicitly enabled entity expansion, no further action is needed.
+
+The following example uses the XML parser provided by the node-expat package to
+parse a string xmlSrc. If that string is from an untrusted source, this code may be
+vulnerable to a DoS attack, since node-expat expands internal entities by default:
+
+At the time of writing, node-expat does not provide a way of controlling entity
+expansion, but the example could be rewritten to use the sax package instead,
+which only expands standard entities such as &:
+
-Parsing untrusted XML files with a weakly configured XML parser may be vulnerable to -denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion. -
--In XML, so-called internal entities are a mechanism for introducing an abbreviation -for a piece of text or part of a document. When a parser that has been configured -to expand entities encounters a reference to an internal entity, it replaces the entity -by the data it represents. The replacement text may itself contain other entity references, -which are expanded recursively. This means that entity expansion can increase document size -dramatically. -
--If untrusted XML is parsed with entity expansion enabled, a malicious attacker could -submit a document that contains very deeply nested entity definitions, causing the parser -to take a very long time or use large amounts of memory. This is sometimes called an -XML bomb attack. -
-
-The safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted
-data. How this is done depends on the library being used. Note that some libraries, such as
-recent versions of libxmljs (though not its SAX parser API), disable entity expansion
-by default, so unless you have explicitly enabled entity expansion, no further action is needed.
-
-The following example uses the XML parser provided by the node-expat package to
-parse a string xmlSrc. If that string is from an untrusted source, this code may be
-vulnerable to a DoS attack, since node-expat expands internal entities by default:
-
-At the time of writing, node-expat does not provide a way of controlling entity
-expansion, but the example could be rewritten to use the sax package instead,
-which only expands standard entities such as &:
-
+ + Using user-controlled data in a permissions check may + allow a user to gain unauthorized access to protected functionality or + data. + +
+ +- - Using user-controlled data in a permissions check may - allow a user to gain unauthorized access to protected functionality or - data. - -
- -
+ Most JavaScript objects inherit the properties of the built-in Object.prototype object.
+ Prototype pollution is a type of vulnerability in which an attacker is able to modify Object.prototype.
+ Since most objects inherit from the compromised Object.prototype object, the attacker can use this
+ to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.
+
+ One way to cause prototype pollution is by modifying an object obtained via a user-controlled property name.
+ Most objects have a special __proto__ property that refers to Object.prototype.
+ An attacker can abuse this special property to trick the application into performing unintended modifications
+ of Object.prototype.
+
+ Use an associative data structure that is resilient to untrusted key values, such as a Map. + In some cases, a prototype-less object created with Object.create(null) + may be preferable. +
++ Alternatively, restrict the computed property name so it can't clash with a built-in property, either by + prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format. +
+
+ In the example below, the untrusted value req.params.id is used as the property name
+ req.session.todos[id]. If a malicious user passes in the ID value __proto__,
+ the variable todo will then refer to Object.prototype.
+ Finally, the modification of todo then allows the attacker to inject arbitrary properties
+ onto Object.prototype.
+
+ One way to fix this is to use Map objects to associate key/value pairs + instead of regular objects, as shown below: +
+ +
- Most JavaScript objects inherit the properties of the built-in Object.prototype object.
- Prototype pollution is a type of vulnerability in which an attacker is able to modify Object.prototype.
- Since most objects inherit from the compromised Object.prototype object, the attacker can use this
- to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.
-
- One way to cause prototype pollution is by modifying an object obtained via a user-controlled property name.
- Most objects have a special __proto__ property that refers to Object.prototype.
- An attacker can abuse this special property to trick the application into performing unintended modifications
- of Object.prototype.
-
- Use an associative data structure that is resilient to untrusted key values, such as a Map. - In some cases, a prototype-less object created with Object.create(null) - may be preferable. -
-- Alternatively, restrict the computed property name so it can't clash with a built-in property, either by - prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format. -
-
- In the example below, the untrusted value req.params.id is used as the property name
- req.session.todos[id]. If a malicious user passes in the ID value __proto__,
- the variable todo will then refer to Object.prototype.
- Finally, the modification of todo then allows the attacker to inject arbitrary properties
- onto Object.prototype.
-
- One way to fix this is to use Map objects to associate key/value pairs - instead of regular objects, as shown below: -
- -