ajinabraham / nodejsscan

nodejsscan is a static security code scanner for Node.js applications.
https://opensecurity.in
GNU General Public License v3.0

[Feature] Add code to run nodejsscan from cli #44

Closed uberspot closed 6 years ago

uberspot commented 6 years ago

Hi, Cool project :)

It would be cool if you could run nodejsscan from the command line and just get all the results of a scan as JSON. This way it could be integrated into automatic static source code analysis pipelines and continuously scan repos. Just throwing this out as a potential usability improvement.

Keep up the good work.

ajinabraham commented 6 years ago

Thanks, will consider this.

ajinabraham commented 6 years ago

Feature Added.

$ python cli.py -d /Users/ajin/Code/Node.Js-Security-Course/

[INFO] Running Static Analyzer Running on - /Users/ajin/Code/Node.Js-Security-Course/

{"files": [{"LICENSE": "/Users/ajin/Code/Node.Js-Security-Course/LICENSE"}, {"dir_traversal.js": "/Users/ajin/Code/Node.Js-Security-Course/dir_traversal.js"}, {"node-mongo.js": "/Users/ajin/Code/Node.Js-Security-Course/node-mongo.js"}, {"hpp.js": "/Users/ajin/Code/Node.Js-Security-Course/hpp.js"}, {"nodejsshell.py": "/Users/ajin/Code/Node.Js-Security-Course/nodejsshell.py"}, {"README.md": "/Users/ajin/Code/Node.Js-Security-Course/README.md"}, {"eval.js": "/Users/ajin/Code/Node.Js-Security-Course/eval.js"}, {".gitignore": "/Users/ajin/Code/Node.Js-Security-Course/.gitignore"}, {"global_scope.js": "/Users/ajin/Code/Node.Js-Security-Course/global_scope.js"}, {"simple_server.js": "/Users/ajin/Code/Node.Js-Security-Course/simple_server.js"}, {"redos.js": "/Users/ajin/Code/Node.Js-Security-Course/redos.js"}, {"command execution.js": "/Users/ajin/Code/Node.Js-Security-Course/command execution.js"}, {"deserialization.js": "/Users/ajin/Code/Node.Js-Security-Course/deserialization.js"}, {"fs.js": "/Users/ajin/Code/Node.Js-Security-Course/fs.js"}, {".gitORIG_HEAD": "/Users/ajin/Code/Node.Js-Security-Course/.git/ORIG_HEAD"}, {".gitconfig": "/Users/ajin/Code/Node.Js-Security-Course/.git/config"}, {".gitHEAD": "/Users/ajin/Code/Node.Js-Security-Course/.git/HEAD"}, {".gitdescription": "/Users/ajin/Code/Node.Js-Security-Course/.git/description"}, {".gitindex": "/Users/ajin/Code/Node.Js-Security-Course/.git/index"}, {".gitpacked-refs": "/Users/ajin/Code/Node.Js-Security-Course/.git/packed-refs"}, {".gitCOMMIT_EDITMSG": "/Users/ajin/Code/Node.Js-Security-Course/.git/COMMIT_EDITMSG"}, {".gitFETCH_HEAD": "/Users/ajin/Code/Node.Js-Security-Course/.git/FETCH_HEAD"}, {".gitobjects/59/d842baa84c8bf4a041873b61233d12a585816c": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/59/d842baa84c8bf4a041873b61233d12a585816c"}, {".gitobjects/57/e2fca634ae1f0ccf490c8667de95ae9f0d8aa1": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/57/e2fca634ae1f0ccf490c8667de95ae9f0d8aa1"}, 
{".gitobjects/35/50ea1a08aca5b43cbd97b985b0fc7f52d60079": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/35/50ea1a08aca5b43cbd97b985b0fc7f52d60079"}, {".gitobjects/9d/b17f139e7a17ade977ddb49723a64ddbfd9426": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/9d/b17f139e7a17ade977ddb49723a64ddbfd9426"}, {".gitobjects/a3/54af12aa468a31f8a896e74feb80a162b800f6": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/a3/54af12aa468a31f8a896e74feb80a162b800f6"}, {".gitobjects/b2/1a28e9bbe0622bb2f812fdecd1b5fabafbcc15": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/b2/1a28e9bbe0622bb2f812fdecd1b5fabafbcc15"}, {".gitobjects/b3/5dc667c6812c61b787e7298410cc8d621fe386": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/b3/5dc667c6812c61b787e7298410cc8d621fe386"}, {".gitobjects/a2/c6521db8739a15266df69e3f44c68faacc10d5": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/a2/c6521db8739a15266df69e3f44c68faacc10d5"}, {".gitobjects/d1/addaa5b523bbb77c5719fa1db80bdeab48df2a": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/d1/addaa5b523bbb77c5719fa1db80bdeab48df2a"}, {".gitobjects/ab/f7c42e3d997ba5734e0652ca02d4ff2240ed0f": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/ab/f7c42e3d997ba5734e0652ca02d4ff2240ed0f"}, {".gitobjects/eb/e7ab7878eb30647b551eee34adee4a3b4e2211": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/eb/e7ab7878eb30647b551eee34adee4a3b4e2211"}, {".gitobjects/e4/76ed726be25c30da47922c7bc42c829105b988": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/e4/76ed726be25c30da47922c7bc42c829105b988"}, {".gitobjects/ec/17d33eae793c680abefb376c1bcf34fe36bc9d": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/ec/17d33eae793c680abefb376c1bcf34fe36bc9d"}, {".gitobjects/20/de7c109528986d928db4beef5e7f53b4bd220b": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/20/de7c109528986d928db4beef5e7f53b4bd220b"}, {".gitobjects/4b/0e17362821dcff5fd9b1da68440f74f8ce55f1": 
"/Users/ajin/Code/Node.Js-Security-Course/.git/objects/4b/0e17362821dcff5fd9b1da68440f74f8ce55f1"}, {".gitobjects/28/d188c183720837d00ca64866141bdb21fc3813": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/28/d188c183720837d00ca64866141bdb21fc3813"}, {".gitobjects/17/0300613ff0a0793982dcf47fa4ecb56491c4d3": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/17/0300613ff0a0793982dcf47fa4ecb56491c4d3"}, {".gitobjects/2f/120d5221f2dd82c9b494a1fe1fc3db6f3ff695": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/2f/120d5221f2dd82c9b494a1fe1fc3db6f3ff695"}, {".gitobjects/6b/156fe1db9c5cd21ca1c68b7025bae40d0c5764": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/6b/156fe1db9c5cd21ca1c68b7025bae40d0c5764"}, {".gitobjects/3f/6e830ff5ee4e059b639698e6c24b7b724f2db7": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/3f/6e830ff5ee4e059b639698e6c24b7b724f2db7"}, {".gitobjects/37/82636e8058ac848c16ccc174013f5949e5c9ed": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/37/82636e8058ac848c16ccc174013f5949e5c9ed"}, {".gitobjects/08/5f5bac1765b33c23f4f0df03a49bd6ed3e7c48": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/08/5f5bac1765b33c23f4f0df03a49bd6ed3e7c48"}, {".gitobjects/01/b41367a87294b12faf274b4c31396ec1fe116c": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/01/b41367a87294b12faf274b4c31396ec1fe116c"}, {".gitobjects/0a/ef667eecd9623cb7282e6a25c532b843d8de94": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/0a/ef667eecd9623cb7282e6a25c532b843d8de94"}, {".gitobjects/90/9c621b9516e3f2b8fc3c74bbff56f2a0e70243": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/90/9c621b9516e3f2b8fc3c74bbff56f2a0e70243"}, {".gitobjects/b0/160266e7a5ce946723146c4794163b21de7c82": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/b0/160266e7a5ce946723146c4794163b21de7c82"}, {".gitobjects/ea/1eaba9fb8343b8cc715193111f6b44baf510e3": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/ea/1eaba9fb8343b8cc715193111f6b44baf510e3"}, 
{".gitobjects/e9/81c6edd6ed10410bce85c5fba48ac33d44e8a9": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/e9/81c6edd6ed10410bce85c5fba48ac33d44e8a9"}, {".gitobjects/f1/fd947483ea6fb0109a065f5386414fe41988a4": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/f1/fd947483ea6fb0109a065f5386414fe41988a4"}, {".gitobjects/2c/4b1b814498865e4c77d44869e2ccc57aae72b4": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/2c/4b1b814498865e4c77d44869e2ccc57aae72b4"}, {".gitobjects/8d/b46a333ce8e63f9efb77b9b20c928f1b15127c": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/8d/b46a333ce8e63f9efb77b9b20c928f1b15127c"}, {".gitobjects/8e/c9f14468c4a3746d1385cbdd193066fda97fbc": "/Users/ajin/Code/Node.Js-Security-Course/.git/objects/8e/c9f14468c4a3746d1385cbdd193066fda97fbc"}, {".gitinfo/exclude": "/Users/ajin/Code/Node.Js-Security-Course/.git/info/exclude"}, {".gitlogs/HEAD": "/Users/ajin/Code/Node.Js-Security-Course/.git/logs/HEAD"}, {".gitlogs/refs/heads/master": "/Users/ajin/Code/Node.Js-Security-Course/.git/logs/refs/heads/master"}, {".gitlogs/refs/remotes/origin/HEAD": "/Users/ajin/Code/Node.Js-Security-Course/.git/logs/refs/remotes/origin/HEAD"}, {".gitlogs/refs/remotes/origin/master": "/Users/ajin/Code/Node.Js-Security-Course/.git/logs/refs/remotes/origin/master"}, {".githooks/commit-msg.sample": "/Users/ajin/Code/Node.Js-Security-Course/.git/hooks/commit-msg.sample"}, {".githooks/pre-rebase.sample": "/Users/ajin/Code/Node.Js-Security-Course/.git/hooks/pre-rebase.sample"}, {".githooks/pre-commit.sample": "/Users/ajin/Code/Node.Js-Security-Course/.git/hooks/pre-commit.sample"}, {".githooks/applypatch-msg.sample": "/Users/ajin/Code/Node.Js-Security-Course/.git/hooks/applypatch-msg.sample"}, {".githooks/prepare-commit-msg.sample": "/Users/ajin/Code/Node.Js-Security-Course/.git/hooks/prepare-commit-msg.sample"}, {".githooks/post-update.sample": "/Users/ajin/Code/Node.Js-Security-Course/.git/hooks/post-update.sample"}, {".githooks/pre-applypatch.sample": 
"/Users/ajin/Code/Node.Js-Security-Course/.git/hooks/pre-applypatch.sample"}, {".githooks/pre-push.sample": "/Users/ajin/Code/Node.Js-Security-Course/.git/hooks/pre-push.sample"}, {".githooks/update.sample": "/Users/ajin/Code/Node.Js-Security-Course/.git/hooks/update.sample"}, {".gitrefs/heads/master": "/Users/ajin/Code/Node.Js-Security-Course/.git/refs/heads/master"}, {".gitrefs/remotes/origin/HEAD": "/Users/ajin/Code/Node.Js-Security-Course/.git/refs/remotes/origin/HEAD"}, {".gitrefs/remotes/origin/master": "/Users/ajin/Code/Node.Js-Security-Course/.git/refs/remotes/origin/master"}], "good_finding": {}, "total_count": {"mis": 8, "good": 0, "sec": 3}, "sec_issues": {"Remote Code Injection": [{"sha2": "c852c46da2ff4300ecc5df666328ca54151aa715a883abbc28fac84c37a9b2be", "description": "User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).", "title": "Server Side Injection(SSI) - eval()", "lines": "var express = require('express');\nvar app = express();\napp.get('/', function(req, res) {\n    var resp = eval(\"(\" + req.query.name + \")\");\n    res.send('Response</br>' + resp);\n});\napp.listen(8000);", "filename": "eval.js", "tag": "rci", "path": "/Users/ajin/Code/Node.Js-Security-Course/eval.js", "line": 4}, {"sha2": "06f3f0ff3deed27aeb95955a17abc7722895d3538c14648af97789d8777cee50", "description": "User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.", "title": "Deserialization Remote Code Injection", "lines": "app.use(cookieParser())\n\napp.get('/', function(req, res) {\n            if (req.cookies.profile) {\n                var str = new Buffer(req.cookies.profile, 'base64').toString();\n                var obj = serialize.unserialize(str);\n                if (obj.username) {\n                    res.send(\"Hello \" + escape(obj.username));\n                }\n            } else {", "filename": "deserialization.js", "tag": "rci", "path": 
"/Users/ajin/Code/Node.Js-Security-Course/deserialization.js", "line": 11}], "Cross Site Scripting (XSS)": [{"sha2": "ea2354a755f62f5bf3ac2e2283e52b8b95898844e4aec455efe1cdb4ff739835", "description": "Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability", "title": "XSS - Reflected Cross Site Scripting", "lines": "var express = require('express');\nvar app = express();\napp.get('/', function(req, res) {\n    res.send('id: ' + req.query.id);\n    console.log(\"GET / id=\" + req.query.id);\n});\napp.listen(3000);", "filename": "hpp.js", "tag": "xss", "path": "/Users/ajin/Code/Node.Js-Security-Course/hpp.js", "line": 4}]}, "vuln_count": {"Deserialization Remote Code Injection": 1, "Server Side Injection(SSI) - eval()": 1, "XSS - Reflected Cross Site Scripting": 1}, "missing_sec_header": {"Web Security": [{"tag": "web", "description": "X-Frame-Options (XFO) header provides protection against Clickjacking attacks.", "title": "Missing Security Header - X-Frame-Options (XFO)"}, {"tag": "web", "description": "Content Security Policy (CSP), a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). 
CSP Header was not found.", "title": "Missing Security Header - Content-Security-Policy (CSP)"}, {"tag": "web", "description": "Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.", "title": "Missing Security Header - Strict-Transport-Security (HSTS)"}, {"tag": "web", "description": "Remove the X-Powered-By header to prevent information gathering.", "title": "Infromation Disclosure - X-Powered-By"}, {"tag": "web", "description": "X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.", "title": "Missing Security Header - X-Content-Type-Options"}, {"tag": "web", "description": "X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.", "title": "Missing Security Header - X-Download-Options: noopen"}, {"tag": "web", "description": "X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers.", "title": "Missing Security Header - X-XSS-Protection:1"}, {"tag": "web", "description": "Public-Key-Pins (HPKP) ensures that certificate is Pinned.", "title": "Missing Security Header - Public-Key-Pins (HPKP)"}]}}
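A CI gate that consumes the JSON emitted by `cli.py`, added here as an example of the pipeline integration uberspot asked for; it is not nodejsscan's own code. The report fields (`sec_issues`, `missing_sec_header`, `total_count`, per-finding `sha2`) are taken from the output above; the shortened sample report and the baseline-file convention are constructed for this example.

```python
import json
import sys

# Constructed sample report, cut down to the shape of the cli.py output above:
# "sec_issues" maps a category to findings carrying sha2/title/filename/line,
# "missing_sec_header" maps a category to header findings, "total_count" tallies.
SAMPLE_REPORT = json.dumps({
    "total_count": {"mis": 1, "good": 0, "sec": 2},
    "sec_issues": {
        "Remote Code Injection": [{"sha2": "a" * 64, "tag": "rci", "line": 4,
            "title": "Server Side Injection(SSI) - eval()", "filename": "eval.js"}],
        "Cross Site Scripting (XSS)": [{"sha2": "b" * 64, "tag": "xss", "line": 4,
            "title": "XSS - Reflected Cross Site Scripting", "filename": "hpp.js"}],
    },
    "missing_sec_header": {"Web Security": [
        {"tag": "web", "title": "Missing Security Header - Content-Security-Policy (CSP)"}]},
})


def new_findings(report, baseline):
    """Return sec_issues findings whose sha2 is not in the accepted baseline.
    nodejsscan emits a sha2 per finding, so a baseline of triaged sha2 values
    lets the pipeline fail only on findings it has not seen before."""
    return [f for findings in report.get("sec_issues", {}).values()
            for f in findings if f.get("sha2") not in baseline]


def gate(report_json, baseline=frozenset(), fail_on_missing_headers=False):
    """Return (exit_code, summary_lines) for one nodejsscan JSON report.
    Exit code is 1 when unaccepted security issues remain, or when security
    headers are missing and the caller chose to treat that as a failure."""
    report = json.loads(report_json)
    fresh = new_findings(report, baseline)
    summary = [f"{f['filename']}:{f['line']} {f['title']} [{f['sha2'][:12]}]"
               for f in fresh]
    headers = sum(len(v) for v in report.get("missing_sec_header", {}).values())
    total = report.get("total_count", {}).get("sec", len(fresh))
    summary.append(f"sec issues: {len(fresh)} new of {total}; missing headers: {headers}")
    failed = bool(fresh) or (fail_on_missing_headers and headers > 0)
    return (1 if failed else 0), summary


if __name__ == "__main__":
    # Usage: python gate.py report.json [baseline.txt]; no arguments runs the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    accepted = frozenset(open(sys.argv[2]).read().split()) if len(sys.argv) > 2 else frozenset()
    code, out = gate(data, accepted)
    print("\n".join(out))
    sys.exit(code)
```

The baseline file is a whitespace-separated list of accepted `sha2` values; a pipeline step such as `python cli.py -d . > report.json && python gate.py report.json baseline.txt` then fails the build only on findings that have not been triaged.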
uberspot commented 6 years ago

Noice 👍