Mr. Audit validates secure code guidelines and security best practices for JavaScript projects.
About
gulp-mraudit is a gulp plugin that ties into the build process and will scan specified JavaScript files to ensure that they conform with security best practices.
This gulp plugin extends gulp-contains for searching specific strings in files.
Example
Add to your Gulpfile a task called securecode
that ensures there is no use of insecure functions like eval
or child_process.exec
in your source code:
gulp;
Then run the task as part of your build process to enforce it:
$ gulp securecode lirantal:~/workspace $ gulp securecode[07:10:58] Using gulpfile ~/workspace/gulpfile.js[07:10:58] Starting 'securecode'...[07:10:58] Finished 'securecode' after 12 ms events.js:141 throw er; // Unhandled 'error' event ^Error: Your file contains "eval(", it should not.
Gulp Example
The project itself includes a gulpfile.js in the root directory as an example of an operational Gulpfile.
Install
npm install gulp-mraudit --save
Configuration
The plugin expects to receive an object with two properties: warnList
and an errList
.
This granularity is provided so that project owners can provide callbacks, and warnings when a match is found in the file for any string in the warnList
, and can entirely break the build if the errList
is matched.
Simple object example:
var options = warnList: search: ' req.body.' errList: search: 'eval(' 'child_process.exec(' 'setTimeout(' 'setInterval(' ;
It is also possible to provide an onFound
property for each of the errList
and warnList
properties so that you can completely customize any kind of callback function trigger that happens when a match is found in either case.
Security Best Practices
Out of the box Mr Audit is configured to assert the following list of security best practices:
Option | Description |
---|---|
req.body. |
Potential noSQ injection with directly using parsed JSON objects in ExpressJS's req.body . This warning can be wavered if the object being accessed was already sanitized and filtered before. Or if ExpressJS does not use the bodyParser middleware for json or urlencoded options. |
child_process.exec( |
Potential OS command injection due to the use of directly calling a command line option with .exec where the first argument is the name of a command, which could potentially be originated from user manipulated input. |
eval( |
Interpreting JavaScript code in real-time on potential user manipulated input could result in malicious JavaScript code executed in the context of the application and complete access to the user's browser. |
setTimeout( , setInterval( |
Both of these functions can result in malicious JavaScript injection similar to how eval( is dangerous to use. |
Author
Liran Tal liran.tal@gmail.com