Linting For Bugs & Vulnerabilities
So, what is Linting:
Now if you come from a web developer background, you may already be familiar with it. If you don't: linting is static analysis that scans source code for patterns known to indicate bugs or bad practice, and with the right rule set it can help you find DOM-based issues such as XSS and arbitrary redirects.
So first we need to set up a few things. You need to install npm, ESLint and a number of other libraries and security plugins.
Since I'm on OSX I'll be using brew, but if you have another operating system, check out the npm download page (https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) for instructions.
brew install npm
npm i -g eslint eslint-plugin-standard eslint-plugin-import eslint-plugin-node eslint-plugin-promise eslint-config-standard eslint-config-semistandard eslint-plugin-scanjs-rules eslint-plugin-no-unsanitized eslint-plugin-prototype-pollution-security-rules eslint-plugin-angularjs-security-rules eslint-plugin-react eslint-plugin-security eslint-plugin-no-wildcard-postmessage
Next, download my custom config files, which control which issues ESLint will report on:
git clone https://github.com/Greenwolf/eslint-security-scanner-configs
Use ctrl-a to select every script, then click Export scripts in the top right. This brings up an export window where we can rename our file and remove duplicates.
So, let's make our lives a little easier. All these huge blocks of minified code are public libraries, which have already been audited and reviewed many times. So, let's just get rid of them.
Press enter repeatedly to accept the default for every prompt, and it will create a file called package.json.
Next we run ESLint using the custom configuration files you downloaded earlier. There are two versions: a light scan and a heavy scan. The heavy one flags more issues but produces more false positives. I always start with the light scan.
Nice, we have some results. We start looking through the file and see that the first few are false positives. But then:
A DOM XSS flagged because of an unsafe assignment to innerHTML on lines 170 and 174:
Followed by a DOM arbitrary redirect flagged because assignments to location can be unsafe, on line 185:
Now both of these are quite impractical attacks, as they depend on cookie values and wouldn't even get you a bug bounty payment (P5 😭). However, I just wanted to demonstrate, on real-world code rather than an intentionally vulnerable project, some of the issues that static analysis can help you find, even if these were quite trivial.
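To make the two findings concrete, here is an added example (not code from the post or from the scanned site) showing the cookie-to-innerHTML and cookie-to-location patterns the light scan flags, each beside a hardened form. The cookie name, the element, the `navigate` callback standing in for `location.assign`, and the `https://app.invalid` base origin are all assumptions; the helpers are DOM-free so they can be exercised outside a browser.

```javascript
// Minimal parser for a document.cookie-style "a=b; c=d" string (constructed helper).
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { jar[name] = decodeURIComponent(raw); } catch { jar[name] = raw; }
  }
  return jar;
}

// BEFORE (what eslint-plugin-no-unsanitized flags): markup in the cookie is parsed as HTML.
function renderGreetingUnsafe(el, jar) {
  el.innerHTML = 'Welcome back, ' + jar.username;
}

// AFTER: textContent never interprets markup, so there is no escaping step to forget.
function renderGreeting(el, jar) {
  el.textContent = 'Welcome back, ' + (jar.username || 'guest');
}

// Allow only same-origin paths as a destination. Anything with a scheme, a host,
// a protocol-relative "//" or a leading backslash falls back to "/".
function safeRedirectPath(candidate, fallback = '/') {
  if (typeof candidate !== 'string' || !/^\/(?![/\\])/.test(candidate)) return fallback;
  try {
    const u = new URL(candidate, 'https://app.invalid'); // placeholder base origin
    return u.origin === 'https://app.invalid' ? u.pathname + u.search + u.hash : fallback;
  } catch {
    return fallback;
  }
}

// BEFORE (what the location-assignment rule in eslint-plugin-scanjs-rules flags):
// the browser is sent wherever the cookie says.
function redirectAfterLoginUnsafe(jar, navigate) {
  navigate(jar.returnTo);
}

// AFTER: the target is validated before navigation; `navigate` wraps location.assign.
function redirectAfterLogin(jar, navigate) {
  navigate(safeRedirectPath(jar.returnTo));
}
```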
I hope you enjoyed this getting-started-with-security-linting blog post, and that it encourages you to try some new tools and techniques. If you have any questions or comments, please feel free to leave a response below!