From 6d7d5034587a808ec35e5e269eca7f6dffa32c03 Mon Sep 17 00:00:00 2001
From: Claudio
Date: Tue, 26 Nov 2024 14:11:33 +0100
Subject: [PATCH 1/3] Improve FPs in react-insecure-request
---
 .../security/react-insecure-request.yaml | 70 +++++++++----------
 1 file changed, 35 insertions(+), 35 deletions(-)
diff --git a/typescript/react/security/react-insecure-request.yaml b/typescript/react/security/react-insecure-request.yaml
index 7933cd1625..dc6356a1d8 100644
--- a/typescript/react/security/react-insecure-request.yaml
+++ b/typescript/react/security/react-insecure-request.yaml
@@ -23,39 +23,39 @@ rules:
 - typescript
 - javascript
 severity: ERROR
- pattern-either:
- - patterns:
+ patterns:
 - pattern-either:
- - pattern-inside: |
- import $AXIOS from 'axios';
- ...
- $AXIOS.$METHOD(...)
- - pattern-inside: |
- $AXIOS = require('axios');
- ...
- $AXIOS.$METHOD(...)
- - pattern-either:
- - pattern: $AXIOS.get("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...)
- - pattern: $AXIOS.post("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...)
- - pattern: $AXIOS.delete("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...)
- - pattern: $AXIOS.head("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...)
- - pattern: $AXIOS.patch("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...)
- - pattern: $AXIOS.put("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...)
- - pattern: $AXIOS.options("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...)
- - patterns:
- - pattern-either:
- - pattern-inside: |
- import $AXIOS from 'axios';
- ...
- $AXIOS(...)
- - pattern-inside: |
- $AXIOS = require('axios');
- ...
- $AXIOS(...)
- - pattern-either:
- - pattern: '$AXIOS({url: "=~/[Hh][Tt][Tt][Pp]:\/\/.*/"}, ...)'
- - pattern: |
- $OPTS = {url: "=~/[Hh][Tt][Tt][Pp]:\/\/.*/"}
- ...
- $AXIOS($OPTS, ...)
- - pattern: fetch("=~/[Hh][Tt][Tt][Pp]:\/\/.*/", ...)
+ - patterns:
+ - pattern-either:
+ - pattern-inside: |
+ import $AXIOS from 'axios';
+ ...
+ $AXIOS.$METHOD(...)
+ - pattern-inside: |
+ $AXIOS = require('axios');
+ ...
+ $AXIOS.$METHOD(...)
+ - pattern: $AXIOS.$VERB("$URL",...)
+ - metavariable-regex:
+ metavariable: $VERB
+ regex: ^(get|post|delete|head|patch|put|options)
+ - patterns:
+ - pattern-either:
+ - pattern-inside: |
+ import $AXIOS from 'axios';
+ ...
+ $AXIOS(...)
+ - pattern-inside: |
+ $AXIOS = require('axios');
+ ...
+ $AXIOS(...)
+ - pattern-either:
+ - pattern: '$AXIOS({url: "$URL"}, ...)'
+ - pattern: |
+ $OPTS = {url: "$URL"}
+ ...
+ $AXIOS($OPTS, ...)
+ - pattern: fetch("$URL", ...)
+ - metavariable-regex:
+ metavariable: $URL
+ regex: ^([Hh][Tt][Tt][Pp]:\/\/(?!localhost).*)
From 5cbdf6a3ac230bd7ae7cc68988bd5fcd12b31e11 Mon Sep 17 00:00:00 2001
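Review bot: The `(?!localhost)` lookahead in the new `$URL` regex on the last added line excludes any host that merely starts with `localhost`, so a plaintext request to `http://localhost.example.com` or `http://localhostapi` is silently treated as safe, while the equivalent loopback spellings `http://127.0.0.1` and `http://[::1]` still fire; the exclusion should stop at the authority boundary and cover those, e.g. `regex: ^[Hh][Tt][Tt][Pp]:\/\/(?!(?:localhost|127\.0\.0\.1|\[::1\])(?::\d+)?(?:[\/?#]|$)).*`. The `$VERB` regex `^(get|post|delete|head|patch|put|options)` has no end anchor, so unless semgrep anchors it implicitly, `axios.getUri("http://…")` also matches; adding `$` (and listing `postForm|putForm|patchForm` explicitly if those request helpers should be caught) keeps the intent precise. A comment above the `$URL` regex such as `# loopback targets are skipped as a false-positive source; plaintext HTTP to any other host is reported` would tell the next reader why the exclusion exists. The rule's `id`, `message` and `languages` keys start above the hunk.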
From: Claudio
Date: Tue, 26 Nov 2024 14:12:36 +0100
Subject: [PATCH 2/3] Update react-insecure-request.tsx
---
 typescript/react/security/react-insecure-request.tsx | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/typescript/react/security/react-insecure-request.tsx b/typescript/react/security/react-insecure-request.tsx
index b36619c4c5..a8c33d43f2 100644
--- a/typescript/react/security/react-insecure-request.tsx
+++ b/typescript/react/security/react-insecure-request.tsx
@@ -34,3 +34,6 @@ const options = {
 url: 'https://www.example.com',
 };
 axios(options);
+
+ // ok: react-insecure-request
+ axios.get('http://localhost/foo');
From 81be9da13aa6b79e14ded33a876917f63f0fa934 Mon Sep 17 00:00:00 2001
From: Claudio
Date: Tue, 26 Nov 2024 14:12:58 +0100
Subject: [PATCH 3/3] Update react-insecure-request.jsx
---
 typescript/react/security/react-insecure-request.jsx | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/typescript/react/security/react-insecure-request.jsx b/typescript/react/security/react-insecure-request.jsx
index b36619c4c5..a8c33d43f2 100644
--- a/typescript/react/security/react-insecure-request.jsx
+++ b/typescript/react/security/react-insecure-request.jsx
@@ -34,3 +34,6 @@ const options = {
 url: 'https://www.example.com',
 };
 axios(options);
+
+ // ok: react-insecure-request
+ axios.get('http://localhost/foo');
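Review bot: The only new fixture, `axios.get('http://localhost/foo')`, exercises the happy path of the rule's new loopback exclusion but none of its edges: there is no case for a host that merely begins with `localhost` (e.g. `http://localhost.example.com`, which should still be reported) and nothing pins whether `http://127.0.0.1` is meant to be reported or skipped, so a regression in that exclusion would pass the test file unnoticed. Adding `// ruleid: react-insecure-request` followed by `axios.get('http://localhost.example.com/foo');`, plus an explicit `ruleid` or `ok` case for `http://127.0.0.1/foo`, next to the new `ok` case would document the intended boundary. The `options` object the hunk's context closes is declared above the hunk.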