JavaScript analyzer detects Express's bad security configuration practices and XXE vulnerabilities

Hello JavaScript developers,

We have not talked about new JavaScript rules for a while, so it’s time to fix that. Today we are proud to announce that 8 new rules detecting Express’s bad security configuration practices and XXE vulnerabilities have been released. This is the result of a first iteration, and more rules are in the pipeline to help you write secure JavaScript code.

Here is the full list of the new rules:

  • S2755: XML parsers should not be vulnerable to XXE attacks
  • S2598: File uploads should be restricted
  • S4502: Disabling CSRF protections is security-sensitive
  • S5689: Recovering fingerprints from web application technologies should not be possible
  • S5122: Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
  • S4507: Delivering code in production with debug features activated is security-sensitive
  • S5691: Statically serving hidden files is security-sensitive
  • S5693: Allowing requests with excessive content length is security-sensitive

These rules are already available on SonarCloud, and will be included in SonarQube 8.5.
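To make the Express-related rules in the list above concrete, here is an added example (not SonarSource's analyzer code, and not how the rules are actually implemented): a small self-contained checker that audits a plain object summarising an Express app's settings and reports findings keyed by the rule IDs listed above. The config shape, the mapping from setting to rule, and the 8 MiB body-size ceiling are assumptions made for this illustration, and the two configurations are constructed.

```javascript
// Added example (not SonarSource code): audit a summary of an Express configuration
// and report findings keyed by the rule IDs announced above. The config shape, the
// setting-to-rule mapping and the thresholds are assumptions for this illustration.

// Parse body-parser style size strings ("100kb", "1mb", "2gb") to bytes.
// Bare numbers are taken as bytes. Assumption: binary multiples, as body-parser uses.
function parseSize(value) {
  if (typeof value === 'number') return value;
  const match = /^(\d+(?:\.\d+)?)\s*(b|kb|mb|gb)?$/i.exec(String(value).trim());
  if (!match) throw new Error(`unrecognised size: ${value}`);
  const units = { b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3 };
  return Math.round(parseFloat(match[1]) * units[(match[2] || 'b').toLowerCase()]);
}

// Assumed ceiling for request bodies; anything above it is reported.
const MAX_BODY_BYTES = 8 * 1024 * 1024; // 8 MiB

// Audit a plain object describing how an Express app is configured.
// Returns findings as { rule, message } so callers can inspect or assert on them.
function auditExpressConfig(cfg) {
  const findings = [];
  const flag = (rule, message) => findings.push({ rule, message });

  // S5122: a wildcard origin, or reflecting any origin, is a permissive CORS policy.
  const origin = cfg.cors && cfg.cors.origin;
  if (origin === '*' || origin === true) {
    flag('S5122', 'CORS allows any origin');
  }

  // S5693: body parsers with no limit, or a very large limit, accept oversized requests.
  if (cfg.bodyLimit === undefined) {
    flag('S5693', 'no body size limit configured');
  } else if (parseSize(cfg.bodyLimit) > MAX_BODY_BYTES) {
    flag('S5693', `body size limit ${cfg.bodyLimit} exceeds ${MAX_BODY_BYTES} bytes`);
  }

  // S5691: express.static({ dotfiles: 'allow' }) serves hidden files such as .env.
  if (cfg.staticDotfiles === 'allow') {
    flag('S5691', 'static middleware serves dotfiles');
  }

  // S5689: the X-Powered-By header reveals the framework in use.
  if (cfg.xPoweredBy !== false) {
    flag('S5689', 'X-Powered-By header is not disabled');
  }

  // S4507: debug features left enabled in a production build.
  if (cfg.production && cfg.debug) {
    flag('S4507', 'debug features enabled in production');
  }

  return findings;
}

// Constructed "before" configuration: every check above fires.
const weakConfig = {
  production: true,
  debug: true,
  cors: { origin: '*' },
  bodyLimit: '100mb',
  staticDotfiles: 'allow',
  xPoweredBy: true,
};

// Constructed hardened configuration: the same app with each setting tightened.
const hardenedConfig = {
  production: true,
  debug: false,
  cors: { origin: ['https://app.example'] },
  bodyLimit: '100kb',
  staticDotfiles: 'ignore',
  xPoweredBy: false,
};

console.log('weak:', auditExpressConfig(weakConfig).map((f) => f.rule));
console.log('hardened:', auditExpressConfig(hardenedConfig));
```

Running the block prints five rule IDs for the weak configuration and an empty list for the hardened one; the point is that each of these rules corresponds to a single Express setting that is cheap to tighten before the analyzer has to flag it.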

Node.js 8 environment is deprecated
As @Martin_Bednorz already mentioned, it will soon be required to rely on Node.js 10+ to scan your JavaScript or TypeScript code.

Alex
