JavaScript and TypeScript analyzers help to detect non-encrypted communications, zip bomb attacks and other security-sensitive code

Hello JavaScript and TypeScript developers,

The JS and TS analyzers were upgraded to detect 6 additional Security Hotspots. With these rules, SonarCloud will guide you to review your code looking for:

  • the use of clear-text protocols such as ftp, telnet or non-secure http, which do not encrypt the transported data
  • code expanding untrusted archive files without controlling the size of the expanded data (potential zip bomb attacks)
  • insufficiently restricted file permissions, leading to unintended access to files

Here is the list of Security Hotspots added:

  • S5332: Using clear-text protocols is security-sensitive
  • S1313: Using hardcoded IP addresses is security-sensitive
  • S5042: Expanding archive files without controlling resource consumption is security-sensitive
  • S5443: Using publicly writable directories is security-sensitive
  • S2612: Setting loose POSIX file permissions is security-sensitive
  • S5876: A new session should be created during user authentication

These rules are available now for both JavaScript and TypeScript on SonarCloud, and will be included in SonarQube 8.7.

Alex

4 Likes