|
| 1 | +--- |
| 2 | +description: Enforces security best practices for JavaScript and Node.js applications. |
| 3 | +globs: **/*.js, **/*.ts |
| 4 | +alwaysApply: false |
| 5 | +--- |
| 6 | +- As a security-aware developer, generate secure JavaScript code using Node.js that inherently prevents top security weaknesses. |
| 7 | +- Focus on making the implementation inherently safe rather than merely renaming methods with "secure_" prefixes. |
| 8 | +- Use inline comments to clearly highlight critical security controls, implemented measures, and any security assumptions made in the code. |
| 9 | +- Adhere strictly to best practices from OWASP, with particular consideration for the OWASP ASVS guidelines. |
| 10 | +- **Avoid Slopsquatting**: Be careful when referencing or importing packages. Do not guess if a package exists. Comment on any low reputation or uncommon packages you have included. |
| 11 | + |
| 12 | +### CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| 13 | +**Summary:** Cross-site Scripting (XSS) occurs when untrusted data is displayed in a web browser without proper sanitization, allowing attackers to inject malicious client-side scripts. |
| 14 | +**Mitigation Rule:** Always perform context-aware output encoding or sanitization for all user-supplied data before rendering it into HTML, JavaScript, URL parameters, or other client-side contexts. For HTML, consider using a library like `DOMPurify` for sanitization, and for templating engines, ensure automatic escaping is enabled or manually escape data for the specific output context. |
| 15 | + |
| 16 | +### CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| 17 | +**Summary:** SQL Injection allows attackers to manipulate database queries by injecting malicious SQL code into input fields, potentially leading to unauthorized data access or modification. |
| 18 | +**Mitigation Rule:** Always use parameterized queries, prepared statements, or ORMs with built-in query sanitization (e.g., Prisma, Sequelize) when interacting with SQL databases. Never concatenate user-supplied input directly into SQL query strings. |
| 19 | + |
| 20 | +### CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| 21 | +**Summary:** OS Command Injection allows attackers to execute arbitrary operating system commands via an application by manipulating inputs used in system calls. |
| 22 | +**Mitigation Rule:** When executing external commands using Node.js `child_process` module, prefer `child_process.spawn()` with an array of arguments over `child_process.exec()` or `child_process.execSync()`. Never pass unsanitized or untrusted user input directly to command execution functions. If input must be used, validate it rigorously against a whitelist or escape it for the specific shell. |
| 23 | + |
| 24 | +### CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| 25 | +**Summary:** Path Traversal allows attackers to access restricted files or directories by manipulating file paths, often by injecting ".." sequences. |
| 26 | +**Mitigation Rule:** Sanitize all user-supplied file paths by validating them against a whitelist of allowed characters and patterns, and use `path.resolve()` or `path.join()` with a fixed base directory to ensure the final path remains within an intended, restricted location. Never directly concatenate user input into file system access functions (e.g., `fs.readFile`, `fs.writeFile`). |
| 27 | + |
| 28 | +### CWE-502: Deserialization of Untrusted Data |
| 29 | +**Summary:** Deserialization of untrusted data can lead to arbitrary code execution, denial of service, or other vulnerabilities by processing malicious serialized objects. |
| 30 | +**Mitigation Rule:** Avoid deserializing untrusted or user-controlled data directly, especially from formats that allow arbitrary object creation or code execution (e.g., `eval()`, or custom deserialization logic). If deserialization is unavoidable, rigorously validate the structure and content of the deserialized data against an expected schema, and do not use `JSON.parse` with a `reviver` function on untrusted input. |
| 31 | + |
| 32 | +### CWE-400: Uncontrolled Resource Consumption ('Denial of Service') |
| 33 | +**Summary:** Uncontrolled Resource Consumption occurs when an application fails to properly limit the resources (e.g., memory, CPU, network connections) consumed by an attacker, leading to service degradation or unavailability. |
| 34 | +**Mitigation Rule:** Implement appropriate resource limits such as rate limiting for API endpoints (e.g., using `express-rate-limit`), validate and limit the size of all incoming payloads (e.g., request body size, file uploads), impose timeouts on external network requests, and manage concurrent processes to prevent resource exhaustion. |
| 35 | + |
| 36 | +### CWE-798: Use of Hard-coded Credentials / Hardcoded Secrets |
| 37 | +**Summary:** Hard-coded secrets and credentials expose sensitive information directly within the source code, making them easily discoverable and compromising security. |
| 38 | +**Mitigation Rule:** Never hardcode secrets, API keys, database credentials, cryptographic keys, or other sensitive information directly into the source code. Instead, store all secrets securely using environment variables (e.g., managed by `dotenv` for local development), a dedicated secrets management service (e.g., AWS Secrets Manager, HashiCorp Vault), or a secure configuration system. Ensure secrets are not committed to version control. |
| 39 | + |
| 40 | +### Memory Safety Consideration (Node.js/JavaScript) |
| 41 | +**Mitigation Rule:** JavaScript and Node.js are memory-managed languages with garbage collection. As such, direct memory safety vulnerabilities (e.g., buffer overflows, use-after-free) are largely mitigated by the runtime. Focus security efforts on logical vulnerabilities, input validation, and secure API usage rather than low-level memory management. |
0 commit comments