Fix nodejs rule c/with-primary-identifiers/gl-sast-report.json
This was an issue filed by a user with Customer Support. Other users have also noted this issue in gitlab-org/security-products/demos/custom-rulesets-for-semgrep#2
The nodejs_scan.javascript-xml-rule-node_xpath_injection rule, added in commit gitlab-org/security-products/analyzers/semgrep@32754ca3 to c/with-primary-identifiers/gl-sast-report.json, generates false positives for code that calls JSON.parse(). As pointed out by @aine-rb and @mmerrel3, any anything.parse(req.whatever) call matches, although the rule is meant to report XML xpath.parse() calls.
We should update this rule so that it only matches the relevant xpath.parse calls.
See @mmerrel3's comment for the relevant code:
gitlab-org/security-products/demos/custom-rulesets-for-semgrep#2 (comment 1899806742)
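To make the narrowing concrete, here is a hypothetical pair of Semgrep rules (an added example, not the shipped nodejs_scan rule and not GitLab's code). The first mimics the over-broad shape described above, which is why a plain JSON.parse() call is reported as XPath injection; the second only matches a parse() whose receiver was bound from the xpath module and skips constant string expressions. The rule ids, messages and the exact pattern of the real rule are assumptions.

```yaml
rules:
  # Over-broad shape (assumed, for illustration): any receiver, any argument.
  # This matches JSON.parse(one['hi']) just as readily as xpath.parse(expr).
  - id: example-xpath-injection-too-broad
    languages: [javascript]
    severity: ERROR
    message: XPath expression built from untrusted input (over-broad example)
    pattern: $ANY.parse($INPUT)

  # Narrowed version: the receiver must be the object that was bound from the
  # `xpath` module earlier in the same scope, and constant string expressions
  # are not reported.
  - id: example-xpath-injection-narrowed
    languages: [javascript]
    severity: ERROR
    message: XPath expression built from untrusted input is passed to xpath.parse()
    patterns:
      - pattern-either:
          - pattern-inside: |
              $XPATH = require('xpath')
              ...
          - pattern-inside: |
              import * as $XPATH from 'xpath'
              ...
      - pattern: $XPATH.parse($INPUT)
      # A literal XPath expression has no untrusted part to inject into.
      - pattern-not: $XPATH.parse("...")
```

With the narrowed rule, the reproduction snippet below is no longer reported, because `JSON` never binds to `$XPATH` (there is no `require('xpath')` or `import ... from 'xpath'` in scope), while `const xpath = require('xpath'); xpath.parse(req.query.expr)` still is. Code that obtains the module some other way (for example via an import alias or a wrapper) would need an additional `pattern-inside` clause.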
Reproduction
@tmike and I were able to reproduce the issue with the following code:
// Minimal reproduction: JSON.parse on a request-like value is flagged as XPath injection.
export const Blah = (one, two) => {
  let heyyy
  if (one['hi']) {
    heyyy = JSON.parse(one['hi'])
  }
}
and executing the command:
docker run \
  --interactive --tty --rm \
  --volume "$PWD":/tmp/app \
  --env CI_PROJECT_DIR=/tmp/app \
  --env SECURE_LOG_LEVEL=debug \
  -w /tmp/app \
  registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:latest /analyzer run
The issue can also be reproduced from a shell inside the container by running the semgrep command directly:
/usr/local/bin/semgrep -f /rules -o /tmp/app/semgrep.sarif --sarif --no-rewrite-rule-ids --strict --disable-version-check --no-git-ignore --metrics on --verbos
The issue is not reproduced when running the GitLab analyser with v4.13.5 instead of latest.