惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Security Affairs
N
News and Events Feed by Topic
T
Tenable Blog
P
Proofpoint News Feed
W
WeLiveSecurity
Simon Willison's Weblog
Simon Willison's Weblog
Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
Help Net Security
Help Net Security
I
Intezer
T
Threat Research - Cisco Blogs
S
Secure Thoughts
C
Cyber Attacks, Cyber Crime and Cyber Security
L
Lohrmann on Cybersecurity
AWS News Blog
AWS News Blog
Google Online Security Blog
Google Online Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
Project Zero
Project Zero
The Hacker News
The Hacker News
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Tor Project blog
N
News | PayPal Newsroom
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Hacker News - Newest:
Hacker News - Newest: "LLM"
A
Arctic Wolf
Forbes - Security
Forbes - Security
O
OpenAI News
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Security Latest
Security Latest
P
Palo Alto Networks Blog
S
Schneier on Security
S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
H
Heimdal Security Blog
V
Vulnerabilities – Threatpost
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园_首页
T
Troy Hunt's Blog
Latest news
Latest news
Recent Announcements
Recent Announcements
MyScale Blog
MyScale Blog
人人都是产品经理
人人都是产品经理
L
LINUX DO - 热门话题
M
MIT News - Artificial intelligence
N
Netflix TechBlog - Medium
V
Visual Studio Blog
H
Hacker News: Front Page

NodeJS Security & NodeJS Secure Coding's Blog

Hardening Your npm and pnpm Configs in the Age of Shai-Hulud Argument Injection vulnerability in git-blame@1.4.0 Argument Injection vulnerability in `gits@0.1.8` Command Injection vulnerability in `@fab1o/git@1.4.0` Command Injection vulnerability in `git-contributors` via unsanitized CLI arguments Command Injection vulnerability in `git-q@0.0.3` Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone Command Injection vulnerability in `willitmerge@0.2.1` A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server Mastering NPX: A Cheatsheet for npm and Node.js Power Users Mitigate Supply Chain Security with DevContainers and 1Password for Node.js Local Development The Tale of the Vulnerable MCP Database Server Bad Security Defaults in Mastra AI Frameworks Templates SQL Injection and Bypassing "Read-Only" Mode in Xata's MCP Server Security Advisory for qix npm supply-chain compromise affecting debug and billions of weekly download users How to Mitigate SQL Bypass in MCP Servers Enhancing MCP Server Security: A Guide to Using execFile Argument Injection Vulnerability in ggit How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection Command Injection Flaws in ggit: Unveiling a Vulnerability Command Injection Vulnerability in Create MCP Server STDIO Tool Exposes System Monitoring Functions GitHub Kanban MCP Server Command Injection Vulnerability Threatens Developer Workflows Critical Command Injection Flaw in iOS Simulator MCP Server Exposes Development Environments Command Injection Vulnerability Discovered in Codehooks MCP Server: A Critical Security Analysis SSRF Shenanigans in safe-axios: Redirects Open the Backdoor SSRF Vulnerability in safe-axios: Unintended Public Address Classification Bypassing SSRF Safeguards in ssrfcheck: A Case of Incomplete Denylists Don't Be Fooled by Multicast, SSRF Bypass in private-ip Node.js Authentication from Lucia to Better Auth Bypassing SSRF Protection in nossrf: When Your Safeguards Become Loopholes Vue CLI Security Fix to Mitigate NPM Binary Planting Node.js API Security Vulnerabilities with Path Traversal in files-bucket-server Will You Accept These GPT 4o Secure Coding Recommendations? Command Injection Vulnerability in interactive-git-checkout npm package An Introduction to SSRF Bypasses and Denylist Failures Disclosing a Command Injection Vulnerability in `git-checkout-tool` Prisma Raw Query Leads to SQL Injection? Yes and No Flawed Git Promises Library on npm Leads to Command Injection Vulnerability Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App How I found an XSS in the Nuxt MDC Library for Markdown Content Holes in the Safety Net: Bypassing SSRF Protection in safe-axios How to Parse URLs from Markdown to HTML Securely? NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages Where to find npm vulnerabilities? How to Hunt for IDOR Vulnerabilities To Exploit Security Misconfiguration? How to Avoid JWT Security Mistakes in Node.js Can a Node.js Secure Code Review Find Future Vulnerabilities? The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design NodeJS Path Traversal Vulnerability Scanner Do not use secrets in environment variables and here's how to do it better How to use npm audit How to use yarn audit Raw SQL Queries are Actually Better for Security Than ORMs? Node API Security Is Node.js Secure? URL Regex Validation: what can go wrong? Uncovering a Prototype Pollution Regression in the core Node.js project Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150 Security skills for JavaScript developers Understanding and Preventing Prototype Pollution in Node.js How to protect against a security breach in React Server Components IDOR Vulnerability: What is it and how to prevent it? The security vulnerability of serving images via a route as opposed to static middleware in Node.js Why is it considered a bad practice to write raw SQL commands? JS Security Concepts for JavaScript Developers Secure Coding Practices in Node.js Against Path Traversal Vulnerabilities Secure JavaScript Coding Practices Against Command Injection Vulnerabilities To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained npm vulnerabilities: reviewing the security of your dependencies Disclosing code injection vulnerabilities in safe-eval-2 npm package Introducing Node.js Security Permissions Model, Threat Model, and Security Releases Common Node.js Security Issues and How to Mitigate Them How JavaScript developers should embrace npm security The XZ backdoor CVE-2024-3094: a JavaScript perspective Node.js Security Best Practices The Case for Node.js Secure Configuration Protecting Against Common Node.js Vulnerabilities Input Validation Security Best Practices for Node.js A Node.js Vulnerability Scanner to Avoid Security Risks of EOL Runtime Versions JavaScript Security Issues in Node.js Applications OWASP Node.js Authentication, Authorization and Cryptography Practices OWASP Node.js Best Practices Guide Secure JavaScript Coding to Avoid Insecure Direct Object References (IDOR) North Korea malware on npm and Ledger connect-kit crypto heist Node.js and OWASP Top Ten Command Injection: Don't Let Your App Go 'BOOM' Secure Code Review Tips to Defend Against Vulnerable Node.js Code Destroyed by Dashes: How Two Hyphens Cause Argument Injection Vulnerability in blamer npm Package Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript
10 Best Practices for Secure Code Review of Node.js code
2023-12-20 · via NodeJS Security & NodeJS Secure Coding's Blog

In a prior article we learned why secure code review is important to Node.js. In this article we want to explore paramount code review skills that is paramount to Node.js and JavaScript developers in ensuring code quality and security.

Let’s get started with my recommendations for secure code review practices that are ideal and will help enhance your code review process to foster a culture of secure coding.

1. Node.js API Documentation

Consult the official Node.js API documentation regularly. Familiarity with the documentation ensures you’re using Node.js APIs correctly and securely. Leverage the documentation’s code examples to understand how to implement features securely.

One example where this is paramount is when you work with cryptographic operations. The Node.js crypto module provides cryptographic functionality that includes a set of wrappers for OpenSSL’s hash, HMAC, cipher, decipher, sign, and verify functions.

Reading the Node.js API carefully to understand how to leverage the crypto module to implement cryptographic operations securely is key to avoid security issues.

2. Utilize Secure APIs

Always opt for secure versions of Node.js APIs when available. For instance, prefer the crypto module for cryptographic operations rather than attempting custom implementations.

One example where this is paramount is the Node.js exec function which is used to execute commands in a shell and buffer the output. The exec function is a common source of command injection vulnerabilities in Node.js applications.

3. Dependency Scanning

Integrate dependency scanning tools like Snyk or the Snyk Advisor into your code review process where it is relevant to review newly added or updated dependencies.

Regularly check for known vulnerabilities in your project’s dependencies and address them promptly.

4. Code Security Linting

Enforce code linting rules specific to Node.js and JavaScript using tools like ESLint. Customize ESLint rules to include security-focused guidelines, ensuring your codebase adheres to best practices.

If you choose ESLint, then you have the eslint-plugin-security plugin which provides ESLint rules for Node.js security.

However, ESLint and the eslint-plugin-security is very rigid and doesn’t provide much flexibility. You may end up with a lot of false positives and it’s not very easy to customize the rules.

I’m biased but I’d recommend you take a look at Snyk Code which provides you with secure code linting in real-time on your VS Code IDE. It’s free too.

Snyk Code in VS Code

5. Data Validation and Sanitization

Emphasize the importance of input validation and data sanitization in code reviews. Ensure that user inputs are properly validated and sanitized to prevent common vulnerabilities like SQL injection or command injection. Encourage the use of established libraries for input validation and sanitization, such as the validator library for JavaScript.

6. Staying up to date with Node.js releases

Stay updated with the Node.js release notes to identify security enhancements and new features.

7. Error Handling

Review error handling practices to prevent information leakage. Avoid exposing detailed error messages to users. Encourage the use of custom error handling middleware to centralize error management and enhance security.

Another important tip here is to take notice you don’t leak data from process.env as that is a very common source of information leakage.

8. Secure Package Management

Educate developers about secure package management practices. Ensure they only install trusted packages from reliable sources.

Implement lockfile linters such as lockfile-lint to ensure that dependencies specified in the lockfile adhere to pre-defined security policies and mitigate a vector of attack where malicious actors can tamper with the lockfile.

9. Threat Modeling

Introduce threat modeling during code review discussions. Encourage developers to identify potential security threats and vulnerabilities in their code.

Consider using threat modeling tools or frameworks tailored for Node.js security assessments.

10. Continuous Education

Emphasize continuous education within your development team. Encourage developers to stay updated on security best practices through training, workshops, and online resources.

Promote participation in Node.js and JavaScript security communities to learn from peers and experts.

Two resources I’d recommend you check out are:

  1. The Snyk Learn educational platform which is open and free for everyone to learn about security.
  2. My book Node.js Secure Coding: Defending Against Command Injection Vulnerabilities which is a practical guide to understanding, identifying, and mitigating command injection vulnerabilities in Node.js applications.

What’s next? Skill up with Node.js Secure Coding

We covered a blend of intricacies relating to conducting effective code reviews in the world of Node.js and JavaScript development. By integrating these Node.js and JavaScript-specific best practices into your secure code review process, you’ll empower your team to develop secure and resilient applications.

As a next step, I invite you to explore: Node.js Secure Coding: Defending Against Command Injection Vulnerabilities 🌟

This Node.js security book is a comprehensive resource designed to deepen your understanding of command injection vulnerabilities and equip you with the skills needed to defend against them effectively. Dive into real-world vulnerable npm package code examples, practical self-assessment Node.js security questions, and expert insights to bolster your Node.js security expertise.

Visit https://www.nodejs-security.com to learn more and take your Node.js development to a new level of security. Secure coding isn’t just a goal; it’s a journey, and I’m here to guide you every step of the way.