@ivangrynenko/javascript-vulnerable-outdated-components
Javascript Vulnerable Outdated Components cursor rules
prpm install @ivangrynenko/javascript-vulnerable-outdated-components0 total downloads
📄 Full Prompt Content
---
description: Detect and prevent the use of vulnerable and outdated components in JavaScript applications as defined in OWASP Top 10:2021-A06
globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !**/build/**, !**/coverage/**
---
# JavaScript Vulnerable and Outdated Components (OWASP A06:2021)
<rule>
name: javascript_vulnerable_outdated_components
description: Detect and prevent the use of vulnerable and outdated components in JavaScript applications as defined in OWASP Top 10:2021-A06
actions:
- type: enforce
conditions:
# Pattern 1: Outdated Package Versions in package.json
- pattern: "\"(dependencies|devDependencies)\"\\s*:\\s*\\{[^}]*?\"([^\"]+)\"\\s*:\\s*\"\\^?([0-9]+\\.[0-9]+\\.[0-9]+)\""
location: "package\\.json$"
message: "Check for outdated dependencies in package.json. Regularly update dependencies to avoid known vulnerabilities."
# Pattern 2: Direct CDN Links Without Integrity Hashes
- pattern: "<script\\s+src=['\"]https?://(?:cdn|unpkg|jsdelivr)[^'\"]*['\"][^>]*(?!integrity=)"
location: "\\.(html|js|jsx|ts|tsx)$"
message: "CDN resources without integrity hashes. Add integrity and crossorigin attributes to script tags loading external resources."
# Pattern 3: Hardcoded Library Versions in HTML
- pattern: "<script\\s+src=['\"][^'\"]*(?:jquery|bootstrap|react|vue|angular|lodash|moment)[@-][0-9]+\\.[0-9]+\\.[0-9]+[^'\"]*['\"]"
location: "\\.html$"
message: "Hardcoded library versions in HTML. Consider using a package manager to manage dependencies."
# Pattern 4: Deprecated Node.js APIs
- pattern: "(?:new Buffer\\(|require\\(['\"]crypto['\"]\\)\\.createCipher\\(|require\\(['\"]crypto['\"]\\)\\.randomBytes\\([^,)]+\\)|require\\(['\"]fs['\"]\\)\\.exists\\()"
message: "Using deprecated Node.js APIs. Replace with modern alternatives to avoid security and maintenance issues."
# Pattern 5: Deprecated Browser APIs
- pattern: "document\\.write\\(|document\\.execCommand\\(|escape\\(|unescape\\(|showModalDialog\\(|localStorage\\.clear\\(\\)|sessionStorage\\.clear\\(\\)"
location: "(?:src|components|pages)"
message: "Using deprecated browser APIs. Replace with modern alternatives to avoid compatibility and security issues."
# Pattern 6: Insecure Dependency Loading
- pattern: "require\\([^)]*?\\+\\s*[^)]+\\)|import\\([^)]*?\\+\\s*[^)]+\\)"
message: "Dynamic dependency loading with variable concatenation. This can lead to dependency confusion attacks."
# Pattern 7: Vulnerable Regular Expression Patterns (ReDoS)
- pattern: "new RegExp\\([^)]*?(?:\\(.*\\)\\*|\\*\\+|\\+\\*|\\{\\d+,\\})"
message: "Potentially vulnerable regular expression pattern that could lead to ReDoS attacks. Review and optimize the regex pattern."
# Pattern 8: Insecure Package Installation
- pattern: "npm\\s+install\\s+(?:--no-save|--no-audit|--no-fund|--force)"
location: "(?:scripts|Dockerfile|docker-compose\\.yml|\\.github/workflows)"
message: "Insecure package installation flags. Avoid using --no-audit, --no-save, or --force flags when installing packages."
# Pattern 9: Missing Lock Files
- pattern: "package\\.json"
location: "package\\.json$"
negative_pattern: "package-lock\\.json|yarn\\.lock|pnpm-lock\\.yaml"
message: "Missing lock file. Use package-lock.json, yarn.lock, or pnpm-lock.yaml to ensure dependency consistency."
# Pattern 10: Insecure Webpack Configuration
- pattern: "webpack\\.config\\.js"
location: "webpack\\.config\\.js$"
negative_pattern: "(?:noEmitOnErrors|optimization\\.minimize)"
message: "Potentially insecure webpack configuration. Consider enabling noEmitOnErrors and optimization.minimize."
# Pattern 11: Outdated TypeScript Configuration
- pattern: "\"compilerOptions\"\\s*:\\s*\\{[^}]*?\"target\"\\s*:\\s*\"ES5\""
location: "tsconfig\\.json$"
message: "Outdated TypeScript target. Consider using a more modern target like ES2020 for better security features."
# Pattern 12: Insecure Package Sources
- pattern: "registry\\s*=\\s*(?!https://registry\\.npmjs\\.org)"
location: "\\.npmrc$"
message: "Using a non-standard npm registry. Ensure you trust the source of your packages."
# Pattern 13: Missing npm audit in CI/CD
- pattern: "(?:ci|test|build)\\s*:\\s*\"[^\"]*?\""
location: "package\\.json$"
negative_pattern: "npm\\s+audit"
message: "Missing npm audit in CI/CD scripts. Add 'npm audit' to your CI/CD pipeline to detect vulnerabilities."
# Pattern 14: Insecure Import Maps
- pattern: "<script\\s+type=['\"]importmap['\"][^>]*>[^<]*?\"imports\"\\s*:\\s*\\{[^}]*?\"[^\"]+\"\\s*:\\s*\"https?://[^\"]+\""
negative_pattern: "integrity="
message: "Insecure import maps without integrity checks. Add integrity hashes to import map entries."
# Pattern 15: Outdated Polyfills
- pattern: "(?:core-js|@babel/polyfill|es6-promise|whatwg-fetch)"
message: "Using potentially outdated polyfills. Consider using modern alternatives or feature detection."
- type: suggest
message: |
**JavaScript Vulnerable and Outdated Components Best Practices:**
1. **Dependency Management:**
- Regularly update dependencies to their latest secure versions
- Use tools like npm audit, Snyk, or Dependabot to detect vulnerabilities
- Example:
```javascript
// Add these scripts to package.json
{
"scripts": {
"audit": "npm audit",
"audit:fix": "npm audit fix",
"outdated": "npm outdated",
"update": "npm update",
"prestart": "npm audit --production"
}
}
```
2. **Lock Files:**
- Always use lock files (package-lock.json, yarn.lock, or pnpm-lock.yaml)
- Commit lock files to version control
- Example:
```bash
# Generate a lock file if it doesn't exist
npm install
# Or for Yarn
yarn
# Or for pnpm
pnpm install
```
3. **Subresource Integrity:**
- Use integrity hashes when loading resources from CDNs
- Example:
```html
<script
src="https://cdn.jsdelivr.net/npm/react@18.2.0/umd/react.production.min.js"
integrity="sha384-tMH8h3BGESGckSAVGZ82T9n90ztNepwCjSPJ0A7g2vdY8M0oKtDaDGg0G53cysJA"
crossorigin="anonymous">
</script>
```
4. **Automated Security Scanning:**
- Integrate security scanning into your CI/CD pipeline
- Example GitHub Actions workflow:
```yaml
name: Security Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * 0' # Run weekly
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run security audit
run: npm audit --audit-level=high
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```
5. **Dependency Pinning:**
- Pin dependencies to specific versions to prevent unexpected updates
- Example:
```json
{
"dependencies": {
"express": "4.18.2",
"react": "18.2.0",
"lodash": "4.17.21"
}
}
```
6. **Deprecated API Replacement:**
- Replace deprecated Node.js APIs with modern alternatives
- Example:
```javascript
// INSECURE: Using deprecated Buffer constructor
const buffer = new Buffer(data);
// SECURE: Using Buffer.from()
const buffer = Buffer.from(data);
// INSECURE: Using deprecated crypto methods
const crypto = require('crypto');
const cipher = crypto.createCipher('aes-256-cbc', key);
// SECURE: Using modern crypto methods
const crypto = require('crypto');
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
```
7. **Browser API Modernization:**
- Replace deprecated browser APIs with modern alternatives
- Example:
```javascript
// INSECURE: Using document.write
document.write('<h1>Hello World</h1>');
// SECURE: Using DOM manipulation
document.getElementById('content').innerHTML = '<h1>Hello World</h1>';
// INSECURE: Using escape/unescape
const encoded = escape(data);
// SECURE: Using encodeURIComponent
const encoded = encodeURIComponent(data);
```
8. **Safe Dynamic Imports:**
- Avoid dynamic imports with variable concatenation
- Example:
```javascript
// INSECURE: Dynamic import with concatenation
const moduleName = userInput;
import('./' + moduleName + '.js');
// SECURE: Validate input against a whitelist
const validModules = ['module1', 'module2', 'module3'];
if (validModules.includes(moduleName)) {
import(`./${moduleName}.js`);
}
```
9. **Regular Expression Safety:**
- Avoid vulnerable regex patterns that could lead to ReDoS attacks
- Example:
```javascript
// INSECURE: Vulnerable regex pattern
const regex = /^(a+)+$/;
// SECURE: Optimized regex pattern
const regex = /^a+$/;
```
10. **Vendor Management:**
- Evaluate the security posture of third-party libraries before use
- Prefer libraries with active maintenance and security focus
- Example evaluation criteria:
- When was the last commit?
- How quickly are security issues addressed?
- Does the project have a security policy?
- Is there a responsible disclosure process?
- How many open issues and pull requests exist?
- What is the download count and GitHub stars?
11. **Runtime Dependency Checking:**
- Implement runtime checks for critical dependencies
- Example:
```javascript
// Check package version at runtime for critical dependencies
try {
const packageJson = require('some-critical-package/package.json');
const semver = require('semver');
if (semver.lt(packageJson.version, '2.0.0')) {
console.warn('Warning: Using a potentially vulnerable version of some-critical-package');
}
} catch (err) {
console.error('Error checking package version:', err);
}
```
12. **Minimal Dependencies:**
- Minimize the number of dependencies to reduce attack surface
- Regularly audit and remove unused dependencies
- Example:
```bash
# Find unused dependencies
npx depcheck
# Analyze your bundle size
npx webpack-bundle-analyzer
```
- type: validate
conditions:
# Check 1: Using npm audit
- pattern: "\"scripts\"\\s*:\\s*\\{[^}]*?\"audit\"\\s*:\\s*\"npm audit"
message: "Using npm audit to check for vulnerabilities."
# Check 2: Using lock files
- pattern: "package-lock\\.json|yarn\\.lock|pnpm-lock\\.yaml"
message: "Using lock files to ensure dependency consistency."
# Check 3: Using integrity hashes
- pattern: "integrity=['\"]sha\\d+-[A-Za-z0-9+/=]+['\"]"
message: "Using subresource integrity hashes for external resources."
# Check 4: Using modern Buffer API
- pattern: "Buffer\\.(?:from|alloc|allocUnsafe)"
message: "Using modern Buffer API instead of deprecated constructor."
# Check 5: Using dependency scanning in CI
- pattern: "npm\\s+audit|snyk\\s+test|yarn\\s+audit"
location: "(?:\\.github/workflows|\\.gitlab-ci\\.yml|Jenkinsfile|azure-pipelines\\.yml)"
message: "Integrating dependency scanning in CI/CD pipeline."
metadata:
priority: high
version: 1.0
tags:
- security
- javascript
- nodejs
- browser
- dependencies
- owasp
- language:javascript
- framework:express
- framework:react
- framework:vue
- framework:angular
- category:security
- subcategory:dependencies
- standard:owasp-top10
- risk:a06-vulnerable-outdated-components
references:
- "https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/"
- "https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html"
- "https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html"
- "https://docs.npmjs.com/cli/v8/commands/npm-audit"
- "https://snyk.io/learn/npm-security/"
- "https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity"
- "https://github.com/OWASP/NodeGoat"
- "https://owasp.org/www-project-dependency-check/"
</rule>
💡 Suggested Test Inputs
Loading suggested inputs...
🎯 Community Test Results
Loading results...
📦 Package Info
- Format
- cursor
- Type
- rule
- Category
- languages