Static Analysis and Security Scanning

Overview

We use Semgrep as our primary static analysis tool to identify potential security vulnerabilities in our codebase. This document outlines our approach to security scanning and provides examples of common issues that can be detected.

Setting Up Semgrep

Semgrep is a powerful static analysis tool that helps identify security vulnerabilities in your codebase. Here's how to set it up:

1. Install Semgrep:

# Using Homebrew (macOS)
brew install semgrep

# Using pip
pip install semgrep

2. Create a .semgrep.yml configuration file in your project root:

rules:
  - id: xss-vulnerability
    pattern: innerHTML = $X
    message: "Potential XSS vulnerability: Using innerHTML without sanitization"
    languages: [javascript, typescript]
    severity: ERROR

  - id: path-traversal
    pattern: path.join($DIR, $USER_INPUT)
    message: "Potential path traversal vulnerability"
    languages: [javascript, typescript]
    severity: ERROR

  - id: redos-vulnerability
    pattern: new RegExp($PATTERN, 'i')
    message: "Potential ReDoS vulnerability: Using user input in regex without validation"
    languages: [javascript, typescript]
    severity: ERROR

3. Run Semgrep:

semgrep --config .semgrep.yml .

Common Security Issues Detected

1. XSS Vulnerabilities

Semgrep helps identify potential XSS vulnerabilities, particularly in cases where:

• innerHTML is used without proper sanitization
• SVG content is rendered without validation
• User input is directly injected into the DOM
• HTML templates use unescaped user input

Example fix using DOMPurify:

import DOMPurify from 'dompurify';

const sanitizedContent = DOMPurify.sanitize(userContent);
element.innerHTML = sanitizedContent;

2. ReDoS Vulnerabilities

Semgrep can detect potential ReDoS vulnerabilities in:

• Regular expressions using user input
• Complex string operations without input validation
• Unbounded regex patterns

Example protections:

// Input length limit
const MAX_INPUT_LENGTH = 100;
const safeInput = input.slice(0, MAX_INPUT_LENGTH);

// Input validation
if (!/^[\w\s\-.,!?]+$/.test(safeInput)) {
  return;
}

// Timeout protection
const timeout = setTimeout(() => {
  console.warn('Operation timed out');
  return;
}, 1000);

3. Path Traversal Vulnerabilities

Semgrep identifies potential path traversal issues in:

• File path construction using user input
• Directory operations without proper validation
• File system access without path sanitization

Example protections:

// Path sanitization
const sanitizedPath = path.replace(/\.\./g, '').replace(/\/+/g, '/').replace(/^\/+|\/+$/g, '');

// Path validation
const baseDir = path.join(process.cwd(), 'content');
const filePath = path.join(baseDir, sanitizedPath);

if (!filePath.startsWith(baseDir)) {
  return;
}

4. Unsafe String Formatting

Semgrep detects potential issues with string formatting in:

• Console logging with user input
• Template literals with unescaped user data
• String concatenation in logging statements

Example fix:

// Instead of
console.error(`Error processing ${userInput}`);

// Use
console.error('Error processing:', userInput);

Security Dependencies

We maintain several security-focused dependencies:

• dompurify and @types/dompurify for XSS protection
• escape-string-regexp and @types/escape-string-regexp for safe regex handling

Integration with Development Workflow

1. Pre-commit Hooks: Semgrep scans are integrated into our pre-commit hooks
2. CI/CD Pipeline: Automated security scanning in our CI/CD pipeline
3. Regular Audits: Scheduled security audits using Semgrep

Best Practices

1. Regular Scanning:

   • Run Semgrep scans before committing code
   • Schedule regular security audits
   • Review and update rules as needed

2. Security Measures:

   • Implement Content Security Policy (CSP) headers
   • Use rate limiting for API endpoints
   • Implement input validation middleware
   • Sanitize all user input before use
   • Use safe string formatting in logging

3. Documentation:

   • Keep security documentation up to date
   • Document new security measures
   • Maintain a security checklist for new features

Historical Context

On April 21, 2024, we implemented comprehensive security fixes addressing:

• XSS vulnerabilities in SVG rendering and DOM manipulation
• ReDoS vulnerabilities in text processing
• Path traversal vulnerabilities in file handling

These fixes were identified through our Semgrep integration and have been incorporated into our ongoing security practices.

Current Findings (April 2024)

The latest Semgrep scan identified several areas for improvement:

1. XSS Vulnerabilities:

   • HTML template injection in feedback and registration emails
   • Unsafe DOM manipulation in component inspector

2. ReDoS Vulnerabilities:

   • User input in regex patterns in UserSubscription model
   • Dynamic regex construction in text highlighting

3. Unsafe String Formatting:

   • Console logging with user input in multiple components
   • Template literals with unescaped user data

4. Data Exfiltration Risks:

   • Object.assign with user-controlled data in chat messages

These findings are being addressed in separate PRs to maintain a clear separation of concerns and manageable review processes.