Slide 1

Javascript Static Code Analyzer
Héctor Quartino

Slide 2

About me
• 10+ years of developer experience.
• Multiple languages / technologies (Java, C#, JS).
• Curious about security for a while.
• AppSec Engineer @ NetSuite.

Slide 3

About this talk
• Motivation.
• A bit of theory on the concepts behind static code analyzers.
• Related Javascript tools.

Slide 4

Static Code Analysis – What & Why?
• Runs on source code without executing it (white-box testing).
• Can use project-specific rules.
• Can be automated.
• Highly effective at finding specific, well-defined patterns.
• Early detection of potential issues, before the code reaches testing or production.

Slide 5

Why analyze Javascript code?
• Scripting language of the Web.
  – Web applications vs. native apps on mobile.
• JavaScript server applications
  – Rhino
  – NodeJS
• IoT
  – Embedded devices
  – Home automation
  – Robotics
  – DIY

Slide 6

Why a Javascript Static Code Analyzer?
• Applications written 100% in Javascript (client, server and tooling) are increasingly common.
• The testing infrastructure is in Javascript too!
• Goal: one language gives teams more flexibility.
• Goal: run static code analysis on CI / nightly builds.
• Goal: leverage the tools that already exist in the Javascript community.

Slide 7

Static Code Analysis Limitations
• False positives
  – Need a way to triage findings and carry suppressions across successive scan results.
• False negatives
  – Some vulnerabilities can only be discovered through dynamic analysis.
  – The analyzer is unaware of custom APIs, cross-layer vulnerabilities (e.g. a value checked in one tier and misused in another) and configuration files.
  – Mitigate by adding custom rules for the project's own APIs.

Slide 8

A few compiler concepts
• Compiler: transforms code from one language to another.

Pipeline (figure): Input → Lexer → Tokens → Parser → AST → Optimizer → IR → Generator → Output

Slide 9

A few compiler concepts
• Compiler: transforms code from one language to another.

Pipeline (figure): Input → Lexer → Tokens → Parser → AST → Optimizer → IR → Generator → Output
The front end (Lexer → Tokens → Parser → AST) is the part used by static analysis.

Slide 10

A few compiler concepts (cont.)
• Lexer: transforms code into tokens, according to the language's lexical grammar.

Input: var foo = bar;

Tokens:
Type        Value
Keyword     var
Identifier  foo
Punctuator  =
Identifier  bar
Punctuator  ;
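As an added example (not code from the slides, and not Esprima's own lexer), the following is a minimal lexer for a JavaScript subset that produces the Type/Value pairs shown above. The keyword and punctuator lists are deliberately short and are assumptions for the example; the token type names (Keyword, Identifier, Punctuator, Numeric, String) follow the ECMAScript lexical grammar as Esprima reports them.

```javascript
// Minimal lexer for a JavaScript subset (added example, not Esprima).
// Keyword and punctuator tables are intentionally partial.
const KEYWORDS = new Set(['var', 'let', 'const', 'function', 'if', 'else', 'return']);
// Ordered longest-first so that '===' wins over '==' and '=' (longest match rule).
const PUNCTUATORS = ['===', '!==', '==', '!=', '=>', '=', ';', '(', ')', '{', '}', '.', ',', '+', '-', '*', '/', '>', '<'];

function tokenize(input) {
  const tokens = [];
  let i = 0;
  while (i < input.length) {
    const ch = input[i];
    if (/\s/.test(ch)) { i += 1; continue; }            // whitespace separates tokens but is not one
    if (/[A-Za-z_$]/.test(ch)) {                           // IdentifierName: keyword or identifier
      let j = i + 1;
      while (j < input.length && /[A-Za-z0-9_$]/.test(input[j])) j += 1;
      const value = input.slice(i, j);
      tokens.push({ type: KEYWORDS.has(value) ? 'Keyword' : 'Identifier', value });
      i = j; continue;
    }
    if (/[0-9]/.test(ch)) {                                // NumericLiteral (decimal integers only)
      let j = i + 1;
      while (j < input.length && /[0-9]/.test(input[j])) j += 1;
      tokens.push({ type: 'Numeric', value: input.slice(i, j) });
      i = j; continue;
    }
    if (ch === '"' || ch === "'") {                        // StringLiteral, no escape sequences handled
      const j = input.indexOf(ch, i + 1);
      if (j === -1) throw new SyntaxError(`Unterminated string starting at ${i}`);
      tokens.push({ type: 'String', value: input.slice(i, j + 1) });
      i = j + 1; continue;
    }
    const punct = PUNCTUATORS.find((p) => input.startsWith(p, i));
    if (punct) { tokens.push({ type: 'Punctuator', value: punct }); i += punct.length; continue; }
    throw new SyntaxError(`Unexpected character '${ch}' at ${i}`); // not in the lexical grammar
  }
  return tokens;
}

console.log(tokenize('var foo = bar;'));
// [ {Keyword var}, {Identifier foo}, {Punctuator =}, {Identifier bar}, {Punctuator ;} ]
```

Everything the lexer cannot classify is a lexical error: a parser (and therefore a static analyzer) never sees such input, which is why a scanner needs the real grammar of the language it targets rather than regular expressions over raw text.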

Slide 11

A few compiler concepts (cont.)
• Parser: transforms tokens into an AST, according to the language's syntactic grammar.
• Abstract Syntax Tree: represents program structure.

Tokens (from the previous slide):
Type        Value
Keyword     var
Identifier  foo
Punctuator  =
Identifier  bar
Punctuator  ;

AST:
VariableDeclaration
  └ VariableDeclarator
      ├ id:   Identifier foo
      └ init: Identifier bar

Slide 12

A few Static Code Analyzer techniques
• Data Flow Analysis
  – Infers facts about the runtime values of data (what a variable may hold at each program point) by analyzing the static program text only.
  – Works over the program's control flow graph: the possible execution paths through the program.

  if (a > 1) {
    pathA(a);
  } else {
    pathB(1);
  }

Control flow graph (figure): if → path A / path B → end-if

Slide 13

A few Static Code Analyzer techniques
• Taint Analysis: trace data from untrusted inputs (sources, the "taints") through the program to potentially vulnerable functions (sinks).

  var searchTerms = $('q').val();
  var trimmedSearchTerms = searchTerms.trim();
  // … code
  displaySearchResults(trimmedSearchTerms, results);

  function displaySearchResults(terms, results) {
    $(selector).append(terms); // XSS: user-controlled string inserted as markup
  }
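The two techniques above (data flow over the statements of a program, and source-to-sink taint tracking) can be shown together on the slide's snippet. The following is an added example, not code from the slides and not how ScanJS or ESLint implement it: a toy forward taint analysis over an ESTree-shaped AST. The AST is hand-built with small constructor helpers because no parser is available offline; a real tool would get it from Esprima or Espree. The source list (jQuery `.val()`) and sink list (`.append()`, `.html()`) are assumptions for the example.

```javascript
// Toy source-to-sink taint analysis over an ESTree-shaped AST (added example).
// Helpers build ESTree nodes by hand; node shapes follow the ESTree spec.
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const member = (object, name) => ({ type: 'MemberExpression', object, property: id(name), computed: false });
const call = (callee, args = []) => ({ type: 'CallExpression', callee, arguments: args });
const decl = (name, init) => ({ type: 'VariableDeclaration', kind: 'var',
  declarations: [{ type: 'VariableDeclarator', id: id(name), init }] });
const expr = (expression) => ({ type: 'ExpressionStatement', expression });
const fn = (name, params, body) => ({ type: 'FunctionDeclaration', id: id(name),
  params: params.map((p) => id(p)), body: { type: 'BlockStatement', body } });

const SOURCES = new Set(['val']);          // assumed: jQuery methods returning user-controlled data
const SINKS = new Set(['append', 'html']); // assumed: jQuery methods that interpret their argument as markup

// Returns a description of the origin of `node`'s value if it is tainted in
// `env` (Map: variable name -> origin), or null if the value is clean.
function taintOf(node, env) {
  switch (node.type) {
    case 'Identifier': return env.get(node.name) || null;
    case 'MemberExpression': return taintOf(node.object, env);
    case 'CallExpression':
      if (node.callee.type === 'MemberExpression') {
        const method = node.callee.property.name;
        if (SOURCES.has(method)) return `$(...).${method}()`;
        return taintOf(node.callee.object, env); // e.g. tainted.trim() stays tainted
      }
      return null; // return values of plain function calls are not tracked in this toy
    default: return null; // Literal and anything unmodelled is treated as clean
  }
}

// Walks the statements in order, propagating taint through declarations and
// into called functions (one level of interprocedural analysis).
function analyze(program) {
  const functions = new Map(program.body
    .filter((s) => s.type === 'FunctionDeclaration').map((f) => [f.id.name, f]));
  const findings = [];
  const run = (statements, env, depth) => {
    if (depth > 8) return; // crude guard against recursive functions
    for (const s of statements) {
      if (s.type === 'VariableDeclaration') {
        for (const d of s.declarations) {
          const origin = d.init && taintOf(d.init, env);
          if (origin) env.set(d.id.name, origin);
        }
      } else if (s.type === 'ExpressionStatement' && s.expression.type === 'CallExpression') {
        const c = s.expression;
        if (c.callee.type === 'MemberExpression' && SINKS.has(c.callee.property.name)) {
          for (const a of c.arguments) {
            const origin = taintOf(a, env);
            if (origin) findings.push({ sink: c.callee.property.name,
              argument: a.type === 'Identifier' ? a.name : a.type, source: origin });
          }
        } else if (c.callee.type === 'Identifier' && functions.has(c.callee.name)) {
          const f = functions.get(c.callee.name);
          const calleeEnv = new Map(); // bind tainted arguments to the callee's parameters
          f.params.forEach((p, i) => {
            const origin = c.arguments[i] && taintOf(c.arguments[i], env);
            if (origin) calleeEnv.set(p.name, origin);
          });
          run(f.body.body, calleeEnv, depth + 1);
        }
      }
    }
  };
  run(program.body, new Map(), 0);
  return findings;
}

// The slide's snippet as a hand-constructed ESTree program.
const vulnerable = { type: 'Program', body: [
  decl('searchTerms', call(member(call(id('$'), [lit('q')]), 'val'))),
  decl('trimmedSearchTerms', call(member(id('searchTerms'), 'trim'))),
  expr(call(id('displaySearchResults'), [id('trimmedSearchTerms'), id('results')])),
  fn('displaySearchResults', ['terms', 'results'], [
    expr(call(member(call(id('$'), [id('selector')]), 'append'), [id('terms')])),
  ]),
]};
// Same program with the sink replaced by jQuery .text(), which escapes its argument.
const fixed = JSON.parse(JSON.stringify(vulnerable));
fixed.body[3].body.body[0].expression.callee.property.name = 'text';

console.log(analyze(vulnerable)); // [{ sink: 'append', argument: 'terms', source: '$(...).val()' }]
console.log(analyze(fixed));      // []
```

The analysis is deliberately naive: it ignores branches, loops, return values and aliasing, so it is both unsound (false negatives through untracked paths) and imprecise (no sanitizer model, so a validated value stays tainted); those are exactly the limitations listed on slide 7.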

Slide 14

Javascript Tools
• Parser: Esprima, Acorn.
• AST: ESTree.
• Code Analyzer: ScanJS.
• Code Analyzer, take 2: ESLint.

Slide 15

Esprima
• Standards-compliant ECMAScript parser written in ECMAScript.
  – Supports ES6.
  – Produces the standard AST defined by the ESTree project.
  – Heavily used, some examples:
    • Code minifier: esmangle
    • Code instrumentation: Istanbul
    • ES6 to ES5 transpiler: esnext (uses Espree)

Slide 16

ESTree
• De facto standard AST specification.
• Originated as part of SpiderMonkey's Parser API.
• Lots of manipulation tools available.

DEMO

Slide 17

ScanJS
• Focused on client-side web applications.
• Web UI only, no command-line tool, which makes it hard to integrate with build tools.
• Developed by Mozilla; unfortunately deprecated, but it lives on as an ESLint configuration and rule set: eslint-config-scanjs.

DEMO

Slide 18

ESLint
• Uses Espree (a fork of Esprima) for parsing.
• Pluggable architecture:
  – All rules are plugins; more can be added at runtime.
  – Different parsers can be used (Esprima, Espree or Babel are currently compatible).
  – Language extensions are specified in the configuration.
  – Global variables are predefined through Environments.
• Integrates with editors, build systems, command-line tools, and more!
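Because every ESLint rule is a plugin, a project-specific security check is just a rule module. The following is an added example, not an official ESLint rule and not part of ScanJS: a rule that reports calls to jQuery markup sinks (`.html()`, `.append()`, `.prepend()`, an assumed list) whose argument is not a string literal. ESLint calls the visitor returned from `create()` for each `CallExpression` node of the ESTree AST that Espree produced. The stub context and hand-built nodes at the bottom exist only so the rule can be exercised without the ESLint framework installed; in a real project the rule is packaged in a plugin and enabled in the configuration (plugin and rule names below are assumptions).

```javascript
// Custom ESLint rule (added example; not an official ESLint or ScanJS rule).
// Enabled in a project via a plugin, e.g. "rules": { "local/no-jquery-markup-sink": "error" }
// (plugin name "local" and rule name are assumptions for this example).
const MARKUP_SINKS = new Set(['html', 'append', 'prepend']); // assumed sink list

const rule = {
  meta: {
    type: 'problem',
    docs: { description: 'disallow non-literal arguments to jQuery markup sinks' },
    schema: [],
  },
  create(context) {
    return {
      // ESLint invokes this for every CallExpression node in the ESTree AST.
      CallExpression(node) {
        const callee = node.callee;
        if (callee.type !== 'MemberExpression' || callee.computed) return;
        if (!MARKUP_SINKS.has(callee.property.name)) return;
        for (const arg of node.arguments) {
          // A string literal is developer-controlled markup; anything else may carry user data.
          if (arg.type === 'Literal' && typeof arg.value === 'string') continue;
          context.report({
            node: arg,
            message: `Non-literal argument to .${callee.property.name}() may introduce XSS; escape it or use .text()`,
          });
        }
      },
    };
  },
};
if (typeof module !== 'undefined') module.exports = rule; // how a rule module is normally exported

// Stand-alone check with a stub context, similar in spirit to ESLint's RuleTester
// but without the framework. Returns the messages the rule would report.
function lintCall(node) {
  const reports = [];
  const visitor = rule.create({ report: (r) => reports.push(r.message) });
  visitor.CallExpression(node);
  return reports;
}

// Hand-constructed ESTree nodes for $('#out').<method>(<arg>).
const jq = (selector) => ({ type: 'CallExpression',
  callee: { type: 'Identifier', name: '$' }, arguments: [{ type: 'Literal', value: selector }] });
const sinkCall = (method, arg) => ({ type: 'CallExpression',
  callee: { type: 'MemberExpression', object: jq('#out'),
    property: { type: 'Identifier', name: method }, computed: false },
  arguments: [arg] });

const fromVariable = sinkCall('append', { type: 'Identifier', name: 'terms' });     // $('#out').append(terms)
const fromLiteral = sinkCall('html', { type: 'Literal', value: '<b>static</b>' });   // $('#out').html('<b>static</b>')
const textSink = sinkCall('text', { type: 'Identifier', name: 'terms' });          // $('#out').text(terms)

console.log(lintCall(fromVariable).length, lintCall(fromLiteral).length, lintCall(textSink).length); // 1 0 0
```

The rule is purely syntactic: it has no data flow, so it also flags `$('#out').append(escapeHtml(terms))`. That is the false-positive trade-off from slide 7; the usual mitigation in ESLint is to keep such rules precise enough to be triaged quickly and to whitelist known-safe wrapper functions in the rule's options (`meta.schema`).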

Slide 19

DEMO

Slide 20

Q&A

Slide 21

Reference material
• Esprima: http://esprima.org/
• ESTree spec: https://github.com/estree/estree/blob/master/spec.md
• ESTools projects: https://github.com/estools
• ESLint: http://eslint.org/
• ESLint integrations: http://eslint.org/docs/user-guide/integrations
• ScanJS ESLint Plugin: https://github.com/mozfreddyb/eslint-config-scanjs
• ScanJS ESLint Rules: https://github.com/mozfreddyb/eslint-plugin-scanjs-rules