Merge pull request #486 from owasp-noir/issue-481

Enhanced detection logic for Express

spec/unit_test/detector/javascript/express_spec.cr

@@ -8,7 +8,56 @@ describe "Detect JS Express" do
   it "require_single_quot" do
     instance.detect("index.js", "require('express')").should eq(true)
   end
+
   it "require_double_quot" do
     instance.detect("index.js", "require(\"express\")").should eq(true)
   end
-end
+
+  it "import_single_quot" do
+    instance.detect("index.js", "import express from 'express'").should eq(true)
+  end
+
+  it "import_double_quot" do
+    instance.detect("index.js", "import express from \"express\"").should eq(true)
+  end
+
+  it "const_require_single_quot" do
+    instance.detect("index.js", "const express = require('express')").should eq(true)
+  end
+
+  it "const_require_double_quot" do
+    instance.detect("index.js", "const express = require(\"express\")").should eq(true)
+  end
+
+  it "let_require_single_quot" do
+    instance.detect("index.js", "let express = require('express')").should eq(true)
+  end
+
+  it "let_require_double_quot" do
+    instance.detect("index.js", "let express = require(\"express\")").should eq(true)
+  end
+
+  it "var_require_single_quot" do
+    instance.detect("index.js", "var express = require('express')").should eq(true)
+  end
+
+  it "var_require_double_quot" do
+    instance.detect("index.js", "var express = require(\"express\")").should eq(true)
+  end
+
+  it "import_router_single_quot" do
+    instance.detect("index.js", "import { Router } from 'express'").should eq(true)
+  end
+
+  it "import_router_double_quot" do
+    instance.detect("index.js", "import { Router } from \"express\"").should eq(true)
+  end
+
+  it "app_use_express_json" do
+    instance.detect("index.js", "app.use(express.json())").should eq(true)
+  end
+
+  it "app_use_express_urlencoded" do
+    instance.detect("index.js", "app.use(express.urlencoded({ extended: true }))").should eq(true)
+  end
+end

src/detector/detectors/javascript/express.cr

@@ -3,9 +3,12 @@ require "../../../models/detector"
 module Detector::Javascript
   class Express < Detector
     def detect(filename : String, file_contents : String) : Bool
-      if (filename.includes? ".js") && (file_contents.includes? "require('express')")
-        true
-      elsif (filename.includes? ".js") && (file_contents.includes? "require(\"express\")")
+      if (filename.includes?(".js") || filename.includes?(".mjs") || filename.includes?(".ts")) &&
+         (file_contents.match(/require\(['"]express['"]\)/) ||
+          file_contents.match(/import express from ['"]express['"]/) ||
+          file_contents.match(/import { Router } from ['"]express['"]/) ||
+          file_contents.match(/app\.use\(express\.json\(\)\)/) ||
+          file_contents.match(/app\.use\(express\.urlencoded\(\{ extended: true \}\)\)/))
         true
       else
         false
@@ -16,4 +19,4 @@ module Detector::Javascript
       @name = "js_express"
     end
   end
-end
+end

src/detector/detectors/javascript/restify.cr

@@ -7,8 +7,6 @@ module Detector::Javascript
         true
       elsif (filename.includes? ".js") && (file_contents.includes? "require(\"restify\")")
         true
-      elsif (filename.includes? ".ts") && (file_contents.includes? "server")
-        true
       elsif (filename.includes? ".ts") && (file_contents.includes? "require(\"restify\")")
         true
       else