diff --git a/harishumasankar18_personal_org/detect-new-function.jsx b/harishumasankar18_personal_org/detect-new-function.jsx
new file mode 100644
index 0000000000..0ea240584d
--- /dev/null
+++ b/harishumasankar18_personal_org/detect-new-function.jsx
@@ -0,0 +1,21 @@
+
+const calculate = (activity, health, weight, happiness) => {
+ return new Promise(async (resolve, reject) => {
+ try {
+ // devine formula :100:
+ let res = `with(a='${activity}', hp=${health}, w=${weight}, hs=${happiness}) {
+ if (a == 'feed') { hp += 1; w += 5; hs += 3; } if (a == 'play') { w -= 5; hp += 2; hs += 3; } if (a == 'sleep') { hp += 2; w += 3; hs += 3; } if ((a == 'feed' || a == 'sleep' ) && w > 70) { hp -= 10; hs -= 10; } else if ((a == 'feed' || a == 'sleep' ) && w < 40) { hp += 10; hs += 5; } else if (a == 'play' && w < 40) { hp -= 10; hs -= 10; } else if ( hs > 70 && (hp < 40 || w < 30)) { hs -= 10; } if ( hs > 70 ) { m = 'kissy' } else if ( hs < 40 ) { m = 'cry' } else { m = 'awkward'; } if ( hs > 100) { hs = 100; } if ( hs < 5) { hs = 5; } if ( hp < 5) { hp = 5; } if ( hp > 100) { hp = 100; } if (w < 10) { w = 10 } return {m, hp, w, hs}
+ }`;
+ quickMaths = new Function(res);
+ const {m, hp, w, hs} = quickMaths();
+ resolve({mood: m, health: hp, weight: w, happiness: hs})
+ }
+ catch (e) {
+ reject(e);
+ }
+ });
+}
+
+module.exports = {
+ calculate
+}
\ No newline at end of file
diff --git a/harishumasankar18_personal_org/detect-new-function.yaml b/harishumasankar18_personal_org/detect-new-function.yaml
new file mode 100644
index 0000000000..fe4b2773c3
--- /dev/null
+++ b/harishumasankar18_personal_org/detect-new-function.yaml
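Review bot: `activity` is interpolated unescaped into the generated source at `let res = \`with(a='${activity}', ...`, so a value containing a single quote (e.g. `'; process.exit(); //`) breaks out of the literal and executes when `quickMaths()` runs, and `health`, `weight` and `happiness` are spliced in with no quoting at all. If this file is the test fixture for the `detect-new-function` rule it is paired with, the sink is presumably intentional, but semgrep's test runner then expects a `// ruleid: detect-new-function` comment on the line directly above `quickMaths = new Function(res);`, otherwise the expected finding is never registered. Independently, `quickMaths` is assigned without a declaration, which creates an implicit global in sloppy mode; `const quickMaths = new Function(res);` keeps it scoped to the `try` block. If this is meant as real code rather than a fixture, the formula should be written as an ordinary function over the four parameters instead of compiled from a string.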
@@ -0,0 +1,24 @@
+rules:
+- id: detect-new-function
+ languages:
+ - javascript
+ severity: ERROR
+ message: |
+ Using `new Function(...)` can lead to potential security vulnerabilities like arbitrary code execution. Avoid using it.
+ pattern: |
+ new Function(...)
+ metadata:
+ category: security
+ confidence: MEDIUM
+ likelihood: LOW
+ impact: LOW
+ cwe:
+ - 'CWE 94: Improper Control of Generation of Code (''Code Injection'')'
+ owasp:
+ - A3:2021 Injection
+ technology:
+ - javascript
+ references:
+ - https://nvd.nist.gov/vuln/detail/cve-2023-23623
+ subcategory:
+ - guardrail
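Review bot: `impact: LOW` under `metadata:` contradicts both `severity: ERROR` and the `message:` text, which describes arbitrary code execution; for a CWE-94 code-injection sink the registry convention is `impact: HIGH`, with `likelihood: LOW` defensible only because the pattern also fires on constant strings. The CWE entry is written `CWE 94:`; the canonical form tooling keys on is `'CWE-94: Improper Control of Generation of Code (''Code Injection'')'`. Since `new Function(...)` matches every call including ones whose arguments are all string literals (which cannot be injected), decide explicitly whether a `pattern-not` for literal-only arguments is wanted or whether the rule is a blanket ban as `subcategory: guardrail` implies, and say so in the message. The single reference should be checked to confirm it actually concerns `new Function` code injection before it is cited as supporting evidence.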