A recent experience with a NestJS codebase highlighted the importance of automated security checks. Despite a robust test suite and a code review process, the first run of the eslint-plugin-nestjs-security linting tool reported 47 violations, spanning six distinct vulnerability classes that reviewers had not caught.
Introduction to the Vulnerabilities
The six classes were: unguarded controllers, sensitive fields leaking in responses, auth endpoints without rate limiting, unvalidated DTO inputs, DTO properties without validation decorators, and missing error handlers. Each had survived code review for mundane reasons: reviewers assumed a global configuration (a guard, pipe or interceptor registered at the application level) covered the route when it did not, or a decorator was simply missing from a class that otherwise looked complete. Neither mistake is visible when reading one file at a time, which is the gap a lint rule closes.
Unguarded Controllers and Sensitive Fields
The first finding was an unguarded controller: routes under it were reachable without authentication because no @UseGuards decorator was present at the controller level. Before accepting such a finding, check whether a global guard (registered as APP_GUARD in the module) covers the route; if none does, the route is open. The second finding was sensitive fields leaking in responses, caused by a missing @Exclude decorator on certain fields of the entity class. Note that @Exclude (from class-transformer) only takes effect when the response passes through ClassSerializerInterceptor or the entity is explicitly transformed; an entity returned directly from a handler is serialised as-is, decorators or not.
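To make the two checks concrete, the following is an added example written for this page, not code from the article or from eslint-plugin-nestjs-security (which runs on the TypeScript AST): a line-based TypeScript sketch of the unguarded-controller and sensitive-field rules, run over a constructed NestJS-style source string. The class and field names in the sample, and the list of property names treated as sensitive, are assumptions for the example.

```typescript
// Added example: a small line-based sketch of two checks the article describes.
// Not code from the article or from eslint-plugin-nestjs-security; a real rule
// works on the AST. Caveat any real rule must handle: a guard registered
// globally (APP_GUARD) makes the first check a false positive, so confirm the
// finding against the app module before treating the route as open.

interface Finding {
  rule: "unguarded-controller" | "sensitive-field-exposed";
  name: string;
  line: number; // 1-based line in the scanned source
}

// Assumption for this example: which property names count as sensitive.
const SENSITIVE_NAME = /^(password|passwordHash|secret|token|apiKey)$/;
const ROUTE_DECORATOR = /^@(Get|Post|Put|Patch|Delete|All)\(/;
const CLASS_DECL = /^\s*(?:export\s+)?class\s+(\w+)/;
const PROPERTY_DECL = /^\s*(?:(?:public|private|protected|readonly)\s+)*(\w+)\s*[?!]?\s*:/;
const METHOD_DECL = /^\s*(?:async\s+)?\w+\s*\(/;

// Decorator lines directly above lines[index], in source order.
function decoratorsAbove(lines: string[], index: number): string[] {
  const found: string[] = [];
  for (let i = index - 1; i >= 0 && lines[i].trim().charAt(0) === "@"; i--) {
    found.unshift(lines[i].trim());
  }
  return found;
}

function hasDecorator(decos: string[], name: string): boolean {
  return decos.some(d => d.indexOf("@" + name + "(") === 0);
}

// Index of the line holding the closing brace of the class opened on lines[start].
// Brace counting ignores string contents, which is acceptable for a sketch.
function classEnd(lines: string[], start: number): number {
  let depth = 0;
  for (let i = start; i < lines.length; i++) {
    for (let k = 0; k < lines[i].length; k++) {
      if (lines[i].charAt(k) === "{") depth++;
      else if (lines[i].charAt(k) === "}" && --depth === 0) return i;
    }
  }
  return lines.length - 1;
}

function scan(source: string): Finding[] {
  const lines = source.split("\n");
  const findings: Finding[] = [];
  for (let i = 0; i < lines.length; i++) {
    const cls = CLASS_DECL.exec(lines[i]);
    if (cls) {
      const classDecos = decoratorsAbove(lines, i);
      if (hasDecorator(classDecos, "Controller") && !hasDecorator(classDecos, "UseGuards")) {
        // No class-level guard: every route handler must carry its own.
        const end = classEnd(lines, i);
        for (let j = i + 1; j < end; j++) {
          const decos = decoratorsAbove(lines, j);
          const isHandler = METHOD_DECL.test(lines[j]) && decos.some(d => ROUTE_DECORATOR.test(d));
          if (isHandler && !hasDecorator(decos, "UseGuards")) {
            findings.push({ rule: "unguarded-controller", name: cls[1], line: i + 1 });
            break;
          }
        }
      }
      continue;
    }
    const prop = PROPERTY_DECL.exec(lines[i]);
    if (prop && SENSITIVE_NAME.test(prop[1]) && !hasDecorator(decoratorsAbove(lines, i), "Exclude")) {
      findings.push({ rule: "sensitive-field-exposed", name: prop[1], line: i + 1 });
    }
  }
  return findings;
}

// Constructed sample input, written to trip each check exactly once.
const SAMPLE_SOURCE = `
@Entity()
export class User {
  @Column()
  email: string;
  @Column()
  passwordHash: string;
  @Exclude()
  @Column()
  apiKey: string;
}
@Controller('admin')
export class AdminController {
  @Get('users')
  listUsers() {}
  @UseGuards(AuthGuard('jwt'))
  @Delete('users/:id')
  remove() {}
}
@Controller('health')
@UseGuards(AuthGuard('jwt'))
export class HealthController {
  @Get()
  check() {}
}
`;

for (const f of scan(SAMPLE_SOURCE)) console.log(f.rule + ": " + f.name + " (line " + f.line + ")");
```

HealthController is guarded at class level and produces nothing; AdminController is reported once even though one of its handlers is guarded, because the rule is about the controller, and passwordHash is reported while apiKey is not.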
Auth Endpoints and Input Validation
The linting tool also flagged auth endpoints without rate limiting, which left the login flow open to credential brute-forcing; the auth controller had no @Throttle decorator. One caveat for that finding: @Throttle (from @nestjs/throttler) only adjusts limits for routes that ThrottlerGuard already covers, so the guard must be registered, globally via APP_GUARD or with @UseGuards on the controller, for the decorator to do anything at all. The tool also found unvalidated DTO inputs: without a ValidationPipe at the parameter, controller or global level, the decorators on a DTO are never evaluated and @Body() hands the handler the raw parsed JSON, whatever its shape.
DTO Properties and Error Handling
The tool also found DTO properties without validation decorators, which allowed values of any length or encoding to pass through. This was due to a missing decorator on certain properties in the DTO class, and it interacts with the ValidationPipe options in a way reviewers often miss: with whitelist disabled, an undecorated property is accepted unchecked; with whitelist enabled, class-validator treats it exactly like an unknown property and silently strips it, or rejects the request when forbidNonWhitelisted is also set, so the field the developer meant to accept never arrives. Finally, the tool found missing error handlers, which can leave failures unhandled and lead to unexpected behaviour when a request errors.
Conclusion and Future Directions
In conclusion, the experience highlights the importance of automated security checks in ensuring the security of NestJS applications. By running tools like eslint-plugin-nestjs-security in CI, developers can identify and fix vulnerabilities that reviewers miss, on every change rather than in a single one-off run. As the application continues to evolve, it is essential to prioritise security and ensure that all necessary checks are in place to prevent similar vulnerabilities from arising in the future.
AI summary
Starting to use static analysis tools in your NestJS project can reveal serious security vulnerabilities that were missed during code review. This article covers 6 different vulnerabilities found in a 40,000-line codebase and practical ways to fix them.