npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

sast-json-schema

v0.0.0-alpha.4

Published

Meta-schema for the Static Application Security Testing (SAST) of JSON Schemas

Downloads

575

Readme

sast-json-schema

Meta-schema for the Static Application Security Testing (SAST) of JSON Schemas

High-level functionality

  • Ensure strictness of inperputation.
  • Ensure integer or number are within a safe range.
  • Ensure string have defined allowed values and length.
  • Ensure arrays have defined types and lenth.
  • Ensure object have defined properties and count.

How to run

Manually

ajv = new Ajv({strictTypes: false})
const isSchemaSecure = ajv.compile(require("sast-json-schema/index.json"))
isSchemaSecure(schema)

cli

Using ajv-cmd

ajv sast path/to/schema.json

OWASP ASVS 5.0 (2024-10)

The following criteria should be considered when writing JSON Schemas used for input validation of an API endpoint.

  • 1.5.1: Verify that input validation rules define how to check the validity of data items against an expected structure. This could be common data formats such as credit card numbers, e-mail addresses, telephone numbers, or it could be an internal data format.
  • 1.5.5: Verify that input validation rules are documented and define how to ensure the logical and contextual consistency of combined data items, such as checking that suburb and zipcode match.
  • 5.1.1: Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (query string, body parameters, cookies, or headers).
  • 5.1.3: Verify that all input is validated using positive validation, against an allowed list of values, patterns or ranges to enforce business or functional expectations for that input.
  • 5.1.4: Verify that data items with an expected structure are validated according to the pre-defined rules.
  • 5.1.6: Verify that untrusted input is validated for length before being included in a cookie (including as part of a JWT) and that the cookie name and value length combined are not over 4096 bytes.
  • 5.1.8: Verify that the application validates that user-controlled input in HTTP request header fields does not exceed the server's maximum header field size limit (usually 4kB or 8kB) to prevent client-based denial of service attacks.
  • 5.2.2: Verify that data being passed to a potentially dangerous context is sanitized beforehand to enforce safety measures, such as only allowing characters which are safe for this context and trimming input which is too long.
  • 5.4.3: Verify that sign, range, and input validation techniques are used to prevent integer overflows.
  • 5.5.3: Verify that if deserialization is used when communicating with untrusted clients, the input is handled safely. For example, by only allowing a allowlist of object types or not allowing the client to define the object type to deserialize to, in order to prevent deserialization attacks.
  • 10.4.4: Verify that the application has countermeasures to protect against mass assignment attacks by limiting allowed fields per controller and action, e.g. it is not possible to insert or update a field value when it was not intended to be part of that action.
  • 13.2.2: Verify that JSON schema validation is in place and verified before accepting input.
  • 13.2.5: Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json.
  • 13.6.1: Verify that the application only responds to HTTP methods in use by the application or by the API (including OPTIONS during preflight requests) and unused methods (e.g. TRACE) are blocked.
  • 13.7.1: Verify that the value in the Content-Length request header matches the calculated length using the built-in mechanism.

Sources

Contributions

Contributions are most welcome. Something missed, please reach out. I'd also love for security experts to give it an audit.