Chapter 2. Common Coding Mistakes Behind Top Vulnerabilities
By seeking and blundering we learn.
Johann Wolfgang von Goethe
The advisories published in npm Advisories, Snyk Vulnerability Database, and HackerOne Disclosures are a very useful learning resource. By organizing and becoming familiar with underlying patterns, we can improve the security posture of the code we ship. As we reviewed in Chapter 1, we can attribute around 87% of the vulnerabilities found in Node packages to only five vulnerability types. In this chapter, we explore these top five vulnerability types and the coding mistakes that cause them.
1. Insecure Access to Filesystem
Let’s begin by reviewing the most frequently recurring category of Node package vulnerabilities: those that compromise access to the filesystem or tamper with it. As shown in Figure 2-1, directory traversal and symlink attacks are the most prominent types of attack in this category.
Directory Traversal
Directory traversal is a very common security issue found in npm packages. To understand its disastrous potential, there might not be a better example than the Big Bug on npm itself, which was caused by an insecure dependency vulnerable ...