Scanning Node.js code for security issues with NodeJsScan
1. Download the source: https://github.com/ajinabraham/NodeJsScan
2. Download Docker Toolbox for Windows: http://get.daocloud.io/#install-toolbox
3. Download and install PostgreSQL (detailed steps for Windows):
http://blog.chinaunix.net/uid-354915-id-3498734.html
https://www.enterprisedb.com/downloads/postgres-postgresql-downloads
https://www.pgadmin.org/
user:postgres,pw:admin,port:5432
4. Restart the computer and open pgAdmin4
http://127.0.0.1:49908/browser/
Create a database named nodejsscan
=================
https://ajinabraham.github.io/NodeJsScan/
Install Python 3.7 and add it to the PATH environment variable:
D:\Python\Python37\Scripts\
D:\Python\Python37\
In a cmd window:
d:
cd D:\pyworkspace\NodeJsScan
Upgrade pip first
python -m pip install --upgrade pip
Install the dependencies
pip3 install -r requirements.txt
Run the following commands
python migrate.py # Run once to create database entries required
python app.py # Testing Environment
gunicorn -b 0.0.0.0:9090 app:app # Production Environment
-----------------
D:\pyworkspace\NodeJsScan>python app.py
* Serving Flask app "app" (lazy loading)
* Environment: production
WARNING: Do not use the development server in a production environment.
Use a production WSGI server instead.
* Debug mode: off
* Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)
===========================
pip install nodejsscan
-----------------
Docker
docker build -t nodejsscan .
docker run -it -p 9090:9090 nodejsscan
-------------------
D:\pyworkspace\NodeJsScan> docker build -t nodejsscan .
This had to be run several times, downloading a lot of things, before it succeeded
Successfully built 829f23dfd371
Successfully tagged nodejsscan:latest
-----------------
docker run -it -p 9090:9090 nodejsscan
LOG: database system was shut down at 2018-08-03 09:48:02 UTC
LOG: MultiXact member wraparound protections are now enabled
LOG: database system is ready to accept connections
LOG: autovacuum launcher started
[INFO] Table entries created!
[2018-08-03 09:48:09 +0000] [57] [INFO] Starting gunicorn 19.9.0
[2018-08-03 09:48:09 +0000] [57] [INFO] Listening at: http://0.0.0.0:9090 (57)
[2018-08-03 09:48:09 +0000] [57] [INFO] Using worker: sync
[2018-08-03 09:48:09 +0000] [60] [INFO] Booting worker with pid: 60
=========================
In another console, cd into the directory containing the JS files and run nodejsscan -d <folder name>
d:
D:\nodejsspace>nodejsscan -d yourjsdir
The output looks something like:
[INFO] Running Static Analyzer on - yourjsdir
{
"files": [
{
"\\app.js": "yourjsdir\\app.js"
},
The output above is a representative example.
In addition, once the app is deployed, the scan results can be viewed in the web UI.
=========================
Errors you may encounter:
'pip3' 不是內部或外部命令,也不是可運行的程序
Fix: add the Python Scripts directory to the PATH environment variable, e.g.:
D:\Program Files (x86)\pgAdmin 4\v3\venv\Scripts
pip3 install -r requirements.txt
Fatal error in launcher: Unable to create process using '"'
python -m pip3 install -r requirements.txt
D:\Program Files (x86)\pgAdmin 4\v3\venv\Scripts\python.exe: No module named pip3
pip3 needs to be installed first, or upgraded, or run the command with pip instead
----------------
pip3 install -r requirements.txt
python3 migrate.py # Run once to create database entries required
python3 app.py # Testing Environment
gunicorn -b 0.0.0.0:9090 app:app # Production Environment
--------------
pip3 install -r requirements.txt
python migrate.py # Run once to create database entries required
python app.py # Testing Environment
gunicorn -b 0.0.0.0:9090 app:app # Production Environment
-----------------
docker run -it -p 9090:9090 nodejsscan
D:\pyworkspace\NodeJsScan>docker run -it -p 9090:9090 nodejsscan
Unable to find image 'nodejsscan:latest' locally
docker: Error response from daemon: pull access denied for nodejsscan, repository does not exist or may require 'docker login'.
See 'docker run --help'.
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
================
Node.js anti-XSS plugin
var express = require('express');   // assumed: router below is an Express router
var request = require('request');
var router = express.Router();
var xss = require('node-xss').clean;
// urlMap is defined elsewhere in the application (not shown in this note)

router.post("/orders/insert-orders", function (req, res) {
    // Run the XSS filter over the request body before forwarding it
    var data = xss(req.body);
    var url = urlMap.englishlistenspeakserver + '/orders/insert-orders';
    var options = {
        url: url,
        method: 'POST',
        json: true,
        qs: data
    };
    request(options, function (error, response, body) {
        // note: error is not checked here; the upstream body is returned as-is
        res.send(body);
    });
});
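As an added example (not code from the original note or from the node-xss project), the following shows what a recursive request-body filter of the kind the route above relies on does to a constructed body, with the upstream request replaced by a pluggable forward function so it runs offline; the names escapeHtml, cleanBody and makeInsertOrdersHandler are assumed here.

```javascript
// Escape the characters that let a string break out of an HTML text or
// attribute context. Output-side escaping remains the primary defence;
// this input-side pass mirrors what the note's xss(req.body) call does.
function escapeHtml(value) {
  return value.replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// Walk a JSON-like body (objects, arrays, primitives) and escape every
// string leaf. Numbers, booleans and null pass through unchanged and the
// original object is never mutated.
function cleanBody(input) {
  if (typeof input === 'string') return escapeHtml(input);
  if (Array.isArray(input)) return input.map(cleanBody);
  if (input !== null && typeof input === 'object') {
    const out = {};
    for (const key of Object.keys(input)) {
      // Keys of a JSON body are client-controlled too, so escape them as well.
      out[escapeHtml(key)] = cleanBody(input[key]);
    }
    return out;
  }
  return input;
}

// Handler shaped like the note's /orders/insert-orders route. `forward`
// stands in for request(options, ...) so no network call is made.
function makeInsertOrdersHandler(forward) {
  return function handler(req, res) {
    const data = cleanBody(req.body);   // filter before forwarding upstream
    return forward({ method: 'POST', json: true, qs: data }, res);
  };
}

// Constructed sample request: an order note carrying markup.
const sampleReq = {
  body: { orderId: 42, note: '<script>alert(1)</script>', tags: ['a&b'] },
};

// Stand-alone run: capture what would have been sent upstream.
const sent = makeInsertOrdersHandler((opts) => opts)(sampleReq, null);
console.log(JSON.stringify(sent.qs));
```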