Agnech

TypeScript Patterns

68+ vulnerability patterns for TypeScript and JavaScript applications including Node.js, React, Next.js, and Express frameworks.

Overview

Bloodhound detects security vulnerabilities specific to TypeScript and JavaScript ecosystems, including modern framework patterns for React, Next.js, Express, and Node.js applications.

12
Critical
24
High
18
Medium
14
Low

Injection Vulnerabilities

Critical

SQL Injection

Unsanitized user input in SQL queries allows attackers to manipulate database operations.

Vulnerable
TypeScript
1// Vulnerable: String concatenation in SQL query
2const userId = req.query.id;
3const query = `SELECT * FROM users WHERE id = '${userId}'`;
4db.query(query);
Secure
TypeScript
1// Secure: Parameterized queries
2const userId = req.query.id;
3const query = 'SELECT * FROM users WHERE id = $1';
4db.query(query, [userId]);
Critical

NoSQL Injection

MongoDB and other NoSQL databases are vulnerable to operator injection.

Vulnerable
TypeScript
1// Vulnerable: Direct object insertion
2const user = await User.findOne({
3  username: req.body.username,
4  password: req.body.password  // Could be { $gt: "" }
5});
Secure
TypeScript
1// Secure: Type validation and sanitization
2const username = String(req.body.username);
3const password = String(req.body.password);
4const user = await User.findOne({ username, password });
Critical

Command Injection

User input passed to shell commands can execute arbitrary system commands.

Vulnerable
TypeScript
1// Vulnerable: Unsanitized command execution
2const filename = req.query.file;
3exec(`cat /uploads/${filename}`, callback);
Secure
TypeScript
1// Secure: Use execFile with arguments array
2const filename = path.basename(req.query.file);
3execFile('cat', [path.join('/uploads', filename)], callback);

Cross-Site Scripting (XSS)

High

Reflected XSS

User input reflected in HTML without proper encoding.

Vulnerable
TypeScript
1// Vulnerable: Direct HTML insertion
2res.send(`<div>Hello, ${req.query.name}</div>`);
Secure
TypeScript
1// Secure: Use template engine with auto-escaping
2import { escape } from 'html-escaper';
3res.send(`<div>Hello, ${escape(req.query.name)}</div>`);
High

DOM-Based XSS

Client-side JavaScript that inserts untrusted data into the DOM.

Vulnerable
TypeScript
1// Vulnerable: innerHTML with user data
2document.getElementById('output').innerHTML = location.hash.slice(1);
Secure
TypeScript
1// Secure: Use textContent instead
2document.getElementById('output').textContent = location.hash.slice(1);

Prototype Pollution

High

Prototype Pollution

Modifying Object.prototype through malicious input affects all objects.

Vulnerable
TypeScript
1// Vulnerable: Deep merge without prototype check
2function merge(target, source) {
3  for (const key in source) {
4    if (typeof source[key] === 'object') {
5      target[key] = merge(target[key] || {}, source[key]);
6    } else {
7      target[key] = source[key];
8    }
9  }
10  return target;
11}
Secure
TypeScript
1// Secure: Check for __proto__ and constructor
2function safeMerge(target, source) {
3  for (const key in source) {
4    if (key === '__proto__' || key === 'constructor') continue;
5    if (typeof source[key] === 'object' && source[key] !== null) {
6      target[key] = safeMerge(target[key] || {}, source[key]);
7    } else {
8      target[key] = source[key];
9    }
10  }
11  return target;
12}

Server-Side Request Forgery

Critical

Server-Side Request Forgery

Attacker-controlled URLs can access internal services and cloud metadata.

Vulnerable
TypeScript
1// Vulnerable: No URL validation
2const url = req.query.url;
3const response = await fetch(url);
4res.send(await response.text());
Secure
TypeScript
1// Secure: URL allowlist validation
2const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];
3const url = new URL(req.query.url);
4if (!ALLOWED_HOSTS.includes(url.hostname)) {
5  throw new Error('Invalid host');
6}
7const response = await fetch(url.href);

Authentication Issues

High

Weak JWT Configuration

Insecure JWT signing algorithms or weak secrets enable token forgery.

Vulnerable
TypeScript
1// Vulnerable: Algorithm confusion attack
2const token = jwt.verify(req.headers.token, publicKey);
Secure
TypeScript
1// Secure: Specify allowed algorithms
2const token = jwt.verify(req.headers.token, secret, {
3  algorithms: ['HS256'],
4  issuer: 'myapp',
5});
Medium

Timing Attack on Comparison

Non-constant-time string comparison leaks information through timing.

Vulnerable
TypeScript
1// Vulnerable: Regular comparison
2if (userToken === storedToken) { /* ... */ }
Secure
TypeScript
1// Secure: Constant-time comparison
2import { timingSafeEqual } from 'crypto';
3const isValid = timingSafeEqual(
4  Buffer.from(userToken),
5  Buffer.from(storedToken)
6);

Framework-Specific Patterns

Bloodhound also detects vulnerabilities specific to React, Next.js, Express, and other popular frameworks. See the full pattern library in the VS Code extension.