Repository: https://github.com/kongbytes/joi-security (previously `saluki/joi-security`). Language: TypeScript. License: AGPL-3.0. Description: "Detect security flaws in Joi validation schemas (XSS, SQL injection, ...) 🔥". Topics: audits, hapi, joi, js, security, sql-injection, typescript, validation, web-security, xss.

# Joi security 🔥

**This project provides a CLI for offensive and defensive security assessments on the Joi validator library. The goal is to ensure that a given Joi validation schema can resist known security attacks such as SQL injections, path traversal and SSRF attempts.**

<p align="center">
  <img src="https://raw.githubusercontent.com/Saluki/joi-security/master/docs/joi-security-results-v1.png">
</p>

<p align="center">
  <img src="https://raw.githubusercontent.com/Saluki/joi-security/master/docs/joi-security-web-v1.png">
</p>

## Getting started

Install the latest *joi-security* CLI tool using NPM.

```bash
npm install -g joi-security
```

Create a sample JavaScript file containing the Joi schema below and name it `schema.js`.

```js
// A sample Joi schema used for login validation
Joi.object().keys({
    username: Joi.string().required(),
    password: Joi.string().required()
});
```

Scan the JS file using the `joi-security` scan command.

```bash
joi-security scan ./schema.js
```

Do not include `require` or `return` statements in the provided JS file; an export named `Joi` will be provided. Keep the Joi schema to analyze as the last statement in your file, as it will otherwise be ignored.

## Web attacks

The *joi-security* CLI includes by default a wide range of attacks that will be used to test your Joi schemas:

* XSS including Markdown bypass
* SQL injections
* NoSQL injections
* RCE (*Remote Code Execution*)
* LFI (*Local File Inclusion*)
* Overflow
* SSRF
* Suspicious IP addresses
* Homograph attacks on domains & emails

Joi security will also attempt to detect the input content based on key names and perform targeted attacks. For example, when a key name matches a potential phone number, the CLI will try phone-related attacks against the Joi schema.

Credits to the awesome [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/) repository for the advanced attacks.

## Options & advanced usage

Change the output format to HTML (the default is `console` output).

```bash
joi-security scan ./schema.js --output=web
```

Each attack may be linked to a set of tags that are displayed below the payloads (`#xss,advanced`). Ignore a set of malicious payload tags with the `ignore` option, which may provide more accurate results.

```bash
joi-security scan ./schema.js --ignore=sql,markdown,overflow,aws
```

## Contributing

Clone this project and make sure to have a complete Node installation (including NPM) on your workstation. Please note that this project has currently been tested with Node LTS 12.

```bash
# Go inside the Joi security project folder
cd joi-security

# Install all project dependencies
npm install

# Run a first development scan against a Joi schema
npm run dev scan ./sandbox/blogpost-schema.js
```

## Copyright and license

"Joi security" is released under the GNU Affero General Public License. Feel free to suggest a feature, report a bug, or ask something: https://github.com/Saluki/joi-security/issues