node-sequelize-hardcoded-secret-argument-typescript

Sakshis · Sakshis · commit 29ec62de94d1 · 2024-12-05T10:55:42.000Z
diff --git a/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml b/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml
@@ -0,0 +1,75 @@
+id: node-sequelize-hardcoded-secret-argument-typescript
+language: typescript
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-287] Improper Authentication.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+    MATCH_BLANK_PASSWORD:
+        kind: string
+        pattern: $Q
+        inside:
+               stopBy: end
+               kind: lexical_declaration
+               all:
+                - has:
+                   stopBy: end
+                   kind: new_expression
+                   all:
+                   - has:
+                      stopBy: end
+                      kind: identifier
+                      pattern: $E
+                   - has:
+                      stopBy: end
+                      kind: arguments
+                      nthChild: 2
+                      has:
+                       stopBy: end
+                       kind: string
+                       nthChild: 3
+                       pattern: $Q
+                       has:
+                            stopBy: end
+                            kind: string_fragment
+                - any:
+                    - follows:
+                       stopBy: end
+                       kind: lexical_declaration
+                       has: 
+                        stopBy: end
+                        kind: variable_declarator
+                        has:
+                            stopBy: end
+                            kind: identifier
+                            pattern: $E
+                    - follows:
+                       stopBy: end
+                       kind: import_statement
+                       has: 
+                        stopBy: end
+                        kind: import_clause
+                        has:
+                            stopBy: end
+                            kind: identifier
+                            pattern: $E
+                    - follows:
+                       stopBy: end
+                       kind: import_statement
+                       has: 
+                        stopBy: end
+                        kind: import_clause
+                        has:
+                            stopBy: end
+                            kind: identifier
+                            pattern: $E
+rule:
+    kind: string
+    matches: MATCH_BLANK_PASSWORD
diff --git a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml
@@ -0,0 +1,65 @@
+id: node-sequelize-hardcoded-secret-argument-typescript
+snapshots:
+  ? |
+    const Sequelize = require('sequelize');
+    const sequelize = new Sequelize('database', 'username', 'password', {
+    host: 'localhost',
+    port: '5433',
+    dialect: 'postgres'
+    })
+  : labels:
+    - source: '''password'''
+      style: primary
+      start: 96
+      end: 106
+    - source: Sequelize
+      style: secondary
+      start: 62
+      end: 71
+    - source: password
+      style: secondary
+      start: 97
+      end: 105
+    - source: '''password'''
+      style: secondary
+      start: 96
+      end: 106
+    - source: |-
+        ('database', 'username', 'password', {
+        host: 'localhost',
+        port: '5433',
+        dialect: 'postgres'
+        })
+      style: secondary
+      start: 71
+      end: 165
+    - source: |-
+        new Sequelize('database', 'username', 'password', {
+        host: 'localhost',
+        port: '5433',
+        dialect: 'postgres'
+        })
+      style: secondary
+      start: 58
+      end: 165
+    - source: Sequelize
+      style: secondary
+      start: 6
+      end: 15
+    - source: Sequelize = require('sequelize')
+      style: secondary
+      start: 6
+      end: 38
+    - source: const Sequelize = require('sequelize');
+      style: secondary
+      start: 0
+      end: 39
+    - source: |-
+        const sequelize = new Sequelize('database', 'username', 'password', {
+        host: 'localhost',
+        port: '5433',
+        dialect: 'postgres'
+        })
+      style: secondary
+      start: 40
+      end: 165
diff --git a/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml b/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml
@@ -0,0 +1,18 @@
+id: node-sequelize-hardcoded-secret-argument-typescript
+valid:
+  - |
+    const Sequelize = require('sequelize');
+    const sequelize = new Sequelize({
+    database: 'pinche',
+    username: 'root',
+    password: '123456789',
+    dialect: 'mysql'
+    })
+invalid:
+  - |
+    const Sequelize = require('sequelize');
+    const sequelize = new Sequelize('database', 'username', 'password', {
+    host: 'localhost',
+    port: '5433',
+    dialect: 'postgres'
+    })
