
Commit 555997c

ESS-ENNSakshis
and
Sakshis
authored
Add YAML configs and tests for hard-coded secrets and empty passwords (#168)
* node-sequelize-empty-password-argument-typescript * node-sequelize-hardcoded-secret-argument-typescript * express-jwt-hardcoded-secret-typescript --------- Co-authored-by: Sakshis <sakshil@abc.com>
1 parent 951b38c commit 555997c

9 files changed

+1738
-0
lines changed

rules/typescript/security/express-jwt-hardcoded-secret-typescript.yml

Lines changed: 494 additions & 0 deletions
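--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: node-sequelize-empty-password-argument-typescript rule>
@@ -0,0 +1,173 @@
+id: node-sequelize-empty-password-argument-typescript
+language: typescript
+severity: warning
+message: >-
+The application creates a database connection with an empty password.
+This can lead to unauthorized access by either an internal or external
+malicious actor. To prevent this vulnerability, enforce authentication
+when connecting to a database by using environment variables to securely
+provide credentials or retrieving them from a secure vault or HSM
+(Hardware Security Module).
+note: >-
+[CWE-287] Improper Authentication.
+[REFERENCES]
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ast-grep-essentials: true
+utils:
+Match_pattern_directly:
+kind: string
+all:
+- not:
+has:
+kind: string_fragment
+- nthChild:
+position: 3
+ofRule:
+not:
+kind: comment
+- inside:
+kind: arguments
+all:
+- has:
+nthChild:
+position: 4
+ofRule:
+not:
+kind: comment
+- not:
+has:
+nthChild:
+position: 5
+ofRule:
+not:
+kind: comment
+- inside:
+kind: new_expression
+all:
+- has:
+kind: identifier
+pattern: $SQL
+- any:
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- pattern: $SQL = require('sequelize');
+- pattern: const $SQL = require('sequelize');
+- pattern: var $SQL = require('sequelize');
+- pattern: let $SQL = require('sequelize');
+- pattern: import $SQL from 'sequelize';
+- pattern: import * as $SQL from 'sequelize';
+- kind: import_statement
+all:
+- has:
+kind: import_clause
+has:
+stopBy: end
+pattern: $SQL
+- has:
+kind: string
+has:
+kind: string_fragment
+regex: ^sequelize$
+- not:
+inside:
+stopBy: end
+kind: enum_declaration
+
+Match_pattern_with_Instance:
+kind: identifier
+pattern: $PASS
+all:
+- nthChild:
+position: 3
+ofRule:
+not:
+kind: comment
+- inside:
+kind: arguments
+all:
+- not:
+has:
+nthChild:
+position: 5
+ofRule:
+not:
+kind: comment
+- has:
+nthChild:
+position: 4
+ofRule:
+not:
+kind: comment
+- inside:
+kind: new_expression
+all:
+- has:
+kind: identifier
+pattern: $SQL
+- any:
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- pattern: $SQL = require('sequelize');
+- pattern: const $SQL = require('sequelize');
+- pattern: var $SQL = require('sequelize');
+- pattern: let $SQL = require('sequelize');
+- pattern: import $SQL from 'sequelize';
+- pattern: import * as $SQL from 'sequelize';
+- kind: import_statement
+all:
+- has:
+kind: import_clause
+has:
+stopBy: end
+pattern: $SQL
+- has:
+kind: string
+has:
+kind: string_fragment
+regex: ^sequelize$
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- kind: lexical_declaration
+has:
+kind: variable_declarator
+all:
+- has:
+kind: identifier
+pattern: $PASS
+- has:
+any:
+- kind: template_string
+regex: ^``$
+- kind: string
+not:
+has:
+kind: string_fragment
+- kind: variable_declaration
+has:
+kind: variable_declarator
+all:
+- has:
+kind: identifier
+pattern: $PASS
+- has:
+kind: string
+not:
+has:
+kind: string_fragment
+- not:
+inside:
+stopBy: end
+kind: enum_declaration
+rule:
+any:
+- matches: Match_pattern_directly
+- matches: Match_pattern_with_Instance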
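Review bot: The empty template literal is only recognized in the `lexical_declaration` branch of `Match_pattern_with_Instance` (`kind: template_string` with `regex: ^``$`); the `variable_declaration` branch and `Match_pattern_directly` accept only a `kind: string` with no `string_fragment`, so a `var password = ``;` binding or a bare `` `` `` passed as the third constructor argument is not reported. Reuse the same `any:` of `template_string` / `string` alternatives in those two places so all three positions treat the two literal forms alike. The `arguments` constraint also requires a fourth argument (`has` `nthChild` `position: 4` and `not has` `position: 5`), which appears to leave the three-argument form `new Sequelize(db, user, '')` outside the rule; worth confirming that is intended, since the options object is not mandatory. YAML indentation is lost in this rendering, so the nesting described here is read from line order.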
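--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: node-sequelize-hardcoded-secret-argument-typescript rule>
@@ -0,0 +1,158 @@
+id: node-sequelize-hardcoded-secret-argument-typescript
+language: typescript
+severity: warning
+message: >-
+A secret is hard-coded in the application. Secrets stored in source
+code, such as credentials, identifiers, and other types of sensitive data,
+can be leaked and used by internal or external malicious actors. Use
+environment variables to securely provide credentials and other secrets or
+retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+[CWE-287] Improper Authentication.
+[REFERENCES]
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ast-grep-essentials: true
+utils:
+Match_pattern_directly:
+kind: string
+all:
+- has:
+kind: string_fragment
+- nthChild:
+position: 3
+ofRule:
+not:
+kind: comment
+- inside:
+kind: arguments
+all:
+- has:
+nthChild:
+position: 4
+ofRule:
+not:
+kind: comment
+- not:
+has:
+nthChild:
+position: 5
+ofRule:
+not:
+kind: comment
+- inside:
+kind: new_expression
+all:
+- has:
+kind: identifier
+pattern: $SQL
+- any:
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- pattern: $SQL = require('sequelize');
+- pattern: const $SQL = require('sequelize');
+- pattern: var $SQL = require('sequelize');
+- pattern: let $SQL = require('sequelize');
+- pattern: import $SQL from 'sequelize';
+- pattern: import * as $SQL from 'sequelize';
+- kind: import_statement
+all:
+- has:
+kind: import_clause
+has:
+stopBy: end
+pattern: $SQL
+- has:
+kind: string
+has:
+kind: string_fragment
+regex: ^sequelize$
+- not:
+inside:
+stopBy: end
+kind: enum_declaration
+
+Match_pattern_with_Instance:
+kind: identifier
+pattern: $PASS
+all:
+- nthChild:
+position: 3
+ofRule:
+not:
+kind: comment
+- inside:
+kind: arguments
+all:
+- not:
+has:
+nthChild:
+position: 5
+ofRule:
+not:
+kind: comment
+- has:
+nthChild:
+position: 4
+ofRule:
+not:
+kind: comment
+- inside:
+kind: new_expression
+all:
+- has:
+kind: identifier
+pattern: $SQL
+- any:
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- pattern: $SQL = require('sequelize');
+- pattern: const $SQL = require('sequelize');
+- pattern: var $SQL = require('sequelize');
+- pattern: let $SQL = require('sequelize');
+- pattern: import $SQL from 'sequelize';
+- pattern: import * as $SQL from 'sequelize';
+- kind: import_statement
+all:
+- has:
+kind: import_clause
+has:
+stopBy: end
+pattern: $SQL
+- has:
+kind: string
+has:
+kind: string_fragment
+regex: ^sequelize$
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- kind: lexical_declaration
+not:
+has:
+regex: ^let$
+has:
+kind: variable_declarator
+all:
+- has:
+kind: identifier
+pattern: $PASS
+- has:
+kind: string
+has:
+kind: string_fragment
+- not:
+inside:
+stopBy: end
+kind: enum_declaration
+rule:
+any:
+- matches: Match_pattern_directly
+- matches: Match_pattern_with_Instance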
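Review bot: The `note` field classifies a hard-coded secret as `[CWE-287] Improper Authentication`, which reads as copied from the empty-password rule; `[CWE-798] Use of Hard-coded Credentials` names this finding directly and would give consumers of the rule output the right weakness class. In `Match_pattern_with_Instance` the `follows` clause accepts only a `lexical_declaration` that is not `let`, so a `var secret = '...'` binding feeding the third argument is not matched, whereas the sibling empty-password rule in this commit carries a `variable_declaration` branch for exactly that case; adding the same branch here keeps the two rules consistent. Neither utility matches a non-empty `template_string`, so a backtick literal in the password position appears to go unreported as well. Indentation is not preserved in this rendering, so the nesting is inferred from line order.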
