
Commit 822bc26

author
Sakshis
committed
node-sequelize-empty-password-argument-typescript
1 parent 2f95a8e commit 822bc26

3 files changed, +463 -0 lines changed

Lines changed: 176 additions & 0 deletions
@@ -0,0 +1,176 @@
1+
id: node-sequelize-empty-password-argument-typescript
2+
language: typescript
3+
severity: warning
4+
message: >-
5+
The application creates a database connection with an empty password.
6+
This can lead to unauthorized access by either an internal or external
7+
malicious actor. To prevent this vulnerability, enforce authentication
8+
when connecting to a database by using environment variables to securely
9+
provide credentials or retrieving them from a secure vault or HSM
10+
(Hardware Security Module).
11+
note: >-
12+
[CWE-287] Improper Authentication.
13+
[REFERENCES]
14+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
utils:
16+
MATCH_BLANK_PASSWORD:
17+
kind: string
18+
pattern: $Q
19+
inside:
20+
stopBy: end
21+
kind: lexical_declaration
22+
all:
23+
- has:
24+
stopBy: end
25+
kind: new_expression
26+
all:
27+
- has:
28+
stopBy: end
29+
kind: identifier
30+
pattern: $E
31+
- has:
32+
stopBy: end
33+
kind: arguments
34+
nthChild: 2
35+
has:
36+
stopBy: end
37+
kind: string
38+
nthChild: 3
39+
pattern: $Q
40+
not:
41+
has:
42+
stopBy: end
43+
kind: string_fragment
44+
- any:
45+
- follows:
46+
stopBy: end
47+
kind: lexical_declaration
48+
has:
49+
stopBy: end
50+
kind: variable_declarator
51+
has:
52+
stopBy: end
53+
kind: identifier
54+
pattern: $E
55+
- follows:
56+
stopBy: end
57+
kind: import_statement
58+
has:
59+
stopBy: end
60+
kind: import_clause
61+
has:
62+
stopBy: end
63+
kind: identifier
64+
pattern: $E
65+
- follows:
66+
stopBy: end
67+
kind: import_statement
68+
has:
69+
stopBy: end
70+
kind: import_clause
71+
has:
72+
stopBy: end
73+
kind: identifier
74+
pattern: $E
75+
76+
MATCH_BLANK_PASSWORD_WITH_INSTANCE:
77+
kind: identifier
78+
pattern: $Q
79+
inside:
80+
stopBy: end
81+
kind: lexical_declaration
82+
all:
83+
- has:
84+
stopBy: end
85+
kind: new_expression
86+
all:
87+
- has:
88+
stopBy: end
89+
kind: identifier
90+
pattern: $E
91+
- has:
92+
stopBy: end
93+
kind: arguments
94+
nthChild: 2
95+
has:
96+
stopBy: end
97+
kind: identifier
98+
nthChild: 3
99+
pattern: $Q
100+
not:
101+
has:
102+
stopBy: end
103+
kind: string_fragment
104+
- follows:
105+
stopBy: end
106+
kind: lexical_declaration
107+
has:
108+
stopBy: end
109+
kind: variable_declarator
110+
all:
111+
- has:
112+
stopBy: neighbor
113+
kind: identifier
114+
pattern: $Q
115+
- has:
116+
stopBy: neighbor
117+
kind: string
118+
not:
119+
has:
120+
stopBy: neighbor
121+
kind: string_fragment
122+
- any:
123+
- follows:
124+
stopBy: end
125+
kind: lexical_declaration
126+
has:
127+
stopBy: end
128+
kind: variable_declarator
129+
all:
130+
- has:
131+
stopBy: neighbor
132+
kind: identifier
133+
- has:
134+
stopBy: neighbor
135+
kind: call_expression
136+
all:
137+
- has:
138+
stopBy: neighbor
139+
kind: identifier
140+
regex: '^require$'
141+
- has:
142+
stopBy: neighbor
143+
kind: arguments
144+
has:
145+
stopBy: neighbor
146+
kind: string
147+
has:
148+
stopBy: neighbor
149+
kind: string_fragment
150+
regex: '^sequelize$'
151+
- follows:
152+
stopBy: end
153+
kind: import_statement
154+
has:
155+
stopBy: end
156+
kind: import_clause
157+
has:
158+
stopBy: end
159+
kind: identifier
160+
pattern: $E
161+
- follows:
162+
stopBy: end
163+
kind: import_statement
164+
has:
165+
stopBy: end
166+
kind: import_clause
167+
has:
168+
stopBy: end
169+
kind: identifier
170+
pattern: $E
171+
rule:
172+
any:
173+
- kind: string
174+
matches: MATCH_BLANK_PASSWORD
175+
- kind: identifier
176+
matches: MATCH_BLANK_PASSWORD_WITH_INSTANCE
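Review bot: in `MATCH_BLANK_PASSWORD` nothing pins `$E` to Sequelize. The `follows` branches only require that some earlier `import_statement` or `lexical_declaration` binds the same identifier `$E`; neither checks which module it came from, so any imported constructor called with an empty third string argument (`const c = new Client('db', 'user', '')`) is reported under a rule named for Sequelize. The second util already has the right idiom for the `require` form (`regex: '^sequelize$'` on the `string_fragment`); apply it to the `require` branch of the first util as well, and add the equivalent check on the import source in the `import_statement` branches, e.g. `has: { kind: string, has: { kind: string_fragment, regex: '^sequelize$' } }` next to the existing `import_clause` check. The mirror-image defect is in `MATCH_BLANK_PASSWORD_WITH_INSTANCE`: its `require` branch checks the module name, but the `kind: identifier` under `variable_declarator` carries no `pattern: $E`, so the declared name is never tied to the constructor being invoked. Two smaller points in the same hunk: the two `import_statement` alternatives inside each `any` are identical, so one of each pair can be dropped; and the edge `kind: arguments` / `has: stopBy: end` / `kind: string` / `nthChild: 3` descends into nested nodes, so an empty string that is the third element of an array or argument list nested inside the options object also matches, whereas the intended target is the direct third argument (removing `stopBy: end` on that `has`, i.e. the default neighbor search, restricts it to a direct child). Finally, these gaps are worth either documenting or covering with test cases: only `const`/`let` declarations are matched (`var db = new Sequelize(...)` is a `variable_declaration`, and `export default new Sequelize(...)` or a constructor passed straight into a call has no declaration at all, so all are skipped); an empty template literal is a `template_string`, not a `string`, and is not caught; and the URI form (`new Sequelize('postgres://user:@host/db')`) and `{ password: '' }` inside the options object lie outside the rule entirely.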
