Skip to content

Add security rules for detecting hard-coded secrets in JavaScript applications #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Dec 17, 2024
Merged

Add security rules for detecting hard-coded secrets in JavaScript applications #73

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
a4a0303
node-sequelize-hardcoded-secret-argument-javascript
Dec 5, 2024
6a07c22
express-session-hardcoded-secret-javascript
Dec 5, 2024
b538c8b
express-jwt-hardcoded-secret-javascript
Dec 5, 2024
c88b8c2
modification in express-session-hardcoded-secret-javascript
Dec 17, 2024
315c7fe
modification in express-session-hardcoded-secret-javascript
Dec 17, 2024
befcc3f
modification in express-session-hardcoded-secret-javascript
Dec 17, 2024
c56b73b
modification in node-sequelize-hardcoded-secret-argument-javascript
Dec 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
294 changes: 294 additions & 0 deletions rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,294 @@
id: express-jwt-hardcoded-secret-javascript
language: javascript
severity: warning
message: >-
A hard-coded credential was detected. It is not recommended to store
credentials in source-code, as this risks secrets being leaked and used by
either an internal or external malicious adversary. It is recommended to
use environment variables to securely provide credentials or retrieve
credentials from a secure vault or HSM (Hardware Security Module).
note: >-
[CWE-798] Use of Hard-coded Credentials.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
MATCH_SECRET_DIRECTLY:
kind: pair
inside:
stopBy: end
kind: expression_statement
all:
- has:
stopBy: end
kind: call_expression
all:
- has:
stopBy: neighbor
kind: identifier
pattern: $E
- has:
stopBy: end
kind: arguments
has:
stopBy: end
kind: object
has:
stopBy: neighbor
kind: pair
all:
- has:
stopBy: neighbor
kind: property_identifier
regex: '^secret$'
- has:
stopBy: neighbor
kind: string
has:
stopBy: neighbor
kind: string_fragment

- any:
- follows:
stopBy: end
kind: variable_declaration
has:
stopBy: end
kind: variable_declarator
all:
- has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: '^require$'
- has:
stopBy: neighbor
kind: arguments
has:
stopBy: neighbor
kind : string
has:
stopBy: neighbor
kind: string_fragment
regex: '^express-jwt$'
- follows:
stopBy: end
kind: import_statement
all:
- has:
stopBy: end
kind: import_clause
has:
stopBy: neighbor
kind: identifier
pattern: $E
- has:
stopBy: neighbor
kind: string
has:
stopBy: end
kind: string_fragment
regex: '^express-jwt$'
- follows:
stopBy: end
kind: import_statement
all:
- has:
stopBy: end
kind: import_clause
has:
stopBy: end
kind: namespace_import
has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: neighbor
kind: string
has:
stopBy: neighbor
kind: string_fragment
regex: '^express-jwt$'
- follows:
stopBy: end
kind: import_statement
all:
- has:
stopBy: neighbor
kind: import_clause
has:
stopBy: neighbor
kind: named_imports
has:
stopBy: neighbor
kind: import_specifier
has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: end
kind: string
has:
stopBy: end
kind: string_fragment
regex: '^express-jwt$'

MATCH_PATTERN_WITH_INSTANCE:
kind: pair
pattern: $O
inside:
stopBy: end
kind: expression_statement
all:
- has:
stopBy: end
kind: call_expression
all:
- has:
stopBy: neighbor
kind: identifier
pattern: $E
- has:
stopBy: end
kind: arguments
has:
stopBy: end
kind: object
has:
stopBy: neighbor
kind: pair
pattern: $O
all:
- has:
stopBy: neighbor
kind: property_identifier
regex: '^secret$'
- has:
stopBy: neighbor
kind: identifier
pattern: $F
- follows:
stopBy: end
kind: lexical_declaration
has:
stopBy: end
kind: variable_declarator
all:
- has:
stopBy: neighbor
kind: identifier
pattern: $F
- has:
stopBy: neighbor
kind: string
has:
stopBy: neighbor
kind: string_fragment

- any:
- follows:
stopBy: end
kind: variable_declaration
has:
stopBy: end
kind: variable_declarator
all:
- has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: '^require$'
- has:
stopBy: neighbor
kind: arguments
has:
stopBy: neighbor
kind : string
has:
stopBy: neighbor
kind: string_fragment
regex: '^express-jwt$'

- follows:
stopBy: end
kind: import_statement
all:
- has:
stopBy: end
kind: import_clause
has:
stopBy: neighbor
kind: identifier
pattern: $E
- has:
stopBy: neighbor
kind: string
has:
stopBy: end
kind: string_fragment
regex: '^express-jwt$'
- follows:
stopBy: end
kind: import_statement
all:
- has:
stopBy: end
kind: import_clause
has:
stopBy: end
kind: namespace_import
has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: neighbor
kind: string
has:
stopBy: neighbor
kind: string_fragment
regex: '^express-jwt$'
- follows:
stopBy: end
kind: import_statement
all:
- has:
stopBy: neighbor
kind: import_clause
has:
stopBy: neighbor
kind: named_imports
has:
stopBy: neighbor
kind: import_specifier
has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: end
kind: string
has:
stopBy: end
kind: string_fragment
regex: '^express-jwt$'
rule:
kind: pair
any:
- matches: MATCH_SECRET_DIRECTLY
- matches: MATCH_PATTERN_WITH_INSTANCE
Loading