diff --git a/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml b/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml
new file mode 100644
index 00000000..f2cfad67
--- /dev/null
+++ b/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml
@@ -0,0 +1,294 @@ +id: express-jwt-hardcoded-secret-javascript +language: javascript +severity: warning +message: >- + A hard-coded credential was detected. It is not recommended to store + credentials in source-code, as this risks secrets being leaked and used by + either an internal or external malicious adversary. It is recommended to + use environment variables to securely provide credentials or retrieve + credentials from a secure vault or HSM (Hardware Security Module). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + MATCH_SECRET_DIRECTLY: + kind: pair + inside: + stopBy: end + kind: expression_statement + all: + - has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $E + - has: + stopBy: end + kind: arguments + has: + stopBy: end + kind: object + has: + stopBy: neighbor + kind: pair + all: + - has: + stopBy: neighbor + kind: property_identifier + regex: '^secret$' + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + + - any: + - follows: + stopBy: end + kind: variable_declaration + has: + stopBy: end + kind: variable_declarator + all: + - has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^require$' + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + kind : string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-jwt$' + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: end + kind: import_clause + has: + stopBy: neighbor + kind: identifier + pattern: $E + - has: + stopBy: neighbor + kind: string + has: + stopBy: end + kind: string_fragment + regex: '^express-jwt$' + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: end + kind: import_clause + 
has: + stopBy: end + kind: namespace_import + has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-jwt$' + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: neighbor + kind: import_clause + has: + stopBy: neighbor + kind: named_imports + has: + stopBy: neighbor + kind: import_specifier + has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: end + kind: string + has: + stopBy: end + kind: string_fragment + regex: '^express-jwt$' + + MATCH_PATTERN_WITH_INSTANCE: + kind: pair + pattern: $O + inside: + stopBy: end + kind: expression_statement + all: + - has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $E + - has: + stopBy: end + kind: arguments + has: + stopBy: end + kind: object + has: + stopBy: neighbor + kind: pair + pattern: $O + all: + - has: + stopBy: neighbor + kind: property_identifier + regex: '^secret$' + - has: + stopBy: neighbor + kind: identifier + pattern: $F + - follows: + stopBy: end + kind: lexical_declaration + has: + stopBy: end + kind: variable_declarator + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $F + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + + - any: + - follows: + stopBy: end + kind: variable_declaration + has: + stopBy: end + kind: variable_declarator + all: + - has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^require$' + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + kind : string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-jwt$' + + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: end + kind: import_clause + has: + stopBy: neighbor + kind: identifier + pattern: $E + - 
has: + stopBy: neighbor + kind: string + has: + stopBy: end + kind: string_fragment + regex: '^express-jwt$' + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: end + kind: import_clause + has: + stopBy: end + kind: namespace_import + has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-jwt$' + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: neighbor + kind: import_clause + has: + stopBy: neighbor + kind: named_imports + has: + stopBy: neighbor + kind: import_specifier + has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: end + kind: string + has: + stopBy: end + kind: string_fragment + regex: '^express-jwt$' +rule: + kind: pair + any: + - matches: MATCH_SECRET_DIRECTLY + - matches: MATCH_PATTERN_WITH_INSTANCE diff --git a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml new file mode 100644 index 00000000..eea3cd2f --- /dev/null +++ b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml 
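Review bot: Both utils anchor the `jwt(...)` call with `inside: kind: expression_statement`, so a middleware that is bound first — `const auth = jwt({ secret: 'x' });` and later passed as `app.get('/p', auth, …)` — is never reported, and `MATCH_PATTERN_WITH_INSTANCE` only accepts a `lexical_declaration` for the secret variable, so `var secret = '…'` is missed even though `var jwt = require('express-jwt')` is accepted for the import. Widening the `inside` clause to `any: [kind: expression_statement, kind: lexical_declaration, kind: variable_declaration]` and adding `variable_declaration` to the secret-variable `follows` would close both gaps. A `template_string` with no substitutions is just as hard-coded as a `string` and could be matched in the same `any`. Each new form deserves an `invalid` fixture so the snapshot pins it; the same expression_statement restriction appears in the express-session rule's `MATCH_SECRET_with_Instance`.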
@@ -0,0 +1,105 @@ +id: express-session-hardcoded-secret-javascript +language: javascript +severity: warning +message: >- + A hard-coded credential was detected. It is not recommended to store + credentials in source-code, as this risks secrets being leaked and used by + either an internal or external malicious adversary. It is recommended to + use environment variables to securely provide credentials or retrieve + credentials from a secure vault or HSM (Hardware Security Module). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + MATCH_SECRET: + kind: pair + pattern: $C + inside: + stopBy: end + kind: lexical_declaration + all: + - has: + stopBy: end + kind: variable_declarator + has: + stopBy: end + kind: object + has: + stopBy: end + kind: pair + pattern: $C + all: + - has: + stopBy: end + kind: property_identifier + pattern: $S + - has: + stopBy: end + kind: string + has: + stopBy: end + kind: string_fragment + + - follows: + stopBy: end + kind: import_statement + any: + - pattern: import session from 'express' + - pattern: import session from 'express-session' + - pattern: import {session} from 'express-session' + - pattern: import * as session from 'express-session' + MATCH_SECRET_with_Instance: + kind: pair + all: + - has: + stopBy: neighbor + kind: property_identifier + regex: ^secret$ + - has: + stopBy: neighbor + kind: identifier + pattern: $SECRET + - inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: lexical_declaration + has: + stopBy: end + kind: variable_declarator + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $SECRET + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + - inside: + stopBy: end + any: + - kind: lexical_declaration + - kind: expression_statement + follows: + stopBy: end + kind: import_statement + any: + - pattern: import session 
from 'express' + - pattern: import session from 'express-session' + - pattern: import {session} from 'express-session' + - pattern: import * as session from 'express-session' + +rule: + kind: pair + any: + - matches: MATCH_SECRET + - matches: MATCH_SECRET_with_Instance + +constraints: + S: + regex: '^secret$' diff --git a/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml b/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml new file mode 100644 index 00000000..3d719833 --- /dev/null +++ b/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml 
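Review bot: The `follows` conditions in both utils accept only four literal import forms with the binding name fixed to `session`, so `import expressSession from 'express-session'` and, more importantly, the CommonJS `const session = require('express-session')` that most Express apps use are not recognised and the rule stays silent on them. Replacing the literal with a metavariable (`import $SESSION from 'express-session'`, `const $SESSION = require('express-session')`, and so on) would mirror the structure the express-jwt rule in this commit already uses. `import session from 'express'` looks like a copy error — express itself does not provide session middleware — and as written it makes a plain `import session from 'express'` file satisfy the precondition; it should be dropped unless that is intended. The rule also has no `invalid` fixture for the `require` form, so the gap is not visible in the snapshot.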
@@ -0,0 +1,97 @@ +id: node-sequelize-hardcoded-secret-argument-javascript +language: javascript +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-287] Improper Authentication. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + MATCH_BLANK_PASSWORD: + kind: string + pattern: $Q + inside: + stopBy: end + kind: lexical_declaration + all: + - has: + stopBy: end + kind: new_expression + all: + - has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: end + kind: arguments + nthChild: 2 + has: + stopBy: end + kind: string + nthChild: 3 + pattern: $Q + has: + stopBy: end + kind: string_fragment + - follows: + stopBy: end + any: + - pattern: const $E = require('sequelize') + - pattern: import $E from 'sequelize' + - pattern: import * as $E from 'sequelize' + - pattern: import {$E} from 'sequelize' + MATCH_BLANK_PASSWORD_with_instance: + kind: identifier + pattern: $W + inside: + stopBy: end + kind: lexical_declaration + all: + - has: + stopBy: end + kind: new_expression + all: + - has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: end + kind: arguments + nthChild: 2 + has: + stopBy: end + kind: identifier + nthChild: 3 + pattern: $W + - follows: + stopBy: end + any: + - pattern: const $E = require('sequelize') + - pattern: import $E from 'sequelize' + - pattern: import * as $E from 'sequelize' + - pattern: import {$E} from 'sequelize' + - follows: + stopBy: end + any: + - pattern: $W = $R + - pattern: let $W = $R +rule: + any: + - kind: string + matches: MATCH_BLANK_PASSWORD + - kind: identifier + matches: 
MATCH_BLANK_PASSWORD_with_instance +constraints: + R: + kind: string + has: + stopBy: neighbor + kind: string_fragment + diff --git a/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml new file mode 100644 index 00000000..8e8d96e8 --- /dev/null +++ b/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml 
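Review bot: The `note` cites `[CWE-287] Improper Authentication` while the message and the sibling rules in this commit describe a hard-coded credential under CWE-798; the line should read `[CWE-798] Use of Hard-coded Credentials.` so the three rules classify consistently. In `MATCH_BLANK_PASSWORD_with_instance` the `follows` clause accepts only `$W = $R` and `let $W = $R`, so `const password = '…'` — the declaration form the other two rules handle — appears not to match; adding `- pattern: const $W = $R` and `- pattern: var $W = $R` would align it, and since `R` is constrained to a string this stays narrow. Neither `invalid` fixture in the test file passes the password through a variable, so this branch is currently untested. The util name `MATCH_BLANK_PASSWORD` is misleading for a matcher that reports any string literal; `MATCH_HARDCODED_PASSWORD` would describe it.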
@@ -0,0 +1,431 @@ +id: express-jwt-hardcoded-secret-javascript +snapshots: + ? | + import express from 'express'; + import jwt from 'express-jwt'; + app.get('/protected1', jwt({ secret: 'super-secret-key' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + : labels: + - source: 'secret: ''super-secret-key''' + style: primary + start: 91 + end: 117 + - source: jwt + style: secondary + start: 85 + end: 88 + - source: secret + style: secondary + start: 91 + end: 97 + - source: super-secret-key + style: secondary + start: 100 + end: 116 + - source: '''super-secret-key''' + style: secondary + start: 99 + end: 117 + - source: 'secret: ''super-secret-key''' + style: secondary + start: 91 + end: 117 + - source: '{ secret: ''super-secret-key'' }' + style: secondary + start: 89 + end: 119 + - source: '({ secret: ''super-secret-key'' })' + style: secondary + start: 88 + end: 120 + - source: 'jwt({ secret: ''super-secret-key'' })' + style: secondary + start: 85 + end: 120 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: express-jwt + style: secondary + start: 48 + end: 59 + - source: '''express-jwt''' + style: secondary + start: 47 + end: 60 + - source: import jwt from 'express-jwt'; + style: secondary + start: 31 + end: 61 + - source: |- + app.get('/protected1', jwt({ secret: 'super-secret-key' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + style: secondary + start: 62 + end: 216 + ? 
| + import express from 'express'; + import jwt from 'express-jwt'; + const secret3 = 'static-secret'; + app.get('/protected4', jwt({ secret: secret3, issuer: 'http://issuer' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + : labels: + - source: 'secret: secret3' + style: primary + start: 124 + end: 139 + - source: jwt + style: secondary + start: 118 + end: 121 + - source: secret + style: secondary + start: 124 + end: 130 + - source: secret3 + style: secondary + start: 132 + end: 139 + - source: 'secret: secret3' + style: secondary + start: 124 + end: 139 + - source: '{ secret: secret3, issuer: ''http://issuer'' }' + style: secondary + start: 122 + end: 166 + - source: '({ secret: secret3, issuer: ''http://issuer'' })' + style: secondary + start: 121 + end: 167 + - source: 'jwt({ secret: secret3, issuer: ''http://issuer'' })' + style: secondary + start: 118 + end: 167 + - source: secret3 + style: secondary + start: 68 + end: 75 + - source: static-secret + style: secondary + start: 79 + end: 92 + - source: '''static-secret''' + style: secondary + start: 78 + end: 93 + - source: secret3 = 'static-secret' + style: secondary + start: 68 + end: 93 + - source: const secret3 = 'static-secret'; + style: secondary + start: 62 + end: 94 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: express-jwt + style: secondary + start: 48 + end: 59 + - source: '''express-jwt''' + style: secondary + start: 47 + end: 60 + - source: import jwt from 'express-jwt'; + style: secondary + start: 31 + end: 61 + - source: |- + app.get('/protected4', jwt({ secret: secret3, issuer: 'http://issuer' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + style: secondary + start: 95 + end: 263 + ? 
| + import express from 'express'; + import jwt from 'express-jwt'; + let hardcodedSecret1 = 'super-secret-key'; + app.get('/protected2', jwt({ secret: hardcodedSecret1 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + : labels: + - source: 'secret: hardcodedSecret1' + style: primary + start: 134 + end: 158 + - source: jwt + style: secondary + start: 128 + end: 131 + - source: secret + style: secondary + start: 134 + end: 140 + - source: hardcodedSecret1 + style: secondary + start: 142 + end: 158 + - source: 'secret: hardcodedSecret1' + style: secondary + start: 134 + end: 158 + - source: '{ secret: hardcodedSecret1 }' + style: secondary + start: 132 + end: 160 + - source: '({ secret: hardcodedSecret1 })' + style: secondary + start: 131 + end: 161 + - source: 'jwt({ secret: hardcodedSecret1 })' + style: secondary + start: 128 + end: 161 + - source: hardcodedSecret1 + style: secondary + start: 66 + end: 82 + - source: super-secret-key + style: secondary + start: 86 + end: 102 + - source: '''super-secret-key''' + style: secondary + start: 85 + end: 103 + - source: hardcodedSecret1 = 'super-secret-key' + style: secondary + start: 66 + end: 103 + - source: let hardcodedSecret1 = 'super-secret-key'; + style: secondary + start: 62 + end: 104 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: express-jwt + style: secondary + start: 48 + end: 59 + - source: '''express-jwt''' + style: secondary + start: 47 + end: 60 + - source: import jwt from 'express-jwt'; + style: secondary + start: 31 + end: 61 + - source: |- + app.get('/protected2', jwt({ secret: hardcodedSecret1 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + style: secondary + start: 105 + end: 257 + ? 
| + import { expressJwt } from 'express-jwt'; + const secret4 = 'jwt-hardcoded-secret'; + app.get('/protected7', expressJwt({ secret: secret4 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + : labels: + - source: 'secret: secret4' + style: primary + start: 118 + end: 133 + - source: expressJwt + style: secondary + start: 105 + end: 115 + - source: secret + style: secondary + start: 118 + end: 124 + - source: secret4 + style: secondary + start: 126 + end: 133 + - source: 'secret: secret4' + style: secondary + start: 118 + end: 133 + - source: '{ secret: secret4 }' + style: secondary + start: 116 + end: 135 + - source: '({ secret: secret4 })' + style: secondary + start: 115 + end: 136 + - source: 'expressJwt({ secret: secret4 })' + style: secondary + start: 105 + end: 136 + - source: secret4 + style: secondary + start: 48 + end: 55 + - source: jwt-hardcoded-secret + style: secondary + start: 59 + end: 79 + - source: '''jwt-hardcoded-secret''' + style: secondary + start: 58 + end: 80 + - source: secret4 = 'jwt-hardcoded-secret' + style: secondary + start: 48 + end: 80 + - source: const secret4 = 'jwt-hardcoded-secret'; + style: secondary + start: 42 + end: 81 + - source: expressJwt + style: secondary + start: 9 + end: 19 + - source: expressJwt + style: secondary + start: 9 + end: 19 + - source: '{ expressJwt }' + style: secondary + start: 7 + end: 21 + - source: '{ expressJwt }' + style: secondary + start: 7 + end: 21 + - source: express-jwt + style: secondary + start: 28 + end: 39 + - source: '''express-jwt''' + style: secondary + start: 27 + end: 40 + - source: import { expressJwt } from 'express-jwt'; + style: secondary + start: 0 + end: 41 + - source: |- + app.get('/protected7', expressJwt({ secret: secret4 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + style: secondary + start: 82 + end: 232 + ? 
| + var jwt = require('express-jwt'); + app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + : labels: + - source: 'secret: ''shhhhhhared-secret''' + style: primary + start: 62 + end: 90 + - source: jwt + style: secondary + start: 56 + end: 59 + - source: secret + style: secondary + start: 62 + end: 68 + - source: shhhhhhared-secret + style: secondary + start: 71 + end: 89 + - source: '''shhhhhhared-secret''' + style: secondary + start: 70 + end: 90 + - source: 'secret: ''shhhhhhared-secret''' + style: secondary + start: 62 + end: 90 + - source: '{ secret: ''shhhhhhared-secret'' }' + style: secondary + start: 60 + end: 92 + - source: '({ secret: ''shhhhhhared-secret'' })' + style: secondary + start: 59 + end: 93 + - source: 'jwt({ secret: ''shhhhhhared-secret'' })' + style: secondary + start: 56 + end: 93 + - source: jwt + style: secondary + start: 4 + end: 7 + - source: require + style: secondary + start: 10 + end: 17 + - source: express-jwt + style: secondary + start: 19 + end: 30 + - source: '''express-jwt''' + style: secondary + start: 18 + end: 31 + - source: ('express-jwt') + style: secondary + start: 17 + end: 32 + - source: require('express-jwt') + style: secondary + start: 10 + end: 32 + - source: jwt = require('express-jwt') + style: secondary + start: 4 + end: 32 + - source: var jwt = require('express-jwt'); + style: secondary + start: 0 + end: 33 + - source: |- + app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + style: secondary + start: 34 + end: 189 diff --git a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml new file mode 100644 index 00000000..ae94c35e --- /dev/null 
+++ b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml 
@@ -0,0 +1,183 @@ +id: express-session-hardcoded-secret-javascript +snapshots: + ? | + import * as session from 'express-session' + let a = 'a' + app.use(session({ + secret: a, + resave: false, + saveUninitialized: false, + })); + : labels: + - source: 'secret: a' + style: primary + start: 73 + end: 82 + - source: secret + style: secondary + start: 73 + end: 79 + - source: a + style: secondary + start: 81 + end: 82 + - source: a + style: secondary + start: 47 + end: 48 + - source: a + style: secondary + start: 52 + end: 53 + - source: '''a''' + style: secondary + start: 51 + end: 54 + - source: a = 'a' + style: secondary + start: 47 + end: 54 + - source: let a = 'a' + style: secondary + start: 43 + end: 54 + - source: |- + app.use(session({ + secret: a, + resave: false, + saveUninitialized: false, + })); + style: secondary + start: 55 + end: 129 + - source: import * as session from 'express-session' + style: secondary + start: 0 + end: 42 + - source: |- + app.use(session({ + secret: a, + resave: false, + saveUninitialized: false, + })); + style: secondary + start: 55 + end: 129 + ? 
| + import * as session from 'express-session' + let config = { + secret: 'a', + resave: false, + saveUninitialized: false, + } + : labels: + - source: 'secret: ''a''' + style: primary + start: 58 + end: 69 + - source: secret + style: secondary + start: 58 + end: 64 + - source: a + style: secondary + start: 67 + end: 68 + - source: '''a''' + style: secondary + start: 66 + end: 69 + - source: 'secret: ''a''' + style: secondary + start: 58 + end: 69 + - source: |- + { + secret: 'a', + resave: false, + saveUninitialized: false, + } + style: secondary + start: 56 + end: 113 + - source: |- + config = { + secret: 'a', + resave: false, + saveUninitialized: false, + } + style: secondary + start: 47 + end: 113 + - source: import * as session from 'express-session' + style: secondary + start: 0 + end: 42 + - source: |- + let config = { + secret: 'a', + resave: false, + saveUninitialized: false, + } + style: secondary + start: 43 + end: 113 + ? |- + import * as session from 'express-session' + let secret2 = { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + : labels: + - source: 'secret: ''foo''' + style: primary + start: 74 + end: 87 + - source: secret + style: secondary + start: 74 + end: 80 + - source: foo + style: secondary + start: 83 + end: 86 + - source: '''foo''' + style: secondary + start: 82 + end: 87 + - source: 'secret: ''foo''' + style: secondary + start: 74 + end: 87 + - source: |- + { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + style: secondary + start: 57 + end: 116 + - source: |- + secret2 = { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + style: secondary + start: 47 + end: 116 + - source: import * as session from 'express-session' + style: secondary + start: 0 + end: 42 + - source: |- + let secret2 = { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + style: secondary + start: 43 + end: 116 
diff --git a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml
new file mode 100644
index 00000000..c00d22c4
--- /dev/null
+++ b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml
@@ -0,0 +1,93 @@ +id: node-sequelize-hardcoded-secret-argument-javascript +snapshots: + ? | + const Sequelize = require('sequelize'); + const sequelize = new Sequelize('database', 'username', 'password', { + host: 'localhost', + port: '5433', + dialect: 'postgres' + }) + : labels: + - source: '''password''' + style: primary + start: 96 + end: 106 + - source: Sequelize + style: secondary + start: 62 + end: 71 + - source: password + style: secondary + start: 97 + end: 105 + - source: '''password''' + style: secondary + start: 96 + end: 106 + - source: |- + ('database', 'username', 'password', { + host: 'localhost', + port: '5433', + dialect: 'postgres' + }) + style: secondary + start: 71 + end: 165 + - source: |- + new Sequelize('database', 'username', 'password', { + host: 'localhost', + port: '5433', + dialect: 'postgres' + }) + style: secondary + start: 58 + end: 165 + - source: const Sequelize = require('sequelize'); + style: secondary + start: 0 + end: 39 + - source: |- + const sequelize = new Sequelize('database', 'username', 'password', { + host: 'localhost', + port: '5433', + dialect: 'postgres' + }) + style: secondary + start: 40 + end: 165 + ? 
| + const Sequelize = require('sequelize'); + const sequelize8 = new Sequelize('database', 'username', 'password', options); + : labels: + - source: '''password''' + style: primary + start: 97 + end: 107 + - source: Sequelize + style: secondary + start: 63 + end: 72 + - source: password + style: secondary + start: 98 + end: 106 + - source: '''password''' + style: secondary + start: 97 + end: 107 + - source: ('database', 'username', 'password', options) + style: secondary + start: 72 + end: 117 + - source: new Sequelize('database', 'username', 'password', options) + style: secondary + start: 59 + end: 117 + - source: const Sequelize = require('sequelize'); + style: secondary + start: 0 + end: 39 + - source: const sequelize8 = new Sequelize('database', 'username', 'password', options); + style: secondary + start: 40 + end: 118 diff --git a/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml b/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml new file mode 100644 index 00000000..122ab423 --- /dev/null +++ b/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml 
@@ -0,0 +1,44 @@ +id: express-jwt-hardcoded-secret-javascript +valid: + - | + app.get('/ok-protected', jwt({ secret: process.env.SECRET }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); +invalid: + - | + var jwt = require('express-jwt'); + app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + - | + import express from 'express'; + import jwt from 'express-jwt'; + let hardcodedSecret1 = 'super-secret-key'; + app.get('/protected2', jwt({ secret: hardcodedSecret1 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + - | + import express from 'express'; + import jwt from 'express-jwt'; + const secret3 = 'static-secret'; + app.get('/protected4', jwt({ secret: secret3, issuer: 'http://issuer' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + - | + import express from 'express'; + import jwt from 'express-jwt'; + app.get('/protected1', jwt({ secret: 'super-secret-key' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + - | + import { expressJwt } from 'express-jwt'; + const secret4 = 'jwt-hardcoded-secret'; + app.get('/protected7', expressJwt({ secret: secret4 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); diff --git a/tests/javascript/express-session-hardcoded-secret-javascript-test.yml b/tests/javascript/express-session-hardcoded-secret-javascript-test.yml new file mode 100644 index 00000000..b5059282 --- /dev/null +++ b/tests/javascript/express-session-hardcoded-secret-javascript-test.yml 
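Review bot: The single `valid` fixture has no `express-jwt` import, so it passes on the rule's import precondition rather than on the secret coming from `process.env`; a broken secret matcher would still leave this test green. Prefix the fixture with `import jwt from 'express-jwt';` so the negative case exercises the same path as the `invalid` ones. A second `valid` case where the import is present but `secret` is read from a config object would further pin the intended boundary.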
@@ -0,0 +1,31 @@ +id: express-session-hardcoded-secret-javascript +valid: + - | + let config1 = { + secret: config.secret, + resave: false, + saveUninitialized: false, + } +invalid: + - | + import * as session from 'express-session' + let config = { + secret: 'a', + resave: false, + saveUninitialized: false, + } + - | + import * as session from 'express-session' + let a = 'a' + app.use(session({ + secret: a, + resave: false, + saveUninitialized: false, + })); + - | + import * as session from 'express-session' + let secret2 = { + resave: false, + secret: 'foo', + saveUninitialized: false, + } \ No newline at end of file diff --git a/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml b/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml new file mode 100644 index 00000000..a6f15374 --- /dev/null +++ b/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml @@ -0,0 +1,21 @@ +id: node-sequelize-hardcoded-secret-argument-javascript +valid: + - | + const Sequelize = require('sequelize'); + const sequelize = new Sequelize({ + database: 'pinche', + username: 'root', + password: '123456789', + dialect: 'mysql' + }) +invalid: + - | + const Sequelize = require('sequelize'); + const sequelize = new Sequelize('database', 'username', 'password', { + host: 'localhost', + port: '5433', + dialect: 'postgres' + }) + - | + const Sequelize = require('sequelize'); + const sequelize8 = new Sequelize('database', 'username', 'password', options);
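Review bot: The `valid` fixture contains neither an `express-session` import nor a `session()` call, so it cannot trigger either util regardless of what `secret` is set to, and it therefore does not verify that `config.secret` is treated as safe. Prefix it with `import * as session from 'express-session'` (the form the `invalid` cases use) so the negative case differs from the positives only in the secret's source. A `require('express-session')` fixture under `invalid` would also document whether the CommonJS form is expected to be caught.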
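Review bot: The `valid` fixture passes a hard-coded `password: '123456789'` through the options-object constructor, so the suite now asserts that this form of hard-coded credential is acceptable, although it is the same risk the rule's message describes. If a separate rule is meant to cover the object form, a YAML comment above the fixture saying so would stop it from being read as a deliberate exemption; otherwise it belongs under `invalid`. Both `invalid` fixtures use a string literal in the third argument, so adding one such as `const password = 'secret'; new Sequelize('db', 'user', password);` would be the first test of the `MATCH_BLANK_PASSWORD_with_instance` branch.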