From a4a0303d805d7982cad8f1040f5e809397038925 Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Thu, 5 Dec 2024 06:44:34 +0000
Subject: [PATCH 1/7] node-sequelize-hardcoded-secret-argument-javascript
---
...e-hardcoded-secret-argument-javascript.yml | 75 ++++++++++++
...ed-secret-argument-javascript-snapshot.yml | 109 ++++++++++++++++++
...dcoded-secret-argument-javascript-test.yml | 21 ++++
3 files changed, 205 insertions(+)
create mode 100644 rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml
create mode 100644 tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml
create mode 100644 tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml
diff --git a/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml b/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml
new file mode 100644
index 00000000..45894b85
--- /dev/null
+++ b/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml
@@ -0,0 +1,75 @@
+id: node-sequelize-hardcoded-secret-argument-javascript
+language: javascript
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-287] Improper Authentication.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+ MATCH_BLANK_PASSWORD:
+ kind: string
+ pattern: $Q
+ inside:
+ stopBy: end
+ kind: lexical_declaration
+ all:
+ - has:
+ stopBy: end
+ kind: new_expression
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ pattern: $E
+ - has:
+ stopBy: end
+ kind: arguments
+ nthChild: 2
+ has:
+ stopBy: end
+ kind: string
+ nthChild: 3
+ pattern: $Q
+ has:
+ stopBy: end
+ kind: string_fragment
+ - any:
+ - follows:
+ stopBy: end
+ kind: lexical_declaration
+ has:
+ stopBy: end
+ kind: variable_declarator
+ has:
+ stopBy: end
+ kind: identifier
+ pattern: $E
+ - follows:
+ stopBy: end
+ kind: import_statement
+ has:
+ stopBy: end
+ kind: import_clause
+ has:
+ stopBy: end
+ kind: identifier
+ pattern: $E
+ - follows:
+ stopBy: end
+ kind: import_statement
+ has:
+ stopBy: end
+ kind: import_clause
+ has:
+ stopBy: end
+ kind: identifier
+ pattern: $E
+rule:
+ kind: string
+ matches: MATCH_BLANK_PASSWORD
diff --git a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml
new file mode 100644
index 00000000..a395d218
--- /dev/null
+++ b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml
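Review bot: The `lexical_declaration` branch of the `any` only requires that some preceding `const`/`let` declares the identifier `$E`; it never looks at what is required, so `const Foo = require('anything'); const x = new Foo('a', 'b', 'c')` is reported as a Sequelize credential — the express-session and express-jwt rules in this same series pin the module with a `regex` on the `require` argument, and this rule should do the same with `regex: '^sequelize$'` (the rewritten branch is below; the `import_statement` branches have the same gap and could be pinned via their `string` child). The two `import_statement` branches are byte-identical, so one of them can be dropped. The `note` cites `[CWE-287] Improper Authentication` while the message describes a hard-coded credential; the sibling rules use `[CWE-798] Use of Hard-coded Credentials.`, which is the matching weakness. The util name `MATCH_BLANK_PASSWORD` is misleading: the `has: kind: string_fragment` condition requires a non-empty literal, so an empty password string is exactly what it does not match — `MATCH_HARDCODED_PASSWORD_ARG` would describe it. Because the whole match is `inside: kind: lexical_declaration`, a `var sequelize = new Sequelize(...)` (a `variable_declaration`) is also never inspected.
```yaml
# … unchanged: MATCH_BLANK_PASSWORD head and the new_expression / arguments matching …
      - any:
          - follows:
              stopBy: end
              kind: lexical_declaration
              has:
                stopBy: end
                kind: variable_declarator
                all:
                  - has:
                      stopBy: end
                      kind: identifier
                      pattern: $E
                  - has:
                      stopBy: neighbor
                      kind: call_expression
                      all:
                        - has:
                            stopBy: neighbor
                            kind: identifier
                            regex: '^require$'
                        - has:
                            stopBy: neighbor
                            kind: arguments
                            has:
                              stopBy: neighbor
                              kind: string
                              has:
                                stopBy: neighbor
                                kind: string_fragment
                                regex: '^sequelize$'
# … unchanged: import_statement branch, rule section …
```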
@@ -0,0 +1,109 @@ +id: node-sequelize-hardcoded-secret-argument-javascript +snapshots: + ? | + const Sequelize = require('sequelize'); + const sequelize = new Sequelize('database', 'username', 'password', { + host: 'localhost', + port: '5433', + dialect: 'postgres' + }) + : labels: + - source: '''password''' + style: primary + start: 96 + end: 106 + - source: Sequelize + style: secondary + start: 62 + end: 71 + - source: password + style: secondary + start: 97 + end: 105 + - source: '''password''' + style: secondary + start: 96 + end: 106 + - source: |- + ('database', 'username', 'password', { + host: 'localhost', + port: '5433', + dialect: 'postgres' + }) + style: secondary + start: 71 + end: 165 + - source: |- + new Sequelize('database', 'username', 'password', { + host: 'localhost', + port: '5433', + dialect: 'postgres' + }) + style: secondary + start: 58 + end: 165 + - source: Sequelize + style: secondary + start: 6 + end: 15 + - source: Sequelize = require('sequelize') + style: secondary + start: 6 + end: 38 + - source: const Sequelize = require('sequelize'); + style: secondary + start: 0 + end: 39 + - source: |- + const sequelize = new Sequelize('database', 'username', 'password', { + host: 'localhost', + port: '5433', + dialect: 'postgres' + }) + style: secondary + start: 40 + end: 165 + ? 
| + const Sequelize = require('sequelize'); + const sequelize8 = new Sequelize('database', 'username', 'password', options); + : labels: + - source: '''password''' + style: primary + start: 97 + end: 107 + - source: Sequelize + style: secondary + start: 63 + end: 72 + - source: password + style: secondary + start: 98 + end: 106 + - source: '''password''' + style: secondary + start: 97 + end: 107 + - source: ('database', 'username', 'password', options) + style: secondary + start: 72 + end: 117 + - source: new Sequelize('database', 'username', 'password', options) + style: secondary + start: 59 + end: 117 + - source: Sequelize + style: secondary + start: 6 + end: 15 + - source: Sequelize = require('sequelize') + style: secondary + start: 6 + end: 38 + - source: const Sequelize = require('sequelize'); + style: secondary + start: 0 + end: 39 + - source: const sequelize8 = new Sequelize('database', 'username', 'password', options); + style: secondary + start: 40 + end: 118
diff --git a/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml b/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml
new file mode 100644
index 00000000..a6f15374
--- /dev/null
+++ b/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml
@@ -0,0 +1,21 @@
+id: node-sequelize-hardcoded-secret-argument-javascript
+valid:
+ - |
+ const Sequelize = require('sequelize');
+ const sequelize = new Sequelize({
+ database: 'pinche',
+ username: 'root',
+ password: '123456789',
+ dialect: 'mysql'
+ })
+invalid:
+ - |
+ const Sequelize = require('sequelize');
+ const sequelize = new Sequelize('database', 'username', 'password', {
+ host: 'localhost',
+ port: '5433',
+ dialect: 'postgres'
+ })
+ - |
+ const Sequelize = require('sequelize');
+ const sequelize8 = new Sequelize('database', 'username', 'password', options);
From 6a07c2298648ee1f1592d27304c40bcce9552b93 Mon Sep 17 00:00:00 2001
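Review bot: The only `valid` case passes `password: '123456789'` in the options-object form of the `Sequelize` constructor, which is itself a hard-coded credential; listing it under `valid` codifies a blind spot of the rule (it only inspects the third positional `string`) rather than demonstrating a safe pattern. A negative case that actually exercises the inspected path would be the same `require('sequelize')` line followed by `const sequelize = new Sequelize('database', 'username', process.env.DB_PASSWORD, { dialect: 'postgres' });`, showing that a non-literal third argument is not reported. If the object form is kept as a known gap, a short comment saying so would stop a later reader from treating it as an endorsed pattern.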
From: Sakshis
Date: Thu, 5 Dec 2024 06:54:58 +0000
Subject: [PATCH 2/7] express-session-hardcoded-secret-javascript
---
...ss-session-hardcoded-secret-javascript.yml | 255 +++++++++++++++++
...n-hardcoded-secret-javascript-snapshot.yml | 270 ++++++++++++++++++
...ssion-hardcoded-secret-javascript-test.yml | 31 ++
3 files changed, 556 insertions(+)
create mode 100644 rules/javascript/security/express-session-hardcoded-secret-javascript.yml
create mode 100644 tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml
create mode 100644 tests/javascript/express-session-hardcoded-secret-javascript-test.yml
diff --git a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml
new file mode 100644
index 00000000..240c5683
--- /dev/null
+++ b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml
@@ -0,0 +1,255 @@ +id: express-session-hardcoded-secret-javascript +language: javascript +severity: warning +message: >- + A hard-coded credential was detected. It is not recommended to store + credentials in source-code, as this risks secrets being leaked and used by + either an internal or external malicious adversary. It is recommended to + use environment variables to securely provide credentials or retrieve + credentials from a secure vault or HSM (Hardware Security Module). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + MATCH_SECRET: + kind: pair + pattern: $C + inside: + stopBy: end + kind: lexical_declaration + all: + - has: + stopBy: end + kind: variable_declarator + has: + stopBy: end + kind: object + has: + stopBy: end + kind: pair + pattern: $C + all: + - has: + stopBy: end + kind: property_identifier + pattern: $S + - has: + stopBy: end + kind: string + has: + stopBy: end + kind: string_fragment + + - any: + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: end + kind: import_clause + has: + stopBy: neighbor + kind: identifier + pattern: $T + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-session$' + + - follows: + stopBy: end + kind: expression_statement + has: + stopBy: end + kind: assignment_expression + has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^require$' + - has: + stopBy: end + kind: arguments + has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-session$' + + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: neighbor + kind: import_clause + has: + stopBy: neighbor + kind: namespace_import + has: + stopBy: neighbor + kind: identifier + pattern: $T + - has: + stopBy: neighbor + kind: string + has: + 
stopBy: neighbor + kind: string_fragment + regex: '^express-session$' + + MATCH_SECRET_INSIDE_APP: + kind: pair + pattern: $C + inside: + stopBy: end + kind: expression_statement + all: + - has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: end + kind: member_expression + all: + - has: + stopBy: end + kind: identifier + - has: + stopBy: end + kind: property_identifier + regex: '^use$' + - has: + stopBy: end + kind: arguments + has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: end + kind: identifier + pattern: $T + - has: + stopBy: end + kind: object + has: + stopBy: end + kind: pair + pattern: $C + all: + - has: + stopBy: end + kind: property_identifier + pattern: $S + - any: + - has: + stopBy: neighbor + kind: identifier + - has: + stopBy: neighbor + kind: string + + - any: + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: end + kind: import_clause + has: + stopBy: neighbor + kind: identifier + pattern: $T + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-session$' + + - follows: + stopBy: end + kind: expression_statement + has: + stopBy: end + kind: assignment_expression + has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^require$' + - has: + stopBy: end + kind: arguments + has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-session$' + + - follows: + stopBy: end + kind: import_statement + has: + stopBy: end + kind: import_clause + all: + - has: + stopBy: end + kind: named_imports + has: + stopBy: end + kind: import_specifier + has: + stopBy: end + kind: identifier + pattern: $T + + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: neighbor + kind: import_clause + has: + stopBy: neighbor + kind: namespace_import + has: + stopBy: neighbor + kind: identifier + pattern: $T + - has: + stopBy: neighbor + 
kind: string
+ has:
+ stopBy: neighbor
+ kind: string_fragment
+ regex: '^express-session$'
+rule:
+ kind: pair
+ any:
+ - matches: MATCH_SECRET
+ - matches: MATCH_SECRET_INSIDE_APP
+constraints:
+ S:
+ regex: '^secret$'
diff --git a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml
new file mode 100644
index 00000000..ba0da278
--- /dev/null
+++ b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml
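Review bot: The CommonJS branch of both `MATCH_SECRET` and `MATCH_SECRET_INSIDE_APP` accepts only `expression_statement` → `assignment_expression`, i.e. a bare `session = require('express-session')`; the usual `const session = require('express-session')` parses as a `lexical_declaration` (and `var …` as a `variable_declaration`), so a file written that way is never reported — a branch for the declaration form is sketched below. The express-jwt rule added in the next commit of this series has the mirror-image gap: its `require` branch matches `variable_declaration` only, so `const jwt = require('express-jwt')` is missed there. In `MATCH_SECRET_INSIDE_APP` the `secret` value may be any `identifier`, so `const s = process.env.SESSION_SECRET; app.use(session({ secret: s, … }))` is reported as hard-coded; the express-jwt rule resolves the identifier back to a `lexical_declaration` whose initializer is a `string` (`MATCH_PATTERN_WITH_INSTANCE`), and the same `follows` check belongs in the `identifier` alternative here. The `stopBy: end` on the `import_clause` → `identifier` check in the first import branch will also accept a named import such as `import { x } from 'express-session'` as `$T`, whereas the namespace branch uses `stopBy: neighbor`; pick one consistently.
```yaml
# … unchanged: MATCH_SECRET pair / lexical_declaration / object matching …
      - any:
          - follows:
              stopBy: end
              kind: lexical_declaration
              has:
                stopBy: end
                kind: variable_declarator
                has:
                  stopBy: neighbor
                  kind: call_expression
                  all:
                    - has:
                        stopBy: neighbor
                        kind: identifier
                        regex: '^require$'
                    - has:
                        stopBy: neighbor
                        kind: arguments
                        has:
                          stopBy: neighbor
                          kind: string
                          has:
                            stopBy: neighbor
                            kind: string_fragment
                            regex: '^express-session$'
# … unchanged: existing import_statement and assignment_expression branches …
```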
@@ -0,0 +1,270 @@ +id: express-session-hardcoded-secret-javascript +snapshots: + ? | + import * as session from 'express-session' + let a = 'a' + app.use(session({ + secret: a, + resave: false, + saveUninitialized: false, + })); + : labels: + - source: 'secret: a' + style: primary + start: 73 + end: 82 + - source: app + style: secondary + start: 55 + end: 58 + - source: use + style: secondary + start: 59 + end: 62 + - source: app.use + style: secondary + start: 55 + end: 62 + - source: session + style: secondary + start: 63 + end: 70 + - source: secret + style: secondary + start: 73 + end: 79 + - source: a + style: secondary + start: 81 + end: 82 + - source: 'secret: a' + style: secondary + start: 73 + end: 82 + - source: |- + { + secret: a, + resave: false, + saveUninitialized: false, + } + style: secondary + start: 71 + end: 126 + - source: |- + session({ + secret: a, + resave: false, + saveUninitialized: false, + }) + style: secondary + start: 63 + end: 127 + - source: |- + (session({ + secret: a, + resave: false, + saveUninitialized: false, + })) + style: secondary + start: 62 + end: 128 + - source: |- + app.use(session({ + secret: a, + resave: false, + saveUninitialized: false, + })) + style: secondary + start: 55 + end: 128 + - source: session + style: secondary + start: 12 + end: 19 + - source: '* as session' + style: secondary + start: 7 + end: 19 + - source: '* as session' + style: secondary + start: 7 + end: 19 + - source: express-session + style: secondary + start: 26 + end: 41 + - source: '''express-session''' + style: secondary + start: 25 + end: 42 + - source: import * as session from 'express-session' + style: secondary + start: 0 + end: 42 + - source: |- + app.use(session({ + secret: a, + resave: false, + saveUninitialized: false, + })); + style: secondary + start: 55 + end: 129 + ? 
| + import * as session from 'express-session' + let config = { + secret: 'a', + resave: false, + saveUninitialized: false, + } + : labels: + - source: 'secret: ''a''' + style: primary + start: 58 + end: 69 + - source: secret + style: secondary + start: 58 + end: 64 + - source: a + style: secondary + start: 67 + end: 68 + - source: '''a''' + style: secondary + start: 66 + end: 69 + - source: 'secret: ''a''' + style: secondary + start: 58 + end: 69 + - source: |- + { + secret: 'a', + resave: false, + saveUninitialized: false, + } + style: secondary + start: 56 + end: 113 + - source: |- + config = { + secret: 'a', + resave: false, + saveUninitialized: false, + } + style: secondary + start: 47 + end: 113 + - source: session + style: secondary + start: 12 + end: 19 + - source: '* as session' + style: secondary + start: 7 + end: 19 + - source: '* as session' + style: secondary + start: 7 + end: 19 + - source: express-session + style: secondary + start: 26 + end: 41 + - source: '''express-session''' + style: secondary + start: 25 + end: 42 + - source: import * as session from 'express-session' + style: secondary + start: 0 + end: 42 + - source: |- + let config = { + secret: 'a', + resave: false, + saveUninitialized: false, + } + style: secondary + start: 43 + end: 113 + ? 
|- + import * as session from 'express-session' + let secret2 = { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + : labels: + - source: 'secret: ''foo''' + style: primary + start: 74 + end: 87 + - source: secret + style: secondary + start: 74 + end: 80 + - source: foo + style: secondary + start: 83 + end: 86 + - source: '''foo''' + style: secondary + start: 82 + end: 87 + - source: 'secret: ''foo''' + style: secondary + start: 74 + end: 87 + - source: |- + { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + style: secondary + start: 57 + end: 116 + - source: |- + secret2 = { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + style: secondary + start: 47 + end: 116 + - source: session + style: secondary + start: 12 + end: 19 + - source: '* as session' + style: secondary + start: 7 + end: 19 + - source: '* as session' + style: secondary + start: 7 + end: 19 + - source: express-session + style: secondary + start: 26 + end: 41 + - source: '''express-session''' + style: secondary + start: 25 + end: 42 + - source: import * as session from 'express-session' + style: secondary + start: 0 + end: 42 + - source: |- + let secret2 = { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + style: secondary + start: 43 + end: 116 diff --git a/tests/javascript/express-session-hardcoded-secret-javascript-test.yml b/tests/javascript/express-session-hardcoded-secret-javascript-test.yml new file mode 100644 index 00000000..b5059282 --- /dev/null +++ b/tests/javascript/express-session-hardcoded-secret-javascript-test.yml 
@@ -0,0 +1,31 @@
+id: express-session-hardcoded-secret-javascript
+valid:
+ - |
+ let config1 = {
+ secret: config.secret,
+ resave: false,
+ saveUninitialized: false,
+ }
+invalid:
+ - |
+ import * as session from 'express-session'
+ let config = {
+ secret: 'a',
+ resave: false,
+ saveUninitialized: false,
+ }
+ - |
+ import * as session from 'express-session'
+ let a = 'a'
+ app.use(session({
+ secret: a,
+ resave: false,
+ saveUninitialized: false,
+ }));
+ - |
+ import * as session from 'express-session'
+ let secret2 = {
+ resave: false,
+ secret: 'foo',
+ saveUninitialized: false,
+ }
\ No newline at end of file
From b538c8b6213e19b250f74310c26b3e56eee1bced Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Thu, 5 Dec 2024 07:08:29 +0000
Subject: [PATCH 3/7] express-jwt-hardcoded-secret-javascript
---
...xpress-jwt-hardcoded-secret-javascript.yml | 294 ++++++++++++
...t-hardcoded-secret-javascript-snapshot.yml | 431 ++++++++++++++++++
...s-jwt-hardcoded-secret-javascript-test.yml | 44 ++
3 files changed, 769 insertions(+)
create mode 100644 rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml
create mode 100644 tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml
create mode 100644 tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml
diff --git a/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml b/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml
new file mode 100644
index 00000000..f2cfad67
--- /dev/null
+++ b/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml
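Review bot: The single `valid` case has no `express-session` import, so neither util can match it whatever the `secret:` value is; it does not show that `secret: config.secret` is what keeps it out of the report. Prefixing it with `import * as session from 'express-session'` makes it a real negative test, and a second valid case such as `app.use(session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: false }));` with the same import would cover the `app.use` path, where a `member_expression` value is correctly left alone. A third case, `const s = process.env.SESSION_SECRET; app.use(session({ secret: s }))` with the import, would currently be reported because `MATCH_SECRET_INSIDE_APP` accepts any `identifier` value, so adding it documents that gap in the suite. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other two test files in this series.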
@@ -0,0 +1,294 @@ +id: express-jwt-hardcoded-secret-javascript +language: javascript +severity: warning +message: >- + A hard-coded credential was detected. It is not recommended to store + credentials in source-code, as this risks secrets being leaked and used by + either an internal or external malicious adversary. It is recommended to + use environment variables to securely provide credentials or retrieve + credentials from a secure vault or HSM (Hardware Security Module). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + MATCH_SECRET_DIRECTLY: + kind: pair + inside: + stopBy: end + kind: expression_statement + all: + - has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $E + - has: + stopBy: end + kind: arguments + has: + stopBy: end + kind: object + has: + stopBy: neighbor + kind: pair + all: + - has: + stopBy: neighbor + kind: property_identifier + regex: '^secret$' + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + + - any: + - follows: + stopBy: end + kind: variable_declaration + has: + stopBy: end + kind: variable_declarator + all: + - has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^require$' + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + kind : string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-jwt$' + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: end + kind: import_clause + has: + stopBy: neighbor + kind: identifier + pattern: $E + - has: + stopBy: neighbor + kind: string + has: + stopBy: end + kind: string_fragment + regex: '^express-jwt$' + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: end + kind: import_clause + 
has: + stopBy: end + kind: namespace_import + has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-jwt$' + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: neighbor + kind: import_clause + has: + stopBy: neighbor + kind: named_imports + has: + stopBy: neighbor + kind: import_specifier + has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: end + kind: string + has: + stopBy: end + kind: string_fragment + regex: '^express-jwt$' + + MATCH_PATTERN_WITH_INSTANCE: + kind: pair + pattern: $O + inside: + stopBy: end + kind: expression_statement + all: + - has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $E + - has: + stopBy: end + kind: arguments + has: + stopBy: end + kind: object + has: + stopBy: neighbor + kind: pair + pattern: $O + all: + - has: + stopBy: neighbor + kind: property_identifier + regex: '^secret$' + - has: + stopBy: neighbor + kind: identifier + pattern: $F + - follows: + stopBy: end + kind: lexical_declaration + has: + stopBy: end + kind: variable_declarator + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $F + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + + - any: + - follows: + stopBy: end + kind: variable_declaration + has: + stopBy: end + kind: variable_declarator + all: + - has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^require$' + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + kind : string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-jwt$' + + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: end + kind: import_clause + has: + stopBy: neighbor + kind: identifier + pattern: $E + - 
has:
+ stopBy: neighbor
+ kind: string
+ has:
+ stopBy: end
+ kind: string_fragment
+ regex: '^express-jwt$'
+ - follows:
+ stopBy: end
+ kind: import_statement
+ all:
+ - has:
+ stopBy: end
+ kind: import_clause
+ has:
+ stopBy: end
+ kind: namespace_import
+ has:
+ stopBy: end
+ kind: identifier
+ pattern: $E
+ - has:
+ stopBy: neighbor
+ kind: string
+ has:
+ stopBy: neighbor
+ kind: string_fragment
+ regex: '^express-jwt$'
+ - follows:
+ stopBy: end
+ kind: import_statement
+ all:
+ - has:
+ stopBy: neighbor
+ kind: import_clause
+ has:
+ stopBy: neighbor
+ kind: named_imports
+ has:
+ stopBy: neighbor
+ kind: import_specifier
+ has:
+ stopBy: end
+ kind: identifier
+ pattern: $E
+ - has:
+ stopBy: end
+ kind: string
+ has:
+ stopBy: end
+ kind: string_fragment
+ regex: '^express-jwt$'
+rule:
+ kind: pair
+ any:
+ - matches: MATCH_SECRET_DIRECTLY
+ - matches: MATCH_PATTERN_WITH_INSTANCE
diff --git a/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml
new file mode 100644
index 00000000..8e8d96e8
--- /dev/null
+++ b/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml
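Review bot: `MATCH_SECRET_DIRECTLY` does not tie the reported `pair` to the `secret` pair it searches for: the top-level `kind: pair` carries no `pattern`, and the inner `has: kind: pair` only needs to exist somewhere in the same `expression_statement`, so for `jwt({ secret: 'x', issuer: 'y' })` every pair in that statement — `issuer: 'y'` included — appears to satisfy the util and would be reported as a credential. `MATCH_PATTERN_WITH_INSTANCE` already does this correctly with `pattern: $O` on both the outer pair and the inner `has` pair; adding `pattern: $O` in the same two places in `MATCH_SECRET_DIRECTLY` restricts the match to the secret pair itself, and an invalid test with a second property next to a literal `secret` would pin it. The two `kind : string` keys (space before the colon) in the `require` branches are accepted by YAML but inconsistent with every other key in the file; `kind: string` matches the rest. In `MATCH_PATTERN_WITH_INSTANCE` the identifier is resolved only through a `lexical_declaration`, so `var secret = 'x'` (a `variable_declaration`) followed by `jwt({ secret })`-style use is not resolved, which is worth a comment on the util if it is intentional.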
@@ -0,0 +1,431 @@ +id: express-jwt-hardcoded-secret-javascript +snapshots: + ? | + import express from 'express'; + import jwt from 'express-jwt'; + app.get('/protected1', jwt({ secret: 'super-secret-key' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + : labels: + - source: 'secret: ''super-secret-key''' + style: primary + start: 91 + end: 117 + - source: jwt + style: secondary + start: 85 + end: 88 + - source: secret + style: secondary + start: 91 + end: 97 + - source: super-secret-key + style: secondary + start: 100 + end: 116 + - source: '''super-secret-key''' + style: secondary + start: 99 + end: 117 + - source: 'secret: ''super-secret-key''' + style: secondary + start: 91 + end: 117 + - source: '{ secret: ''super-secret-key'' }' + style: secondary + start: 89 + end: 119 + - source: '({ secret: ''super-secret-key'' })' + style: secondary + start: 88 + end: 120 + - source: 'jwt({ secret: ''super-secret-key'' })' + style: secondary + start: 85 + end: 120 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: express-jwt + style: secondary + start: 48 + end: 59 + - source: '''express-jwt''' + style: secondary + start: 47 + end: 60 + - source: import jwt from 'express-jwt'; + style: secondary + start: 31 + end: 61 + - source: |- + app.get('/protected1', jwt({ secret: 'super-secret-key' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + style: secondary + start: 62 + end: 216 + ? 
| + import express from 'express'; + import jwt from 'express-jwt'; + const secret3 = 'static-secret'; + app.get('/protected4', jwt({ secret: secret3, issuer: 'http://issuer' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + : labels: + - source: 'secret: secret3' + style: primary + start: 124 + end: 139 + - source: jwt + style: secondary + start: 118 + end: 121 + - source: secret + style: secondary + start: 124 + end: 130 + - source: secret3 + style: secondary + start: 132 + end: 139 + - source: 'secret: secret3' + style: secondary + start: 124 + end: 139 + - source: '{ secret: secret3, issuer: ''http://issuer'' }' + style: secondary + start: 122 + end: 166 + - source: '({ secret: secret3, issuer: ''http://issuer'' })' + style: secondary + start: 121 + end: 167 + - source: 'jwt({ secret: secret3, issuer: ''http://issuer'' })' + style: secondary + start: 118 + end: 167 + - source: secret3 + style: secondary + start: 68 + end: 75 + - source: static-secret + style: secondary + start: 79 + end: 92 + - source: '''static-secret''' + style: secondary + start: 78 + end: 93 + - source: secret3 = 'static-secret' + style: secondary + start: 68 + end: 93 + - source: const secret3 = 'static-secret'; + style: secondary + start: 62 + end: 94 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: express-jwt + style: secondary + start: 48 + end: 59 + - source: '''express-jwt''' + style: secondary + start: 47 + end: 60 + - source: import jwt from 'express-jwt'; + style: secondary + start: 31 + end: 61 + - source: |- + app.get('/protected4', jwt({ secret: secret3, issuer: 'http://issuer' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + style: secondary + start: 95 + end: 263 + ? 
| + import express from 'express'; + import jwt from 'express-jwt'; + let hardcodedSecret1 = 'super-secret-key'; + app.get('/protected2', jwt({ secret: hardcodedSecret1 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + : labels: + - source: 'secret: hardcodedSecret1' + style: primary + start: 134 + end: 158 + - source: jwt + style: secondary + start: 128 + end: 131 + - source: secret + style: secondary + start: 134 + end: 140 + - source: hardcodedSecret1 + style: secondary + start: 142 + end: 158 + - source: 'secret: hardcodedSecret1' + style: secondary + start: 134 + end: 158 + - source: '{ secret: hardcodedSecret1 }' + style: secondary + start: 132 + end: 160 + - source: '({ secret: hardcodedSecret1 })' + style: secondary + start: 131 + end: 161 + - source: 'jwt({ secret: hardcodedSecret1 })' + style: secondary + start: 128 + end: 161 + - source: hardcodedSecret1 + style: secondary + start: 66 + end: 82 + - source: super-secret-key + style: secondary + start: 86 + end: 102 + - source: '''super-secret-key''' + style: secondary + start: 85 + end: 103 + - source: hardcodedSecret1 = 'super-secret-key' + style: secondary + start: 66 + end: 103 + - source: let hardcodedSecret1 = 'super-secret-key'; + style: secondary + start: 62 + end: 104 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: jwt + style: secondary + start: 38 + end: 41 + - source: express-jwt + style: secondary + start: 48 + end: 59 + - source: '''express-jwt''' + style: secondary + start: 47 + end: 60 + - source: import jwt from 'express-jwt'; + style: secondary + start: 31 + end: 61 + - source: |- + app.get('/protected2', jwt({ secret: hardcodedSecret1 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + style: secondary + start: 105 + end: 257 + ? 
| + import { expressJwt } from 'express-jwt'; + const secret4 = 'jwt-hardcoded-secret'; + app.get('/protected7', expressJwt({ secret: secret4 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + : labels: + - source: 'secret: secret4' + style: primary + start: 118 + end: 133 + - source: expressJwt + style: secondary + start: 105 + end: 115 + - source: secret + style: secondary + start: 118 + end: 124 + - source: secret4 + style: secondary + start: 126 + end: 133 + - source: 'secret: secret4' + style: secondary + start: 118 + end: 133 + - source: '{ secret: secret4 }' + style: secondary + start: 116 + end: 135 + - source: '({ secret: secret4 })' + style: secondary + start: 115 + end: 136 + - source: 'expressJwt({ secret: secret4 })' + style: secondary + start: 105 + end: 136 + - source: secret4 + style: secondary + start: 48 + end: 55 + - source: jwt-hardcoded-secret + style: secondary + start: 59 + end: 79 + - source: '''jwt-hardcoded-secret''' + style: secondary + start: 58 + end: 80 + - source: secret4 = 'jwt-hardcoded-secret' + style: secondary + start: 48 + end: 80 + - source: const secret4 = 'jwt-hardcoded-secret'; + style: secondary + start: 42 + end: 81 + - source: expressJwt + style: secondary + start: 9 + end: 19 + - source: expressJwt + style: secondary + start: 9 + end: 19 + - source: '{ expressJwt }' + style: secondary + start: 7 + end: 21 + - source: '{ expressJwt }' + style: secondary + start: 7 + end: 21 + - source: express-jwt + style: secondary + start: 28 + end: 39 + - source: '''express-jwt''' + style: secondary + start: 27 + end: 40 + - source: import { expressJwt } from 'express-jwt'; + style: secondary + start: 0 + end: 41 + - source: |- + app.get('/protected7', expressJwt({ secret: secret4 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + style: secondary + start: 82 + end: 232 + ? 
| + var jwt = require('express-jwt'); + app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + : labels: + - source: 'secret: ''shhhhhhared-secret''' + style: primary + start: 62 + end: 90 + - source: jwt + style: secondary + start: 56 + end: 59 + - source: secret + style: secondary + start: 62 + end: 68 + - source: shhhhhhared-secret + style: secondary + start: 71 + end: 89 + - source: '''shhhhhhared-secret''' + style: secondary + start: 70 + end: 90 + - source: 'secret: ''shhhhhhared-secret''' + style: secondary + start: 62 + end: 90 + - source: '{ secret: ''shhhhhhared-secret'' }' + style: secondary + start: 60 + end: 92 + - source: '({ secret: ''shhhhhhared-secret'' })' + style: secondary + start: 59 + end: 93 + - source: 'jwt({ secret: ''shhhhhhared-secret'' })' + style: secondary + start: 56 + end: 93 + - source: jwt + style: secondary + start: 4 + end: 7 + - source: require + style: secondary + start: 10 + end: 17 + - source: express-jwt + style: secondary + start: 19 + end: 30 + - source: '''express-jwt''' + style: secondary + start: 18 + end: 31 + - source: ('express-jwt') + style: secondary + start: 17 + end: 32 + - source: require('express-jwt') + style: secondary + start: 10 + end: 32 + - source: jwt = require('express-jwt') + style: secondary + start: 4 + end: 32 + - source: var jwt = require('express-jwt'); + style: secondary + start: 0 + end: 33 + - source: |- + app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + style: secondary + start: 34 + end: 189 diff --git a/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml b/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml new file mode 100644 index 00000000..122ab423 --- /dev/null +++ b/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml 
@@ -0,0 +1,44 @@ +id: express-jwt-hardcoded-secret-javascript +valid: + - | + app.get('/ok-protected', jwt({ secret: process.env.SECRET }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); +invalid: + - | + var jwt = require('express-jwt'); + app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + - | + import express from 'express'; + import jwt from 'express-jwt'; + let hardcodedSecret1 = 'super-secret-key'; + app.get('/protected2', jwt({ secret: hardcodedSecret1 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + - | + import express from 'express'; + import jwt from 'express-jwt'; + const secret3 = 'static-secret'; + app.get('/protected4', jwt({ secret: secret3, issuer: 'http://issuer' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + - | + import express from 'express'; + import jwt from 'express-jwt'; + app.get('/protected1', jwt({ secret: 'super-secret-key' }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); + - | + import { expressJwt } from 'express-jwt'; + const secret4 = 'jwt-hardcoded-secret'; + app.get('/protected7', expressJwt({ secret: secret4 }), function(req, res) { + if (!req.user.admin) return res.sendStatus(401); + res.sendStatus(200); + }); From c88b8c2fe2169562e734a39b83342d783c244cb2 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Tue, 17 Dec 2024 11:25:20 +0000 Subject: [PATCH 4/7] modification in express-session-hardcoded-secret-javascript --- ...ss-session-hardcoded-secret-javascript.yml | 171 ++++-------------- ...n-hardcoded-secret-javascript-snapshot.yml | 90 ++------- 2 files changed, 48 insertions(+), 213 deletions(-) 
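Review bot: The only `valid` case in this test file never imports or requires `express-jwt`, while every `invalid` case does, so if the rule gates on a preceding import/require (as the invalid cases suggest) the negative test passes vacuously rather than because `process.env.SECRET` is treated as safe. Prepend `var jwt = require('express-jwt');` to the `/ok-protected` case so the secret-value check itself is exercised. The identifier-resolution path also has no negative case; `import jwt from 'express-jwt'; const secret = process.env.SECRET; app.get('/ok2', jwt({ secret: secret }), ...)` is where an over-broad resolution would most likely misfire and is worth adding under `valid`.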
diff --git a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml index 240c5683..01a4ab35 100644 --- a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml +++ b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml 
@@ -108,148 +108,43 @@ utils: kind: string_fragment regex: '^express-session$' - MATCH_SECRET_INSIDE_APP: - kind: pair - pattern: $C - inside: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: property_identifier - regex: '^use$' - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $T - - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - pattern: $C - all: - - has: - stopBy: end - kind: property_identifier - pattern: $S - - any: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: string - - - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: + MATCH_SECRET_with_Instance: + kind: pair + all: + - has: + stopBy: neighbor + kind: property_identifier + regex: ^secret$ + - has: + stopBy: neighbor + kind: identifier + pattern: $SECRET + - inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: lexical_declaration + has: + stopBy: end + kind: variable_declarator + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $SECRET + - has: + stopBy: neighbor + kind: string + has: stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: '^express-session$' - - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: '^require$' - - has: - stopBy: end - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: '^express-session$' - - - follows: - stopBy: 
end - kind: import_statement - has: - stopBy: end - kind: import_clause - all: - - has: - stopBy: end - kind: named_imports - has: - stopBy: end - kind: import_specifier - has: - stopBy: end - kind: identifier - pattern: $T - - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: '^express-session$' -rule: + kind: string_fragment +rule: kind: pair any: - matches: MATCH_SECRET - - matches: MATCH_SECRET_INSIDE_APP + - matches: MATCH_SECRET_with_Instance + constraints: S: regex: '^secret$' diff --git a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml index ba0da278..e6c8c2c2 100644 --- a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml +++ b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml @@ -13,22 +13,6 @@ snapshots: style: primary start: 73 end: 82 - - source: app - style: secondary - start: 55 - end: 58 - - source: use - style: secondary - start: 59 - end: 62 - - source: app.use - style: secondary - start: 55 - end: 62 - - source: session - style: secondary - start: 63 - end: 70 - source: secret style: secondary start: 73 
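Review bot: The new `MATCH_SECRET_with_Instance` resolves `$SECRET` only through `follows: kind: lexical_declaration`, which in tree-sitter-javascript covers `let`/`const` but not `var`, so `var s = 'abc'; app.use(session({ secret: s }))` is not reported. Replace the single `kind: lexical_declaration` under `follows` with `any:` / `- kind: lexical_declaration` / `- kind: variable_declaration` so both declaration forms resolve. The `constraints: S: regex: '^secret$'` block survives the hunk while `$S` no longer appears in the new util; presumably `MATCH_SECRET` above the hunk still binds it, otherwise the constraint is dead and should be dropped.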
@@ -37,70 +21,26 @@ snapshots: style: secondary start: 81 end: 82 - - source: 'secret: a' - style: secondary - start: 73 - end: 82 - - source: |- - { - secret: a, - resave: false, - saveUninitialized: false, - } - style: secondary - start: 71 - end: 126 - - source: |- - session({ - secret: a, - resave: false, - saveUninitialized: false, - }) - style: secondary - start: 63 - end: 127 - - source: |- - (session({ - secret: a, - resave: false, - saveUninitialized: false, - })) - style: secondary - start: 62 - end: 128 - - source: |- - app.use(session({ - secret: a, - resave: false, - saveUninitialized: false, - })) - style: secondary - start: 55 - end: 128 - - source: session - style: secondary - start: 12 - end: 19 - - source: '* as session' + - source: a style: secondary - start: 7 - end: 19 - - source: '* as session' + start: 47 + end: 48 + - source: a style: secondary - start: 7 - end: 19 - - source: express-session + start: 52 + end: 53 + - source: '''a''' style: secondary - start: 26 - end: 41 - - source: '''express-session''' + start: 51 + end: 54 + - source: a = 'a' style: secondary - start: 25 - end: 42 - - source: import * as session from 'express-session' + start: 47 + end: 54 + - source: let a = 'a' style: secondary - start: 0 - end: 42 + start: 43 + end: 54 - source: |- app.use(session({ secret: a, From 315c7fec3969709461c6a95ae2417d3966529c76 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Tue, 17 Dec 2024 11:30:53 +0000 Subject: [PATCH 5/7] modification in express-session-hardcoded-secret-javascript --- ...ss-session-hardcoded-secret-javascript.yml | 72 ++++++++++++++++++- ...n-hardcoded-secret-javascript-snapshot.yml | 33 +++++++++ 2 files changed, 103 insertions(+), 2 deletions(-) diff --git a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml index 01a4ab35..5fb703d4 100644 --- a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml 
+++ b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml @@ -139,12 +139,80 @@ utils: has: stopBy: neighbor kind: string_fragment + - inside: + stopBy: end + any: + - kind: lexical_declaration + - kind: expression_statement + any: + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: end + kind: import_clause + has: + stopBy: neighbor + kind: identifier + pattern: $T + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-session$' + - follows: + stopBy: end + kind: expression_statement + has: + stopBy: end + kind: assignment_expression + has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^require$' + - has: + stopBy: end + kind: arguments + has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-session$' + - follows: + stopBy: end + kind: import_statement + all: + - has: + stopBy: neighbor + kind: import_clause + has: + stopBy: neighbor + kind: namespace_import + has: + stopBy: neighbor + kind: identifier + pattern: $T + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: '^express-session$' rule: kind: pair any: - matches: MATCH_SECRET - matches: MATCH_SECRET_with_Instance - constraints: S: - regex: '^secret$' + regex: '^secret$' \ No newline at end of file diff --git a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml index e6c8c2c2..0bd27648 100644 --- a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml +++ b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml 
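Review bot: The CommonJS alternative added under the new `inside:`/`any:` block only matches `kind: expression_statement` containing an `assignment_expression`, i.e. a bare `session = require('express-session')`; the usual `const session = require('express-session')` is a `lexical_declaration` with no `assignment_expression`, so the identifier-resolution path never fires for CommonJS files. Add a declaration alternative, e.g. `- follows:` / `stopBy: end` / `pattern: const $T = require('express-session')` (and the `let`/`var` forms), next to the assignment one. Note also that `$T` is bound in the import alternatives but never tied to the callee of the `session(...)` call in this util, so any express-session import above the statement enables the match; if that is the intended file-level gate, a one-line comment saying so would save the next reader from looking for the missing link.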
@@ -50,6 +50,39 @@ snapshots: style: secondary start: 55 end: 129 + - source: session + style: secondary + start: 12 + end: 19 + - source: '* as session' + style: secondary + start: 7 + end: 19 + - source: '* as session' + style: secondary + start: 7 + end: 19 + - source: express-session + style: secondary + start: 26 + end: 41 + - source: '''express-session''' + style: secondary + start: 25 + end: 42 + - source: import * as session from 'express-session' + style: secondary + start: 0 + end: 42 + - source: |- + app.use(session({ + secret: a, + resave: false, + saveUninitialized: false, + })); + style: secondary + start: 55 + end: 129 ? | import * as session from 'express-session' let config = { From befcc3ff65152827821c37b99bdfb12145bf2fa8 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Tue, 17 Dec 2024 11:38:45 +0000 Subject: [PATCH 6/7] modification in express-session-hardcoded-secret-javascript --- ...ss-session-hardcoded-secret-javascript.yml | 151 +++--------------- ...n-hardcoded-secret-javascript-snapshot.yml | 60 ------- 2 files changed, 19 insertions(+), 192 deletions(-) diff --git a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml index 5fb703d4..eea3cd2f 100644 --- a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml +++ b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml 
@@ -41,73 +41,14 @@ utils: stopBy: end kind: string_fragment - - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: '^express-session$' - - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: '^require$' - - has: - stopBy: end - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: '^express-session$' - - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: '^express-session$' - + - follows: + stopBy: end + kind: import_statement + any: + - pattern: import session from 'express' + - pattern: import session from 'express-session' + - pattern: import {session} from 'express-session' + - pattern: import * as session from 'express-session' MATCH_SECRET_with_Instance: kind: pair all: 
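Review bot: The four `pattern:` alternatives that replace the import/require checks use the literal identifier `session` (metavariables in ast-grep are `$`-prefixed), so the gate now fires only when the import binds exactly that name; `import expressSession from 'express-session'` or `import { session as sess } from 'express-session'` are silently missed. The hunk also drops the `require('express-session')` alternative entirely, so CommonJS code is no longer covered at all, which is a regression against the invalid cases the rule previously detected. `import session from 'express'` binds the default export of `express`, which does not appear to be the session middleware; confirm whether that alternative is intended or a typo for `express-session`. The proposed replacement list is below.
```yaml
- follows:
    stopBy: end
    any:
      - pattern: import $T from 'express-session'
      - pattern: import * as $T from 'express-session'
      - pattern: import {$T} from 'express-session'
      - pattern: const $T = require('express-session')
      - pattern: var $T = require('express-session')
# … unchanged: MATCH_SECRET_with_Instance …
```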
@@ -144,75 +85,21 @@ utils: any: - kind: lexical_declaration - kind: expression_statement - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: '^express-session$' - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: '^require$' - - has: - stopBy: end - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: '^express-session$' - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: '^express-session$' + follows: + stopBy: end + kind: import_statement + any: + - pattern: import session from 'express' + - pattern: import session from 'express-session' + - pattern: import {session} from 'express-session' + - pattern: import * as session from 'express-session' + rule: kind: pair any: - matches: MATCH_SECRET - matches: MATCH_SECRET_with_Instance + constraints: S: - regex: '^secret$' \ No newline at end of file + regex: '^secret$' diff --git a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml index 0bd27648..ae94c35e 100644 --- a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml +++ b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml 
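Review bot: The four `pattern:` alternatives under `follows:` in `MATCH_SECRET_with_Instance` are now a verbatim copy of the list in `MATCH_SECRET` above, so the two will drift the next time one is edited. Factor them into a single util, e.g. `EXPRESS_SESSION_IMPORT:` with `kind: import_statement` and the `any:` list, and reference it from both places as `- follows:` / `stopBy: end` / `matches: EXPRESS_SESSION_IMPORT`. The same literal-`session` and missing-`require` limitations as in the first hunk apply here, so fixing the shared util fixes both paths at once.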
@@ -50,26 +50,6 @@ snapshots: style: secondary start: 55 end: 129 - - source: session - style: secondary - start: 12 - end: 19 - - source: '* as session' - style: secondary - start: 7 - end: 19 - - source: '* as session' - style: secondary - start: 7 - end: 19 - - source: express-session - style: secondary - start: 26 - end: 41 - - source: '''express-session''' - style: secondary - start: 25 - end: 42 - source: import * as session from 'express-session' style: secondary start: 0 @@ -129,26 +109,6 @@ snapshots: style: secondary start: 47 end: 113 - - source: session - style: secondary - start: 12 - end: 19 - - source: '* as session' - style: secondary - start: 7 - end: 19 - - source: '* as session' - style: secondary - start: 7 - end: 19 - - source: express-session - style: secondary - start: 26 - end: 41 - - source: '''express-session''' - style: secondary - start: 25 - end: 42 - source: import * as session from 'express-session' style: secondary start: 0 @@ -208,26 +168,6 @@ snapshots: style: secondary start: 47 end: 116 - - source: session - style: secondary - start: 12 - end: 19 - - source: '* as session' - style: secondary - start: 7 - end: 19 - - source: '* as session' - style: secondary - start: 7 - end: 19 - - source: express-session - style: secondary - start: 26 - end: 41 - - source: '''express-session''' - style: secondary - start: 25 - end: 42 - source: import * as session from 'express-session' style: secondary start: 0 From c56b73bf48cdcb37ffd6f7f7a236d76e1af4f399 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Tue, 17 Dec 2024 11:57:07 +0000 Subject: [PATCH 7/7] modification in node-sequelize-hardcoded-secret-argument-javascript --- ...e-hardcoded-secret-argument-javascript.yml | 84 ++++++++++++------- ...ed-secret-argument-javascript-snapshot.yml | 16 ---- 2 files changed, 53 insertions(+), 47 deletions(-) 
diff --git a/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml b/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml index 45894b85..3d719833 100644 --- a/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml +++ b/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml 
@@ -39,37 +39,59 @@ utils: has: stopBy: end kind: string_fragment - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: identifier - pattern: $E - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: identifier - pattern: $E - - follows: + - follows: + stopBy: end + any: + - pattern: const $E = require('sequelize') + - pattern: import $E from 'sequelize' + - pattern: import * as $E from 'sequelize' + - pattern: import {$E} from 'sequelize' + MATCH_BLANK_PASSWORD_with_instance: + kind: identifier + pattern: $W + inside: + stopBy: end + kind: lexical_declaration + all: + - has: + stopBy: end + kind: new_expression + all: + - has: + stopBy: end + kind: identifier + pattern: $E + - has: + stopBy: end + kind: arguments + nthChild: 2 + has: stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: identifier - pattern: $E + kind: identifier + nthChild: 3 + pattern: $W + - follows: + stopBy: end + any: + - pattern: const $E = require('sequelize') + - pattern: import $E from 'sequelize' + - pattern: import * as $E from 'sequelize' + - pattern: import {$E} from 'sequelize' + - follows: + stopBy: end + any: + - pattern: $W = $R + - pattern: let $W = $R rule: + any: + - kind: string + matches: MATCH_BLANK_PASSWORD + - kind: identifier + matches: MATCH_BLANK_PASSWORD_with_instance +constraints: + R: kind: string - matches: MATCH_BLANK_PASSWORD + has: + stopBy: neighbor + kind: string_fragment + diff --git a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml index a395d218..c00d22c4 100644 --- a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml 
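Review bot: The new `MATCH_BLANK_PASSWORD_with_instance` resolves `$W` only through `follows:` patterns `$W = $R` and `let $W = $R`, so the most common form, `const password = 'hunter2'; new Sequelize('db', 'user', password)`, is not reported; add `- pattern: const $W = $R` and `- pattern: var $W = $R` to that `any:` list. The `$E` alternatives have the same gap on the CommonJS side: only `const $E = require('sequelize')` is listed, so `let`/`var` bindings and the destructured `const { Sequelize } = require('sequelize')` never satisfy the gate. Because `follows` uses `stopBy: end`, the first matching `$W = $R` anywhere above the declaration is accepted even if `$W` is later reassigned from `process.env`; if that is a deliberate trade-off, a comment on the util saying so would help.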
+++ b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml @@ -42,14 +42,6 @@ snapshots: style: secondary start: 58 end: 165 - - source: Sequelize - style: secondary - start: 6 - end: 15 - - source: Sequelize = require('sequelize') - style: secondary - start: 6 - end: 38 - source: const Sequelize = require('sequelize'); style: secondary start: 0 @@ -91,14 +83,6 @@ snapshots: style: secondary start: 59 end: 117 - - source: Sequelize - style: secondary - start: 6 - end: 15 - - source: Sequelize = require('sequelize') - style: secondary - start: 6 - end: 38 - source: const Sequelize = require('sequelize'); style: secondary start: 0