Skip to content

Add YAML configs and tests for hard-coded secrets and empty passwords #168

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Mar 7, 2025
Merged

Add YAML configs and tests for hard-coded secrets and empty passwords #168

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7c790d8
node-sequelize-empty-password-argument-typescript
Mar 5, 2025
d8ec61b
node-sequelize-hardcoded-secret-argument-typescript
Mar 5, 2025
2a29fb2
express-jwt-hardcoded-secret-typescript
Mar 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
494 changes: 494 additions & 0 deletions rules/typescript/security/express-jwt-hardcoded-secret-typescript.yml
View file
Open in desktop

Large diffs are not rendered by default.

173 changes: 173 additions & 0 deletions rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,173 @@
id: node-sequelize-empty-password-argument-typescript
language: typescript
severity: warning
message: >-
The application creates a database connection with an empty password.
This can lead to unauthorized access by either an internal or external
malicious actor. To prevent this vulnerability, enforce authentication
when connecting to a database by using environment variables to securely
provide credentials or retrieving them from a secure vault or HSM
(Hardware Security Module).
note: >-
[CWE-287] Improper Authentication.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
ast-grep-essentials: true
utils:
Match_pattern_directly:
kind: string
all:
- not:
has:
kind: string_fragment
- nthChild:
position: 3
ofRule:
not:
kind: comment
- inside:
kind: arguments
all:
- has:
nthChild:
position: 4
ofRule:
not:
kind: comment
- not:
has:
nthChild:
position: 5
ofRule:
not:
kind: comment
- inside:
kind: new_expression
all:
- has:
kind: identifier
pattern: $SQL
- any:
- inside:
stopBy: end
follows:
stopBy: end
any:
- pattern: $SQL = require('sequelize');
- pattern: const $SQL = require('sequelize');
- pattern: var $SQL = require('sequelize');
- pattern: let $SQL = require('sequelize');
- pattern: import $SQL from 'sequelize';
- pattern: import * as $SQL from 'sequelize';
- kind: import_statement
all:
- has:
kind: import_clause
has:
stopBy: end
pattern: $SQL
- has:
kind: string
has:
kind: string_fragment
regex: ^sequelize$
- not:
inside:
stopBy: end
kind: enum_declaration

Match_pattern_with_Instance:
kind: identifier
pattern: $PASS
all:
- nthChild:
position: 3
ofRule:
not:
kind: comment
- inside:
kind: arguments
all:
- not:
has:
nthChild:
position: 5
ofRule:
not:
kind: comment
- has:
nthChild:
position: 4
ofRule:
not:
kind: comment
- inside:
kind: new_expression
all:
- has:
kind: identifier
pattern: $SQL
- any:
- inside:
stopBy: end
follows:
stopBy: end
any:
- pattern: $SQL = require('sequelize');
- pattern: const $SQL = require('sequelize');
- pattern: var $SQL = require('sequelize');
- pattern: let $SQL = require('sequelize');
- pattern: import $SQL from 'sequelize';
- pattern: import * as $SQL from 'sequelize';
- kind: import_statement
all:
- has:
kind: import_clause
has:
stopBy: end
pattern: $SQL
- has:
kind: string
has:
kind: string_fragment
regex: ^sequelize$
- inside:
stopBy: end
follows:
stopBy: end
any:
- kind: lexical_declaration
has:
kind: variable_declarator
all:
- has:
kind: identifier
pattern: $PASS
- has:
any:
- kind: template_string
regex: ^``$
- kind: string
not:
has:
kind: string_fragment
- kind: variable_declaration
has:
kind: variable_declarator
all:
- has:
kind: identifier
pattern: $PASS
- has:
kind: string
not:
has:
kind: string_fragment
- not:
inside:
stopBy: end
kind: enum_declaration
rule:
any:
- matches: Match_pattern_directly
- matches: Match_pattern_with_Instance
158 changes: 158 additions & 0 deletions rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,158 @@
id: node-sequelize-hardcoded-secret-argument-typescript
language: typescript
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[CWE-287] Improper Authentication.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
ast-grep-essentials: true
utils:
Match_pattern_directly:
kind: string
all:
- has:
kind: string_fragment
- nthChild:
position: 3
ofRule:
not:
kind: comment
- inside:
kind: arguments
all:
- has:
nthChild:
position: 4
ofRule:
not:
kind: comment
- not:
has:
nthChild:
position: 5
ofRule:
not:
kind: comment
- inside:
kind: new_expression
all:
- has:
kind: identifier
pattern: $SQL
- any:
- inside:
stopBy: end
follows:
stopBy: end
any:
- pattern: $SQL = require('sequelize');
- pattern: const $SQL = require('sequelize');
- pattern: var $SQL = require('sequelize');
- pattern: let $SQL = require('sequelize');
- pattern: import $SQL from 'sequelize';
- pattern: import * as $SQL from 'sequelize';
- kind: import_statement
all:
- has:
kind: import_clause
has:
stopBy: end
pattern: $SQL
- has:
kind: string
has:
kind: string_fragment
regex: ^sequelize$
- not:
inside:
stopBy: end
kind: enum_declaration

Match_pattern_with_Instance:
kind: identifier
pattern: $PASS
all:
- nthChild:
position: 3
ofRule:
not:
kind: comment
- inside:
kind: arguments
all:
- not:
has:
nthChild:
position: 5
ofRule:
not:
kind: comment
- has:
nthChild:
position: 4
ofRule:
not:
kind: comment
- inside:
kind: new_expression
all:
- has:
kind: identifier
pattern: $SQL
- any:
- inside:
stopBy: end
follows:
stopBy: end
any:
- pattern: $SQL = require('sequelize');
- pattern: const $SQL = require('sequelize');
- pattern: var $SQL = require('sequelize');
- pattern: let $SQL = require('sequelize');
- pattern: import $SQL from 'sequelize';
- pattern: import * as $SQL from 'sequelize';
- kind: import_statement
all:
- has:
kind: import_clause
has:
stopBy: end
pattern: $SQL
- has:
kind: string
has:
kind: string_fragment
regex: ^sequelize$
- inside:
stopBy: end
follows:
stopBy: end
any:
- kind: lexical_declaration
not:
has:
regex: ^let$
has:
kind: variable_declarator
all:
- has:
kind: identifier
pattern: $PASS
- has:
kind: string
has:
kind: string_fragment
- not:
inside:
stopBy: end
kind: enum_declaration
rule:
any:
- matches: Match_pattern_directly
- matches: Match_pattern_with_Instance
Loading