Skip to content

Add security rules and tests for TypeScript applications in AngularJS and Sequelize #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 9 commits into from
Closed

Add security rules and tests for TypeScript applications in AngularJS and Sequelize #76

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
822bc26
node-sequelize-empty-password-argument-typescript
Dec 5, 2024
8cef5e1
detect-angular-sce-disabled-typescript
Dec 5, 2024
29ec62d
node-sequelize-hardcoded-secret-argument-typescript
Dec 5, 2024
bb93568
modification in node-sequelize-empty-password-argument-typescript
Dec 18, 2024
f6860f3
modification in node-sequelize-empty-password-argument-typescript
Dec 24, 2024
35d59df
modification in detect-angular-sce-disabled-typescript
Dec 26, 2024
772d260
modification in node-sequelize-empty-password-argument-typescript
Dec 26, 2024
a029238
modification in node-sequelize-hardcoded-secret-argument-typescript
Dec 26, 2024
74db3ba
modification in detect-angular-sce-disabled-typescript
Jan 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions rules/typescript/security/detect-angular-sce-disabled-typescript.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
id: detect-angular-sce-disabled-typescript
language: typescript
severity: warning
message: >-
$sceProvider is set to false. Disabling Strict Contextual escaping
(SCE) in an AngularJS application could provide additional attack surface
for XSS vulnerabilities.
note: >-
[CWE-79] Improper Neutralization of Input During Web Page Generation.
[REFERENCES]
- https://docs.angularjs.org/api/ng/service/$sce
- https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
rule:
kind: expression_statement
regex: ^\$sceProvider
has:
kind: call_expression
stopBy: end
all:
- has:
kind: member_expression
nthChild: 1
all:
- has:
kind: identifier
regex: ^\$sceProvider$
- has:
kind: property_identifier
regex: ^enabled$
precedes:
kind: arguments
has:
kind: 'false'
nthChild: 1
not:
has:
nthChild: 2
196 changes: 196 additions & 0 deletions rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,196 @@
id: node-sequelize-empty-password-argument-typescript
language: typescript
severity: warning
message: >-
The application creates a database connection with an empty password.
This can lead to unauthorized access by either an internal or external
malicious actor. To prevent this vulnerability, enforce authentication
when connecting to a database by using environment variables to securely
provide credentials or retrieving them from a secure vault or HSM
(Hardware Security Module).
note: >-
[CWE-287] Improper Authentication.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
MATCH_BLANK_PASSWORD:
kind: string
pattern: $Q
inside:
stopBy: end
kind: lexical_declaration
all:
- has:
stopBy: end
kind: new_expression
all:
- has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: end
kind: arguments
nthChild: 2
has:
stopBy: end
kind: string
nthChild: 3
pattern: $Q
not:
has:
stopBy: end
kind: string_fragment
- any:
- follows:
stopBy: end
kind: lexical_declaration
has:
stopBy: end
kind: variable_declarator
all:
- has:
stopBy: neighbor
kind: identifier
- has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: '^require$'
- has:
stopBy: neighbor
kind: arguments
has:
stopBy: neighbor
kind: string
has:
stopBy: neighbor
kind: string_fragment
regex: '^sequelize$'
- follows:
stopBy: end
kind: import_statement
has:
stopBy: end
kind: import_clause
has:
stopBy: end
kind: identifier
pattern: $E
- follows:
stopBy: end
kind: import_statement
has:
stopBy: end
kind: import_clause
has:
stopBy: end
kind: identifier
pattern: $E


MATCH_BLANK_PASSWORD_WITH_INSTANCE:
kind: identifier
pattern: $Q
inside:
stopBy: end
kind: lexical_declaration
all:
- has:
stopBy: end
kind: new_expression
all:
- has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: end
kind: arguments
nthChild: 2
has:
stopBy: end
kind: identifier
nthChild: 3
pattern: $Q
not:
has:
stopBy: end
kind: string_fragment
- follows:
stopBy: end
kind: lexical_declaration
has:
stopBy: end
kind: variable_declarator
all:
- has:
stopBy: neighbor
kind: identifier
pattern: $Q
- has:
stopBy: neighbor
kind: string
not:
has:
stopBy: neighbor
kind: string_fragment
- any:
- follows:
stopBy: end
kind: lexical_declaration
has:
stopBy: end
kind: variable_declarator
all:
- has:
stopBy: neighbor
kind: identifier
- has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: '^require$'
- has:
stopBy: neighbor
kind: arguments
has:
stopBy: neighbor
kind: string
has:
stopBy: neighbor
kind: string_fragment
regex: '^sequelize$'
- follows:
stopBy: end
kind: import_statement
has:
stopBy: end
kind: import_clause
has:
stopBy: end
kind: identifier
pattern: $E
- follows:
stopBy: end
kind: import_statement
has:
stopBy: end
kind: import_clause
has:
stopBy: end
kind: identifier
pattern: $E
Comment on lines +95 to +189
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Reduce pattern duplication

The MATCH_BLANK_PASSWORD_WITH_INSTANCE pattern shares significant code with MATCH_BLANK_PASSWORD. Consider extracting common patterns into reusable utilities:

  • Import/require detection logic
  • Sequelize instance creation patterns

Example refactor:

utils:
  SEQUELIZE_IMPORT_PATTERN:
    kind: import_statement
    has:
      stopBy: end
      kind: import_clause
      has:
        stopBy: end
        kind: identifier
        pattern: $E
🧰 Tools
🪛 yamllint (1.35.1)

[warning] 99-99: wrong indentation: expected 12 but found 15

(indentation)

[warning] 102-102: wrong indentation: expected 19 but found 16

(indentation)

[warning] 103-103: wrong indentation: expected 22 but found 19

(indentation)

[warning] 106-106: wrong indentation: expected 23 but found 19

(indentation)

[warning] 107-107: wrong indentation: expected 25 but found 22

(indentation)

[warning] 111-111: wrong indentation: expected 25 but found 22

(indentation)

[warning] 115-115: wrong indentation: expected 26 but found 23

(indentation)

[warning] 120-120: wrong indentation: expected 27 but found 24

(indentation)

[warning] 142-142: wrong indentation: expected 22 but found 20

(indentation)

[warning] 143-143: wrong indentation: expected 26 but found 28

(indentation)

[warning] 171-171: wrong indentation: expected 26 but found 23

(indentation)

[error] 173-173: trailing spaces

(trailing-spaces)

[warning] 174-174: wrong indentation: expected 27 but found 24

(indentation)

[warning] 181-181: wrong indentation: expected 26 but found 23

(indentation)

[error] 183-183: trailing spaces

(trailing-spaces)

[warning] 184-184: wrong indentation: expected 27 but found 24

(indentation)

rule:
any:
- kind: string
matches: MATCH_BLANK_PASSWORD
- kind: identifier
matches: MATCH_BLANK_PASSWORD_WITH_INSTANCE

97 changes: 97 additions & 0 deletions rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
id: node-sequelize-hardcoded-secret-argument-typescript
language: typescript
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[CWE-287] Improper Authentication.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
MATCH_BLANK_PASSWORD:
kind: string
pattern: $Q
inside:
stopBy: end
kind: lexical_declaration
all:
- has:
stopBy: end
kind: new_expression
all:
- has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: end
kind: arguments
nthChild: 2
has:
stopBy: end
kind: string
nthChild: 3
pattern: $Q
has:
stopBy: end
kind: string_fragment
- follows:
stopBy: end
any:
- pattern: const $E = require('sequelize')
- pattern: import $E from 'sequelize'
- pattern: import * as $E from 'sequelize'
- pattern: import {$E} from 'sequelize'
MATCH_BLANK_PASSWORD_with_instance:
kind: identifier
pattern: $W
inside:
stopBy: end
kind: lexical_declaration
all:
- has:
stopBy: end
kind: new_expression
all:
- has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: end
kind: arguments
nthChild: 2
has:
stopBy: end
kind: identifier
nthChild: 3
pattern: $W
- follows:
stopBy: end
any:
- pattern: const $E = require('sequelize')
- pattern: import $E from 'sequelize'
- pattern: import * as $E from 'sequelize'
- pattern: import {$E} from 'sequelize'
- follows:
stopBy: end
any:
- pattern: $W = $R
- pattern: let $W = $R
rule:
any:
- kind: string
matches: MATCH_BLANK_PASSWORD
- kind: identifier
matches: MATCH_BLANK_PASSWORD_with_instance
constraints:
R:
kind: string
has:
stopBy: neighbor
kind: string_fragment

Comment on lines +91 to +97
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Enhance string pattern constraints

The current constraint could be improved to:

  1. Validate string content more thoroughly
  2. Check for common password patterns
  3. Remove trailing spaces

Apply this diff:

 constraints:
    R:
     kind: string
     has:
        stopBy: neighbor
        kind: string_fragment
-    
+     not:
+       pattern: (test|example|mock)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
constraints:
R:
kind: string
has:
stopBy: neighbor
kind: string_fragment
constraints:
R:
kind: string
has:
stopBy: neighbor
kind: string_fragment
not:
pattern: (test|example|mock)
🧰 Tools
🪛 yamllint (1.35.1)

[warning] 92-92: wrong indentation: expected 4 but found 3

(indentation)

[warning] 93-93: wrong indentation: expected 7 but found 4

(indentation)

[warning] 95-95: wrong indentation: expected 8 but found 7

(indentation)

[error] 97-97: trailing spaces

(trailing-spaces)

Loading