node-sequelize-empty-password-argument-typescript

ESS-ENN · ESS-ENN · commit 6e710c565f18 · 2024-10-03T18:09:09.000+05:30
diff --git a/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml b/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml
@@ -0,0 +1,78 @@
+id: node-sequelize-empty-password-argument-typescript
+language: typescript
+severity: warning
+message: >-
+  The application creates a database connection with an empty password.
+  This can lead to unauthorized access by either an internal or external
+  malicious actor. To prevent this vulnerability, enforce authentication
+  when connecting to a database by using environment variables to securely
+  provide credentials or retrieving them from a secure vault or HSM
+  (Hardware Security Module).
+note: >-
+  [CWE-287] Improper Authentication.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+  MATCH_BLANK_PASSWORD:
+    kind: string
+    pattern: $Q
+    inside:
+      stopBy: end
+      kind: lexical_declaration
+      all:
+        - has:
+            stopBy: end
+            kind: new_expression
+            all:
+              - has:
+                  stopBy: end
+                  kind: identifier
+                  pattern: $E
+              - has:
+                  stopBy: end
+                  kind: arguments
+                  nthChild: 2
+                  has:
+                    stopBy: end
+                    kind: string
+                    nthChild: 3
+                    pattern: $Q
+                    not:
+                      has:
+                        stopBy: end
+                        kind: string_fragment
+        - any:
+            - follows:
+                stopBy: end
+                kind: lexical_declaration
+                has:
+                  stopBy: end
+                  kind: variable_declarator
+                  has:
+                    stopBy: end
+                    kind: identifier
+                    pattern: $E
+            - follows:
+                stopBy: end
+                kind: import_statement
+                has:
+                  stopBy: end
+                  kind: import_clause
+                  has:
+                    stopBy: end
+                    kind: identifier
+                    pattern: $E
+            - follows:
+                stopBy: end
+                kind: import_statement
+                has:
+                  stopBy: end
+                  kind: import_clause
+                  has:
+                    stopBy: end
+                    kind: identifier
+                    pattern: $E
+
+rule:
+  kind: string
+  matches: MATCH_BLANK_PASSWORD
diff --git a/tests/__snapshots__/node-sequelize-empty-password-argument-typescript-snapshot.yml b/tests/__snapshots__/node-sequelize-empty-password-argument-typescript-snapshot.yml
@@ -0,0 +1,61 @@
+id: node-sequelize-empty-password-argument-typescript
+snapshots:
+  ? |
+    const Sequelize = require('sequelize');
+    const sequelize1 = new Sequelize('database', 'username', '', {
+    host: 'localhost',
+    port: '5433',
+    dialect: 'postgres'
+    })
+  : labels:
+    - source: ''''''
+      style: primary
+      start: 97
+      end: 99
+    - source: Sequelize
+      style: secondary
+      start: 63
+      end: 72
+    - source: ''''''
+      style: secondary
+      start: 97
+      end: 99
+    - source: |-
+        ('database', 'username', '', {
+        host: 'localhost',
+        port: '5433',
+        dialect: 'postgres'
+        })
+      style: secondary
+      start: 72
+      end: 158
+    - source: |-
+        new Sequelize('database', 'username', '', {
+        host: 'localhost',
+        port: '5433',
+        dialect: 'postgres'
+        })
+      style: secondary
+      start: 59
+      end: 158
+    - source: Sequelize
+      style: secondary
+      start: 6
+      end: 15
+    - source: Sequelize = require('sequelize')
+      style: secondary
+      start: 6
+      end: 38
+    - source: const Sequelize = require('sequelize');
+      style: secondary
+      start: 0
+      end: 39
+    - source: |-
+        const sequelize1 = new Sequelize('database', 'username', '', {
+        host: 'localhost',
+        port: '5433',
+        dialect: 'postgres'
+        })
+      style: secondary
+      start: 40
+      end: 158
diff --git a/tests/typescript/node-sequelize-empty-password-argument-typescript-test.yml b/tests/typescript/node-sequelize-empty-password-argument-typescript-test.yml
@@ -0,0 +1,18 @@
+id: node-sequelize-empty-password-argument-typescript
+valid:
+  - |
+    const Sequelize = require('sequelize');
+    const sequelize = new Sequelize({
+    database: 'pinche',
+    username: 'root',
+    password: '123456789',
+    dialect: 'mysql'
+    });
+invalid:
+  - |
+    const Sequelize = require('sequelize');
+    const sequelize1 = new Sequelize('database', 'username', '', {
+    host: 'localhost',
+    port: '5433',
+    dialect: 'postgres'
+    })
