File tree Expand file tree Collapse file tree 3 files changed +769
-0
lines changed
rules/javascript/security Expand file tree Collapse file tree 3 files changed +769
-0
lines changed Original file line number Diff line number Diff line change 1+ id: express-jwt-hardcoded-secret-javascript
2+ language: javascript
3+ severity: warning
4+ message: >-
5+ A hard-coded credential was detected. It is not recommended to store
6+ credentials in source-code, as this risks secrets being leaked and used by
7+ either an internal or external malicious adversary. It is recommended to
8+ use environment variables to securely provide credentials or retrieve
9+ credentials from a secure vault or HSM (Hardware Security Module).
10+ note: >-
11+ [CWE-798] Use of Hard-coded Credentials.
12+ [REFERENCES]
13+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+ utils:
15+ MATCH_SECRET_DIRECTLY:
16+ kind: pair
17+ inside:
18+ stopBy: end
19+ kind: expression_statement
20+ all:
21+ - has:
22+ stopBy: end
23+ kind: call_expression
24+ all:
25+ - has:
26+ stopBy: neighbor
27+ kind: identifier
28+ pattern: $E
29+ - has:
30+ stopBy: end
31+ kind: arguments
32+ has:
33+ stopBy: end
34+ kind: object
35+ has:
36+ stopBy: neighbor
37+ kind: pair
38+ all:
39+ - has:
40+ stopBy: neighbor
41+ kind: property_identifier
42+ regex: '^secret$'
43+ - has:
44+ stopBy: neighbor
45+ kind: string
46+ has:
47+ stopBy: neighbor
48+ kind: string_fragment
49+
50+ - any:
51+ - follows:
52+ stopBy: end
53+ kind: variable_declaration
54+ has:
55+ stopBy: end
56+ kind: variable_declarator
57+ all:
58+ - has:
59+ stopBy: end
60+ kind: identifier
61+ pattern: $E
62+ - has:
63+ stopBy: neighbor
64+ kind: call_expression
65+ all:
66+ - has:
67+ stopBy: neighbor
68+ kind: identifier
69+ regex: '^require$'
70+ - has:
71+ stopBy: neighbor
72+ kind: arguments
73+ has:
74+ stopBy: neighbor
75+ kind : string
76+ has:
77+ stopBy: neighbor
78+ kind: string_fragment
79+ regex: '^express-jwt$'
80+ - follows:
81+ stopBy: end
82+ kind: import_statement
83+ all:
84+ - has:
85+ stopBy: end
86+ kind: import_clause
87+ has:
88+ stopBy: neighbor
89+ kind: identifier
90+ pattern: $E
91+ - has:
92+ stopBy: neighbor
93+ kind: string
94+ has:
95+ stopBy: end
96+ kind: string_fragment
97+ regex: '^express-jwt$'
98+ - follows:
99+ stopBy: end
100+ kind: import_statement
101+ all:
102+ - has:
103+ stopBy: end
104+ kind: import_clause
105+ has:
106+ stopBy: end
107+ kind: namespace_import
108+ has:
109+ stopBy: end
110+ kind: identifier
111+ pattern: $E
112+ - has:
113+ stopBy: neighbor
114+ kind: string
115+ has:
116+ stopBy: neighbor
117+ kind: string_fragment
118+ regex: '^express-jwt$'
119+ - follows:
120+ stopBy: end
121+ kind: import_statement
122+ all:
123+ - has:
124+ stopBy: neighbor
125+ kind: import_clause
126+ has:
127+ stopBy: neighbor
128+ kind: named_imports
129+ has:
130+ stopBy: neighbor
131+ kind: import_specifier
132+ has:
133+ stopBy: end
134+ kind: identifier
135+ pattern: $E
136+ - has:
137+ stopBy: end
138+ kind: string
139+ has:
140+ stopBy: end
141+ kind: string_fragment
142+ regex: '^express-jwt$'
143+
144+ MATCH_PATTERN_WITH_INSTANCE:
145+ kind: pair
146+ pattern: $O
147+ inside:
148+ stopBy: end
149+ kind: expression_statement
150+ all:
151+ - has:
152+ stopBy: end
153+ kind: call_expression
154+ all:
155+ - has:
156+ stopBy: neighbor
157+ kind: identifier
158+ pattern: $E
159+ - has:
160+ stopBy: end
161+ kind: arguments
162+ has:
163+ stopBy: end
164+ kind: object
165+ has:
166+ stopBy: neighbor
167+ kind: pair
168+ pattern: $O
169+ all:
170+ - has:
171+ stopBy: neighbor
172+ kind: property_identifier
173+ regex: '^secret$'
174+ - has:
175+ stopBy: neighbor
176+ kind: identifier
177+ pattern: $F
178+ - follows:
179+ stopBy: end
180+ kind: lexical_declaration
181+ has:
182+ stopBy: end
183+ kind: variable_declarator
184+ all:
185+ - has:
186+ stopBy: neighbor
187+ kind: identifier
188+ pattern: $F
189+ - has:
190+ stopBy: neighbor
191+ kind: string
192+ has:
193+ stopBy: neighbor
194+ kind: string_fragment
195+
196+ - any:
197+ - follows:
198+ stopBy: end
199+ kind: variable_declaration
200+ has:
201+ stopBy: end
202+ kind: variable_declarator
203+ all:
204+ - has:
205+ stopBy: end
206+ kind: identifier
207+ pattern: $E
208+ - has:
209+ stopBy: neighbor
210+ kind: call_expression
211+ all:
212+ - has:
213+ stopBy: neighbor
214+ kind: identifier
215+ regex: '^require$'
216+ - has:
217+ stopBy: neighbor
218+ kind: arguments
219+ has:
220+ stopBy: neighbor
221+ kind : string
222+ has:
223+ stopBy: neighbor
224+ kind: string_fragment
225+ regex: '^express-jwt$'
226+
227+ - follows:
228+ stopBy: end
229+ kind: import_statement
230+ all:
231+ - has:
232+ stopBy: end
233+ kind: import_clause
234+ has:
235+ stopBy: neighbor
236+ kind: identifier
237+ pattern: $E
238+ - has:
239+ stopBy: neighbor
240+ kind: string
241+ has:
242+ stopBy: end
243+ kind: string_fragment
244+ regex: '^express-jwt$'
245+ - follows:
246+ stopBy: end
247+ kind: import_statement
248+ all:
249+ - has:
250+ stopBy: end
251+ kind: import_clause
252+ has:
253+ stopBy: end
254+ kind: namespace_import
255+ has:
256+ stopBy: end
257+ kind: identifier
258+ pattern: $E
259+ - has:
260+ stopBy: neighbor
261+ kind: string
262+ has:
263+ stopBy: neighbor
264+ kind: string_fragment
265+ regex: '^express-jwt$'
266+ - follows:
267+ stopBy: end
268+ kind: import_statement
269+ all:
270+ - has:
271+ stopBy: neighbor
272+ kind: import_clause
273+ has:
274+ stopBy: neighbor
275+ kind: named_imports
276+ has:
277+ stopBy: neighbor
278+ kind: import_specifier
279+ has:
280+ stopBy: end
281+ kind: identifier
282+ pattern: $E
283+ - has:
284+ stopBy: end
285+ kind: string
286+ has:
287+ stopBy: end
288+ kind: string_fragment
289+ regex: '^express-jwt$'
290+ rule:
291+ kind: pair
292+ any:
293+ - matches: MATCH_SECRET_DIRECTLY
294+ - matches: MATCH_PATTERN_WITH_INSTANCE
You can’t perform that action at this time.
0 commit comments