feat(JS rules): add CWE-525 bad caching policy for expressjs JWT not …

…revoked (#695)

feat: add cwe-525 bad caching policy / express JWT not revoked

integration/rules/javascript_test.go

@@ -88,6 +88,10 @@ func TestJavascriptExpressExternalFileUpload(t *testing.T) {
 	getRunner(t).runTest(t, javascriptRulesPath+"express/external_file_upload")
 }
 
+func TestJavascriptExpressJwtNotRevoked(t *testing.T) {
+	getRunner(t).runTest(t, javascriptRulesPath+"express/jwt_not_revoked")
+}
+
 func TestJavascriptExpressExposedDirListing(t *testing.T) {
 	t.Parallel()
 	getRunner(t).runTest(t, javascriptRulesPath+"express/exposed_dir_listing")

pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked.yml

@@ -0,0 +1,41 @@
+patterns:
+  - pattern: |
+      expressjwt($<HASH_CONTENT>)
+    filters:
+      - variable: HASH_CONTENT
+        detection: javascript_express_jwt_not_revoked_secret_datatype
+      - not:
+          variable: HASH_CONTENT
+          detection: javascript_express_jwt_not_revoked_is_revoked
+languages:
+  - javascript
+auxiliary:
+  - id: javascript_express_jwt_not_revoked_secret_datatype
+    patterns:
+      - pattern: |
+          { $<...>secret: $<DATA_TYPE>$<...> }
+        filters:
+          - variable: DATA_TYPE
+            detection: datatype
+  - id: javascript_express_jwt_not_revoked_is_revoked
+    patterns:
+      - pattern: |
+          { $<...>isRevoked: $<_>$<...> }
+trigger: presence
+severity:
+  default: "warning"
+metadata:
+  description: "Unrevoked JWT detected."
+  remediation_message: |
+    ## Description
+    The best practice caching policy is to revoke JWTs especially when these contain senstitive information.
+
+    <!--
+    ## Remediations
+    Coming soon.
+    ## Resources
+    Coming soon.
+    -->
+  cwe_id:
+    - 525
+  id: "javascript_express_jwt_not_revoked"

pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/.snapshots/TestJavascriptExpressJwtNotRevoked--express_jwt_not_revoked.yml

@@ -0,0 +1,15 @@
+warning:
+    - rule:
+        cwe_ids:
+            - "525"
+        id: javascript_express_jwt_not_revoked
+        description: Unrevoked JWT detected.
+        documentation_url: https://docs.bearer.com/reference/rules/javascript_express_jwt_not_revoked
+      line_number: 5
+      filename: express_jwt_not_revoked.js
+      category_groups:
+        - PII
+      parent_line_number: 5
+      parent_content: 'expressjwt({ secret: currentUser.email, algorithms: ["HS256"] })'
+
+

pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/.snapshots/TestJavascriptExpressJwtNotRevoked--ok_express_jwt_revoked.yml

@@ -0,0 +1,3 @@
+{}
+
+

pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/testdata/express_jwt_not_revoked.js

@@ -0,0 +1,19 @@
+import { expressjwt } from "express-jwt";
+
+app.get(
+  "/unrevoked",
+  expressjwt({ secret: currentUser.email, algorithms: ["HS256"] }),
+  function (req, res) {
+    if (!req.auth.admin) return res.sendStatus(401);
+    res.sendStatus(200);
+  }
+);
+
+app.get(
+  "/unrevoked",
+  expressjwt({ secret: "some-secret", algorithms: ["HS256"] }),
+  function (req, res) {
+    if (!req.auth.admin) return res.sendStatus(401);
+    res.sendStatus(200);
+  }
+);

pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked/testdata/ok_express_jwt_revoked.js

@@ -0,0 +1,10 @@
+import { expressjwt } from "express-jwt";
+
+app.get(
+  "/revoked",
+  expressjwt({ secret: currentUser.email, isRevoked: this.customRevokeCall(), algorithms: ["HS256"] }),
+  function (req, res) {
+    if (!req.auth.admin) return res.sendStatus(401);
+    res.sendStatus(200);
+  }
+);