docs(fix): Update remediation messages for js/ruby rules (#556)

* docs(fix): Update remediation messages for js/ruby

* chore: update snapshots

---------

Co-authored-by: gotbadger <p.j.h@hey.com>

pkg/commands/process/settings/rules/javascript/express/insecure_cookie.yml

@@ -22,8 +22,17 @@ severity:
 skip_data_types:
   - "Unique Identifier"
 metadata:
-  description: "Ensure cookies are sent over https."
+  description: "Ensure cookies are sent over HTTPS."
   remediation_message: |
-    FIXME
+    ## Description
+    To make sure cookies don't open your application up to exploits or unauthorized access, don't use default cookie values and make sure to set security options appropriately.
+
+    ## Remediations
+    - Instead of the default cookie name, use generic names.
+    - Set cookie security values to use HTTP(S) instead of client-side javascript.
+    - Set `secure` values to `true` to force cookies to only send over HTTPS.
+
+    ## Resources
+    - [Express Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely)
   dsr_id: "DSR-5"
   id: "express_insecure_cookie"

pkg/commands/process/settings/rules/javascript/express/insecure_cookie/.snapshots/TestExpressSecureCookieSummary-summary_javascript_express_insecure_cookie_http_only.js

@@ -1,7 +1,7 @@
 low:
     - rule_dsrid: DSR-5
       rule_display_id: express_insecure_cookie
-      rule_description: Ensure cookies are sent over https.
+      rule_description: Ensure cookies are sent over HTTPS.
       rule_documentation_url: https://curio.sh/reference/rules/express_insecure_cookie
       line_number: 9
       filename: pkg/commands/process/settings/rules/javascript/express/insecure_cookie/testdata/http_only.js

pkg/commands/process/settings/rules/javascript/express/insecure_cookie/.snapshots/TestExpressSecureCookieSummary-summary_javascript_express_insecure_cookie_insecure_cookie.js

@@ -1,7 +1,7 @@
 low:
     - rule_dsrid: DSR-5
       rule_display_id: express_insecure_cookie
-      rule_description: Ensure cookies are sent over https.
+      rule_description: Ensure cookies are sent over HTTPS.
       rule_documentation_url: https://curio.sh/reference/rules/express_insecure_cookie
       line_number: 9
       filename: pkg/commands/process/settings/rules/javascript/express/insecure_cookie/testdata/insecure_cookie.js

pkg/commands/process/settings/rules/javascript/lang/exception.yml

@@ -44,13 +44,13 @@ metadata:
 
     ❌ Avoid using sensitive data in exception messages:
 
-    ```ruby
+    ```javascript
     throw new CustomError(`Error with ${user.email}`)
     ```
 
     ✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:
 
-    ```ruby
+    ```javascript
     throw new CustomError(`Error with ${user.uuid}`)
     ```
     <!--

pkg/commands/process/settings/rules/javascript/lang/file_generation.yml

@@ -26,7 +26,7 @@ metadata:
 
     ## Remediations
 
-    Coming soon.
+    Avoid writing sensitive data to logs, backups, or exports whenever possible. Instead obfuscate and/or filter the data to exclude sensitive information.
 
     <!--
     ## Resources

pkg/commands/process/settings/rules/javascript/lang/jwt.yml

@@ -24,7 +24,7 @@ metadata:
 
     ## Remediations
 
-    ❌ Avoid storing sensitive data in JWT:
+    ❌ Avoid storing sensitive data in JWTs:
 
     ```javascript
       const jwt = require('jsonwebtoken');
@@ -41,5 +41,6 @@ metadata:
     <!--
     ## Resources
     Coming soon.
+    -->
   dsr_id: "DSR-5"
   id: "javascript_jwt"

pkg/commands/process/settings/rules/javascript/lang/logger.yml

@@ -85,7 +85,7 @@ metadata:
     logger.info(`User is: ${user.email}`)
     ```
 
-    ✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:
+    ✅ If you need to identify a user, use their unique identifier instead of their personal identifiable information:
 
     ```javascript
     logger.info(`User is: ${user.uuid}`)

pkg/commands/process/settings/rules/javascript/lang/session.yml

@@ -19,13 +19,27 @@ metadata:
   remediation_message: |
     ## Description
 
-    Sensitive data should not be stored in localstorage session. This policy looks for any sensitive data stored within the localstorage.
+    Sensitive data should not be stored in a `localStorage` session. This policy looks for any sensitive data stored within the localstorage.
 
     ## Remediations
-    ✅ To ensure session's data stays safe, ensure to use a database-based session storage:
+
+    It's best to avoid storing sensitive data in `localStorage` whenever possible. To keep session data safe, use a server-based session storage solution instead.
+
+    ❌ If you do need do store data in `localStorage`, avoid including sensitive data:
+
+    ```javascript
+    localStorage.setItem('user', email)
+    ```
+
+     ✅ Instead, use a unique identifier:
+
+    ```javascript
+    localStorage.setItem('user', user.uuid)
+    ```
 
     <!--
     ## Resources
     Coming soon.
+    -->
   dsr_id: "DSR-5"
   id: "javascript_session"

pkg/commands/process/settings/rules/javascript/lang/weak_encryption.yml

@@ -38,13 +38,19 @@ metadata:
     Sensitive data should be encrypted with strong encryption algorithms like aes-256-cbc
 
     ## Remediations
-    var crypto = require("crypto");
 
-    var key = "secret key";
-    var encrypted = crypto.createHmac("es-256-cbc", key).update(user.password);
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption): MD5, RC4, DES, Blowfish, SHA1. 1024-bit RSA or DSA, 160-bit ECDSA (elliptic curves), 80/112-bit 2TDEA (two key triple DES) are considered as weak hash/encryption algorithms and therefor shouldn't be used.
+
+    ✅ Use stronger encryption algorithms when storing data.
+
+    ```javascript
+    const crypto = require("crypto");
+
+    const key = "secret key";
+    const encrypted = crypto.createHmac("es-256-cbc", key).update(user.password);
+    ```
 
-    <!--
     ## Resources
-    Coming soon.
+    - [NodeJS Crypto Module](https://nodejs.org/api/crypto.html#cryptocreatehmacalgorithm-key-options)
   dsr_id: "DSR-5"
   id: "javascript_weak_encryption"

pkg/commands/process/settings/rules/ruby/third_parties/algolia.yml

@@ -36,12 +36,11 @@ metadata:
   description: "Do not store sensitive data in Algolia."
   remediation_message: |
     ## Description
-    TODO
-
+    Leaking sensitive data to third-party data tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Algolia.
+    <!--
     ## Remediations
-
-    TODO
-
+    Coming soon.
+    -->
     ## Resources
     - [Algolia docs](https://www.algolia.com/doc/)
   dsr_id: DSR-6

pkg/commands/process/settings/rules/ruby/third_parties/elasticsearch.yml

@@ -44,11 +44,11 @@ metadata:
   description: "Do not store sensitive data in Elasticsearch."
   remediation_message: |
     ## Description
-    TODO
-
+    Leaking sensitive data to third-party data tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Elasticsearch.
+    <!--
     ## Remediations
-
-    TODO
+    Coming soon.
+    -->
 
     ## Resources
     - [Elasticsearch docs](https://www.elastic.co/guide/en/elasticsearch/client/ruby-api/current/index.html)