feat: jwt hardcoded secret (#650)

* docs: update jwt cwe * feat: add jwt hardcoded secret * fix: remove debug log * feat: update severity * fix: typo * chore: update test
Bearer · Feb 23, 2023 · e23dbcc · e23dbcc
1 parent af8a13f
commit e23dbcc
Show file tree

Hide file tree

Showing 10 changed files with 64 additions and 5 deletions.
diff --git a/integration/rules/javascript_test.go b/integration/rules/javascript_test.go
@@ -24,6 +24,11 @@ func TestJavascriptJWT(t *testing.T) {
 	getRunner(t).runTest(t, javascriptRulesPath+"lang/jwt")
 }
 
+func TestJavascriptJWTHardcodedSecret(t *testing.T) {
+	t.Parallel()
+	getRunner(t).runTest(t, javascriptRulesPath+"lang/jwt_hardcoded_secret")
+}
+
 func TestJavascriptHTTPInsecure(t *testing.T) {
 	t.Parallel()
 	getRunner(t).runTest(t, javascriptRulesPath+"lang/http_insecure")

diff --git a/new/language/implementation/javascript/javascript.go b/new/language/implementation/javascript/javascript.go
@@ -32,7 +32,7 @@ var (
 
 	// $<name:type> or $<name:type1|type2> or $<name>
 	patternQueryVariableRegex = regexp.MustCompile(`\$<(?P<name>[^>:!\.]+)(?::(?P<types>[^>]+))?>`)
-	allowedPatternQueryTypes  = []string{"identifier", "property_identifier", "_", "member_expression"}
+	allowedPatternQueryTypes  = []string{"identifier", "property_identifier", "_", "member_expression", "string"}
 
 	matchNodeRegex = regexp.MustCompile(`\$<!>`)
 

diff --git a/...nds/process/settings/rules/javascript/lang/jwt/.snapshots/TestJavascriptJWT--unsecure.yml b/...nds/process/settings/rules/javascript/lang/jwt/.snapshots/TestJavascriptJWT--unsecure.yml
@@ -3,9 +3,13 @@ low:
       rule_display_id: javascript_jwt
       rule_description: Sensitive data in a JWT detected.
       rule_documentation_url: https://docs.bearer.com/reference/rules/javascript_jwt
-      line_number: 2
+      line_number: 3
       filename: unsecure.js
       parent_line_number: 2
-      parent_content: 'jwt.sign({ user: { email: "jhon@gmail.com" } }, "shhhhh")'
+      parent_content: |-
+        jwt.sign(
+        	{ user: { email: "jhon@gmail.com" } },
+        	process.env.JWT_SECRET
+        )
 
 
diff --git a/pkg/commands/process/settings/rules/javascript/lang/jwt/testdata/secure.js b/pkg/commands/process/settings/rules/javascript/lang/jwt/testdata/secure.js
@@ -2,5 +2,5 @@ var jwt = require("jsonwebtoken");
 
 var token = jwt.sign(
 	{ user: { uuid: "1fbae5ff-86c8-4ece-8278-bd94957de1bf" } },
-	"shhhhh"
+	process.env.JWT_SECRET
 );
diff --git a/pkg/commands/process/settings/rules/javascript/lang/jwt/testdata/unsecure.js b/pkg/commands/process/settings/rules/javascript/lang/jwt/testdata/unsecure.js
@@ -1,2 +1,5 @@
 var jwt = require("jsonwebtoken");
-var token = jwt.sign({ user: { email: "jhon@gmail.com" } }, "shhhhh");
+var token = jwt.sign(
+	{ user: { email: "jhon@gmail.com" } },
+	process.env.JWT_SECRET
+);
diff --git a/...ascript/lang/jwt_hardcoded_secret/.snapshots/TestJavascriptJWTHardcodedSecret--secure.yml b/...ascript/lang/jwt_hardcoded_secret/.snapshots/TestJavascriptJWTHardcodedSecret--secure.yml
@@ -0,0 +1,3 @@
+{}
+
+
diff --git a/...cript/lang/jwt_hardcoded_secret/.snapshots/TestJavascriptJWTHardcodedSecret--unsecure.yml b/...cript/lang/jwt_hardcoded_secret/.snapshots/TestJavascriptJWTHardcodedSecret--unsecure.yml
@@ -0,0 +1,11 @@
+medium:
+    - rule_dsrid: DSR-5
+      rule_display_id: javascript_jwt_hardcoded_secret
+      rule_description: Hardocded jwt secret deteted
+      rule_documentation_url: https://docs.bearer.com/reference/rules/javascript_jwt_hardcoded_secret
+      line_number: 3
+      filename: unsecure.js
+      parent_line_number: 3
+      parent_content: 'jwt.sign({ foo: "bar" }, "someSecret")'
+
+
diff --git a/pkg/commands/process/settings/rules/javascript/lang/jwt_hardcoded_secret/testdata/secure.js b/pkg/commands/process/settings/rules/javascript/lang/jwt_hardcoded_secret/testdata/secure.js
@@ -0,0 +1,3 @@
+var jwt = require("jsonwebtoken");
+
+var token = jwt.sign({ foo: "bar" }, process.env.JWT_SECRET);
diff --git a/...commands/process/settings/rules/javascript/lang/jwt_hardcoded_secret/testdata/unsecure.js b/...commands/process/settings/rules/javascript/lang/jwt_hardcoded_secret/testdata/unsecure.js
@@ -0,0 +1,3 @@
+var jwt = require("jsonwebtoken");
+
+var token = jwt.sign({ foo: "bar" }, "someSecret");
diff --git a/pkg/commands/process/settings/rules/javascript/lang/jwt_hardocoded_secret.yml b/pkg/commands/process/settings/rules/javascript/lang/jwt_hardocoded_secret.yml
@@ -0,0 +1,27 @@
+type: risk
+patterns:
+  - pattern: |
+      jwt.sign($<_>, $<SECRET:string>)
+languages:
+  - javascript
+trigger: presence
+severity:
+  default: medium
+skip_data_types:
+  - "Unique Identifier"
+metadata:
+  description: "Hardocded jwt secret deteted"
+  remediation_message: |
+    ## Description
+
+    Code is not a secure place to store secrets, use env variable.
+
+
+    <!--
+    ## Resources
+    Coming soon.
+    -->
+  dsr_id: "DSR-5"
+  cwe_id:
+    - 798
+  id: "javascript_jwt_hardcoded_secret"