feat(rules): add file_generation rule for JS #546

Merged
merged 1 commit into from
Feb 9, 2023
Merged
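--- a/integration/rules/javascript_test.go
+++ b/integration/rules/javascript_test.go
@@ -61,3 +61,13 @@ func TestJavascriptLangExceptionDataflow(t *testing.T) {
 t.Parallel()
 runRulesTest("javascript/lang/exception", "dataflow", "javascript_lang_exception", t)
 }
+
+func TestJavascriptLangFileGenerationSummary(t *testing.T) {
+t.Parallel()
+runRulesTest("javascript/lang/file_generation", "summary", "javascript_lang_file_generation", t)
+}
+
+func TestJavascriptLangFileGenerationDataflow(t *testing.T) {
+t.Parallel()
+runRulesTest("javascript/lang/file_generation", "dataflow", "javascript_lang_file_generation", t)
+}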
@@ -0,0 +1,36 @@
patterns:
- pattern: |
fs.writeFile($<_>, $<DATA_TYPE>, $<...>)
filters:
- variable: DATA_TYPE
detection: datatype
- pattern: |
fs.writeFile($<_>, $<DATA_TYPE>, $<_>, ($<_>) => {})
filters:
- variable: DATA_TYPE
detection: datatype
languages:
- javascript
trigger: local
severity:
default: low
PII: critical
PHI: medium
PD: high
metadata:
description: "Do not write sensitive data to static files."
remediation_message: |
## Description

It is not uncommon to generate logs, backups, or data exports to static file formats. This rule checks if code exists to write sensitive data to static files.

## Remediations

@markmichon Could you have a look at the remediation part, please?


Coming soon.

<!--
## Resources
Coming soon.
-->
dsr_id: DSR-4
id: javascript_lang_file_generation
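Review bot: Both patterns only match a callee spelled `fs.writeFile`, so the same write through `fs.writeFileSync`, `fs.appendFile`, `fs.promises.writeFile`, or a destructured `const { writeFile } = require("fs")` is not flagged; if the pattern language allows it, adding patterns for those callees with the same `DATA_TYPE` filter would close the gap. The second pattern looks like a special case of the first, since `$<...>` presumably already absorbs the encoding and callback arguments — if it is needed because `$<...>` does not match an arrow-function argument, a short comment above it saying so would help the next maintainer. The `remediation_message` ends at `## Remediations` followed by `Coming soon.`; given the rule ships with `PII: critical`, a one-line interim remediation (drop the sensitive field from the exported object, or encrypt the output) would serve users better than the placeholder until the full text lands.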
@@ -0,0 +1,98 @@
data_types:
- name: Email Address
detectors:
- name: javascript
locations:
- filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
line_number: 11
field_name: email
object_name: user
subject_name: User
- name: Firstname
detectors:
- name: javascript
locations:
- filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
line_number: 8
field_name: firstname
object_name: user
subject_name: User
- filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
line_number: 12
field_name: firstname
object_name: user
subject_name: User
- name: Lastname
detectors:
- name: javascript
locations:
- filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
line_number: 8
field_name: surname
object_name: user
subject_name: User
risks:
- detector_id: javascript_lang_file_generation
data_types:
- name: Email Address
stored: false
locations:
- filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
line_number: 11
parent:
line_number: 18
content: |-
fs.writeFile("data.csv", JSON.stringify(users), "utf-8", (err) => {
if (err) console.log(err)
else console.log("Data saved")
})
field_name: email
object_name: user
subject_name: User
- name: Firstname
stored: false
locations:
- filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
line_number: 8
parent:
line_number: 18
content: |-
fs.writeFile("data.csv", JSON.stringify(users), "utf-8", (err) => {
if (err) console.log(err)
else console.log("Data saved")
})
field_name: firstname
object_name: user
subject_name: User
- filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
line_number: 12
parent:
line_number: 18
content: |-
fs.writeFile("data.csv", JSON.stringify(users), "utf-8", (err) => {
if (err) console.log(err)
else console.log("Data saved")
})
field_name: firstname
object_name: user
subject_name: User
- name: Lastname
stored: false
locations:
- filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
line_number: 8
parent:
line_number: 18
content: |-
fs.writeFile("data.csv", JSON.stringify(users), "utf-8", (err) => {
if (err) console.log(err)
else console.log("Data saved")
})
field_name: surname
object_name: user
subject_name: User
components: []


--

@@ -0,0 +1,47 @@
critical:
- rule_dsrid: DSR-4
rule_display_id: javascript_lang_file_generation
rule_description: Do not write sensitive data to static files.
rule_documentation_url: https://curio.sh/reference/rules/javascript_lang_file_generation
line_number: 8
filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
category_groups:
- PII
parent_line_number: 18
parent_content: |-
fs.writeFile("data.csv", JSON.stringify(users), "utf-8", (err) => {
if (err) console.log(err)
else console.log("Data saved")
})
- rule_dsrid: DSR-4
rule_display_id: javascript_lang_file_generation
rule_description: Do not write sensitive data to static files.
rule_documentation_url: https://curio.sh/reference/rules/javascript_lang_file_generation
line_number: 11
filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
category_groups:
- PII
parent_line_number: 18
parent_content: |-
fs.writeFile("data.csv", JSON.stringify(users), "utf-8", (err) => {
if (err) console.log(err)
else console.log("Data saved")
})
- rule_dsrid: DSR-4
rule_display_id: javascript_lang_file_generation
rule_description: Do not write sensitive data to static files.
rule_documentation_url: https://curio.sh/reference/rules/javascript_lang_file_generation
line_number: 12
filename: pkg/commands/process/settings/rules/javascript/lang/file_generation/testdata/file_generation.js
category_groups:
- PII
parent_line_number: 18
parent_content: |-
fs.writeFile("data.csv", JSON.stringify(users), "utf-8", (err) => {
if (err) console.log(err)
else console.log("Data saved")
})


--

@@ -0,0 +1,21 @@
const fs = require("fs")

function generateUsername(firstname, surname) {
return `${firstname[0]}-${surname}`.toLowerCase()
}

const users = users.map((user) => {
const username = generateUsername(user.firstname, user.surname)

return {
email: user.email,
first_name: user.firstname,
username,
}
})

fs.writeFile("data.csv", JSON.stringify(users), callback)
fs.writeFile("data.csv", JSON.stringify(users), "utf-8", (err) => {
if (err) console.log(err)
else console.log("Data saved")
})
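Review bot: `const users = users.map((user) => {` on the fixture's line 7 reads `users` inside its own initializer, which is a ReferenceError (temporal dead zone) if the file is ever executed, and `callback` on line 17 is never declared; the file still parses for static analysis, but renaming the input collection, `const users = rawUsers.map((user) => {`, keeps the fixture honest as JavaScript. Both expected-output files record `parent_line_number: 18` only, while the fixture has two `fs.writeFile` calls on lines 17 and 18; if findings are de-duplicated per data-type location this is expected, but otherwise the three-argument call on line 17 — the form the rule's first pattern exists for — is not exercised by this test, so it may be worth confirming why it is absent from the expectations.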