From b8e3decde803a460a168605d2c13dd96d264c771 Mon Sep 17 00:00:00 2001 
From: vjerci <27707350+vjerci@users.noreply.github.com> Date: Mon, 27 Feb 2023 15:55:48 +0100 Subject: [PATCH 1/5] feat: add javascript hardcoded string support --- integration/rules/javascript_test.go | 10 ++++ .../javascript/lang/hardcoded_secret.yml | 37 ++++++++++++ .../TestJavascriptHardcodedSecret--secure.yml | 3 + ...iptHardcodedSecret--unsecure_assigment.yml | 13 ++++ ...scriptHardcodedSecret--unsecure_object.yml | 21 +++++++ .../lang/hardcoded_secret/testdata/secure.js | 2 + .../testdata/unsecure_assigment.js | 2 + .../testdata/unsecure_object.js | 6 ++ .../passport_hardcoded_secret.yml | 59 +++++++++++++++++++ ...scripPassportHardcodedSecret--unsecure.yml | 23 ++++++++ .../testdata/unsecure.js | 5 ++ 11 files changed, 181 insertions(+) create mode 100644 pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret.yml create mode 100644 pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--secure.yml create mode 100644 pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_assigment.yml create mode 100644 pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_object.yml create mode 100644 pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/secure.js create mode 100644 pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/unsecure_assigment.js create mode 100644 pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/unsecure_object.js create mode 100644 pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml create mode 100644 pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/.snapshots/TestJavascripPassportHardcodedSecret--unsecure.yml create mode 100644 
pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/testdata/unsecure.js
diff --git a/integration/rules/javascript_test.go b/integration/rules/javascript_test.go
index cde0faa04..6802bd9f8 100644
--- a/integration/rules/javascript_test.go
+++ b/integration/rules/javascript_test.go
@@ -49,6 +49,11 @@ func TestJavascriptLangFileGeneration(t *testing.T) {
 getRunner(t).runTest(t, javascriptRulesPath+"lang/file_generation")
 }
+func TestJavascriptHardcodedSecret(t *testing.T) {
+ t.Parallel()
+ getRunner(t).runTest(t, javascriptRulesPath+"lang/hardcoded_secret")
+}
+
 func TestJavascriptAwsLambdaSqlInjection(t *testing.T) {
 t.Parallel()
 getRunner(t).runTest(t, javascriptRulesPath+"aws_lambda/sql_injection")
@@ -193,3 +198,8 @@ func TestJavascriptBugsnag(t *testing.T) {
 t.Parallel()
 getRunner(t).runTest(t, javascriptRulesPath+"third_parties/bugsnag")
 }
+
+func TestJavascripPassportHardcodedSecret(t *testing.T) {
+ t.Parallel()
+ getRunner(t).runTest(t, javascriptRulesPath+"third_parties/passport_hardcoded_secret")
+}
diff --git a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret.yml b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret.yml
new file mode 100644
index 000000000..33582e51c
--- /dev/null
+++ b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret.yml
@@ -0,0 +1,37 @@
+patterns:
+ - pattern: |
+ { $: $ }
+ filters:
+ - variable: KEY
+ values:
+ - clientSecret
+ - secretOrKey
+ - consumerSecret
+ - pattern: |
+ $<_>.$ = $
+ filters:
+ - variable: KEY
+ values:
+ - clientSecret
+ - secretOrKey
+ - consumerSecret
+languages:
+ - javascript
+trigger: presence
+severity:
+ default: critical
+metadata:
+ description: "Hardcoded secret detected"
+ remediation_message: |
+ ## Description
+
+ Code is not a safe place to store secrets, use enviorment variables instead.
+
+
+ dsr_id: "DSR-5"
+ cwe_id:
+ - 95
+ id: "javascript_hardcoded_secret"
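Review bot: `TestJavascripPassportHardcodedSecret` in the second hunk is missing the final `t` of `Javascript`, unlike every neighbouring test in this file (`TestJavascriptBugsnag`, `TestJavascriptHardcodedSecret`), so it breaks the file's naming convention and a `-run TestJavascript` filter no longer selects it. The snapshot committed alongside is named after the function (`TestJavascripPassportHardcodedSecret--unsecure.yml`), so the rename has to cover both the Go function and that file. Suggested signature: `func TestJavascriptPassportHardcodedSecret(t *testing.T) {`.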
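Review bot: The remediation_message in this hunk reads `enviorment`; the fourth patch of this series corrects the spelling only in passport_hardcoded_secret.yml, so `use environment variables instead.` should be applied to this file as well (the fifth patch is outside this view and may already do so). As rendered here the value-side metavariable of both patterns is truncated (`{ $: $ }` and `$<_>.$ = $`), so I cannot confirm whether a `:string` type constraint limits the match to literals; the `{}` result in the secure snapshot for `config.clientSecret = process.env["GOOGLE_CLIENT_SECRET"]` suggests one is present, and that intent deserves a comment on each pattern, e.g. `# only string literals are reported; env lookups and identifiers are intentionally excluded`. The KEY filter is an exact allowlist of three property names, so a secret stored under any other name is silently not reported; a short comment naming the libraries these three names come from would let the next maintainer extend the list deliberately rather than guess.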
diff --git a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--secure.yml b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--secure.yml new file mode 100644 index 000000000..5cf32ecc5 --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--secure.yml @@ -0,0 +1,3 @@ +{} + + diff --git a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_assigment.yml b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_assigment.yml new file mode 100644 index 000000000..8044e8ac1 --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_assigment.yml @@ -0,0 +1,13 @@ +critical: + - rule: + cwe_ids: + - "95" + id: javascript_hardcoded_secret + description: Hardcoded secret detected + documentation_url: https://docs.bearer.com/reference/rules/javascript_hardcoded_secret + line_number: 2 + filename: unsecure_assigment.js + parent_line_number: 2 + parent_content: config.clientSecret = "secretHardcodedString" + + diff --git a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_object.yml b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_object.yml new file mode 100644 index 000000000..571d2fa70 --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_object.yml 
@@ -0,0 +1,21 @@ +critical: + - rule: + cwe_ids: + - "95" + id: javascript_hardcoded_secret + description: Hardcoded secret detected + documentation_url: https://docs.bearer.com/reference/rules/javascript_hardcoded_secret + line_number: 1 + filename: unsecure_object.js + category_groups: + - PII + parent_line_number: 1 + parent_content: |- + { + clientID: process.env["GOOGLE_CLIENT_ID"], + clientSecret: "secretHardcodedString", + callbackURL: "/oauth2/redirect/google", + scope: ["profile"], + } + + diff --git a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/secure.js b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/secure.js new file mode 100644 index 000000000..298aa412e --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/secure.js @@ -0,0 +1,2 @@ +const config = {}; +config.clientSecret = process.env["GOOGLE_CLIENT_SECRET"]; diff --git a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/unsecure_assigment.js b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/unsecure_assigment.js new file mode 100644 index 000000000..89d1146f0 --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/unsecure_assigment.js @@ -0,0 +1,2 @@ +const config = {}; +config.clientSecret = "secretHardcodedString"; diff --git a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/unsecure_object.js b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/unsecure_object.js new file mode 100644 index 000000000..20b2641db --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/unsecure_object.js @@ -0,0 +1,6 @@ +const config = { + clientID: process.env["GOOGLE_CLIENT_ID"], + clientSecret: "secretHardcodedString", + callbackURL: "/oauth2/redirect/google", + scope: ["profile"], +}; 
diff --git a/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml
new file mode 100644
index 000000000..b5ea664f7
--- /dev/null
+++ b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml
@@ -0,0 +1,59 @@
+patterns:
+ - pattern: |
+ $($)
+ filters:
+ - variable: PASSPORT
+ detection: javascript_third_parties_passport_hardcoded_secret_passport_usage
+ - variable: STRATEGY
+ detection: javascript_third_parties_passport_strategy
+auxiliary:
+ - id: javascript_third_parties_passport_strategy
+ patterns:
+ - pattern: |
+ new $($)
+ filters:
+ - variable: METHOD
+ values:
+ - Strategy
+ - LocalStrategy
+ - HTTPBearerStrategy
+ - BearerStrategy
+ - GoogleStrategy
+ - GoogleOauthStrategy
+ - TwitterStrategy
+ - JwtStrategy
+ - FacebookStrategy
+ - CognitoStrategy
+ - variable: CONFIG
+ detection: javascript_third_parties_passport_hardcoded_secret_secret_usage
+ - id: javascript_third_parties_passport_hardcoded_secret_secret_usage
+ patterns:
+ - pattern: |
+ { clientSecret: $<_:string> }
+ - pattern: |
+ { secretOrKey: $<_:string> }
+ - pattern: |
+ { consumerSecret: $<_:string> }
+ - id: javascript_third_parties_passport_hardcoded_secret_passport_usage
+ patterns:
+ - passport.use
+languages:
+ - javascript
+trigger: presence
+severity:
+ default: critical
+metadata:
+ description: "Hardcoded passport secret detected"
+ remediation_message: |
+ ## Description
+
+ Code is not a safe place to store secrets, use enviorment variables instead.
+
+
+ dsr_id: "DSR-5"
+ cwe_id:
+ - 95
+ id: "javascript_third_parties_passport_hardcoded_secret"
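Review bot: The snapshot this series adds for the rule's own testdata shows `javascript_hardcoded_secret` already firing on line 4 of unsecure.js, so a hardcoded Passport secret is reported twice — once by the generic `lang` rule on the object literal and once here on `passport.use(strategy)` — with no remediation content that the generic rule does not already give. If the second finding is intentional (for example to attribute the secret to Passport), say so in `description` or in a YAML comment above `patterns:`; otherwise consider whether this rule should only fire where the generic one does not. The `javascript_third_parties_passport_strategy` auxiliary only matches constructors whose local name is in the METHOD allowlist, so a strategy bound under another name is missed (the testdata's `const GoogleStrategy = require("passport-google-oauth").Strategy` is caught only because the chosen alias happens to be on the list), and the bare `passport.use` pattern has the same dependence on the module being required under that exact name. A one-line comment stating that the rule relies on conventional local names would make that limitation explicit for whoever tunes it next.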
diff --git a/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/.snapshots/TestJavascripPassportHardcodedSecret--unsecure.yml b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/.snapshots/TestJavascripPassportHardcodedSecret--unsecure.yml new file mode 100644 index 000000000..b06143b5b --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/.snapshots/TestJavascripPassportHardcodedSecret--unsecure.yml @@ -0,0 +1,23 @@ +critical: + - rule: + cwe_ids: + - "95" + id: javascript_hardcoded_secret + description: Hardcoded secret detected + documentation_url: https://docs.bearer.com/reference/rules/javascript_hardcoded_secret + line_number: 4 + filename: unsecure.js + parent_line_number: 4 + parent_content: '{ clientSecret: "hardcodedSecret" }' + - rule: + cwe_ids: + - "95" + id: javascript_third_parties_passport_hardcoded_secret + description: Hardcoded passport secret detected + documentation_url: https://docs.bearer.com/reference/rules/javascript_third_parties_passport_hardcoded_secret + line_number: 5 + filename: unsecure.js + parent_line_number: 5 + parent_content: passport.use(strategy) + + diff --git a/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/testdata/unsecure.js b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/testdata/unsecure.js new file mode 100644 index 000000000..dfec43a4c --- /dev/null +++ b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/testdata/unsecure.js @@ -0,0 +1,5 @@ +const GoogleStrategy = require("passport-google-oauth").Strategy; +const passport = require("passport"); + +const strategy = new GoogleStrategy({ clientSecret: "hardcodedSecret" }); +passport.use(strategy); From a206eea592da8242d7f5d9ace918fd7fb6b5e3f5 Mon Sep 17 00:00:00 2001 
From: vjerci <27707350+vjerci@users.noreply.github.com> Date: Mon, 27 Feb 2023 16:48:38 +0100 Subject: [PATCH 2/5] feat: update cwe ids --- .../process/settings/rules/javascript/lang/hardcoded_secret.yml | 2 +- .../javascript/third_parties/passport_hardcoded_secret.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret.yml b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret.yml
index 33582e51c..c0f02d0c4 100644
--- a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret.yml
+++ b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret.yml
@@ -33,5 +33,5 @@ metadata:
 -->
 dsr_id: "DSR-5"
 cwe_id:
- - 95
+ - 798
 id: "javascript_hardcoded_secret"
diff --git a/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml
index b5ea664f7..c3bb97605 100644
--- a/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml
+++ b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml
@@ -55,5 +55,5 @@ metadata:
 -->
 dsr_id: "DSR-5"
 cwe_id:
- - 95
+ - 798
 id: "javascript_third_parties_passport_hardcoded_secret"
From f429fe273b94b7e3596b56c45ca4e40d6f5614ee Mon Sep 17 00:00:00 2001 From: vjerci <27707350+vjerci@users.noreply.github.com> Date: Mon, 27 Feb 2023 16:49:48 +0100 Subject: [PATCH 3/5] feat: update cwe in snapshots --- .../TestJavascriptHardcodedSecret--unsecure_assigment.yml | 2 +- .../TestJavascriptHardcodedSecret--unsecure_object.yml | 2 +- .../TestJavascripPassportHardcodedSecret--unsecure.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-)
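Review bot: Changing `cwe_id` from `95` to `798` in both hunks without touching the snapshots leaves this commit with failing snapshot tests, since all three snapshots still assert `- "95"` until the following commit in the series updates them; folding that snapshot change into this commit keeps every commit of the series green for bisecting. The classification itself is right: CWE-798 is Use of Hard-coded Credentials, whereas CWE-95 is eval injection and did not describe what these rules report. The second hunk, in passport_hardcoded_secret.yml, has the same dependency on the snapshot commit.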
diff --git a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_assigment.yml b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_assigment.yml index 8044e8ac1..84b470260 100644 --- a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_assigment.yml +++ b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_assigment.yml @@ -1,7 +1,7 @@ critical: - rule: cwe_ids: - - "95" + - "798" id: javascript_hardcoded_secret description: Hardcoded secret detected documentation_url: https://docs.bearer.com/reference/rules/javascript_hardcoded_secret diff --git a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_object.yml b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_object.yml index 571d2fa70..74abee6a9 100644 --- a/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_object.yml +++ b/pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_object.yml @@ -1,7 +1,7 @@ critical: - rule: cwe_ids: - - "95" + - "798" id: javascript_hardcoded_secret description: Hardcoded secret detected documentation_url: https://docs.bearer.com/reference/rules/javascript_hardcoded_secret diff --git a/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/.snapshots/TestJavascripPassportHardcodedSecret--unsecure.yml b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/.snapshots/TestJavascripPassportHardcodedSecret--unsecure.yml index b06143b5b..02564b7b8 100644 
--- a/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/.snapshots/TestJavascripPassportHardcodedSecret--unsecure.yml +++ b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/.snapshots/TestJavascripPassportHardcodedSecret--unsecure.yml @@ -1,7 +1,7 @@ critical: - rule: cwe_ids: - - "95" + - "798" id: javascript_hardcoded_secret description: Hardcoded secret detected documentation_url: https://docs.bearer.com/reference/rules/javascript_hardcoded_secret @@ -11,7 +11,7 @@ critical: parent_content: '{ clientSecret: "hardcodedSecret" }' - rule: cwe_ids: - - "95" + - "798" id: javascript_third_parties_passport_hardcoded_secret description: Hardcoded passport secret detected documentation_url: https://docs.bearer.com/reference/rules/javascript_third_parties_passport_hardcoded_secret From 8ab7e5f3a203e0116a90919872f3156d0ac2390f Mon Sep 17 00:00:00 2001 From: Vjeran Fistric <27707350+vjerci@users.noreply.github.com> Date: Tue, 28 Feb 2023 10:41:44 +0100 Subject: [PATCH 4/5] Update pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml Co-authored-by: elsapet --- .../javascript/third_parties/passport_hardcoded_secret.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml index c3bb97605..40080b70f 100644 --- a/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml +++ b/pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml @@ -47,7 +47,7 @@ metadata: remediation_message: | ## Description - Code is not a safe place to store secrets, use enviorment variables instead. + Code is not a safe place to store secrets, use environment variables instead.