feat(javascript rule): hardcoded string support

integration/rules/javascript_test.go

@@ -49,6 +49,11 @@ func TestJavascriptLangFileGeneration(t *testing.T) {
 	getRunner(t).runTest(t, javascriptRulesPath+"lang/file_generation")
 }
 
+func TestJavascriptHardcodedSecret(t *testing.T) {
+	t.Parallel()
+	getRunner(t).runTest(t, javascriptRulesPath+"lang/hardcoded_secret")
+}
+
 func TestJavascriptAwsLambdaSqlInjection(t *testing.T) {
 	t.Parallel()
 	getRunner(t).runTest(t, javascriptRulesPath+"aws_lambda/sql_injection")
@@ -193,3 +198,8 @@ func TestJavascriptBugsnag(t *testing.T) {
 	t.Parallel()
 	getRunner(t).runTest(t, javascriptRulesPath+"third_parties/bugsnag")
 }
+
+func TestJavascripPassportHardcodedSecret(t *testing.T) {
+	t.Parallel()
+	getRunner(t).runTest(t, javascriptRulesPath+"third_parties/passport_hardcoded_secret")
+}

pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret.yml

@@ -0,0 +1,37 @@
+patterns:
+  - pattern: |
+      { $<KEY>: $<ANTYHING:string> }
+    filters:
+      - variable: KEY
+        values:
+          - clientSecret
+          - secretOrKey
+          - consumerSecret
+  - pattern: |
+      $<_>.$<KEY> = $<ANTYHING:string>
+    filters:
+      - variable: KEY
+        values:
+          - clientSecret
+          - secretOrKey
+          - consumerSecret
+languages:
+  - javascript
+trigger: presence
+severity:
+  default: critical
+metadata:
+  description: "Hardcoded secret detected"
+  remediation_message: |
+    ## Description
+
+    Code is not a safe place to store secrets, use enviorment variables instead.
+
+    <!--
+    ## Resources
+    Coming soon.
+    -->
+  dsr_id: "DSR-5"
+  cwe_id:
+    - 798
+  id: "javascript_hardcoded_secret"

pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--secure.yml

@@ -0,0 +1,3 @@
+{}
+
+

pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_assigment.yml

@@ -0,0 +1,13 @@
+critical:
+    - rule:
+        cwe_ids:
+            - "798"
+        id: javascript_hardcoded_secret
+        description: Hardcoded secret detected
+        documentation_url: https://docs.bearer.com/reference/rules/javascript_hardcoded_secret
+      line_number: 2
+      filename: unsecure_assigment.js
+      parent_line_number: 2
+      parent_content: config.clientSecret = "secretHardcodedString"
+
+

pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/.snapshots/TestJavascriptHardcodedSecret--unsecure_object.yml

@@ -0,0 +1,21 @@
+critical:
+    - rule:
+        cwe_ids:
+            - "798"
+        id: javascript_hardcoded_secret
+        description: Hardcoded secret detected
+        documentation_url: https://docs.bearer.com/reference/rules/javascript_hardcoded_secret
+      line_number: 1
+      filename: unsecure_object.js
+      category_groups:
+        - PII
+      parent_line_number: 1
+      parent_content: |-
+        {
+        	clientID: process.env["GOOGLE_CLIENT_ID"],
+        	clientSecret: "secretHardcodedString",
+        	callbackURL: "/oauth2/redirect/google",
+        	scope: ["profile"],
+        }
+
+

pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/secure.js

@@ -0,0 +1,2 @@
+const config = {};
+config.clientSecret = process.env["GOOGLE_CLIENT_SECRET"];

pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/unsecure_assigment.js

@@ -0,0 +1,2 @@
+const config = {};
+config.clientSecret = "secretHardcodedString";

pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret/testdata/unsecure_object.js

@@ -0,0 +1,6 @@
+const config = {
+	clientID: process.env["GOOGLE_CLIENT_ID"],
+	clientSecret: "secretHardcodedString",
+	callbackURL: "/oauth2/redirect/google",
+	scope: ["profile"],
+};

pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml

@@ -0,0 +1,59 @@
+patterns:
+  - pattern: |
+      $<PASSPORT>($<STRATEGY>)
+    filters:
+      - variable: PASSPORT
+        detection: javascript_third_parties_passport_hardcoded_secret_passport_usage
+      - variable: STRATEGY
+        detection: javascript_third_parties_passport_strategy
+auxiliary:
+  - id: javascript_third_parties_passport_strategy
+    patterns:
+      - pattern: |
+          new $<METHOD>($<CONFIG>)
+        filters:
+          - variable: METHOD
+            values:
+              - Strategy
+              - LocalStrategy
+              - HTTPBearerStrategy
+              - BearerStrategy
+              - GoogleStrategy
+              - GoogleOauthStrategy
+              - TwitterStrategy
+              - JwtStrategy
+              - FacebookStrategy
+              - CognitoStrategy
+          - variable: CONFIG
+            detection: javascript_third_parties_passport_hardcoded_secret_secret_usage
+  - id: javascript_third_parties_passport_hardcoded_secret_secret_usage
+    patterns:
+      - pattern: |
+          { clientSecret: $<_:string> }
+      - pattern: |
+          { secretOrKey: $<_:string> }
+      - pattern: |
+          { consumerSecret: $<_:string> }
+  - id: javascript_third_parties_passport_hardcoded_secret_passport_usage
+    patterns:
+      - passport.use
+languages:
+  - javascript
+trigger: presence
+severity:
+  default: critical
+metadata:
+  description: "Hardcoded passport secret detected"
+  remediation_message: |
+    ## Description
+
+    Code is not a safe place to store secrets, use enviorment variables instead.
+
+    <!--
+    ## Resources
+    Coming soon.
+    -->
+  dsr_id: "DSR-5"
+  cwe_id:
+    - 798
+  id: "javascript_third_parties_passport_hardcoded_secret"

pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/.snapshots/TestJavascripPassportHardcodedSecret--unsecure.yml

@@ -0,0 +1,23 @@
+critical:
+    - rule:
+        cwe_ids:
+            - "798"
+        id: javascript_hardcoded_secret
+        description: Hardcoded secret detected
+        documentation_url: https://docs.bearer.com/reference/rules/javascript_hardcoded_secret
+      line_number: 4
+      filename: unsecure.js
+      parent_line_number: 4
+      parent_content: '{ clientSecret: "hardcodedSecret" }'
+    - rule:
+        cwe_ids:
+            - "798"
+        id: javascript_third_parties_passport_hardcoded_secret
+        description: Hardcoded passport secret detected
+        documentation_url: https://docs.bearer.com/reference/rules/javascript_third_parties_passport_hardcoded_secret
+      line_number: 5
+      filename: unsecure.js
+      parent_line_number: 5
+      parent_content: passport.use(strategy)
+
+

pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret/testdata/unsecure.js

@@ -0,0 +1,5 @@
+const GoogleStrategy = require("passport-google-oauth").Strategy;
+const passport = require("passport");
+
+const strategy = new GoogleStrategy({ clientSecret: "hardcodedSecret" });
+passport.use(strategy);