From 4b23b8f8844c9c1350168bf67595d19a5d61547f Mon Sep 17 00:00:00 2001 
From: gatsby003 Date: Thu, 24 Jul 2025 15:45:59 +0530 Subject: [PATCH] Add TypeScript security rules and tooling - Add ts-node security rules for runtime protection --- .gitignore | 1 + package.json | 2 +- rules/c/security/null-library-function-c.yml | 2 +- .../security/null-library-function-cpp.yml | 2 +- .../grpc-client-insecure-connection-go.yml | 2 +- .../security/plaintext-http-link-html.yml | 2 +- .../hardcoded-connection-password-java.yml | 2 +- .../java-jwt-hardcoded-secret-java.yml | 2 +- ...isclientconfig-hardcoded-password-java.yml | 2 +- .../java/security/use-of-default-aes-java.yml | 2 +- rules/java/security/use-of-md5-java.yml | 2 +- rules/java/security/use-of-sha1-java.yml | 2 +- .../security/openssl-cbc-static-iv-php.yml | 2 +- .../hashids-with-django-secret-python.yml | 2 +- ...python-peewee-pg-empty-password-python.yml | 2 +- .../python-pg8000-hardcoded-secret-python.yml | 2 +- .../python-psycopg2-empty-password-python.yml | 2 +- ...ython-psycopg2-hardcoded-secret-python.yml | 2 +- .../python-redis-empty-password-python.yml | 2 +- .../python-redis-hardcoded-secret-python.yml | 2 +- .../ruby-octokit-hardcoded-secret-ruby.yml | 2 +- .../security/ruby-pg-empty-password-ruby.yml | 2 +- .../ruby-pg-hardcoded-secret-ruby.yml | 2 +- rules/rust/security/empty-password-rust.yml | 2 +- .../rust/security/hardcoded-password-rust.yml | 2 +- .../security/argon2-weak-type-typescript.yml | 59 +++++++ .../security/avoid-crypto-rc4-typescript.yml | 42 +++++ .../security/avoid-crypto-sha1-typescript.yml | 34 ++++ .../security/avoid-des-typescript.yml | 42 +++++ .../security/chmod-permissions-typescript.yml | 35 ++++ .../security/command-injection-typescript.yml | 35 ++++ .../crypto-avoid-weak-hash-typescript.yml | 38 +++++ .../detect-buffer-noassert-typescript.yml | 86 ++++++++++ ...detect-eval-with-expression-typescript.yml | 46 +++++ .../security/detect-new-buffer-typescript.yml | 27 +++ .../detect-non-literal-regexp-typescript.yml | 36 ++++ 
.../detect-non-literal-require-typescript.yml | 33 ++++ .../detected-jwt-token-typescript.yml | 22 +++ .../hardcoded-hmac-key-typescript.yml | 96 +++++++++++ .../security/insecure-hash-typescript.yml | 43 +++++ .../jwt-sensitive-data-typescript.yml | 60 +++++++ .../jwt-weak-encryption-typescript.yml | 54 ++++++ .../log-sensitive-data-typescript.yml | 105 ++++++++++++ ...ize-empty-password-argument-typescript.yml | 2 +- ...e-hardcoded-secret-argument-typescript.yml | 2 +- .../security/sql-injection-typescript.yml | 45 +++++ sgconfig.yml | 2 +- .../argon2-weak-type-typescript-snapshot.yml | 98 +++++++++++ .../avoid-crypto-rc4-typescript-snapshot.yml | 58 +++++++ .../avoid-crypto-sha1-typescript-snapshot.yml | 47 ++++++ .../avoid-des-typescript-snapshot.yml | 62 +++++++ ...owfish-hardcoded-secret-swift-snapshot.yml | 52 ++++++ ...acha20-hardcoded-secret-swift-snapshot.yml | 52 ++++++ .../chmod-permissions-typescript-snapshot.yml | 56 +++++++ .../command-injection-typescript-snapshot.yml | 58 +++++++ ...to-avoid-weak-hash-typescript-snapshot.yml | 92 ++++++++++ ...oded-connection-password-java-snapshot.yml | 82 +++++++++ .../debug-enabled-python-snapshot.yml | 45 +++++ ...gular-sce-disabled-typescript-snapshot.yml | 31 ++++ ...ct-buffer-noassert-typescript-snapshot.yml | 74 ++++++++ ...al-with-expression-typescript-snapshot.yml | 46 +++++ .../detect-new-buffer-typescript-snapshot.yml | 39 +++++ ...non-literal-regexp-typescript-snapshot.yml | 39 +++++ ...on-literal-require-typescript-snapshot.yml | 42 +++++ ...detected-jwt-token-typescript-snapshot.yml | 28 ++++ .../ecb-cipher-java-snapshot.yml | 35 ++++ .../empty-password-rust-snapshot.yml | 96 +++++++++++ ...n-hardcoded-secret-javascript-snapshot.yml | 59 +++++++ ...tore-hardcoded-session-key-go-snapshot.yml | 81 +++++++++ ...la-csrf-hardcoded-auth-key-go-snapshot.yml | 63 +++++++ ...client-insecure-connection-go-snapshot.yml | 47 ++++++ ...oded-connection-password-java-snapshot.yml | 83 +++++++++ 
...hardcoded-hmac-key-typescript-snapshot.yml | 148 ++++++++++++++++ ...-http-auth-in-controller-ruby-snapshot.yml | 60 +++++++ .../hardcoded-password-rust-snapshot.yml | 100 +++++++++++ ...ed-secret-in-credentials-java-snapshot.yml | 54 ++++++ ...hids-with-flask-secret-python-snapshot.yml | 48 ++++++ .../insecure-biometrics-swift-snapshot.yml | 7 + ...e-cipher-algorithm-rc4-python-snapshot.yml | 7 + .../insecure-hash-typescript-snapshot.yml | 94 +++++++++++ ...ava-jwt-hardcoded-secret-java-snapshot.yml | 83 +++++++++ ...onfig-hardcoded-password-java-snapshot.yml | 62 +++++++ ...jwt-sensitive-data-typescript-snapshot.yml | 158 ++++++++++++++++++ ...wt-weak-encryption-typescript-snapshot.yml | 98 +++++++++++ ...log-sensitive-data-typescript-snapshot.yml | 78 +++++++++ ...ed-secret-argument-typescript-snapshot.yml | 76 +++++++++ .../null-library-function-c-snapshot.yml | 33 ++++ .../null-library-function-cpp-snapshot.yml | 33 ++++ ...ation-hardcoded-password-java-snapshot.yml | 79 +++++++++ .../postgres-empty-password-rust-snapshot.yml | 103 ++++++++++++ ...n-ldap3-empty-password-python-snapshot.yml | 48 ++++++ ...ldap3-hardcoded-secret-python-snapshot.yml | 60 +++++++ ...n-mysql-empty-password-python-snapshot.yml | 64 +++++++ ...mysql-hardcoded-secret-python-snapshot.yml | 68 ++++++++ ...neo4j-hardcoded-secret-python-snapshot.yml | 65 +++++++ ...mysql-hardcoded-secret-python-snapshot.yml | 30 ++++ ...sycopg2-empty-password-python-snapshot.yml | 26 +++ ...copg2-hardcoded-secret-python-snapshot.yml | 30 ++++ ...mssql-hardcoded-secret-python-snapshot.yml | 48 ++++++ ...mysql-hardcoded-secret-python-snapshot.yml | 31 ++++ ...redis-hardcoded-secret-python-snapshot.yml | 48 ++++++ ...equests-empty-password-python-snapshot.yml | 18 ++ ...llib3-hardcoded-secret-python-snapshot.yml | 31 ++++ ...rabbit-hardcoded-secret-swift-snapshot.yml | 52 ++++++ .../reqwest-accept-invalid-rust-snapshot.yml | 6 + ...aws-sdk-hardcoded-secret-ruby-snapshot.yml | 62 +++++++ 
...faraday-hardcoded-secret-ruby-snapshot.yml | 37 ++++ .../ruby-pg-empty-password-ruby-snapshot.yml | 58 +++++++ ...ruby-pg-hardcoded-secret-ruby-snapshot.yml | 67 ++++++++ ...s-reqwest-hardcoded-auth-rust-snapshot.yml | 50 ++++++ .../sql-injection-typescript-snapshot.yml | 45 +++++ ...roperty-hardcoded-secret-java-snapshot.yml | 35 ++++ ...-postgres-empty-password-rust-snapshot.yml | 52 ++++++ ...tgres-hardcoded-password-rust-snapshot.yml | 56 +++++++ .../use-of-blowfish-java-snapshot.yml | 25 +++ .../use-of-default-aes-java-snapshot.yml | 38 +++++ .../use-of-sha1-java-snapshot.yml | 41 +++++ .../use-of-weak-rsa-key-go-snapshot.yml | 27 +++ tests/c/null-library-function-c-test.yml | 2 +- tests/cpp/null-library-function-cpp-test.yml | 2 +- ...ie-store-hardcoded-session-key-go-test.yml | 2 +- ...orilla-csrf-hardcoded-auth-key-go-test.yml | 2 +- ...rpc-client-insecure-connection-go-test.yml | 2 +- tests/go/use-of-weak-rsa-key-go-test.yml | 2 +- ...ardcoded-connection-password-java-test.yml | 2 +- tests/java/ecb-cipher-java-test.yml | 2 +- ...ardcoded-connection-password-java-test.yml | 2 +- ...dcoded-secret-in-credentials-java-test.yml | 2 +- .../java-jwt-hardcoded-secret-java-test.yml | 2 +- ...entconfig-hardcoded-password-java-test.yml | 2 +- ...ntication-hardcoded-password-java-test.yml | 2 +- ...setproperty-hardcoded-secret-java-test.yml | 2 +- tests/java/use-of-blowfish-java-test.yml | 2 +- tests/java/use-of-default-aes-java-test.yml | 2 +- tests/java/use-of-rc2-java-test.yml | 2 +- tests/java/use-of-sha1-java-test.yml | 2 +- ...ssion-hardcoded-secret-javascript-test.yml | 2 +- tests/python/debug-enabled-python-test.yml | 2 +- .../hashids-with-flask-secret-python-test.yml | 2 +- ...ecure-cipher-algorithm-rc4-python-test.yml | 2 +- ...wt-python-hardcoded-secret-python-test.yml | 2 +- ...ython-ldap3-empty-password-python-test.yml | 2 +- ...hon-ldap3-hardcoded-secret-python-test.yml | 2 +- ...ython-mysql-empty-password-python-test.yml | 2 +- 
...hon-mysql-hardcoded-secret-python-test.yml | 2 +- ...ython-neo4j-empty-password-python-test.yml | 2 +- ...hon-neo4j-hardcoded-secret-python-test.yml | 2 +- ...eewee-mysql-empty-password-python-test.yml | 2 +- ...wee-mysql-hardcoded-secret-python-test.yml | 2 +- ...n-peewee-pg-empty-password-python-test.yml | 2 +- ...peewee-pg-hardcoded-secret-python-test.yml | 2 +- ...on-psycopg2-empty-password-python-test.yml | 2 +- ...-psycopg2-hardcoded-secret-python-test.yml | 2 +- ...n-pymssql-hardcoded-secret-python-test.yml | 2 +- ...n-pymysql-hardcoded-secret-python-test.yml | 2 +- ...hon-redis-hardcoded-secret-python-test.yml | 2 +- ...on-requests-empty-password-python-test.yml | 2 +- ...n-urllib3-hardcoded-secret-python-test.yml | 2 +- ...oded-http-auth-in-controller-ruby-test.yml | 2 +- ...uby-aws-sdk-hardcoded-secret-ruby-test.yml | 2 +- ...uby-faraday-hardcoded-secret-ruby-test.yml | 2 +- .../ruby/ruby-pg-empty-password-ruby-test.yml | 2 +- .../ruby-pg-hardcoded-secret-ruby-test.yml | 2 +- tests/rust/empty-password-rust-test.yml | 2 +- tests/rust/hardcoded-password-rust-test.yml | 2 +- .../postgres-empty-password-rust-test.yml | 2 +- .../rust/reqwest-accept-invalid-rust-test.yml | 2 +- ...crets-reqwest-hardcoded-auth-rust-test.yml | 2 +- ...okio-postgres-empty-password-rust-test.yml | 2 +- ...-postgres-hardcoded-password-rust-test.yml | 2 +- .../blowfish-hardcoded-secret-swift-test.yml | 2 +- .../chacha20-hardcoded-secret-swift-test.yml | 2 +- .../swift/insecure-biometrics-swift-test.yml | 2 +- .../rabbit-hardcoded-secret-swift-test.yml | 2 +- .../argon2-weak-type-typescript-test.yml | 9 + .../avoid-crypto-rc4-typescript-test.yml | 9 + .../avoid-crypto-sha1-typescript-test.yml | 8 + .../typescript/avoid-des-typescript-test.yml | 11 ++ .../chmod-permissions-typescript-test.yml | 15 ++ .../command-injection-typescript-test.yml | 8 + ...crypto-avoid-weak-hash-typescript-test.yml | 10 ++ ...detect-angular-sce-disabled-typescript.yml | 2 +- 
...detect-buffer-noassert-typescript-test.yml | 17 ++ ...t-eval-with-expression-typescript-test.yml | 12 ++ .../detect-new-buffer-typescript-test.yml | 8 + ...ect-non-literal-regexp-typescript-test.yml | 9 + ...ct-non-literal-require-typescript-test.yml | 9 + .../detected-jwt-token-typescript-test.yml | 11 ++ .../hardcoded-hmac-key-typescript-test.yml | 19 +++ .../insecure-hash-typescript-test.yml | 9 + .../jwt-sensitive-data-typescript-test.yml | 15 ++ .../jwt-weak-encryption-typescript-test.yml | 8 + .../log-sensitive-data-typescript-test.yml | 11 ++ ...dcoded-secret-argument-typescript-test.yml | 2 +- .../sql-injection-typescript-test.yml | 18 ++ 195 files changed, 5244 insertions(+), 85 deletions(-) create mode 100644 rules/typescript/security/argon2-weak-type-typescript.yml create mode 100644 rules/typescript/security/avoid-crypto-rc4-typescript.yml create mode 100644 rules/typescript/security/avoid-crypto-sha1-typescript.yml create mode 100644 rules/typescript/security/avoid-des-typescript.yml create mode 100644 rules/typescript/security/chmod-permissions-typescript.yml create mode 100644 rules/typescript/security/command-injection-typescript.yml create mode 100644 rules/typescript/security/crypto-avoid-weak-hash-typescript.yml create mode 100644 rules/typescript/security/detect-buffer-noassert-typescript.yml create mode 100644 rules/typescript/security/detect-eval-with-expression-typescript.yml create mode 100644 rules/typescript/security/detect-new-buffer-typescript.yml create mode 100644 rules/typescript/security/detect-non-literal-regexp-typescript.yml create mode 100644 rules/typescript/security/detect-non-literal-require-typescript.yml create mode 100644 rules/typescript/security/detected-jwt-token-typescript.yml create mode 100644 rules/typescript/security/hardcoded-hmac-key-typescript.yml create mode 100644 rules/typescript/security/insecure-hash-typescript.yml create mode 100644 rules/typescript/security/jwt-sensitive-data-typescript.yml create mode 
100644 rules/typescript/security/jwt-weak-encryption-typescript.yml create mode 100644 rules/typescript/security/log-sensitive-data-typescript.yml create mode 100644 rules/typescript/security/sql-injection-typescript.yml create mode 100644 tests/__snapshots__/argon2-weak-type-typescript-snapshot.yml create mode 100644 tests/__snapshots__/avoid-crypto-rc4-typescript-snapshot.yml create mode 100644 tests/__snapshots__/avoid-crypto-sha1-typescript-snapshot.yml create mode 100644 tests/__snapshots__/avoid-des-typescript-snapshot.yml create mode 100644 tests/__snapshots__/chmod-permissions-typescript-snapshot.yml create mode 100644 tests/__snapshots__/command-injection-typescript-snapshot.yml create mode 100644 tests/__snapshots__/crypto-avoid-weak-hash-typescript-snapshot.yml create mode 100644 tests/__snapshots__/detect-buffer-noassert-typescript-snapshot.yml create mode 100644 tests/__snapshots__/detect-eval-with-expression-typescript-snapshot.yml create mode 100644 tests/__snapshots__/detect-new-buffer-typescript-snapshot.yml create mode 100644 tests/__snapshots__/detect-non-literal-regexp-typescript-snapshot.yml create mode 100644 tests/__snapshots__/detect-non-literal-require-typescript-snapshot.yml create mode 100644 tests/__snapshots__/detected-jwt-token-typescript-snapshot.yml create mode 100644 tests/__snapshots__/hardcoded-hmac-key-typescript-snapshot.yml create mode 100644 tests/__snapshots__/insecure-hash-typescript-snapshot.yml create mode 100644 tests/__snapshots__/jwt-sensitive-data-typescript-snapshot.yml create mode 100644 tests/__snapshots__/jwt-weak-encryption-typescript-snapshot.yml create mode 100644 tests/__snapshots__/log-sensitive-data-typescript-snapshot.yml create mode 100644 tests/__snapshots__/sql-injection-typescript-snapshot.yml create mode 100644 tests/typescript/argon2-weak-type-typescript-test.yml create mode 100644 tests/typescript/avoid-crypto-rc4-typescript-test.yml create mode 100644 
tests/typescript/avoid-crypto-sha1-typescript-test.yml create mode 100644 tests/typescript/avoid-des-typescript-test.yml create mode 100644 tests/typescript/chmod-permissions-typescript-test.yml create mode 100644 tests/typescript/command-injection-typescript-test.yml create mode 100644 tests/typescript/crypto-avoid-weak-hash-typescript-test.yml create mode 100644 tests/typescript/detect-buffer-noassert-typescript-test.yml create mode 100644 tests/typescript/detect-eval-with-expression-typescript-test.yml create mode 100644 tests/typescript/detect-new-buffer-typescript-test.yml create mode 100644 tests/typescript/detect-non-literal-regexp-typescript-test.yml create mode 100644 tests/typescript/detect-non-literal-require-typescript-test.yml create mode 100644 tests/typescript/detected-jwt-token-typescript-test.yml create mode 100644 tests/typescript/hardcoded-hmac-key-typescript-test.yml create mode 100644 tests/typescript/insecure-hash-typescript-test.yml create mode 100644 tests/typescript/jwt-sensitive-data-typescript-test.yml create mode 100644 tests/typescript/jwt-weak-encryption-typescript-test.yml create mode 100644 tests/typescript/log-sensitive-data-typescript-test.yml create mode 100644 tests/typescript/sql-injection-typescript-test.yml diff --git a/.gitignore b/.gitignore index 8b290246..b794bc66 100644 --- a/.gitignore +++ b/.gitignore @@ -197,3 +197,4 @@ cscope.in.out cscope.po.out # End of https://www.toptal.com/developers/gitignore/api/node,tags,macos +.claude diff --git a/package.json b/package.json index 871f9b15..39711dfe 100644 --- a/package.json +++ b/package.json @@ -14,4 +14,4 @@ "devDependencies": { "@ast-grep/cli": "^0.31.1" } -} \ No newline at end of file +} diff --git a/rules/c/security/null-library-function-c.yml b/rules/c/security/null-library-function-c.yml index 5ed6c572..10a3c581 100644 --- a/rules/c/security/null-library-function-c.yml +++ b/rules/c/security/null-library-function-c.yml 
@@ -259,4 +259,4 @@ rule: - inside: stopBy: end kind: return_statement - \ No newline at end of file + diff --git a/rules/cpp/security/null-library-function-cpp.yml b/rules/cpp/security/null-library-function-cpp.yml index 8f6ba936..9935404c 100644 --- a/rules/cpp/security/null-library-function-cpp.yml +++ b/rules/cpp/security/null-library-function-cpp.yml @@ -259,4 +259,4 @@ rule: - inside: stopBy: end kind: return_statement - \ No newline at end of file + diff --git a/rules/go/security/grpc-client-insecure-connection-go.yml b/rules/go/security/grpc-client-insecure-connection-go.yml index 36cc447e..46fde22f 100644 --- a/rules/go/security/grpc-client-insecure-connection-go.yml +++ b/rules/go/security/grpc-client-insecure-connection-go.yml @@ -63,4 +63,4 @@ rule: kind: ERROR - has: stopBy: end - kind: ERROR \ No newline at end of file + kind: ERROR diff --git a/rules/html/security/plaintext-http-link-html.yml b/rules/html/security/plaintext-http-link-html.yml index d177ad24..aa054c72 100644 --- a/rules/html/security/plaintext-http-link-html.yml +++ b/rules/html/security/plaintext-http-link-html.yml @@ -77,4 +77,4 @@ rule: stopBy: end kind: attribute_value regex: ^([Hh][Tt][Tt][Pp]://) - \ No newline at end of file + diff --git a/rules/java/security/hardcoded-connection-password-java.yml b/rules/java/security/hardcoded-connection-password-java.yml index e47ec3e8..6aca8ef7 100644 --- a/rules/java/security/hardcoded-connection-password-java.yml +++ b/rules/java/security/hardcoded-connection-password-java.yml @@ -349,4 +349,4 @@ rule: - matches: (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...") - matches: (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - matches: (PersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance \ No newline at end of file + - matches: (PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance 
diff --git a/rules/java/security/java-jwt-hardcoded-secret-java.yml b/rules/java/security/java-jwt-hardcoded-secret-java.yml index d1df5d02..e12717f3 100644 --- a/rules/java/security/java-jwt-hardcoded-secret-java.yml +++ b/rules/java/security/java-jwt-hardcoded-secret-java.yml @@ -126,4 +126,4 @@ rule: kind: ERROR - inside: stopBy: end - kind: ERROR \ No newline at end of file + kind: ERROR diff --git a/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml b/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml index 53cddb78..e76a4956 100644 --- a/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml +++ b/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml @@ -827,4 +827,4 @@ rule: - matches: clients.jedis.DefaultJedisClientConfig.Builder $JEDIS).password("...") - matches: clients.jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...") - matches: new clients.jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...") - - matches: (clients.jedis.JedisClientConfig|clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("...") \ No newline at end of file + - matches: (clients.jedis.JedisClientConfig|clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("...") diff --git a/rules/java/security/use-of-default-aes-java.yml b/rules/java/security/use-of-default-aes-java.yml index efc9fb51..ef80eaf5 100644 --- a/rules/java/security/use-of-default-aes-java.yml +++ b/rules/java/security/use-of-default-aes-java.yml @@ -317,4 +317,4 @@ constraints: all: - has: kind: string_fragment - regex: ^\s*(AES)\s*$ \ No newline at end of file + regex: ^\s*(AES)\s*$ diff --git a/rules/java/security/use-of-md5-java.yml b/rules/java/security/use-of-md5-java.yml index b7db1f27..6268e832 100644 --- a/rules/java/security/use-of-md5-java.yml 
+++ b/rules/java/security/use-of-md5-java.yml @@ -106,4 +106,4 @@ constraints: has: kind: string_fragment regex: ^MD5 - \ No newline at end of file + diff --git a/rules/java/security/use-of-sha1-java.yml b/rules/java/security/use-of-sha1-java.yml index b2268c1c..f3987fd0 100644 --- a/rules/java/security/use-of-sha1-java.yml +++ b/rules/java/security/use-of-sha1-java.yml @@ -169,4 +169,4 @@ rule: - not: has: stopBy: end - kind: ERROR \ No newline at end of file + kind: ERROR diff --git a/rules/php/security/openssl-cbc-static-iv-php.yml b/rules/php/security/openssl-cbc-static-iv-php.yml index 2e1df39c..2878067d 100644 --- a/rules/php/security/openssl-cbc-static-iv-php.yml +++ b/rules/php/security/openssl-cbc-static-iv-php.yml @@ -648,4 +648,4 @@ rule: - not: inside: stopBy: end - kind: ERROR \ No newline at end of file + kind: ERROR diff --git a/rules/python/security/hashids-with-django-secret-python.yml b/rules/python/security/hashids-with-django-secret-python.yml index 94104dfe..1e2b3f33 100644 --- a/rules/python/security/hashids-with-django-secret-python.yml +++ b/rules/python/security/hashids-with-django-secret-python.yml @@ -282,4 +282,4 @@ rule: - matches: hashids.Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) - matches: hashids.Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet) - matches: Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet) - - matches: Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) \ No newline at end of file + - matches: Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) diff --git a/rules/python/security/python-peewee-pg-empty-password-python.yml b/rules/python/security/python-peewee-pg-empty-password-python.yml index c71ae1c6..ed3e7d65 100644 --- a/rules/python/security/python-peewee-pg-empty-password-python.yml 
+++ b/rules/python/security/python-peewee-pg-empty-password-python.yml @@ -53,4 +53,4 @@ rule: - not: inside: stopBy: end - kind: ERROR \ No newline at end of file + kind: ERROR diff --git a/rules/python/security/python-pg8000-hardcoded-secret-python.yml b/rules/python/security/python-pg8000-hardcoded-secret-python.yml index db66b30d..43af09ac 100644 --- a/rules/python/security/python-pg8000-hardcoded-secret-python.yml +++ b/rules/python/security/python-pg8000-hardcoded-secret-python.yml @@ -72,4 +72,4 @@ rule: stopBy: end kind: ERROR - \ No newline at end of file + diff --git a/rules/python/security/python-psycopg2-empty-password-python.yml b/rules/python/security/python-psycopg2-empty-password-python.yml index 8921395e..5300af16 100644 --- a/rules/python/security/python-psycopg2-empty-password-python.yml +++ b/rules/python/security/python-psycopg2-empty-password-python.yml @@ -67,4 +67,4 @@ rule: kind: ERROR - inside: stopBy: end - kind: ERROR \ No newline at end of file + kind: ERROR diff --git a/rules/python/security/python-psycopg2-hardcoded-secret-python.yml b/rules/python/security/python-psycopg2-hardcoded-secret-python.yml index df80aeea..04df2975 100644 --- a/rules/python/security/python-psycopg2-hardcoded-secret-python.yml +++ b/rules/python/security/python-psycopg2-hardcoded-secret-python.yml @@ -66,4 +66,4 @@ rule: kind: ERROR - inside: stopBy: end - kind: ERROR \ No newline at end of file + kind: ERROR diff --git a/rules/python/security/python-redis-empty-password-python.yml b/rules/python/security/python-redis-empty-password-python.yml index a3984583..b19d1520 100644 --- a/rules/python/security/python-redis-empty-password-python.yml +++ b/rules/python/security/python-redis-empty-password-python.yml @@ -68,4 +68,4 @@ rule: - not: inside: stopBy: end - kind: ERROR \ No newline at end of file + kind: ERROR 
diff --git a/rules/python/security/python-redis-hardcoded-secret-python.yml b/rules/python/security/python-redis-hardcoded-secret-python.yml index 98a1f92e..bbbbb8f4 100644 --- a/rules/python/security/python-redis-hardcoded-secret-python.yml +++ b/rules/python/security/python-redis-hardcoded-secret-python.yml @@ -67,4 +67,4 @@ rule: - not: inside: stopBy: end - kind: ERROR \ No newline at end of file + kind: ERROR diff --git a/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml index 722ba8cb..aa2ef09b 100644 --- a/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml +++ b/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml @@ -129,4 +129,4 @@ rule: constraints: PASS: - kind: string \ No newline at end of file + kind: string diff --git a/rules/ruby/security/ruby-pg-empty-password-ruby.yml b/rules/ruby/security/ruby-pg-empty-password-ruby.yml index a2d63613..6f1dd50d 100644 --- a/rules/ruby/security/ruby-pg-empty-password-ruby.yml +++ b/rules/ruby/security/ruby-pg-empty-password-ruby.yml @@ -156,4 +156,4 @@ rule: kind: ERROR - inside: stopBy: end - kind: ERROR \ No newline at end of file + kind: ERROR diff --git a/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml index c730d538..8a99dc6d 100644 --- a/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml +++ b/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml @@ -196,4 +196,4 @@ rule: - inside: stopBy: end kind: ERROR - \ No newline at end of file + diff --git a/rules/rust/security/empty-password-rust.yml b/rules/rust/security/empty-password-rust.yml index a00a3943..ff4f1285 100644 --- a/rules/rust/security/empty-password-rust.yml +++ b/rules/rust/security/empty-password-rust.yml 
@@ -1056,4 +1056,4 @@ rule: - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...) - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...) - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance - - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance \ No newline at end of file + - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance diff --git a/rules/rust/security/hardcoded-password-rust.yml b/rules/rust/security/hardcoded-password-rust.yml index 21161486..65295c4a 100644 --- a/rules/rust/security/hardcoded-password-rust.yml +++ b/rules/rust/security/hardcoded-password-rust.yml @@ -1033,4 +1033,4 @@ rule: - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...) - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...) - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance - - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance \ No newline at end of file + - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance diff --git a/rules/typescript/security/argon2-weak-type-typescript.yml b/rules/typescript/security/argon2-weak-type-typescript.yml new file mode 100644 index 00000000..28c4b32f --- /dev/null +++ b/rules/typescript/security/argon2-weak-type-typescript.yml 
@@ -0,0 +1,59 @@ +id: argon2-weak-type-typescript +severity: error +language: typescript +message: >- + Use secure encryption types when using `argon2`. Avoid using weak argon2 types + like argon2i or argon2d. Use argon2id instead for better security. +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. + [REFERENCES] + - https://github.com/ranisalt/node-argon2/wiki/Options#type +ast-grep-essentials: true +utils: + MATCH_ARGON2_WEAK_TYPE: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^argon2$" + - has: + stopBy: neighbor + kind: property_identifier + regex: "^hash$" + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + kind: object + has: + stopBy: neighbor + kind: pair + all: + - has: + stopBy: neighbor + kind: property_identifier + regex: "^type$" + - has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^argon2$" + - has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^argon2i$" + - regex: "^argon2d$" +rule: + kind: call_expression + any: + - matches: MATCH_ARGON2_WEAK_TYPE diff --git a/rules/typescript/security/avoid-crypto-rc4-typescript.yml b/rules/typescript/security/avoid-crypto-rc4-typescript.yml new file mode 100644 index 00000000..0b297176 --- /dev/null +++ b/rules/typescript/security/avoid-crypto-rc4-typescript.yml 
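Review bot: The `type:` value is only recognised as the member expression `argon2.argon2i` / `argon2.argon2d`, so the named-import form `import { argon2d } from 'argon2'; argon2.hash(pw, { type: argon2d })` is never flagged; wrapping the value matcher in an `any:` and adding an identifier alternative, `- kind: identifier` with `regex: "^argon2[id]$"`, closes that gap. The wording is also off for a password hash: `message` talks about "encryption types" and calls argon2i "weak", whereas RFC 9106 recommends argon2id as the default because argon2d is exposed to side channels and argon2i is the weaker choice against time-memory trade-off attacks; suggested text: `Prefer argon2id (the RFC 9106 default): argon2d leaks timing side channels and argon2i is weaker against time-memory trade-off attacks.` Since argon2i remains a legitimate choice where side channels dominate, `severity: error` is stronger than every other rule in this commit (all `warning`) and looks unintentional.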
@@ -0,0 +1,42 @@ +id: avoid-crypto-rc4-typescript +severity: warning +language: typescript +message: >- + Avoid RC4 encryption. Use of the RC4 security protocol exposes your + application to vulnerabilities. Consider using stronger encryption algorithms. +note: >- + [CWE-328] Use of Weak Hash. + [REFERENCES] + - https://cryptojs.gitbook.io/docs/#ciphers +ast-grep-essentials: true +utils: + MATCH_RC4_USAGE: + kind: call_expression + has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^CryptoJS$" + - has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^RC4$" + - regex: "^RC4Drop$" + - has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^encrypt$" + - regex: "^decrypt$" +rule: + kind: call_expression + any: + - matches: MATCH_RC4_USAGE diff --git a/rules/typescript/security/avoid-crypto-sha1-typescript.yml b/rules/typescript/security/avoid-crypto-sha1-typescript.yml new file mode 100644 index 00000000..79073443 --- /dev/null +++ b/rules/typescript/security/avoid-crypto-sha1-typescript.yml @@ -0,0 +1,34 @@ +id: avoid-crypto-sha1-typescript +severity: warning +language: typescript +message: >- + Avoid SHA1 security protocol. Use of insecure encryption or hashing protocols + expose your application to vulnerabilities. Use stronger hashing algorithms like SHA-256. +note: >- + [CWE-328] Use of Weak Hash. + [REFERENCES] + - https://cryptojs.gitbook.io/docs/#hmac +ast-grep-essentials: true +utils: + MATCH_SHA1_USAGE: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^CryptoJS$" + - has: + stopBy: neighbor + kind: property_identifier + regex: "^HmacSHA1$" + - has: + stopBy: neighbor + kind: arguments +rule: + kind: call_expression + any: + - matches: MATCH_SHA1_USAGE 
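Review bot: The `note` classifies RC4 under `[CWE-328] Use of Weak Hash`, but RC4 is a stream cipher, not a hash; the correct mapping is `[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.`, which the argon2 rule in this same commit already uses. The matcher also anchors on the root identifier `CryptoJS`, so the per-module form `import RC4 from 'crypto-js/rc4'; RC4.encrypt(...)` passes silently; a second `member_expression` alternative whose object is an `identifier` matching `^(RC4|RC4Drop)$` would cover it. If you decide not to extend the matcher, a sentence in `note:` stating that only the `CryptoJS.*` namespace form is detected keeps users from assuming full coverage.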
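Review bot: The message says "Avoid SHA1 security protocol" but the matcher fires only on `CryptoJS.HmacSHA1`; plain `CryptoJS.SHA1` is left to `crypto-avoid-weak-hash-typescript` in this commit, so the two rules overlap in intent but not in coverage and a reader of this file cannot tell which one owns what. HMAC-SHA1 is not broken by the collision attacks that retired SHA-1 (HMAC does not depend on collision resistance), so `warning` is the right severity, but the message should not call it "insecure encryption"; suggested text: `HMAC-SHA1 is built on the deprecated SHA-1 hash; prefer CryptoJS.HmacSHA256 for new code.` Folding `HmacSHA1` into the `any:` list of `crypto-avoid-weak-hash-typescript` and dropping this file would remove the duplication; otherwise add to `note:` that plain SHA1 is reported by the other rule.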
diff --git a/rules/typescript/security/avoid-des-typescript.yml b/rules/typescript/security/avoid-des-typescript.yml new file mode 100644 index 00000000..9588e954 --- /dev/null +++ b/rules/typescript/security/avoid-des-typescript.yml @@ -0,0 +1,42 @@ +id: avoid-des-typescript +severity: warning +language: typescript +message: >- + Do not use DES or TripleDES, this is a weak security protocol. Use stronger + encryption algorithms like AES instead. +note: >- + [CWE-328] Use of Weak Hash. + [REFERENCES] + - https://cryptojs.gitbook.io/docs/#ciphers +ast-grep-essentials: true +utils: + MATCH_DES_USAGE: + kind: call_expression + has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^CryptoJS$" + - has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^DES$" + - regex: "^TripleDES$" + - has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^encrypt$" + - regex: "^decrypt$" +rule: + kind: call_expression + any: + - matches: MATCH_DES_USAGE diff --git a/rules/typescript/security/chmod-permissions-typescript.yml b/rules/typescript/security/chmod-permissions-typescript.yml new file mode 100644 index 00000000..2c2050bb --- /dev/null +++ b/rules/typescript/security/chmod-permissions-typescript.yml 
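Review bot: `[CWE-328] Use of Weak Hash` is the wrong label for a block cipher; DES and TripleDES belong under `[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.` — the RC4 rule in this commit carries the same mislabel, so fix both together. `message` could also say that TripleDES is retired rather than merely weak: NIST SP 800-131A rev. 2 disallows 3DES for encryption after 2023, and its 64-bit block makes long sessions vulnerable to birthday attacks (Sweet32). As with the other CryptoJS rules, only the `CryptoJS.DES` / `CryptoJS.TripleDES` member form is matched; `import TripleDES from 'crypto-js/tripledes'` followed by `TripleDES.encrypt(...)` is missed.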
@@ -0,0 +1,35 @@ +id: chmod-permissions-typescript +severity: warning +language: typescript +message: >- + Do not give 777 permissions to a file. Always make sure you restrict the + permissions of your application files. Applications should not allow write + and execution for other users. +note: >- + [CWE-732] Incorrect Permission Assignment for Critical Resource. +ast-grep-essentials: true +utils: + MATCH_CHMOD_777: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: member_expression + has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^chmod$" + - regex: "^chmodSync$" + - has: + stopBy: neighbor + kind: arguments + all: + - has: + stopBy: neighbor + kind: number + regex: "^0o777$" +rule: + kind: call_expression + any: + - matches: MATCH_CHMOD_777 diff --git a/rules/typescript/security/command-injection-typescript.yml b/rules/typescript/security/command-injection-typescript.yml new file mode 100644 index 00000000..aa54845a --- /dev/null +++ b/rules/typescript/security/command-injection-typescript.yml @@ -0,0 +1,35 @@ +id: command-injection-typescript +severity: warning +language: typescript +message: >- + Avoid command injection. When executing a command, never use unchecked variables. + Make sure that each variable of the command has been checked. +note: >- + [CWE-78] OS Command Injection. +ast-grep-essentials: true +utils: + MATCH_COMMAND_INJECTION: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: member_expression + has: + stopBy: neighbor + kind: property_identifier + regex: "^(exec|execSync|spawn|spawnSync)$" + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + any: + - kind: template_string + has: + stopBy: neighbor + kind: template_substitution + - kind: binary_expression +rule: + kind: call_expression + any: + - matches: MATCH_COMMAND_INJECTION 
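Review bot: The `number` match `regex: "^0o777$"` only catches the ES octal spelling; `fs.chmod` also accepts the decimal `511`, the legacy `0777` literal in sloppy-mode code, and a string mode such as `"777"`, none of which the rule sees. The number alternative could become `regex: "^(0o?777|511)$"`, and a sibling alternative of `kind: string` whose `string_fragment` matches `^0?777$` would cover the string form. The message scopes the rule to 777, so modes that are still world-writable (e.g. `0o666`) are out of scope by design; a one-line YAML comment above `MATCH_CHMOD_777` stating that would stop someone from "fixing" it into a noisier rule.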
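Review bot: Only a template literal with a substitution or a `binary_expression` passed directly to `exec`/`execSync`/`spawn`/`spawnSync` is flagged, so the common shape where the command string is built on the previous line and passed as a bare identifier (`exec(cmd)`) passes, whereas detect-non-literal-require and detect-eval-with-expression in this same commit do flag `kind: identifier`. Adding `- kind: identifier` to the argument `any` list would align the three rules at the cost of more findings to triage; if that is too noisy, the gap should be stated in `message`. Note also that `spawn`/`spawnSync` without `shell: true` do not invoke a shell, so an interpolated first argument there is a program path rather than a command line; still worth reporting, but the "command injection" wording overstates that case.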
diff --git a/rules/typescript/security/crypto-avoid-weak-hash-typescript.yml b/rules/typescript/security/crypto-avoid-weak-hash-typescript.yml new file mode 100644 index 00000000..29770343 --- /dev/null +++ b/rules/typescript/security/crypto-avoid-weak-hash-typescript.yml @@ -0,0 +1,38 @@ +id: crypto-avoid-weak-hash-typescript +severity: warning +language: typescript +message: >- + Avoid weak hash algorithm from CryptoJS. Use of insecure hash functions like + MD5 or SHA1 can expose your application to vulnerabilities. Use stronger hash + algorithms like SHA-256 or SHA-512. +note: >- + [CWE-328] Use of Weak Hash. + [REFERENCES] + - https://cryptojs.gitbook.io/docs/#hashing +ast-grep-essentials: true +utils: + MATCH_WEAK_HASH: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^CryptoJS$" + - has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^MD5$" + - regex: "^SHA1$" + - regex: "^HmacMD5$" + - has: + stopBy: neighbor + kind: arguments +rule: + kind: call_expression + any: + - matches: MATCH_WEAK_HASH diff --git a/rules/typescript/security/detect-buffer-noassert-typescript.yml b/rules/typescript/security/detect-buffer-noassert-typescript.yml new file mode 100644 index 00000000..ad8fa0c7 --- /dev/null +++ b/rules/typescript/security/detect-buffer-noassert-typescript.yml 
@@ -0,0 +1,86 @@ +id: detect-buffer-noassert-typescript +severity: error +language: typescript +message: >- + Avoid calls to 'buffer' with 'noAssert' flag set. If you skip the `offset` + validation it can go beyond the end of the `Buffer`. +note: >- + [CWE-119] Buffer Errors. +ast-grep-essentials: true +utils: + MATCH_BUFFER_NOASSERT_READ: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: member_expression + has: + stopBy: neighbor + kind: property_identifier + regex: "^(readUInt8|readUInt16LE|readUInt16BE|readUInt32LE|readUInt32BE|readInt8|readInt16LE|readInt16BE|readInt32LE|readInt32BE|readFloatLE|readFloatBE|readDoubleLE|readDoubleBE)$" + - has: + stopBy: neighbor + kind: arguments + all: + - has: + nthChild: + position: 1 + ofRule: + not: + kind: comment + - has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: comment + - has: + stopBy: neighbor + regex: ^true$ + MATCH_BUFFER_NOASSERT_WRITE: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: member_expression + has: + stopBy: neighbor + kind: property_identifier + regex: "^(writeUInt8|writeUInt16LE|writeUInt16BE|writeUInt32LE|writeUInt32BE|writeInt8|writeInt16LE|writeInt16BE|writeInt32LE|writeInt32BE|writeFloatLE|writeFloatBE|writeDoubleLE|writeDoubleBE)$" + - has: + stopBy: neighbor + kind: arguments + all: + - has: + nthChild: + position: 1 + ofRule: + not: + kind: comment + - has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + - has: + nthChild: + position: 3 + ofRule: + not: + kind: comment + - has: + stopBy: neighbor + regex: ^true$ +rule: + kind: call_expression + any: + - matches: MATCH_BUFFER_NOASSERT_READ + - matches: MATCH_BUFFER_NOASSERT_WRITE diff --git a/rules/typescript/security/detect-eval-with-expression-typescript.yml b/rules/typescript/security/detect-eval-with-expression-typescript.yml new file mode 100644 index 00000000..67e76d1b --- /dev/null 
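Review bot: The read util pins exactly two non-comment arguments (`not: has: nthChild: position: 3`) while the write util requires a third argument but places no cap on a fourth, so the two branches use different arity logic for the same `noAssert` position; the write branch should get a matching `- not: has: nthChild: position: 4 ofRule: not: kind: comment` clause. The method regexes also omit the variable-width `readUIntLE/readUIntBE/readIntLE/readIntBE` and `writeUIntLE/...` family, which took `noAssert` after a `byteLength` argument and would need their own arity clause. As far as I recall, the `noAssert` parameter was removed from Node's Buffer API in v10 and is silently ignored since, so `severity: error` may overstate the impact on any supported runtime; a sentence in `message` naming the affected Node versions would help triage.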
+++ b/rules/typescript/security/detect-eval-with-expression-typescript.yml @@ -0,0 +1,46 @@ +id: detect-eval-with-expression-typescript +severity: warning +language: typescript +message: >- + Avoid `eval` with expressions. The `eval` function could execute malicious code + if used with non-literal values. Never use eval with variables or expressions. +note: >- + [CWE-95] Improper Neutralization of Directives in Dynamically Evaluated Code. +ast-grep-essentials: true +utils: + MATCH_EVAL_WITH_EXPRESSION: + kind: call_expression + all: + - has: + stopBy: neighbor + any: + - kind: identifier + regex: "^eval$" + - kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + any: + - regex: "^global$" + - regex: "^globalThis$" + - has: + stopBy: neighbor + kind: property_identifier + regex: "^eval$" + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + any: + - kind: identifier + - kind: template_string + - kind: binary_expression + - kind: call_expression + - kind: member_expression + - kind: ternary_expression +rule: + kind: call_expression + any: + - matches: MATCH_EVAL_WITH_EXPRESSION diff --git a/rules/typescript/security/detect-new-buffer-typescript.yml b/rules/typescript/security/detect-new-buffer-typescript.yml new file mode 100644 index 00000000..cab84dd2 --- /dev/null +++ b/rules/typescript/security/detect-new-buffer-typescript.yml 
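Review bot: The argument list accepts any `kind: template_string`, so `eval` of a template literal with no substitution is reported even though it is a constant; detect-non-literal-require in this commit requires a nested `template_substitution` for the template case, and this rule should do the same (`- kind: template_string` followed by `has: stopBy: neighbor kind: template_substitution`). The callee alternatives cover `eval`, `global.eval` and `globalThis.eval` but not `window.eval`, the browser spelling; add `- regex: "^window$"` to the identifier list. `new Function(...)` and `setTimeout`/`setInterval` with a string body are the same code-execution sink and are not covered by any rule in this commit — if that is intentional, say so in `note`.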
@@ -0,0 +1,27 @@ +id: detect-new-buffer-typescript +severity: warning +language: typescript +message: >- + Avoid Buffer(argument) with non-literal values. Using Buffer constructor with + variables can lead to security vulnerabilities like denial of service attacks. +note: >- + [CWE-770] Allocation of Resources Without Limits or Throttling. +ast-grep-essentials: true +utils: + MATCH_NEW_BUFFER: + kind: new_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^Buffer$" + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + kind: identifier +rule: + kind: new_expression + any: + - matches: MATCH_NEW_BUFFER diff --git a/rules/typescript/security/detect-non-literal-regexp-typescript.yml b/rules/typescript/security/detect-non-literal-regexp-typescript.yml new file mode 100644 index 00000000..bf8d9af2 --- /dev/null +++ b/rules/typescript/security/detect-non-literal-regexp-typescript.yml @@ -0,0 +1,36 @@ +id: detect-non-literal-regexp-typescript +severity: warning +language: typescript +message: >- + Detects non-literal values in regular expressions. Creating a regular expression + with user input is a security vulnerability as it could lead to a Regular + Expression Denial of Service attack. +note: >- + [CWE-1333] Inefficient Regular Expression Complexity. +ast-grep-essentials: true +utils: + MATCH_NON_LITERAL_REGEXP: + kind: new_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^RegExp$" + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + any: + - all: + - kind: identifier + - not: + regex: "^[A-Z_][A-Z0-9_]*$" + - kind: binary_expression + - kind: call_expression + - kind: member_expression + - kind: template_string +rule: + kind: new_expression + any: + - matches: MATCH_NON_LITERAL_REGEXP diff --git a/rules/typescript/security/detect-non-literal-require-typescript.yml b/rules/typescript/security/detect-non-literal-require-typescript.yml new file mode 100644 index 00000000..cd59e4a2 
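Review bot: The rule is `kind: new_expression` only, so the call form `Buffer(size)` that the message itself names (`Avoid Buffer(argument)`) is never matched, and the argument filter accepts only a bare `identifier`, so `new Buffer(req.body.length)` or `new Buffer(n * 2)` also pass; the non-literal-regexp hunk that follows in this file has the same `new`-only limitation for `RegExp(pattern)`. Both `Buffer(...)` and `new Buffer(...)` have long been deprecated in favour of `Buffer.from`/`Buffer.alloc`, so flagging every constructor use would be defensible, but the narrower rewrite below keeps the non-literal intent and mirrors the argument kinds the regexp rule already lists. ast-grep combines sibling keys with AND, so `any` for the node kind and `all` for the children can sit at the same level; `rule:` then drops its own `kind:` line.

```yaml
utils:
  MATCH_NEW_BUFFER:
    any:
      - kind: new_expression
      - kind: call_expression
    all:
      - has:
          stopBy: neighbor
          kind: identifier
          regex: "^Buffer$"
      - has:
          stopBy: neighbor
          kind: arguments
          has:
            stopBy: neighbor
            any:
              - kind: identifier
              - kind: member_expression
              - kind: binary_expression
              - kind: call_expression
rule:
  any:
    - matches: MATCH_NEW_BUFFER
```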
--- /dev/null +++ b/rules/typescript/security/detect-non-literal-require-typescript.yml @@ -0,0 +1,33 @@ +id: detect-non-literal-require-typescript +severity: warning +language: typescript +message: >- + Avoid require with non-literal values. Importing packages from dynamic paths + can be a security vulnerability. An attacker might provide an undesired path + that leads to running arbitrary code. +note: >- + [CWE-829] Inclusion of Functionality from Untrusted Control Sphere. +ast-grep-essentials: true +utils: + MATCH_NON_LITERAL_REQUIRE: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^require$" + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + any: + - kind: identifier + - kind: template_string + has: + stopBy: neighbor + kind: template_substitution +rule: + kind: call_expression + any: + - matches: MATCH_NON_LITERAL_REQUIRE diff --git a/rules/typescript/security/detected-jwt-token-typescript.yml b/rules/typescript/security/detected-jwt-token-typescript.yml new file mode 100644 index 00000000..4daebedc --- /dev/null +++ b/rules/typescript/security/detected-jwt-token-typescript.yml @@ -0,0 +1,22 @@ +id: detected-jwt-token-typescript +severity: error +language: typescript +message: >- + Detects hardcoded JWT tokens within the codebase. Potential JWT token detected. + Avoid hardcoding JWT tokens in the code as it may lead to security vulnerabilities. +note: >- + [CWE-798] Use of Hard-coded Credentials. +ast-grep-essentials: true +utils: + MATCH_JWT_TOKEN: + any: + - kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: 'eyJ[A-Za-z0-9-_=]{14,}\.[A-Za-z0-9-_=]{13,}(\.[A-Za-z0-9-_.+/=]*)?' + - kind: template_string + regex: 'eyJ[A-Za-z0-9-_=]{14,}\.[A-Za-z0-9-_=]{13,}(\.[A-Za-z0-9-_.+/=]*)?' +rule: + any: + - matches: MATCH_JWT_TOKEN 
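Review bot: The argument filter lists only `identifier` and a template string with a substitution, so `require('./handlers/' + name)`, `require(path.join(base, mod))` and `require(config.driver)` — the usual dynamic-require shapes — are not matched. Adding `- kind: binary_expression`, `- kind: call_expression` and `- kind: member_expression` to the `any` list, as detect-non-literal-regexp in this commit already does, closes that gap. Dynamic `import(expr)` is the ESM equivalent of this sink and is not covered; if it stays out of scope, the message should say that it covers `require` only.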
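Review bot: Inside the character classes `[A-Za-z0-9-_=]` the sequence `9-_` is a range from `9` to `_`, which also admits `:;<=>?@[\]^`, so the pattern accepts strings that are not base64url and is looser than it reads; the same class appears in both the `string` and `template_string` alternatives. Moving the hyphen to the end of each class fixes it: `regex: 'eyJ[A-Za-z0-9_=-]{14,}\.[A-Za-z0-9_=-]{13,}(\.[A-Za-z0-9_.+/=-]*)?'`. A short YAML comment above `MATCH_JWT_TOKEN` explaining that `eyJ` is the base64 prefix of a JSON object header (`{"`) would make the anchor less magic for the next maintainer.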
diff --git a/rules/typescript/security/hardcoded-hmac-key-typescript.yml b/rules/typescript/security/hardcoded-hmac-key-typescript.yml new file mode 100644 index 00000000..6c561785 --- /dev/null +++ b/rules/typescript/security/hardcoded-hmac-key-typescript.yml @@ -0,0 +1,96 @@ +id: hardcoded-hmac-key-typescript +severity: warning +language: typescript +message: >- + Detects hardcoded HMAC keys. Detected hardcoded cryptographic key. Avoid using + hardcoded secrets; consider storing them securely, such as in environment + variables or a secure configuration file. +note: >- + [CWE-798] Use of Hard-coded Credentials. +ast-grep-essentials: true +utils: + MATCH_CRYPTO_IMPORT: + kind: import_statement + all: + - has: + stopBy: neighbor + kind: import_clause + has: + stopBy: neighbor + kind: identifier + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: "^crypto$" + MATCH_HARDCODED_HMAC: + kind: call_expression + all: + - has: + stopBy: neighbor + any: + - kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + - has: + stopBy: neighbor + kind: property_identifier + regex: "^createHmac$" + - kind: identifier + regex: "^createHmac$" + - has: + stopBy: neighbor + kind: arguments + all: + - has: + nthChild: + position: 1 + ofRule: + not: + kind: comment + - has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: comment + - has: + nthChild: + position: 2 + ofRule: + any: + - kind: string + has: + kind: string_fragment + regex: ".{3,}" + - kind: identifier + not: + any: + - regex: "^safely_stored_key$" + - inside: + kind: member_expression + has: + field: object + any: + - regex: "^process$" + - regex: "^config$" + - inside: + kind: call_expression + has: + field: function + kind: member_expression +rule: + kind: call_expression + any: + - matches: MATCH_HARDCODED_HMAC 
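Review bot: `MATCH_CRYPTO_IMPORT` is declared under `utils` but never referenced from `rule` (which lists only `MATCH_HARDCODED_HMAC`), so the import check is dead and should be either wired in or removed. The second-argument `identifier` branch will report every `createHmac(alg, key)` whose key is a variable — including one loaded from `process.env` on a previous line — because the two `inside:` exemptions cannot hold for a bare argument: its direct parent is `arguments`, and `inside` without `stopBy` looks only at the parent in ast-grep (the default is `neighbor`, as far as I know), so only the `^safely_stored_key$` name ever exempts anything. That name is a test-fixture identifier and should not ship in the rule. Since a bare identifier carries no evidence of being hardcoded unless the rule can see its declaration, I would restrict this branch to the `string` case (which the `.{3,}` fragment check already handles) or give the identifier case a softer message asking the reader to verify the key's source.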
diff --git a/rules/typescript/security/insecure-hash-typescript.yml b/rules/typescript/security/insecure-hash-typescript.yml new file mode 100644 index 00000000..272bdd79 --- /dev/null +++ b/rules/typescript/security/insecure-hash-typescript.yml @@ -0,0 +1,43 @@ +id: insecure-hash-typescript +severity: warning +language: typescript +message: >- + Do not use weak hash functions. Do not use weak hash algorithms such as MD5 + or SHA1. Use stronger algorithms like SHA-256 or SHA-512. +note: >- + [CWE-328] Use of Weak Hash. +ast-grep-essentials: true +utils: + MATCH_INSECURE_HASH: + kind: call_expression + all: + - has: + stopBy: neighbor + any: + - kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + - has: + stopBy: neighbor + kind: property_identifier + regex: "^createHash$" + - kind: identifier + regex: "^createHash$" + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + any: + - regex: "^md5$" + - regex: "^sha1$" +rule: + kind: call_expression + any: + - matches: MATCH_INSECURE_HASH diff --git a/rules/typescript/security/jwt-sensitive-data-typescript.yml b/rules/typescript/security/jwt-sensitive-data-typescript.yml new file mode 100644 index 00000000..823549ba --- /dev/null +++ b/rules/typescript/security/jwt-sensitive-data-typescript.yml 
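Review bot: The algorithm regexes `^md5$` / `^sha1$` are case-sensitive, but Node's `createHash` hands the name to OpenSSL, which accepts `'MD5'`, `'SHA1'` and (in OpenSSL 3) the `'SHA-1'` alias interchangeably, so a capitalised or aliased spelling is not flagged. A single case-insensitive alternative covers them: `regex: "(?i)^(md5|sha1|sha-1)$"` (ast-grep's regex engine supports the `(?i)` flag). Both `createHash` callee shapes are handled, but `crypto.createSign('RSA-SHA1')` and `crypto.hash('md5', data)` are the same weakness through a different API and are not covered; worth a line in `note` if they stay out of scope.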
@@ -0,0 +1,60 @@ +id: jwt-sensitive-data-typescript +severity: warning +language: typescript +message: >- + Do not put sensitive data in objects. Never include sensitive information in a JWT. + Instead, only use non-personal information to identify the end-user. +note: >- + [CWE-312] Cleartext Storage of Sensitive Information. +ast-grep-essentials: true +utils: + MATCH_JWT_SENSITIVE_DATA: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^jwt$" + - has: + stopBy: neighbor + kind: property_identifier + regex: "^sign$" + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + kind: object + has: + stopBy: neighbor + kind: pair + any: + - has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^email$" + - regex: "^mail$" + - regex: "^firstname$" + - regex: "^lastname$" + - has: + kind: object + has: + stopBy: neighbor + kind: pair + has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^email$" + - regex: "^mail$" + - regex: "^firstname$" + - regex: "^lastname$" +rule: + kind: call_expression + any: + - matches: MATCH_JWT_SENSITIVE_DATA diff --git a/rules/typescript/security/jwt-weak-encryption-typescript.yml b/rules/typescript/security/jwt-weak-encryption-typescript.yml new file mode 100644 index 00000000..8d32e7c3 --- /dev/null +++ b/rules/typescript/security/jwt-weak-encryption-typescript.yml 
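Review bot: The property regexes (`^email$`, `^firstname$`, `^lastname$`) are case-sensitive and only match `property_identifier`, so the JavaScript-conventional `firstName`/`lastName`, quoted keys (`'email': x`) and the shorthand form `jwt.sign({ email }, secret)` — which tree-sitter parses as `shorthand_property_identifier`, not a `pair` — are all missed. A case-insensitive pattern such as `regex: "(?i)^(e?mail|first_?name|last_?name)$"` handles the first, and an `any` over `property_identifier`, `string` and `shorthand_property_identifier` the rest; log-sensitive-data later in this commit has the same case-sensitive identifier lists. The message `Do not put sensitive data in objects.` is broader than what the rule checks (objects passed to `jwt.sign`); `Do not put sensitive data in JWT payloads.` would match the rule.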
@@ -0,0 +1,54 @@ +id: jwt-weak-encryption-typescript +severity: warning +language: typescript +message: >- + Use default encryption from the JWT library. Do not use `none` as a validation + algorithm for a JWT token. The none algorithm assumes that the token has been + verified, which would allow attacker to create a token that would be automatically validated. +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. +ast-grep-essentials: true +utils: + MATCH_JWT_WEAK_ENCRYPTION: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: "^jwt$" + - has: + stopBy: neighbor + kind: property_identifier + regex: "^verify$" + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + kind: object + has: + stopBy: neighbor + kind: pair + all: + - has: + stopBy: neighbor + kind: property_identifier + regex: "^algorithms$" + - has: + stopBy: neighbor + kind: array + has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: "^none$" +rule: + kind: call_expression + any: + - matches: MATCH_JWT_WEAK_ENCRYPTION diff --git a/rules/typescript/security/log-sensitive-data-typescript.yml b/rules/typescript/security/log-sensitive-data-typescript.yml new file mode 100644 index 00000000..24bd7ab9 --- /dev/null +++ b/rules/typescript/security/log-sensitive-data-typescript.yml 
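Review bot: Only `jwt.verify(..., { algorithms: [... 'none' ...] })` is matched; the equally dangerous `jwt.sign(payload, key, { algorithm: 'none' })` — singular key, string value, on `sign` — passes, because the property regex is `^algorithms$`, the value must be an `array`, and the method is pinned to `^verify$`. The rewrite below widens the method to `^(sign|verify)$`, the key to `^algorithms?$`, and accepts either a string or an array containing `none`. The message also calls the setting "encryption"; a JWT `alg` is a signature/MAC algorithm, so `Do not use "none" as the JWT signing algorithm.` is the accurate wording (the rule id can stay, since the snapshot files key on it).

```yaml
# … unchanged: MATCH_JWT_WEAK_ENCRYPTION header and the "^jwt$" identifier match …
            - has:
                stopBy: neighbor
                kind: property_identifier
                regex: "^(sign|verify)$"
# … unchanged: arguments / object / pair …
              all:
                - has:
                    stopBy: neighbor
                    kind: property_identifier
                    regex: "^algorithms?$"
                - has:
                    stopBy: neighbor
                    any:
                      - kind: string
                        has:
                          stopBy: neighbor
                          kind: string_fragment
                          regex: "^none$"
                      - kind: array
                        has:
                          stopBy: neighbor
                          kind: string
                          has:
                            stopBy: neighbor
                            kind: string_fragment
                            regex: "^none$"
# … unchanged: rule section …
```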
@@ -0,0 +1,105 @@ +id: log-sensitive-data-typescript +severity: warning +language: typescript +message: >- + Avoid logging sensitive data. Do not log sensitive data such as user id, email + or other personal data (first name, last name, etc). +note: >- + [CWE-532] Information Exposure Through Log Files. +ast-grep-essentials: true +utils: + MATCH_LOG_SENSITIVE_DATA: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: member_expression + all: + - has: + stopBy: neighbor + kind: identifier + any: + - regex: "^console$" + - regex: "^logger$" + - regex: "^log$" + - has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^warn$" + - regex: "^info$" + - regex: "^error$" + - regex: "^fatal$" + - regex: "^log$" + - has: + stopBy: neighbor + kind: arguments + has: + stopBy: neighbor + any: + - kind: identifier + any: + - regex: "^email$" + - regex: "^firstname$" + - regex: "^lastname$" + - regex: "^address$" + - regex: "^mail$" + - regex: "^zipcode$" + - regex: "^username$" + - kind: template_string + has: + stopBy: neighbor + kind: template_substitution + has: + stopBy: neighbor + any: + - kind: identifier + any: + - regex: "^email$" + - regex: "^firstname$" + - regex: "^lastname$" + - regex: "^address$" + - regex: "^mail$" + - regex: "^zipcode$" + - regex: "^username$" + - kind: member_expression + has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^email$" + - regex: "^firstname$" + - regex: "^lastname$" + - regex: "^address$" + - regex: "^mail$" + - regex: "^zipcode$" + - regex: "^username$" + - kind: binary_expression + has: + stopBy: neighbor + any: + - kind: identifier + any: + - regex: "^email$" + - regex: "^firstname$" + - regex: "^lastname$" + - regex: "^address$" + - regex: "^mail$" + - regex: "^zipcode$" + - regex: "^username$" + - kind: member_expression + has: + stopBy: neighbor + kind: property_identifier + any: + - regex: "^email$" + - regex: "^firstname$" + - regex: "^lastname$" + - regex: "^address$" + - 
regex: "^mail$" + - regex: "^zipcode$" + - regex: "^username$" +rule: + kind: call_expression + any: + - matches: MATCH_LOG_SENSITIVE_DATA diff --git a/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml b/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml index a9a5acbe..00b08452 100644 --- a/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml +++ b/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml @@ -170,4 +170,4 @@ utils: rule: any: - matches: Match_pattern_directly - - matches: Match_pattern_with_Instance \ No newline at end of file + - matches: Match_pattern_with_Instance diff --git a/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml b/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml index 8e80b2cd..feb59c62 100644 --- a/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml +++ b/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml @@ -155,4 +155,4 @@ utils: rule: any: - matches: Match_pattern_directly - - matches: Match_pattern_with_Instance \ No newline at end of file + - matches: Match_pattern_with_Instance diff --git a/rules/typescript/security/sql-injection-typescript.yml b/rules/typescript/security/sql-injection-typescript.yml new file mode 100644 index 00000000..eef6c3b5 --- /dev/null +++ b/rules/typescript/security/sql-injection-typescript.yml 
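Review bot: The method list (`warn`, `info`, `error`, `fatal`, `log`) omits `debug` and `trace`, which console, pino and winston all expose and which are exactly the levels where request objects get dumped, so `logger.debug(email)` is not reported; add `- regex: "^debug$"` and `- regex: "^trace$"`. The seven-name sensitive-identifier list is repeated verbatim four times (identifier, template substitution, member expression, binary expression); a YAML anchor (`&sensitive` on the first list, `*sensitive` thereafter) would keep the copies from drifting, provided ast-grep's YAML loader resolves aliases — worth a quick check before relying on it. `logger` and `log` are matched by name only, so an instance named anything else (`this.log`, `req.log`) is invisible; that limit belongs in `message`.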
@@ -0,0 +1,45 @@ +id: sql-injection-typescript +severity: error +language: typescript +message: >- + Avoid SQL injection. Check for variable declarations in a SQL statement where + there is potential for SQL injections. Use parameterized queries instead. +note: >- + [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. +ast-grep-essentials: true +utils: + MATCH_SQL_STRING_CONCAT: + kind: binary_expression + pattern: "$SQL + $VAR" + has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_fragment + regex: ".*(SELECT|INSERT|UPDATE|DELETE).*" + MATCH_SQL_TEMPLATE_STRING: + kind: template_string + all: + - has: + stopBy: neighbor + kind: template_substitution + - regex: ".*(SELECT|INSERT|UPDATE|DELETE).*" + - not: + inside: + kind: call_expression + has: + kind: member_expression + has: + field: property + regex: ".*queryRaw.*|.*query.*" + - not: + inside: + kind: call_expression + has: + kind: identifier + regex: "sql|query" +rule: + any: + - matches: MATCH_SQL_STRING_CONCAT + - matches: MATCH_SQL_TEMPLATE_STRING diff --git a/sgconfig.yml b/sgconfig.yml index 861e99e5..37ca5efb 100644 --- a/sgconfig.yml +++ b/sgconfig.yml @@ -4,4 +4,4 @@ ruleDirs: utilDirs: - utils testConfigs: - - testDir: tests \ No newline at end of file + - testDir: tests diff --git a/tests/__snapshots__/argon2-weak-type-typescript-snapshot.yml b/tests/__snapshots__/argon2-weak-type-typescript-snapshot.yml new file mode 100644 index 00000000..1a247295 --- /dev/null +++ b/tests/__snapshots__/argon2-weak-type-typescript-snapshot.yml 
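Review bot: The SQL keyword regexes `.*(SELECT|INSERT|UPDATE|DELETE).*` are case-sensitive in both utils, so a lowercase `select * from users where id = ...` template — common in Node code — is not reported; `(?i)(SELECT|INSERT|UPDATE|DELETE)` fixes that, and the surrounding `.*` are redundant for an unanchored regex. The two `not: inside: call_expression` exclusions on the template util need a comment: with ast-grep's default `stopBy: neighbor` they hold only when the template is the direct child of the call, i.e. a tagged template (`sql` or `prisma.$queryRaw` tag) whose substitutions are parameterised — the right thing to exempt — but an unfamiliar reader will assume a template passed as an argument to `db.query(...)` is excluded too, which it is not because that template's parent is `arguments`. Suggested comment above the first `not:`: `# exempt tagged templates (sql, $queryRaw): substitutions are parameterised; a template passed as a call argument still matches`. If that reading of `stopBy` is wrong, the exemption silences the main injection shape and should be tested explicitly in the snapshot.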
@@ -0,0 +1,98 @@ +id: argon2-weak-type-typescript +snapshots: + ? |- + await argon2.hash('password', {type: argon2.argon2d}) + await argon2.hash('password', {type: argon2.argon2i}) + : labels: + - source: 'argon2.hash(''password'', {type: argon2.argon2d})' + style: primary + start: 6 + end: 53 + - source: argon2 + style: secondary + start: 6 + end: 12 + - source: hash + style: secondary + start: 13 + end: 17 + - source: argon2.hash + style: secondary + start: 6 + end: 17 + - source: type + style: secondary + start: 31 + end: 35 + - source: argon2 + style: secondary + start: 37 + end: 43 + - source: argon2d + style: secondary + start: 44 + end: 51 + - source: argon2.argon2d + style: secondary + start: 37 + end: 51 + - source: 'type: argon2.argon2d' + style: secondary + start: 31 + end: 51 + - source: '{type: argon2.argon2d}' + style: secondary + start: 30 + end: 52 + - source: '(''password'', {type: argon2.argon2d})' + style: secondary + start: 17 + end: 53 + ? | + await argon2.hash('password', {type: argon2.argon2d}) + await argon2.hash('password', {type: argon2.argon2i}) + : labels: + - source: 'argon2.hash(''password'', {type: argon2.argon2d})' + style: primary + start: 6 + end: 53 + - source: argon2 + style: secondary + start: 6 + end: 12 + - source: hash + style: secondary + start: 13 + end: 17 + - source: argon2.hash + style: secondary + start: 6 + end: 17 + - source: type + style: secondary + start: 31 + end: 35 + - source: argon2 + style: secondary + start: 37 + end: 43 + - source: argon2d + style: secondary + start: 44 + end: 51 + - source: argon2.argon2d + style: secondary + start: 37 + end: 51 + - source: 'type: argon2.argon2d' + style: secondary + start: 31 + end: 51 + - source: '{type: argon2.argon2d}' + style: secondary + start: 30 + end: 52 + - source: '(''password'', {type: argon2.argon2d})' + style: secondary + start: 17 + end: 53 
diff --git a/tests/__snapshots__/avoid-crypto-rc4-typescript-snapshot.yml b/tests/__snapshots__/avoid-crypto-rc4-typescript-snapshot.yml new file mode 100644 index 00000000..68c81411 --- /dev/null +++ b/tests/__snapshots__/avoid-crypto-rc4-typescript-snapshot.yml @@ -0,0 +1,58 @@ +id: avoid-crypto-rc4-typescript +snapshots: + ? |- + const encrypted = CryptoJS.RC4.encrypt("Message", "Secret Passphrase"); + const decrypted = CryptoJS.RC4.decrypt(encrypted, "Secret Passphrase"); + : labels: + - source: CryptoJS.RC4.encrypt("Message", "Secret Passphrase") + style: primary + start: 18 + end: 70 + - source: CryptoJS + style: secondary + start: 18 + end: 26 + - source: RC4 + style: secondary + start: 27 + end: 30 + - source: CryptoJS.RC4 + style: secondary + start: 18 + end: 30 + - source: encrypt + style: secondary + start: 31 + end: 38 + - source: CryptoJS.RC4.encrypt + style: secondary + start: 18 + end: 38 + ? | + const encrypted = CryptoJS.RC4.encrypt("Message", "Secret Passphrase"); + const decrypted = CryptoJS.RC4.decrypt(encrypted, "Secret Passphrase"); + : labels: + - source: CryptoJS.RC4.encrypt("Message", "Secret Passphrase") + style: primary + start: 18 + end: 70 + - source: CryptoJS + style: secondary + start: 18 + end: 26 + - source: RC4 + style: secondary + start: 27 + end: 30 + - source: CryptoJS.RC4 + style: secondary + start: 18 + end: 30 + - source: encrypt + style: secondary + start: 31 + end: 38 + - source: CryptoJS.RC4.encrypt + style: secondary + start: 18 + end: 38 diff --git a/tests/__snapshots__/avoid-crypto-sha1-typescript-snapshot.yml b/tests/__snapshots__/avoid-crypto-sha1-typescript-snapshot.yml new file mode 100644 index 00000000..6df3902c --- /dev/null +++ b/tests/__snapshots__/avoid-crypto-sha1-typescript-snapshot.yml 
@@ -0,0 +1,47 @@ +id: avoid-crypto-sha1-typescript +snapshots: + const hash = CryptoJS.HmacSHA1("Message", "Secret Passphrase");: + labels: + - source: CryptoJS.HmacSHA1("Message", "Secret Passphrase") + style: primary + start: 13 + end: 62 + - source: CryptoJS + style: secondary + start: 13 + end: 21 + - source: HmacSHA1 + style: secondary + start: 22 + end: 30 + - source: CryptoJS.HmacSHA1 + style: secondary + start: 13 + end: 30 + - source: ("Message", "Secret Passphrase") + style: secondary + start: 30 + end: 62 + ? | + const hash = CryptoJS.HmacSHA1("Message", "Secret Passphrase"); + : labels: + - source: CryptoJS.HmacSHA1("Message", "Secret Passphrase") + style: primary + start: 13 + end: 62 + - source: CryptoJS + style: secondary + start: 13 + end: 21 + - source: HmacSHA1 + style: secondary + start: 22 + end: 30 + - source: CryptoJS.HmacSHA1 + style: secondary + start: 13 + end: 30 + - source: ("Message", "Secret Passphrase") + style: secondary + start: 30 + end: 62 diff --git a/tests/__snapshots__/avoid-des-typescript-snapshot.yml b/tests/__snapshots__/avoid-des-typescript-snapshot.yml new file mode 100644 index 00000000..4c13ac66 --- /dev/null +++ b/tests/__snapshots__/avoid-des-typescript-snapshot.yml 
@@ -0,0 +1,62 @@ +id: avoid-des-typescript +snapshots: + ? |- + const encrypted = CryptoJS.DES.encrypt("Message", "Secret Passphrase"); + const decrypted = CryptoJS.DES.decrypt(encrypted, "Secret Passphrase"); + const encrypted = CryptoJS.TripleDES.encrypt("Message", "Secret Passphrase"); + const decrypted = CryptoJS.TripleDES.decrypt(encrypted, "Secret Passphrase"); + : labels: + - source: CryptoJS.DES.encrypt("Message", "Secret Passphrase") + style: primary + start: 18 + end: 70 + - source: CryptoJS + style: secondary + start: 18 + end: 26 + - source: DES + style: secondary + start: 27 + end: 30 + - source: CryptoJS.DES + style: secondary + start: 18 + end: 30 + - source: encrypt + style: secondary + start: 31 + end: 38 + - source: CryptoJS.DES.encrypt + style: secondary + start: 18 + end: 38 + ? | + const encrypted = CryptoJS.DES.encrypt("Message", "Secret Passphrase"); + const decrypted = CryptoJS.DES.decrypt(encrypted, "Secret Passphrase"); + const encrypted = CryptoJS.TripleDES.encrypt("Message", "Secret Passphrase"); + const decrypted = CryptoJS.TripleDES.decrypt(encrypted, "Secret Passphrase"); + : labels: + - source: CryptoJS.DES.encrypt("Message", "Secret Passphrase") + style: primary + start: 18 + end: 70 + - source: CryptoJS + style: secondary + start: 18 + end: 26 + - source: DES + style: secondary + start: 27 + end: 30 + - source: CryptoJS.DES + style: secondary + start: 18 + end: 30 + - source: encrypt + style: secondary + start: 31 + end: 38 + - source: CryptoJS.DES.encrypt + style: secondary + start: 18 + end: 38 diff --git a/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml index b9482edc..477ef02d 100644 --- a/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml +++ b/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml 
@@ -121,6 +121,58 @@ snapshots: style: secondary start: 36 end: 43 + ? | + let password: Array = Array("s33krit".utf8) + Blowfish(key: password, iv: "123") + : labels: + - source: 'Blowfish(key: password, iv: "123")' + style: primary + start: 51 + end: 85 + - source: Blowfish + style: secondary + start: 51 + end: 59 + - source: key + style: secondary + start: 60 + end: 63 + - source: password + style: secondary + start: 65 + end: 73 + - source: 'key: password' + style: secondary + start: 60 + end: 73 + - source: '(key: password, iv: "123")' + style: secondary + start: 59 + end: 85 + - source: '(key: password, iv: "123")' + style: secondary + start: 59 + end: 85 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 29 + end: 50 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 + - source: s33krit + style: secondary + start: 36 + end: 43 ? | let password: Array = Array("s33krit".utf8) try Blowfish(key: password, iv: "123") diff --git a/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml index bb3255a8..5ef367e9 100644 --- a/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml +++ b/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml 
@@ -87,6 +87,58 @@ snapshots: style: secondary start: 36 end: 43 + ? | + let password: Array = Array("s33krit".utf8) + ChaCha20(key: password, iv: "123") + : labels: + - source: 'ChaCha20(key: password, iv: "123")' + style: primary + start: 51 + end: 85 + - source: ChaCha20 + style: secondary + start: 51 + end: 59 + - source: key + style: secondary + start: 60 + end: 63 + - source: password + style: secondary + start: 65 + end: 73 + - source: 'key: password' + style: secondary + start: 60 + end: 73 + - source: '(key: password, iv: "123")' + style: secondary + start: 59 + end: 85 + - source: '(key: password, iv: "123")' + style: secondary + start: 59 + end: 85 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 29 + end: 50 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 + - source: s33krit + style: secondary + start: 36 + end: 43 ? | let password: Array = Array("s33krit".utf8) try ChaCha20(key: password, iv: "123") diff --git a/tests/__snapshots__/chmod-permissions-typescript-snapshot.yml b/tests/__snapshots__/chmod-permissions-typescript-snapshot.yml new file mode 100644 index 00000000..16f10b81 --- /dev/null +++ b/tests/__snapshots__/chmod-permissions-typescript-snapshot.yml 
@@ -0,0 +1,56 @@ +id: chmod-permissions-typescript +snapshots: + ? |- + const fs = require('fs'); + const fsPromises = fs.promises; + + fs.chmodSync("/tmp/myfile", 0o777); + fsPromises.chmod("/tmp/fsPromises", 0o777); + : labels: + - source: fs.chmodSync("/tmp/myfile", 0o777) + style: primary + start: 59 + end: 93 + - source: chmodSync + style: secondary + start: 62 + end: 71 + - source: fs.chmodSync + style: secondary + start: 59 + end: 71 + - source: '0o777' + style: secondary + start: 87 + end: 92 + - source: ("/tmp/myfile", 0o777) + style: secondary + start: 71 + end: 93 + ? | + const fs = require('fs'); + const fsPromises = fs.promises; + + fs.chmodSync("/tmp/myfile", 0o777); + fsPromises.chmod("/tmp/fsPromises", 0o777); + : labels: + - source: fs.chmodSync("/tmp/myfile", 0o777) + style: primary + start: 59 + end: 93 + - source: chmodSync + style: secondary + start: 62 + end: 71 + - source: fs.chmodSync + style: secondary + start: 59 + end: 71 + - source: '0o777' + style: secondary + start: 87 + end: 92 + - source: ("/tmp/myfile", 0o777) + style: secondary + start: 71 + end: 93 diff --git a/tests/__snapshots__/command-injection-typescript-snapshot.yml b/tests/__snapshots__/command-injection-typescript-snapshot.yml new file mode 100644 index 00000000..3e1f86d6 --- /dev/null +++ b/tests/__snapshots__/command-injection-typescript-snapshot.yml 
@@ -0,0 +1,58 @@ +id: command-injection-typescript +snapshots: + ? |- + childprocess.exec(`mv ${src} ${dst}`, (error, stdout, stderr) => {}); + childprocess.exec('mv ' + src + " " + dst, (error, stdout, stderr) => {}); + : labels: + - source: childprocess.exec(`mv ${src} ${dst}`, (error, stdout, stderr) => {}) + style: primary + start: 0 + end: 68 + - source: exec + style: secondary + start: 13 + end: 17 + - source: childprocess.exec + style: secondary + start: 0 + end: 17 + - source: ${src} + style: secondary + start: 22 + end: 28 + - source: '`mv ${src} ${dst}`' + style: secondary + start: 18 + end: 36 + - source: (`mv ${src} ${dst}`, (error, stdout, stderr) => {}) + style: secondary + start: 17 + end: 68 + ? | + childprocess.exec(`mv ${src} ${dst}`, (error, stdout, stderr) => {}); + childprocess.exec('mv ' + src + " " + dst, (error, stdout, stderr) => {}); + : labels: + - source: childprocess.exec(`mv ${src} ${dst}`, (error, stdout, stderr) => {}) + style: primary + start: 0 + end: 68 + - source: exec + style: secondary + start: 13 + end: 17 + - source: childprocess.exec + style: secondary + start: 0 + end: 17 + - source: ${src} + style: secondary + start: 22 + end: 28 + - source: '`mv ${src} ${dst}`' + style: secondary + start: 18 + end: 36 + - source: (`mv ${src} ${dst}`, (error, stdout, stderr) => {}) + style: secondary + start: 17 + end: 68 diff --git a/tests/__snapshots__/crypto-avoid-weak-hash-typescript-snapshot.yml b/tests/__snapshots__/crypto-avoid-weak-hash-typescript-snapshot.yml new file mode 100644 index 00000000..48679a55 --- /dev/null +++ b/tests/__snapshots__/crypto-avoid-weak-hash-typescript-snapshot.yml 
@@ -0,0 +1,92 @@ +id: crypto-avoid-weak-hash-typescript +snapshots: + ? |- + const hash = CryptoJS.MD5("Message", "Secret Passphrase"); + const hash = CryptoJS.SHA1("Message", "Secret Passphrase"); + const hash = CryptoJS.HmacMD5("Message", "Secret Passphrase"); + : labels: + - source: CryptoJS.MD5("Message", "Secret Passphrase") + style: primary + start: 13 + end: 57 + - source: CryptoJS + style: secondary + start: 13 + end: 21 + - source: MD5 + style: secondary + start: 22 + end: 25 + - source: CryptoJS.MD5 + style: secondary + start: 13 + end: 25 + - source: ("Message", "Secret Passphrase") + style: secondary + start: 25 + end: 57 + - source: CryptoJS.SHA1("Message", "Secret Passphrase") + style: primary + start: 71 + end: 115 + - source: CryptoJS + style: secondary + start: 71 + end: 79 + - source: SHA1 + style: secondary + start: 80 + end: 84 + - source: CryptoJS.SHA1 + style: secondary + start: 71 + end: 84 + - source: ("Message", "Secret Passphrase") + style: secondary + start: 84 + end: 115 + - source: CryptoJS.HmacMD5("Message", "Secret Passphrase") + style: primary + start: 129 + end: 177 + - source: CryptoJS + style: secondary + start: 129 + end: 137 + - source: HmacMD5 + style: secondary + start: 138 + end: 145 + - source: CryptoJS.HmacMD5 + style: secondary + start: 129 + end: 145 + - source: ("Message", "Secret Passphrase") + style: secondary + start: 145 + end: 177 + ? | + const hash = CryptoJS.MD5("Message", "Secret Passphrase"); + const hash = CryptoJS.SHA1("Message", "Secret Passphrase"); + const hash = CryptoJS.HmacMD5("Message", "Secret Passphrase"); + : labels: + - source: CryptoJS.MD5("Message", "Secret Passphrase") + style: primary + start: 13 + end: 57 + - source: CryptoJS + style: secondary + start: 13 + end: 21 + - source: MD5 + style: secondary + start: 22 + end: 25 + - source: CryptoJS.MD5 + style: secondary + start: 13 + end: 25 + - source: ("Message", "Secret Passphrase") + style: secondary + start: 25 + end: 57 
diff --git a/tests/__snapshots__/datanucleus-hardcoded-connection-password-java-snapshot.yml b/tests/__snapshots__/datanucleus-hardcoded-connection-password-java-snapshot.yml index a21740f8..2fc46df7 100644 --- a/tests/__snapshots__/datanucleus-hardcoded-connection-password-java-snapshot.yml +++ b/tests/__snapshots__/datanucleus-hardcoded-connection-password-java-snapshot.yml 
@@ -82,6 +82,88 @@ snapshots: style: secondary start: 0 end: 60 + ? | + import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; + public class PeopleTest { + JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); + private String pw = "asdf"; + public void setUp() throws SQLException { + pmf.setConnectionPassword(pw); + } + } + : labels: + - source: setConnectionPassword + style: primary + start: 237 + end: 258 + - source: pw + style: secondary + start: 259 + end: 261 + - source: (pw) + style: secondary + start: 258 + end: 262 + - source: pmf + style: secondary + start: 233 + end: 236 + - source: pmf.setConnectionPassword(pw) + style: secondary + start: 233 + end: 262 + - source: JDOPersistenceManagerFactory + style: secondary + start: 87 + end: 115 + - source: pmf + style: secondary + start: 116 + end: 119 + - source: pmf = new JDOPersistenceManagerFactory(props) + style: secondary + start: 116 + end: 161 + - source: JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); + style: secondary + start: 87 + end: 162 + - source: JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); + style: secondary + start: 87 + end: 162 + - source: pw + style: secondary + start: 178 + end: 180 + - source: asdf + style: secondary + start: 184 + end: 188 + - source: '"asdf"' + style: secondary + start: 183 + end: 189 + - source: pw = "asdf" + style: secondary + start: 178 + end: 189 + - source: private String pw = "asdf"; + style: secondary + start: 163 + end: 190 + - source: private String pw = "asdf"; + style: secondary + start: 163 + end: 190 + - source: import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; + style: secondary + start: 0 + end: 60 + - source: import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; + style: secondary + start: 0 + end: 60 ? | import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; public class PeopleTest { 
diff --git a/tests/__snapshots__/debug-enabled-python-snapshot.yml b/tests/__snapshots__/debug-enabled-python-snapshot.yml index 6e09f677..4cf59236 100644 --- a/tests/__snapshots__/debug-enabled-python-snapshot.yml +++ b/tests/__snapshots__/debug-enabled-python-snapshot.yml @@ -45,3 +45,48 @@ snapshots: style: secondary start: 51 end: 81 + ? | + from flask import Flask + if __name__ == "__main__": + app.run("0.0.0.0", debug=True) + : labels: + - source: app.run("0.0.0.0", debug=True) + style: primary + start: 51 + end: 81 + - source: app + style: secondary + start: 51 + end: 54 + - source: run + style: secondary + start: 55 + end: 58 + - source: app.run + style: secondary + start: 51 + end: 58 + - source: debug=True + style: secondary + start: 70 + end: 80 + - source: ("0.0.0.0", debug=True) + style: secondary + start: 58 + end: 81 + - source: Flask + style: secondary + start: 18 + end: 23 + - source: Flask + style: secondary + start: 18 + end: 23 + - source: from flask import Flask + style: secondary + start: 0 + end: 23 + - source: app.run("0.0.0.0", debug=True) + style: secondary + start: 51 + end: 81 diff --git a/tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml b/tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml index 09fcd42c..bb337d3f 100644 --- a/tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml +++ b/tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml 
@@ -30,6 +30,37 @@ snapshots: style: secondary start: 0 end: 27 + ? | + $sceProvider.enabled(false)(false); + : labels: + - source: $sceProvider.enabled(false)(false); + style: primary + start: 0 + end: 35 + - source: $sceProvider + style: secondary + start: 0 + end: 12 + - source: enabled + style: secondary + start: 13 + end: 20 + - source: 'false' + style: secondary + start: 21 + end: 26 + - source: (false) + style: secondary + start: 20 + end: 27 + - source: $sceProvider.enabled + style: secondary + start: 0 + end: 20 + - source: $sceProvider.enabled(false) + style: secondary + start: 0 + end: 27 ? | $sceProvider.enabled(false).someFunction(true).anything("anything"); : labels: diff --git a/tests/__snapshots__/detect-buffer-noassert-typescript-snapshot.yml b/tests/__snapshots__/detect-buffer-noassert-typescript-snapshot.yml new file mode 100644 index 00000000..24d4bc17 --- /dev/null +++ b/tests/__snapshots__/detect-buffer-noassert-typescript-snapshot.yml 
@@ -0,0 +1,74 @@ +id: detect-buffer-noassert-typescript +snapshots: + ? |- + a.readUInt8(0, true) + a.readUInt16LE(0, true) + a.writeUInt8(0, 0, true) + a.writeInt16LE(0, 0, true) + a.readFloatLE(0, true) + a.writeDoubleLE(0, 0, true) + : labels: + - source: a.readUInt8(0, true) + style: primary + start: 0 + end: 20 + - source: readUInt8 + style: secondary + start: 2 + end: 11 + - source: a.readUInt8 + style: secondary + start: 0 + end: 11 + - source: '0' + style: secondary + start: 12 + end: 13 + - source: 'true' + style: secondary + start: 15 + end: 19 + - source: 'true' + style: secondary + start: 15 + end: 19 + - source: (0, true) + style: secondary + start: 11 + end: 20 + ? | + a.readUInt8(0, true) + a.readUInt16LE(0, true) + a.writeUInt8(0, 0, true) + a.writeInt16LE(0, 0, true) + a.readFloatLE(0, true) + a.writeDoubleLE(0, 0, true) + : labels: + - source: a.readUInt8(0, true) + style: primary + start: 0 + end: 20 + - source: readUInt8 + style: secondary + start: 2 + end: 11 + - source: a.readUInt8 + style: secondary + start: 0 + end: 11 + - source: '0' + style: secondary + start: 12 + end: 13 + - source: 'true' + style: secondary + start: 15 + end: 19 + - source: 'true' + style: secondary + start: 15 + end: 19 + - source: (0, true) + style: secondary + start: 11 + end: 20 diff --git a/tests/__snapshots__/detect-eval-with-expression-typescript-snapshot.yml b/tests/__snapshots__/detect-eval-with-expression-typescript-snapshot.yml new file mode 100644 index 00000000..3069b5b9 --- /dev/null +++ b/tests/__snapshots__/detect-eval-with-expression-typescript-snapshot.yml 
@@ -0,0 +1,46 @@ +id: detect-eval-with-expression-typescript +snapshots: + ? |- + eval(a); + global.eval(a); + globalThis.eval(a); + const answer = eval(expression) + : labels: + - source: eval(a) + style: primary + start: 0 + end: 7 + - source: eval + style: secondary + start: 0 + end: 4 + - source: a + style: secondary + start: 5 + end: 6 + - source: (a) + style: secondary + start: 4 + end: 7 + ? | + eval(a); + global.eval(a); + globalThis.eval(a); + const answer = eval(expression) + : labels: + - source: eval(a) + style: primary + start: 0 + end: 7 + - source: eval + style: secondary + start: 0 + end: 4 + - source: a + style: secondary + start: 5 + end: 6 + - source: (a) + style: secondary + start: 4 + end: 7 diff --git a/tests/__snapshots__/detect-new-buffer-typescript-snapshot.yml b/tests/__snapshots__/detect-new-buffer-typescript-snapshot.yml new file mode 100644 index 00000000..298bb5f2 --- /dev/null +++ b/tests/__snapshots__/detect-new-buffer-typescript-snapshot.yml @@ -0,0 +1,39 @@ +id: detect-new-buffer-typescript +snapshots: + var a = new Buffer(c): + labels: + - source: new Buffer(c) + style: primary + start: 8 + end: 21 + - source: Buffer + style: secondary + start: 12 + end: 18 + - source: c + style: secondary + start: 19 + end: 20 + - source: (c) + style: secondary + start: 18 + end: 21 + ? | + var a = new Buffer(c) + : labels: + - source: new Buffer(c) + style: primary + start: 8 + end: 21 + - source: Buffer + style: secondary + start: 12 + end: 18 + - source: c + style: secondary + start: 19 + end: 20 + - source: (c) + style: secondary + start: 18 + end: 21 diff --git a/tests/__snapshots__/detect-non-literal-regexp-typescript-snapshot.yml b/tests/__snapshots__/detect-non-literal-regexp-typescript-snapshot.yml new file mode 100644 index 00000000..8318d86a --- /dev/null +++ b/tests/__snapshots__/detect-non-literal-regexp-typescript-snapshot.yml 
@@ -0,0 +1,39 @@ +id: detect-non-literal-regexp-typescript +snapshots: + var a = new RegExp(c, 'i');: + labels: + - source: new RegExp(c, 'i') + style: primary + start: 8 + end: 26 + - source: RegExp + style: secondary + start: 12 + end: 18 + - source: c + style: secondary + start: 19 + end: 20 + - source: (c, 'i') + style: secondary + start: 18 + end: 26 + ? | + var a = new RegExp(c, 'i'); + : labels: + - source: new RegExp(c, 'i') + style: primary + start: 8 + end: 26 + - source: RegExp + style: secondary + start: 12 + end: 18 + - source: c + style: secondary + start: 19 + end: 20 + - source: (c, 'i') + style: secondary + start: 18 + end: 26 diff --git a/tests/__snapshots__/detect-non-literal-require-typescript-snapshot.yml b/tests/__snapshots__/detect-non-literal-require-typescript-snapshot.yml new file mode 100644 index 00000000..61135751 --- /dev/null +++ b/tests/__snapshots__/detect-non-literal-require-typescript-snapshot.yml @@ -0,0 +1,42 @@ +id: detect-non-literal-require-typescript +snapshots: + ? |- + const a = require(c); + const a = require(`${c}`); + : labels: + - source: require(c) + style: primary + start: 10 + end: 20 + - source: require + style: secondary + start: 10 + end: 17 + - source: c + style: secondary + start: 18 + end: 19 + - source: (c) + style: secondary + start: 17 + end: 20 + ? | + const a = require(c); + const a = require(`${c}`); + : labels: + - source: require(c) + style: primary + start: 10 + end: 20 + - source: require + style: secondary + start: 10 + end: 17 + - source: c + style: secondary + start: 18 + end: 19 + - source: (c) + style: secondary + start: 17 + end: 20 diff --git a/tests/__snapshots__/detected-jwt-token-typescript-snapshot.yml b/tests/__snapshots__/detected-jwt-token-typescript-snapshot.yml new file mode 100644 index 00000000..9a88c2a4 --- /dev/null +++ b/tests/__snapshots__/detected-jwt-token-typescript-snapshot.yml 
@@ -0,0 +1,28 @@ +id: detected-jwt-token-typescript +snapshots: + ? |- + "eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234" + 'eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234' + `eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234` + : labels: + - source: '"eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234"' + style: primary + start: 0 + end: 72 + - source: eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234 + style: secondary + start: 1 + end: 71 + ? | + "eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234" + 'eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234' + `eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234` + : labels: + - source: '"eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234"' + style: primary + start: 0 + end: 72 + - source: eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234 + style: secondary + start: 1 + end: 71 diff --git a/tests/__snapshots__/ecb-cipher-java-snapshot.yml b/tests/__snapshots__/ecb-cipher-java-snapshot.yml index 2b611b24..73c2e0ec 100644 --- a/tests/__snapshots__/ecb-cipher-java-snapshot.yml +++ b/tests/__snapshots__/ecb-cipher-java-snapshot.yml 
@@ -34,3 +34,38 @@ snapshots: style: secondary start: 7 end: 50 + ? | + Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); + : labels: + - source: Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); + style: primary + start: 0 + end: 51 + - source: Cipher + style: secondary + start: 0 + end: 6 + - source: c + style: secondary + start: 7 + end: 8 + - source: getInstance + style: secondary + start: 18 + end: 29 + - source: '"AES/ECB/NoPadding"' + style: secondary + start: 30 + end: 49 + - source: ("AES/ECB/NoPadding") + style: secondary + start: 29 + end: 50 + - source: Cipher.getInstance("AES/ECB/NoPadding") + style: secondary + start: 11 + end: 50 + - source: c = Cipher.getInstance("AES/ECB/NoPadding") + style: secondary + start: 7 + end: 50 diff --git a/tests/__snapshots__/empty-password-rust-snapshot.yml b/tests/__snapshots__/empty-password-rust-snapshot.yml index 12bf0bbc..bdd9fd24 100644 --- a/tests/__snapshots__/empty-password-rust-snapshot.yml +++ b/tests/__snapshots__/empty-password-rust-snapshot.yml 
@@ -93,6 +93,102 @@ snapshots: .connect() .await?; + use_connection(conn); + Ok(()) + } + : labels: + - source: |- + pg.host("secret-host") + .port(2525) + .username("secret-user") + .password("") + style: primary + start: 164 + end: 237 + - source: pg + style: secondary + start: 164 + end: 166 + - source: password + style: secondary + start: 225 + end: 233 + - source: |- + pg.host("secret-host") + .port(2525) + .username("secret-user") + .password + style: secondary + start: 164 + end: 233 + - source: '""' + style: secondary + start: 234 + end: 236 + - source: ("") + style: secondary + start: 233 + end: 237 + - source: sqlx::postgres + style: secondary + start: 4 + end: 18 + - source: PgConnectOptions + style: secondary + start: 21 + end: 37 + - source: '{PgConnectOptions, PgConnection, PgPool, PgSslMode}' + style: secondary + start: 20 + end: 71 + - source: sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode} + style: secondary + start: 4 + end: 71 + - source: use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; + style: secondary + start: 0 + end: 72 + - source: use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; + style: secondary + start: 0 + end: 72 + - source: pg + style: secondary + start: 123 + end: 125 + - source: PgConnectOptions::new + style: secondary + start: 128 + end: 149 + - source: () + style: secondary + start: 149 + end: 151 + - source: PgConnectOptions::new() + style: secondary + start: 128 + end: 151 + - source: let pg = PgConnectOptions::new(); + style: secondary + start: 119 + end: 152 + - source: let pg = PgConnectOptions::new(); + style: secondary + start: 119 + end: 152 + ? 
| + use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; + async fn test3() -> Result<(), sqlx::Error> { + let pg = PgConnectOptions::new(); + let conn = pg.host("secret-host") + .port(2525) + .username("secret-user") + .password("") + .ssl_mode(PgSslMode::Require) + .connect() + .await?; + use_connection(conn); Ok(()) } diff --git a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml index ae94c35e..c3e6bbe9 100644 --- a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml +++ b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml @@ -181,3 +181,62 @@ snapshots: style: secondary start: 43 end: 116 + ? | + import * as session from 'express-session' + let secret2 = { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + : labels: + - source: 'secret: ''foo''' + style: primary + start: 74 + end: 87 + - source: secret + style: secondary + start: 74 + end: 80 + - source: foo + style: secondary + start: 83 + end: 86 + - source: '''foo''' + style: secondary + start: 82 + end: 87 + - source: 'secret: ''foo''' + style: secondary + start: 74 + end: 87 + - source: |- + { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + style: secondary + start: 57 + end: 116 + - source: |- + secret2 = { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + style: secondary + start: 47 + end: 116 + - source: import * as session from 'express-session' + style: secondary + start: 0 + end: 42 + - source: |- + let secret2 = { + resave: false, + secret: 'foo', + saveUninitialized: false, + } + style: secondary + start: 43 + end: 116 diff --git a/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml b/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml index 19e8085e..2c6e640f 100644 
--- a/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml +++ b/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml @@ -151,6 +151,87 @@ snapshots: style: secondary start: 0 end: 63 + ? | + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + var storeMultipleHardcoded = sessions.NewCookieStore( + []byte("old-authentication-key"), + []byte("old-encryption-key"), + ) + : labels: + - source: |- + sessions.NewCookieStore( + []byte("old-authentication-key"), + []byte("old-encryption-key"), + ) + style: primary + start: 93 + end: 185 + - source: sessions + style: secondary + start: 93 + end: 101 + - source: NewCookieStore + style: secondary + start: 102 + end: 116 + - source: sessions.NewCookieStore + style: secondary + start: 93 + end: 116 + - source: byte + style: secondary + start: 121 + end: 125 + - source: '[]byte' + style: secondary + start: 119 + end: 125 + - source: '"old-authentication-key"' + style: secondary + start: 126 + end: 150 + - source: '[]byte("old-authentication-key")' + style: secondary + start: 119 + end: 151 + - source: |- + ( + []byte("old-authentication-key"), + []byte("old-encryption-key"), + ) + style: secondary + start: 116 + end: 185 + - source: '"github.com/gorilla/sessions"' + style: secondary + start: 32 + end: 61 + - source: '"github.com/gorilla/sessions"' + style: secondary + start: 32 + end: 61 + - source: |- + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + style: secondary + start: 0 + end: 63 + - source: |- + import ( + "crypto/rand" + "fmt" + "github.com/gorilla/sessions" + ) + style: secondary + start: 0 + end: 63 ? | import ( "github.com/gorilla/sessions" diff --git a/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml b/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml index 2e20a442..b8a1183d 100644 --- a/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml 
+++ b/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml @@ -126,3 +126,66 @@ snapshots: style: secondary start: 0 end: 36 + ? | + import ( + "github.com/gorilla/csrf" + ) + func main() { + http.ListenAndServe(":8000", + csrf.Protect([]byte("32-byte-long-auth-key"))(r)) + } + : labels: + - source: csrf.Protect([]byte("32-byte-long-auth-key")) + style: primary + start: 84 + end: 129 + - source: csrf + style: secondary + start: 84 + end: 88 + - source: Protect + style: secondary + start: 89 + end: 96 + - source: csrf.Protect + style: secondary + start: 84 + end: 96 + - source: byte + style: secondary + start: 99 + end: 103 + - source: '[]byte' + style: secondary + start: 97 + end: 103 + - source: '"32-byte-long-auth-key"' + style: secondary + start: 104 + end: 127 + - source: '[]byte("32-byte-long-auth-key")' + style: secondary + start: 97 + end: 128 + - source: ([]byte("32-byte-long-auth-key")) + style: secondary + start: 96 + end: 129 + - source: '"github.com/gorilla/csrf"' + style: secondary + start: 9 + end: 34 + - source: |- + import ( + "github.com/gorilla/csrf" + ) + style: secondary + start: 0 + end: 36 + - source: |- + import ( + "github.com/gorilla/csrf" + ) + style: secondary + start: 0 + end: 36 diff --git a/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml b/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml index 4b883430..3690fa34 100644 --- a/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml +++ b/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml 
@@ -46,3 +46,50 @@ snapshots: style: secondary start: 22 end: 52 + ? | + conn, err := grpc.Dial(address, grpc.WithInsecure()) + : labels: + - source: grpc.Dial(address, grpc.WithInsecure()) + style: primary + start: 13 + end: 52 + - source: grpc + style: secondary + start: 13 + end: 17 + - source: Dial + style: secondary + start: 18 + end: 22 + - source: grpc.Dial + style: secondary + start: 13 + end: 22 + - source: address + style: secondary + start: 23 + end: 30 + - source: grpc + style: secondary + start: 32 + end: 36 + - source: WithInsecure + style: secondary + start: 37 + end: 49 + - source: grpc.WithInsecure + style: secondary + start: 32 + end: 49 + - source: () + style: secondary + start: 49 + end: 51 + - source: grpc.WithInsecure() + style: secondary + start: 32 + end: 51 + - source: (address, grpc.WithInsecure()) + style: secondary + start: 22 + end: 52 diff --git a/tests/__snapshots__/hardcoded-connection-password-java-snapshot.yml b/tests/__snapshots__/hardcoded-connection-password-java-snapshot.yml index 4b6aee6f..92582fc4 100644 --- a/tests/__snapshots__/hardcoded-connection-password-java-snapshot.yml +++ b/tests/__snapshots__/hardcoded-connection-password-java-snapshot.yml 
@@ -83,6 +83,89 @@ snapshots: style: secondary start: 61 end: 104 + ? | + import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; + import javax.jdo.PersistenceManagerFactory; + public class PeopleTest { + private PersistenceManagerFactory pmf; + private String pw = "asdf"; + public void setUp() throws SQLException { + pmf.setConnectionPassword(pw); + } + } + : labels: + - source: setConnectionPassword + style: primary + start: 244 + end: 265 + - source: pw + style: secondary + start: 266 + end: 268 + - source: (pw) + style: secondary + start: 265 + end: 269 + - source: pmf + style: secondary + start: 240 + end: 243 + - source: pmf.setConnectionPassword(pw) + style: secondary + start: 240 + end: 269 + - source: PersistenceManagerFactory + style: secondary + start: 139 + end: 164 + - source: pmf + style: secondary + start: 165 + end: 168 + - source: pmf + style: secondary + start: 165 + end: 168 + - source: private PersistenceManagerFactory pmf; + style: secondary + start: 131 + end: 169 + - source: private PersistenceManagerFactory pmf; + style: secondary + start: 131 + end: 169 + - source: pw + style: secondary + start: 185 + end: 187 + - source: asdf + style: secondary + start: 191 + end: 195 + - source: '"asdf"' + style: secondary + start: 190 + end: 196 + - source: pw = "asdf" + style: secondary + start: 185 + end: 196 + - source: private String pw = "asdf"; + style: secondary + start: 170 + end: 197 + - source: private String pw = "asdf"; + style: secondary + start: 170 + end: 197 + - source: import javax.jdo.PersistenceManagerFactory; + style: secondary + start: 61 + end: 104 + - source: import javax.jdo.PersistenceManagerFactory; + style: secondary + start: 61 + end: 104 ? | import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; import javax.jdo.PersistenceManagerFactory; 
diff --git a/tests/__snapshots__/hardcoded-hmac-key-typescript-snapshot.yml b/tests/__snapshots__/hardcoded-hmac-key-typescript-snapshot.yml new file mode 100644 index 00000000..dc56189b --- /dev/null +++ b/tests/__snapshots__/hardcoded-hmac-key-typescript-snapshot.yml 
@@ -0,0 +1,148 @@ +id: hardcoded-hmac-key-typescript +snapshots: + ? |- + import crypto from "crypto"; + + crypto.createHmac('sha256', 'pa4qacea4VK9t9nGv7yZtwmj').update(data).digest('hex'); + + const key = 'private'; + const secret = key; + const fail = crypto.createHmac('sha256', secret); + : labels: + - source: crypto.createHmac('sha256', 'pa4qacea4VK9t9nGv7yZtwmj') + style: primary + start: 30 + end: 85 + - source: crypto + style: secondary + start: 30 + end: 36 + - source: createHmac + style: secondary + start: 37 + end: 47 + - source: crypto.createHmac + style: secondary + start: 30 + end: 47 + - source: '''sha256''' + style: secondary + start: 48 + end: 56 + - source: '''pa4qacea4VK9t9nGv7yZtwmj''' + style: secondary + start: 58 + end: 84 + - source: sha256 + style: secondary + start: 49 + end: 55 + - source: pa4qacea4VK9t9nGv7yZtwmj + style: secondary + start: 59 + end: 83 + - source: sha256 + style: secondary + start: 49 + end: 55 + - source: pa4qacea4VK9t9nGv7yZtwmj + style: secondary + start: 59 + end: 83 + - source: sha256 + style: secondary + start: 49 + end: 55 + - source: pa4qacea4VK9t9nGv7yZtwmj + style: secondary + start: 59 + end: 83 + - source: sha256 + style: secondary + start: 49 + end: 55 + - source: pa4qacea4VK9t9nGv7yZtwmj + style: secondary + start: 59 + end: 83 + - source: '''pa4qacea4VK9t9nGv7yZtwmj''' + style: secondary + start: 58 + end: 84 + - source: ('sha256', 'pa4qacea4VK9t9nGv7yZtwmj') + style: secondary + start: 47 + end: 85 + ? 
| + import crypto from "crypto"; + + crypto.createHmac('sha256', 'pa4qacea4VK9t9nGv7yZtwmj').update(data).digest('hex'); + + const key = 'private'; + const secret = key; + const fail = crypto.createHmac('sha256', secret); + : labels: + - source: crypto.createHmac('sha256', 'pa4qacea4VK9t9nGv7yZtwmj') + style: primary + start: 30 + end: 85 + - source: crypto + style: secondary + start: 30 + end: 36 + - source: createHmac + style: secondary + start: 37 + end: 47 + - source: crypto.createHmac + style: secondary + start: 30 + end: 47 + - source: '''sha256''' + style: secondary + start: 48 + end: 56 + - source: '''pa4qacea4VK9t9nGv7yZtwmj''' + style: secondary + start: 58 + end: 84 + - source: sha256 + style: secondary + start: 49 + end: 55 + - source: pa4qacea4VK9t9nGv7yZtwmj + style: secondary + start: 59 + end: 83 + - source: sha256 + style: secondary + start: 49 + end: 55 + - source: pa4qacea4VK9t9nGv7yZtwmj + style: secondary + start: 59 + end: 83 + - source: sha256 + style: secondary + start: 49 + end: 55 + - source: pa4qacea4VK9t9nGv7yZtwmj + style: secondary + start: 59 + end: 83 + - source: sha256 + style: secondary + start: 49 + end: 55 + - source: pa4qacea4VK9t9nGv7yZtwmj + style: secondary + start: 59 + end: 83 + - source: '''pa4qacea4VK9t9nGv7yZtwmj''' + style: secondary + start: 58 + end: 84 + - source: ('sha256', 'pa4qacea4VK9t9nGv7yZtwmj') + style: secondary + start: 47 + end: 85 diff --git a/tests/__snapshots__/hardcoded-http-auth-in-controller-ruby-snapshot.yml b/tests/__snapshots__/hardcoded-http-auth-in-controller-ruby-snapshot.yml index 5043b45e..a2cda645 100644 --- a/tests/__snapshots__/hardcoded-http-auth-in-controller-ruby-snapshot.yml +++ b/tests/__snapshots__/hardcoded-http-auth-in-controller-ruby-snapshot.yml 
@@ -60,3 +60,63 @@ snapshots: style: secondary start: 95 end: 116 + ? | + class DangerousController < ApplicationController + http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index + puts "do more stuff" + end + : labels: + - source: '"secret"' + style: primary + start: 108 + end: 116 + - source: :password + style: secondary + start: 95 + end: 104 + - source: '"secret"' + style: secondary + start: 108 + end: 116 + - source: http_basic_authenticate_with + style: secondary + start: 50 + end: 78 + - source: DangerousController + style: secondary + start: 6 + end: 25 + - source: ApplicationController + style: secondary + start: 28 + end: 49 + - source: < ApplicationController + style: secondary + start: 26 + end: 49 + - source: |- + class DangerousController < ApplicationController + http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index + puts "do more stuff" + end + style: secondary + start: 0 + end: 160 + - source: |- + http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index + puts "do more stuff" + style: secondary + start: 50 + end: 156 + - source: http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index + style: secondary + start: 50 + end: 135 + - source: :name => "dhh", :password => "secret", :except => :index + style: secondary + start: 79 + end: 135 + - source: :password => "secret" + style: secondary + start: 95 + end: 116 diff --git a/tests/__snapshots__/hardcoded-password-rust-snapshot.yml b/tests/__snapshots__/hardcoded-password-rust-snapshot.yml index abd2b0de..f00fc0e1 100644 --- a/tests/__snapshots__/hardcoded-password-rust-snapshot.yml +++ b/tests/__snapshots__/hardcoded-password-rust-snapshot.yml 
@@ -97,6 +97,106 @@ snapshots: .connect() .await?; + use_connection(conn); + Ok(()) + } + : labels: + - source: |- + pg.host("secret-host") + .port(2525) + .username("secret-user") + .password("secret-password") + style: primary + start: 164 + end: 252 + - source: pg + style: secondary + start: 164 + end: 166 + - source: password + style: secondary + start: 225 + end: 233 + - source: |- + pg.host("secret-host") + .port(2525) + .username("secret-user") + .password + style: secondary + start: 164 + end: 233 + - source: secret-password + style: secondary + start: 235 + end: 250 + - source: '"secret-password"' + style: secondary + start: 234 + end: 251 + - source: ("secret-password") + style: secondary + start: 233 + end: 252 + - source: sqlx::postgres + style: secondary + start: 4 + end: 18 + - source: PgConnectOptions + style: secondary + start: 21 + end: 37 + - source: '{PgConnectOptions, PgConnection, PgPool, PgSslMode}' + style: secondary + start: 20 + end: 71 + - source: sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode} + style: secondary + start: 4 + end: 71 + - source: use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; + style: secondary + start: 0 + end: 72 + - source: use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; + style: secondary + start: 0 + end: 72 + - source: pg + style: secondary + start: 123 + end: 125 + - source: PgConnectOptions::new + style: secondary + start: 128 + end: 149 + - source: () + style: secondary + start: 149 + end: 151 + - source: PgConnectOptions::new() + style: secondary + start: 128 + end: 151 + - source: let pg = PgConnectOptions::new(); + style: secondary + start: 119 + end: 152 + - source: let pg = PgConnectOptions::new(); + style: secondary + start: 119 + end: 152 + ? 
| + use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; + async fn test3() -> Result<(), sqlx::Error> { + let pg = PgConnectOptions::new(); + let conn = pg.host("secret-host") + .port(2525) + .username("secret-user") + .password("secret-password") + .ssl_mode(PgSslMode::Require) + .connect() + .await?; + use_connection(conn); Ok(()) } diff --git a/tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml b/tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml index 780a2eb6..0d5261f2 100644 --- a/tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml +++ b/tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml 
@@ -1,6 +1,60 @@ id: hardcoded-secret-in-credentials-java snapshots: ? "import okhttp3.*;\npublic class OkhttpSecretBasicAuth {\nprivate String password = \"hi\";\npublic void run() { \nString credential = Credentials.basic(username, password);\n}\n}" + : labels: + - source: Credentials.basic(username, password) + style: primary + start: 128 + end: 165 + - source: Credentials + style: secondary + start: 128 + end: 139 + - source: basic + style: secondary + start: 140 + end: 145 + - source: password + style: secondary + start: 156 + end: 164 + - source: (username, password) + style: secondary + start: 145 + end: 165 + - source: import okhttp3.*; + style: secondary + start: 0 + end: 17 + - source: import okhttp3.*; + style: secondary + start: 0 + end: 17 + - source: password + style: secondary + start: 70 + end: 78 + - source: hi + style: secondary + start: 82 + end: 84 + - source: '"hi"' + style: secondary + start: 81 + end: 85 + - source: password = "hi" + style: secondary + start: 70 + end: 85 + - source: private String password = "hi"; + style: secondary + start: 55 + end: 86 + - source: private String password = "hi"; + style: secondary + start: 55 + end: 86 + ? "import okhttp3.*;\npublic class OkhttpSecretBasicAuth {\nprivate String password = \"hi\";\npublic void run() { \nString credential = Credentials.basic(username, password);\n}\n}\n" : labels: - source: Credentials.basic(username, password) style: primary diff --git a/tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml b/tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml index 2154f4ee..fe11b3f7 100644 --- a/tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml +++ b/tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml 
@@ -48,6 +48,54 @@ snapshots: style: secondary start: 0 end: 126 + ? | + from hashids import Hashids + app = Flask(__name__.split('.')[0]) + hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY']) + : labels: + - source: Hashids(min_length=4, salt=app.config['SECRET_KEY']) + style: primary + start: 74 + end: 126 + - source: Hashids + style: secondary + start: 74 + end: 81 + - source: salt + style: secondary + start: 96 + end: 100 + - source: app.config['SECRET_KEY'] + style: secondary + start: 101 + end: 125 + - source: salt=app.config['SECRET_KEY'] + style: secondary + start: 96 + end: 125 + - source: (min_length=4, salt=app.config['SECRET_KEY']) + style: secondary + start: 81 + end: 126 + - source: from hashids import Hashids + style: secondary + start: 0 + end: 27 + - source: app = Flask(__name__.split('.')[0]) + style: secondary + start: 28 + end: 63 + - source: app = Flask(__name__.split('.')[0]) + style: secondary + start: 28 + end: 63 + - source: | + from hashids import Hashids + app = Flask(__name__.split('.')[0]) + hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY']) + style: secondary + start: 0 + end: 127 ? | from hashids import Hashids foo = Flask() diff --git a/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml b/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml index b22adcac..2f7e233d 100644 --- a/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml +++ b/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml @@ -6,3 +6,10 @@ snapshots: style: primary start: 0 end: 18 + ? | + abc.evaluatePolicy() + : labels: + - source: abc.evaluatePolicy + style: primary + start: 0 + end: 18 diff --git a/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml b/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml index 8ef609ae..484ea265 100644 --- a/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml 
+++ b/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml @@ -27,6 +27,13 @@ snapshots: style: primary start: 0 end: 33 + ? | + Cryptodome.Cipher.ARC4.new(asdsd) + : labels: + - source: Cryptodome.Cipher.ARC4.new(asdsd) + style: primary + start: 0 + end: 33 ? | from Crypto.Cipher import ARC4 as pycrypto_arc4 cipher = pycrypto_arc4.new(tempkey) diff --git a/tests/__snapshots__/insecure-hash-typescript-snapshot.yml b/tests/__snapshots__/insecure-hash-typescript-snapshot.yml new file mode 100644 index 00000000..f0b08ee0 --- /dev/null +++ b/tests/__snapshots__/insecure-hash-typescript-snapshot.yml 
@@ -0,0 +1,94 @@ +id: insecure-hash-typescript +snapshots: + ? |- + crypto.createHash("md5") + crypto.createHash("sha1") + : labels: + - source: crypto.createHash("md5") + style: primary + start: 0 + end: 24 + - source: crypto + style: secondary + start: 0 + end: 6 + - source: createHash + style: secondary + start: 7 + end: 17 + - source: crypto.createHash + style: secondary + start: 0 + end: 17 + - source: md5 + style: secondary + start: 19 + end: 22 + - source: '"md5"' + style: secondary + start: 18 + end: 23 + - source: ("md5") + style: secondary + start: 17 + end: 24 + - source: crypto.createHash("sha1") + style: primary + start: 25 + end: 50 + - source: crypto + style: secondary + start: 25 + end: 31 + - source: createHash + style: secondary + start: 32 + end: 42 + - source: crypto.createHash + style: secondary + start: 25 + end: 42 + - source: sha1 + style: secondary + start: 44 + end: 48 + - source: '"sha1"' + style: secondary + start: 43 + end: 49 + - source: ("sha1") + style: secondary + start: 42 + end: 50 + ? | + crypto.createHash("md5") + crypto.createHash("sha1") + : labels: + - source: crypto.createHash("md5") + style: primary + start: 0 + end: 24 + - source: crypto + style: secondary + start: 0 + end: 6 + - source: createHash + style: secondary + start: 7 + end: 17 + - source: crypto.createHash + style: secondary + start: 0 + end: 17 + - source: md5 + style: secondary + start: 19 + end: 22 + - source: '"md5"' + style: secondary + start: 18 + end: 23 + - source: ("md5") + style: secondary + start: 17 + end: 24 diff --git a/tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml index b70769fe..c91c7500 100644 --- a/tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml +++ b/tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml 
@@ -140,3 +140,86 @@ snapshots: style: secondary start: 76 end: 93 + ? | + import com.auth0.jwt.algorithms.Algorithm; + public class App + { + static String secret = "secret"; + public void bad2() { + try { + Algorithm algorithm = Algorithm.HMAC256(secret); + String token = JWT.create() + .withIssuer("auth0") + .sign(algorithm); + } catch (JWTCreationException exception){ + } + } + : labels: + - source: '"secret"' + style: primary + start: 85 + end: 93 + - source: secret + style: secondary + start: 86 + end: 92 + - source: Algorithm + style: secondary + start: 132 + end: 141 + - source: algorithm + style: secondary + start: 142 + end: 151 + - source: Algorithm + style: secondary + start: 154 + end: 163 + - source: HMAC256 + style: secondary + start: 164 + end: 171 + - source: secret + style: secondary + start: 172 + end: 178 + - source: (secret) + style: secondary + start: 171 + end: 179 + - source: Algorithm.HMAC256(secret) + style: secondary + start: 154 + end: 179 + - source: algorithm = Algorithm.HMAC256(secret) + style: secondary + start: 142 + end: 179 + - source: Algorithm algorithm = Algorithm.HMAC256(secret); + style: secondary + start: 132 + end: 180 + - source: |- + public class App + { + static String secret = "secret"; + public void bad2() { + try { + Algorithm algorithm = Algorithm.HMAC256(secret); + String token = JWT.create() + .withIssuer("auth0") + .sign(algorithm); + } catch (JWTCreationException exception){ + } + } + style: secondary + start: 43 + end: 326 + - source: secret + style: secondary + start: 76 + end: 82 + - source: secret = "secret" + style: secondary + start: 76 + end: 93 diff --git a/tests/__snapshots__/jedis-jedisclientconfig-hardcoded-password-java-snapshot.yml b/tests/__snapshots__/jedis-jedisclientconfig-hardcoded-password-java-snapshot.yml index 440411bd..b1c79bcf 100644 --- a/tests/__snapshots__/jedis-jedisclientconfig-hardcoded-password-java-snapshot.yml 
+++ b/tests/__snapshots__/jedis-jedisclientconfig-hardcoded-password-java-snapshot.yml @@ -62,6 +62,68 @@ snapshots: style: secondary start: 46 end: 98 + ? | + import redis.clients.jedis.JedisClientConfig; + import redis.clients.jedis.DefaultJedisClientConfig; + public class JedisTest { + void run() { + DefaultJedisClientConfig.Builder builder = DefaultJedisClientConfig.builder(); + builder.password("asdf"); + } + } + : labels: + - source: builder.password("asdf") + style: primary + start: 220 + end: 244 + - source: builder + style: secondary + start: 220 + end: 227 + - source: asdf + style: secondary + start: 238 + end: 242 + - source: '"asdf"' + style: secondary + start: 237 + end: 243 + - source: ("asdf") + style: secondary + start: 236 + end: 244 + - source: password + style: secondary + start: 228 + end: 236 + - source: DefaultJedisClientConfig.Builder + style: secondary + start: 137 + end: 169 + - source: builder + style: secondary + start: 170 + end: 177 + - source: builder = DefaultJedisClientConfig.builder() + style: secondary + start: 170 + end: 214 + - source: DefaultJedisClientConfig.Builder builder = DefaultJedisClientConfig.builder(); + style: secondary + start: 137 + end: 215 + - source: DefaultJedisClientConfig.Builder builder = DefaultJedisClientConfig.builder(); + style: secondary + start: 137 + end: 215 + - source: import redis.clients.jedis.DefaultJedisClientConfig; + style: secondary + start: 46 + end: 98 + - source: import redis.clients.jedis.DefaultJedisClientConfig; + style: secondary + start: 46 + end: 98 ? | import redis.clients.jedis.JedisClientConfig; import redis.clients.jedis.DefaultJedisClientConfig; diff --git a/tests/__snapshots__/jwt-sensitive-data-typescript-snapshot.yml b/tests/__snapshots__/jwt-sensitive-data-typescript-snapshot.yml new file mode 100644 index 00000000..40b5a01d --- /dev/null +++ b/tests/__snapshots__/jwt-sensitive-data-typescript-snapshot.yml 
@@ -0,0 +1,158 @@ +id: jwt-sensitive-data-typescript +snapshots: + ? |- + jwt.sign( + { user: { email: 'foo@bar.com' }} + ) + + jwt.sign( + { user: { lastname: 'babar' }} + ) + : labels: + - source: |- + jwt.sign( + { user: { email: 'foo@bar.com' }} + ) + style: primary + start: 0 + end: 49 + - source: jwt + style: secondary + start: 0 + end: 3 + - source: sign + style: secondary + start: 4 + end: 8 + - source: jwt.sign + style: secondary + start: 0 + end: 8 + - source: email + style: secondary + start: 24 + end: 29 + - source: 'email: ''foo@bar.com''' + style: secondary + start: 24 + end: 44 + - source: '{ email: ''foo@bar.com'' }' + style: secondary + start: 22 + end: 46 + - source: 'user: { email: ''foo@bar.com'' }' + style: secondary + start: 16 + end: 46 + - source: '{ user: { email: ''foo@bar.com'' }}' + style: secondary + start: 14 + end: 47 + - source: |- + ( + { user: { email: 'foo@bar.com' }} + ) + style: secondary + start: 8 + end: 49 + - source: |- + jwt.sign( + { user: { lastname: 'babar' }} + ) + style: primary + start: 51 + end: 95 + - source: jwt + style: secondary + start: 51 + end: 54 + - source: sign + style: secondary + start: 55 + end: 59 + - source: jwt.sign + style: secondary + start: 51 + end: 59 + - source: lastname + style: secondary + start: 73 + end: 81 + - source: 'lastname: ''babar''' + style: secondary + start: 73 + end: 87 + - source: '{ lastname: ''babar'' }' + style: secondary + start: 71 + end: 89 + - source: 'user: { lastname: ''babar'' }' + style: secondary + start: 65 + end: 89 + - source: '{ user: { lastname: ''babar'' }}' + style: secondary + start: 63 + end: 90 + - source: |- + ( + { user: { lastname: 'babar' }} + ) + style: secondary + start: 59 + end: 95 + ? 
| + jwt.sign( + { user: { email: 'foo@bar.com' }} + ) + + jwt.sign( + { user: { lastname: 'babar' }} + ) + : labels: + - source: |- + jwt.sign( + { user: { email: 'foo@bar.com' }} + ) + style: primary + start: 0 + end: 49 + - source: jwt + style: secondary + start: 0 + end: 3 + - source: sign + style: secondary + start: 4 + end: 8 + - source: jwt.sign + style: secondary + start: 0 + end: 8 + - source: email + style: secondary + start: 24 + end: 29 + - source: 'email: ''foo@bar.com''' + style: secondary + start: 24 + end: 44 + - source: '{ email: ''foo@bar.com'' }' + style: secondary + start: 22 + end: 46 + - source: 'user: { email: ''foo@bar.com'' }' + style: secondary + start: 16 + end: 46 + - source: '{ user: { email: ''foo@bar.com'' }}' + style: secondary + start: 14 + end: 47 + - source: |- + ( + { user: { email: 'foo@bar.com' }} + ) + style: secondary + start: 8 + end: 49 diff --git a/tests/__snapshots__/jwt-weak-encryption-typescript-snapshot.yml b/tests/__snapshots__/jwt-weak-encryption-typescript-snapshot.yml new file mode 100644 index 00000000..2eb882a8 --- /dev/null +++ b/tests/__snapshots__/jwt-weak-encryption-typescript-snapshot.yml 
@@ -0,0 +1,98 @@ +id: jwt-weak-encryption-typescript +snapshots: + ? |- + jwt.verify(token, secret, { algorithms: ['RS256', 'none'] }, func); + jwt.verify(token, secret, { algorithms: ['none', 'RS256'] }, func); + : labels: + - source: 'jwt.verify(token, secret, { algorithms: [''RS256'', ''none''] }, func)' + style: primary + start: 0 + end: 66 + - source: jwt + style: secondary + start: 0 + end: 3 + - source: verify + style: secondary + start: 4 + end: 10 + - source: jwt.verify + style: secondary + start: 0 + end: 10 + - source: algorithms + style: secondary + start: 28 + end: 38 + - source: none + style: secondary + start: 51 + end: 55 + - source: '''none''' + style: secondary + start: 50 + end: 56 + - source: '[''RS256'', ''none'']' + style: secondary + start: 40 + end: 57 + - source: 'algorithms: [''RS256'', ''none'']' + style: secondary + start: 28 + end: 57 + - source: '{ algorithms: [''RS256'', ''none''] }' + style: secondary + start: 26 + end: 59 + - source: '(token, secret, { algorithms: [''RS256'', ''none''] }, func)' + style: secondary + start: 10 + end: 66 + ? 
| + jwt.verify(token, secret, { algorithms: ['RS256', 'none'] }, func); + jwt.verify(token, secret, { algorithms: ['none', 'RS256'] }, func); + : labels: + - source: 'jwt.verify(token, secret, { algorithms: [''RS256'', ''none''] }, func)' + style: primary + start: 0 + end: 66 + - source: jwt + style: secondary + start: 0 + end: 3 + - source: verify + style: secondary + start: 4 + end: 10 + - source: jwt.verify + style: secondary + start: 0 + end: 10 + - source: algorithms + style: secondary + start: 28 + end: 38 + - source: none + style: secondary + start: 51 + end: 55 + - source: '''none''' + style: secondary + start: 50 + end: 56 + - source: '[''RS256'', ''none'']' + style: secondary + start: 40 + end: 57 + - source: 'algorithms: [''RS256'', ''none'']' + style: secondary + start: 28 + end: 57 + - source: '{ algorithms: [''RS256'', ''none''] }' + style: secondary + start: 26 + end: 59 + - source: '(token, secret, { algorithms: [''RS256'', ''none''] }, func)' + style: secondary + start: 10 + end: 66 diff --git a/tests/__snapshots__/log-sensitive-data-typescript-snapshot.yml b/tests/__snapshots__/log-sensitive-data-typescript-snapshot.yml new file mode 100644 index 00000000..288bf8bc --- /dev/null +++ b/tests/__snapshots__/log-sensitive-data-typescript-snapshot.yml 
@@ -0,0 +1,78 @@ +id: log-sensitive-data-typescript +snapshots: + ? |- + console.log("email from user" + user.email); + console.log(`email from user ${user.email}`); + logger.info(`email from user ${user.email}`); + logger.warn(email); + : labels: + - source: console.log("email from user" + user.email) + style: primary + start: 0 + end: 43 + - source: console + style: secondary + start: 0 + end: 7 + - source: log + style: secondary + start: 8 + end: 11 + - source: console.log + style: secondary + start: 0 + end: 11 + - source: email + style: secondary + start: 37 + end: 42 + - source: user.email + style: secondary + start: 32 + end: 42 + - source: '"email from user" + user.email' + style: secondary + start: 12 + end: 42 + - source: ("email from user" + user.email) + style: secondary + start: 11 + end: 43 + ? | + console.log("email from user" + user.email); + console.log(`email from user ${user.email}`); + logger.info(`email from user ${user.email}`); + logger.warn(email); + : labels: + - source: console.log("email from user" + user.email) + style: primary + start: 0 + end: 43 + - source: console + style: secondary + start: 0 + end: 7 + - source: log + style: secondary + start: 8 + end: 11 + - source: console.log + style: secondary + start: 0 + end: 11 + - source: email + style: secondary + start: 37 + end: 42 + - source: user.email + style: secondary + start: 32 + end: 42 + - source: '"email from user" + user.email' + style: secondary + start: 12 + end: 42 + - source: ("email from user" + user.email) + style: secondary + start: 11 + end: 43 diff --git a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml index 53491e43..67556d99 100644 --- a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml +++ b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml 
@@ -76,6 +76,82 @@ snapshots: style: secondary start: 40 end: 71 + ? | + const Sequelize = require('sequelize'); + const passwordFromEnv = 'test'; + const sequelize2 = new Sequelize('database', 'username', passwordFromEnv, { + host: 'localhost', + port: 5432, + dialect: 'postgres' + }); + : labels: + - source: passwordFromEnv + style: primary + start: 129 + end: 144 + - source: |- + { + host: 'localhost', + port: 5432, + dialect: 'postgres' + } + style: secondary + start: 146 + end: 200 + - source: Sequelize + style: secondary + start: 95 + end: 104 + - source: const Sequelize = require('sequelize'); + style: secondary + start: 0 + end: 39 + - source: const Sequelize = require('sequelize'); + style: secondary + start: 0 + end: 39 + - source: |- + new Sequelize('database', 'username', passwordFromEnv, { + host: 'localhost', + port: 5432, + dialect: 'postgres' + }) + style: secondary + start: 91 + end: 201 + - source: |- + ('database', 'username', passwordFromEnv, { + host: 'localhost', + port: 5432, + dialect: 'postgres' + }) + style: secondary + start: 104 + end: 201 + - source: passwordFromEnv + style: secondary + start: 46 + end: 61 + - source: test + style: secondary + start: 65 + end: 69 + - source: '''test''' + style: secondary + start: 64 + end: 70 + - source: passwordFromEnv = 'test' + style: secondary + start: 46 + end: 70 + - source: const passwordFromEnv = 'test'; + style: secondary + start: 40 + end: 71 + - source: const passwordFromEnv = 'test'; + style: secondary + start: 40 + end: 71 ? | const Sequelize = require('sequelize'); const sequelize = new Sequelize('database', 'username', 'password', { diff --git a/tests/__snapshots__/null-library-function-c-snapshot.yml b/tests/__snapshots__/null-library-function-c-snapshot.yml index ca60a298..0f4191a3 100644 --- a/tests/__snapshots__/null-library-function-c-snapshot.yml +++ b/tests/__snapshots__/null-library-function-c-snapshot.yml 
@@ -63,6 +63,39 @@ snapshots: style: secondary start: 32 end: 62 + ? | + void test_getc() { + int c = getc(fptr = fopen(file_name, "r")); + } + : labels: + - source: getc(fptr = fopen(file_name, "r")) + style: primary + start: 28 + end: 62 + - source: getc + style: secondary + start: 28 + end: 32 + - source: fptr + style: secondary + start: 33 + end: 37 + - source: fopen + style: secondary + start: 40 + end: 45 + - source: fopen(file_name, "r") + style: secondary + start: 40 + end: 61 + - source: fptr = fopen(file_name, "r") + style: secondary + start: 33 + end: 61 + - source: (fptr = fopen(file_name, "r")) + style: secondary + start: 32 + end: 62 ? | { FILE *fptr; diff --git a/tests/__snapshots__/null-library-function-cpp-snapshot.yml b/tests/__snapshots__/null-library-function-cpp-snapshot.yml index e8d68475..a08fbdeb 100644 --- a/tests/__snapshots__/null-library-function-cpp-snapshot.yml +++ b/tests/__snapshots__/null-library-function-cpp-snapshot.yml @@ -63,6 +63,39 @@ snapshots: style: secondary start: 32 end: 62 + ? | + void test_getc() { + int c = getc(fptr = fopen(file_name, "r")); + } + : labels: + - source: getc(fptr = fopen(file_name, "r")) + style: primary + start: 28 + end: 62 + - source: getc + style: secondary + start: 28 + end: 32 + - source: fptr + style: secondary + start: 33 + end: 37 + - source: fopen + style: secondary + start: 40 + end: 45 + - source: fopen(file_name, "r") + style: secondary + start: 40 + end: 61 + - source: fptr = fopen(file_name, "r") + style: secondary + start: 33 + end: 61 + - source: (fptr = fopen(file_name, "r")) + style: secondary + start: 32 + end: 62 ? | { FILE *fptr; diff --git a/tests/__snapshots__/passwordauthentication-hardcoded-password-java-snapshot.yml b/tests/__snapshots__/passwordauthentication-hardcoded-password-java-snapshot.yml index 6b525c99..41417db0 100644 --- a/tests/__snapshots__/passwordauthentication-hardcoded-password-java-snapshot.yml 
+++ b/tests/__snapshots__/passwordauthentication-hardcoded-password-java-snapshot.yml @@ -179,3 +179,82 @@ snapshots: style: secondary start: 457 end: 481 + ? | + import java.net.http.HttpRequest; + import java.net.PasswordAuthentication; + public class UhOh { + public void run(){ + String b64token = "d293ZWU6d2Fob28="; + String basictoken = "Basic d293ZWU6d2Fob28=" + + var authClient = HttpClient + .newBuilder() + .authenticator(new Authenticator() { + @Override + protected PasswordAuthentication getPasswordAuthentication() { + new PasswordAuthentication("postman", "password".toCharArray()); + }) + .build(); + } + } + : labels: + - source: '"password"' + style: primary + start: 457 + end: 467 + - source: '"password"' + style: secondary + start: 457 + end: 467 + - source: toCharArray + style: secondary + start: 468 + end: 479 + - source: () + style: secondary + start: 479 + end: 481 + - source: PasswordAuthentication + style: secondary + start: 423 + end: 445 + - source: ("postman", "password".toCharArray()) + style: secondary + start: 445 + end: 482 + - source: java + style: secondary + start: 41 + end: 45 + - source: net + style: secondary + start: 46 + end: 49 + - source: java.net + style: secondary + start: 41 + end: 49 + - source: PasswordAuthentication + style: secondary + start: 50 + end: 72 + - source: java.net.PasswordAuthentication + style: secondary + start: 41 + end: 72 + - source: import java.net.PasswordAuthentication; + style: secondary + start: 34 + end: 73 + - source: import java.net.PasswordAuthentication; + style: secondary + start: 34 + end: 73 + - source: new PasswordAuthentication("postman", "password".toCharArray()) + style: secondary + start: 419 + end: 482 + - source: '"password".toCharArray()' + style: secondary + start: 457 + end: 481 diff --git a/tests/__snapshots__/postgres-empty-password-rust-snapshot.yml b/tests/__snapshots__/postgres-empty-password-rust-snapshot.yml index 725281f7..e7186339 100644 
--- a/tests/__snapshots__/postgres-empty-password-rust-snapshot.yml +++ b/tests/__snapshots__/postgres-empty-password-rust-snapshot.yml 
@@ -356,6 +356,109 @@ snapshots: style: secondary start: 55 end: 224 + ? | + fn test1() { + let mut config = postgres::Config::new(); + config + .host(std::env::var("HOST").expect("set HOST")) + .user(std::env::var("USER").expect("set USER")) + .password("") + .port(std::env::var("PORT").expect("set PORT")); + let (client, connection) = config.connect(NoTls); + Ok(()) + } + : labels: + - source: |- + config + .host(std::env::var("HOST").expect("set HOST")) + .user(std::env::var("USER").expect("set USER")) + .password("") + style: primary + start: 55 + end: 174 + - source: config + style: secondary + start: 55 + end: 61 + - source: |- + config + .host + style: secondary + start: 55 + end: 68 + - source: (std::env::var("HOST").expect("set HOST")) + style: secondary + start: 68 + end: 110 + - source: |- + config + .host(std::env::var("HOST").expect("set HOST")) + style: secondary + start: 55 + end: 110 + - source: user + style: secondary + start: 113 + end: 117 + - source: |- + config + .host(std::env::var("HOST").expect("set HOST")) + .user + style: secondary + start: 55 + end: 117 + - source: (std::env::var("USER").expect("set USER")) + style: secondary + start: 117 + end: 159 + - source: |- + config + .host(std::env::var("HOST").expect("set HOST")) + .user(std::env::var("USER").expect("set USER")) + style: secondary + start: 55 + end: 159 + - source: password + style: secondary + start: 162 + end: 170 + - source: |- + config + .host(std::env::var("HOST").expect("set HOST")) + .user(std::env::var("USER").expect("set USER")) + .password + style: secondary + start: 55 + end: 170 + - source: '""' + style: secondary + start: 171 + end: 173 + - source: ("") + style: secondary + start: 170 + end: 174 + - source: config + style: secondary + start: 21 + end: 27 + - source: postgres::Config::new() + style: secondary + start: 30 + end: 53 + - source: let mut config = postgres::Config::new(); + style: secondary + start: 13 + end: 54 + - source: |- + config + 
.host(std::env::var("HOST").expect("set HOST")) + .user(std::env::var("USER").expect("set USER")) + .password("") + .port(std::env::var("PORT").expect("set PORT")); + style: secondary + start: 55 + end: 224 ? | fn test1() { let mut config = postgres::Config::new(); diff --git a/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml b/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml index 7f8eec81..38841726 100644 --- a/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml +++ b/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml @@ -75,3 +75,51 @@ snapshots: style: secondary start: 0 end: 9 + ? | + test = "" + ldap3.Connection(password=test) + : labels: + - source: ldap3.Connection(password=test) + style: primary + start: 10 + end: 41 + - source: ldap3.Connection + style: secondary + start: 10 + end: 26 + - source: password + style: secondary + start: 27 + end: 35 + - source: test + style: secondary + start: 36 + end: 40 + - source: password=test + style: secondary + start: 27 + end: 40 + - source: (password=test) + style: secondary + start: 26 + end: 41 + - source: test + style: secondary + start: 0 + end: 4 + - source: '""' + style: secondary + start: 7 + end: 9 + - source: test = "" + style: secondary + start: 0 + end: 9 + - source: test = "" + style: secondary + start: 0 + end: 9 + - source: test = "" + style: secondary + start: 0 + end: 9 diff --git a/tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml index 43869edd..cf2ed1b9 100644 --- a/tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml +++ b/tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml 
@@ -99,3 +99,63 @@ snapshots: style: secondary start: 18 end: 34 + ? | + test = "password" + ldap3.Connection(password=test) + : labels: + - source: ldap3.Connection(password=test) + style: primary + start: 18 + end: 49 + - source: password + style: secondary + start: 35 + end: 43 + - source: test + style: secondary + start: 0 + end: 4 + - source: '"' + style: secondary + start: 7 + end: 8 + - source: password + style: secondary + start: 8 + end: 16 + - source: '"' + style: secondary + start: 16 + end: 17 + - source: '"password"' + style: secondary + start: 7 + end: 17 + - source: test = "password" + style: secondary + start: 0 + end: 17 + - source: test = "password" + style: secondary + start: 0 + end: 17 + - source: test = "password" + style: secondary + start: 0 + end: 17 + - source: test + style: secondary + start: 44 + end: 48 + - source: password=test + style: secondary + start: 35 + end: 48 + - source: (password=test) + style: secondary + start: 34 + end: 49 + - source: ldap3.Connection + style: secondary + start: 18 + end: 34 diff --git a/tests/__snapshots__/python-mysql-empty-password-python-snapshot.yml b/tests/__snapshots__/python-mysql-empty-password-python-snapshot.yml index 18c7ac76..06e32b2c 100644 --- a/tests/__snapshots__/python-mysql-empty-password-python-snapshot.yml +++ b/tests/__snapshots__/python-mysql-empty-password-python-snapshot.yml 
@@ -120,6 +120,70 @@ snapshots: style: secondary start: 0 end: 34 + ? | + import mysql.connector as mysql123 + mysql123.connect(host="localhost",user="root",passwd="",database="aaa") + : labels: + - source: mysql123.connect(host="localhost",user="root",passwd="",database="aaa") + style: primary + start: 35 + end: 106 + - source: mysql123 + style: secondary + start: 35 + end: 43 + - source: connect + style: secondary + start: 44 + end: 51 + - source: passwd + style: secondary + start: 81 + end: 87 + - source: '"' + style: secondary + start: 88 + end: 89 + - source: '"' + style: secondary + start: 89 + end: 90 + - source: '""' + style: secondary + start: 88 + end: 90 + - source: passwd="" + style: secondary + start: 81 + end: 90 + - source: (host="localhost",user="root",passwd="",database="aaa") + style: secondary + start: 51 + end: 106 + - source: mysql123.connect + style: secondary + start: 35 + end: 51 + - source: mysql123 + style: secondary + start: 26 + end: 34 + - source: mysql.connector + style: secondary + start: 7 + end: 22 + - source: mysql.connector as mysql123 + style: secondary + start: 7 + end: 34 + - source: import mysql.connector as mysql123 + style: secondary + start: 0 + end: 34 + - source: import mysql.connector as mysql123 + style: secondary + start: 0 + end: 34 ? | mysql.connector.connect(password="") : labels: diff --git a/tests/__snapshots__/python-mysql-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-mysql-hardcoded-secret-python-snapshot.yml index aa616f55..310d4a2c 100644 --- a/tests/__snapshots__/python-mysql-hardcoded-secret-python-snapshot.yml +++ b/tests/__snapshots__/python-mysql-hardcoded-secret-python-snapshot.yml 
@@ -128,6 +128,74 @@ snapshots: style: secondary start: 0 end: 34 + ? | + import mysql.connector as mysql123 + mysql123.connect(host="localhost",user="root",passwd="password",database="aaa") + : labels: + - source: mysql123.connect(host="localhost",user="root",passwd="password",database="aaa") + style: primary + start: 35 + end: 114 + - source: mysql123 + style: secondary + start: 35 + end: 43 + - source: connect + style: secondary + start: 44 + end: 51 + - source: passwd + style: secondary + start: 81 + end: 87 + - source: '"' + style: secondary + start: 88 + end: 89 + - source: password + style: secondary + start: 89 + end: 97 + - source: '"' + style: secondary + start: 97 + end: 98 + - source: '"password"' + style: secondary + start: 88 + end: 98 + - source: passwd="password" + style: secondary + start: 81 + end: 98 + - source: (host="localhost",user="root",passwd="password",database="aaa") + style: secondary + start: 51 + end: 114 + - source: mysql123.connect + style: secondary + start: 35 + end: 51 + - source: mysql123 + style: secondary + start: 26 + end: 34 + - source: mysql.connector + style: secondary + start: 7 + end: 22 + - source: mysql.connector as mysql123 + style: secondary + start: 7 + end: 34 + - source: import mysql.connector as mysql123 + style: secondary + start: 0 + end: 34 + - source: import mysql.connector as mysql123 + style: secondary + start: 0 + end: 34 ? | mysql.connector.connect(password="password") : labels: diff --git a/tests/__snapshots__/python-neo4j-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-neo4j-hardcoded-secret-python-snapshot.yml index 110188d4..792e8281 100644 --- a/tests/__snapshots__/python-neo4j-hardcoded-secret-python-snapshot.yml +++ b/tests/__snapshots__/python-neo4j-hardcoded-secret-python-snapshot.yml 
@@ -216,6 +216,71 @@ snapshots: style: secondary start: 0 end: 81 + ? | + from neo4j import ( + basic_auth, + kerberos_auth, + bearer_auth, + AsyncGraphDatabase, + ) + driver = GraphDatabase.driver(uri, auth=bearer_auth("token")) + : labels: + - source: bearer_auth("token") + style: primary + start: 122 + end: 142 + - source: '"' + style: secondary + start: 134 + end: 135 + - source: token + style: secondary + start: 135 + end: 140 + - source: '"' + style: secondary + start: 140 + end: 141 + - source: '"token"' + style: secondary + start: 134 + end: 141 + - source: ("token") + style: secondary + start: 133 + end: 142 + - source: bearer_auth + style: secondary + start: 122 + end: 133 + - source: bearer_auth + style: secondary + start: 47 + end: 58 + - source: neo4j + style: secondary + start: 5 + end: 10 + - source: |- + from neo4j import ( + basic_auth, + kerberos_auth, + bearer_auth, + AsyncGraphDatabase, + ) + style: secondary + start: 0 + end: 81 + - source: |- + from neo4j import ( + basic_auth, + kerberos_auth, + bearer_auth, + AsyncGraphDatabase, + ) + style: secondary + start: 0 + end: 81 ? "from neo4j import (\nbasic_auth,\nkerberos_auth,\nbearer_auth,\nAsyncGraphDatabase,\n)\nuri = \"neo4j://example.com:7687\" \ndriver = GraphDatabase.driver(uri, auth=kerberos_auth(\"token\"))\n" : labels: - source: kerberos_auth("token") diff --git a/tests/__snapshots__/python-peewee-mysql-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-peewee-mysql-hardcoded-secret-python-snapshot.yml index ff63f255..5a734eaa 100644 --- a/tests/__snapshots__/python-peewee-mysql-hardcoded-secret-python-snapshot.yml +++ b/tests/__snapshots__/python-peewee-mysql-hardcoded-secret-python-snapshot.yml 
@@ -30,3 +30,33 @@ snapshots: style: secondary start: 25 end: 99 + ? "mysql_db1 = MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306) \n" + : labels: + - source: MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306) + style: primary + start: 12 + end: 99 + - source: MySQLDatabase + style: secondary + start: 12 + end: 25 + - source: password + style: secondary + start: 48 + end: 56 + - source: db_password + style: secondary + start: 58 + end: 69 + - source: '''db_password''' + style: secondary + start: 57 + end: 70 + - source: password='db_password' + style: secondary + start: 48 + end: 70 + - source: ('my_app', user='app', password='db_password', host='10.1.0.8', port=3306) + style: secondary + start: 25 + end: 99 diff --git a/tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml b/tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml index b55cb759..b1023029 100644 --- a/tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml +++ b/tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml @@ -26,3 +26,29 @@ snapshots: style: secondary start: 20 end: 66 + ? "c = psycopg2.connect(user, database=dbname, password=\"\", **params).abc() \n" + : labels: + - source: psycopg2.connect(user, database=dbname, password="", **params) + style: primary + start: 4 + end: 66 + - source: psycopg2.connect + style: secondary + start: 4 + end: 20 + - source: password + style: secondary + start: 44 + end: 52 + - source: '""' + style: secondary + start: 53 + end: 55 + - source: password="" + style: secondary + start: 44 + end: 55 + - source: (user, database=dbname, password="", **params) + style: secondary + start: 20 + end: 66 diff --git a/tests/__snapshots__/python-psycopg2-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-psycopg2-hardcoded-secret-python-snapshot.yml index 74208122..73c17ebe 100644 
--- a/tests/__snapshots__/python-psycopg2-hardcoded-secret-python-snapshot.yml +++ b/tests/__snapshots__/python-psycopg2-hardcoded-secret-python-snapshot.yml @@ -30,3 +30,33 @@ snapshots: style: secondary start: 20 end: 69 + ? "c = psycopg2.connect(user, database=dbname, password=\"abc\", **params).abc() \n" + : labels: + - source: psycopg2.connect(user, database=dbname, password="abc", **params) + style: primary + start: 4 + end: 69 + - source: psycopg2.connect + style: secondary + start: 4 + end: 20 + - source: password + style: secondary + start: 44 + end: 52 + - source: abc + style: secondary + start: 54 + end: 57 + - source: '"abc"' + style: secondary + start: 53 + end: 58 + - source: password="abc" + style: secondary + start: 44 + end: 58 + - source: (user, database=dbname, password="abc", **params) + style: secondary + start: 20 + end: 69 diff --git a/tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml index 738d78aa..a37c9c84 100644 --- a/tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml +++ b/tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml 
@@ -48,3 +48,51 @@ snapshots: style: secondary start: 23 end: 107 + ? | + conn1 = pymssql.connect( + server='SQL01', + user='user', + password='password', + database='mydatabase', + ) + : labels: + - source: |- + pymssql.connect( + server='SQL01', + user='user', + password='password', + database='mydatabase', + ) + style: primary + start: 8 + end: 107 + - source: pymssql.connect + style: secondary + start: 8 + end: 23 + - source: password + style: secondary + start: 60 + end: 68 + - source: password + style: secondary + start: 70 + end: 78 + - source: '''password''' + style: secondary + start: 69 + end: 79 + - source: password='password' + style: secondary + start: 60 + end: 79 + - source: |- + ( + server='SQL01', + user='user', + password='password', + database='mydatabase', + ) + style: secondary + start: 23 + end: 107 diff --git a/tests/__snapshots__/python-pymysql-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-pymysql-hardcoded-secret-python-snapshot.yml index edbacdd2..5b4cab4c 100644 --- a/tests/__snapshots__/python-pymysql-hardcoded-secret-python-snapshot.yml +++ b/tests/__snapshots__/python-pymysql-hardcoded-secret-python-snapshot.yml @@ -30,3 +30,34 @@ snapshots: style: secondary start: 15 end: 29 + ? | + pymysql.connect(password="a") + : labels: + - source: pymysql.connect(password="a") + style: primary + start: 0 + end: 29 + - source: pymysql.connect + style: secondary + start: 0 + end: 15 + - source: password + style: secondary + start: 16 + end: 24 + - source: a + style: secondary + start: 26 + end: 27 + - source: '"a"' + style: secondary + start: 25 + end: 28 + - source: password="a" + style: secondary + start: 16 + end: 28 + - source: (password="a") + style: secondary + start: 15 + end: 29 diff --git a/tests/__snapshots__/python-redis-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-redis-hardcoded-secret-python-snapshot.yml index 50c4f423..cbbe07e4 100644 
--- a/tests/__snapshots__/python-redis-hardcoded-secret-python-snapshot.yml +++ b/tests/__snapshots__/python-redis-hardcoded-secret-python-snapshot.yml @@ -48,3 +48,51 @@ snapshots: style: secondary start: 26 end: 87 + ? | + redis_client = redis.Redis( + host='localhost', + port=6379, + password="abc", + db=5 + ) + : labels: + - source: |- + redis.Redis( + host='localhost', + port=6379, + password="abc", + db=5 + ) + style: primary + start: 15 + end: 87 + - source: redis.Redis + style: secondary + start: 15 + end: 26 + - source: password + style: secondary + start: 63 + end: 71 + - source: abc + style: secondary + start: 73 + end: 76 + - source: '"abc"' + style: secondary + start: 72 + end: 77 + - source: password="abc" + style: secondary + start: 63 + end: 77 + - source: |- + ( + host='localhost', + port=6379, + password="abc", + db=5 + ) + style: secondary + start: 26 + end: 87 diff --git a/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml b/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml index 7d5c779e..b5b78173 100644 --- a/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml +++ b/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml @@ -54,3 +54,21 @@ snapshots: style: secondary start: 89 end: 105 + ? "requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('username', '')) \n" + : labels: + - source: requests.auth.HTTPBasicAuth('username', '') + style: primary + start: 62 + end: 105 + - source: requests.auth.HTTPBasicAuth + style: secondary + start: 62 + end: 89 + - source: '''''' + style: secondary + start: 102 + end: 104 + - source: ('username', '') + style: secondary + start: 89 + end: 105 diff --git a/tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml index 4af97a08..d55e17d6 100644 
--- a/tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml +++ b/tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml @@ -30,3 +30,34 @@ snapshots: style: secondary start: 25 end: 48 + ? | + urllib3.util.make_headers(basic_auth="user:123") + : labels: + - source: urllib3.util.make_headers(basic_auth="user:123") + style: primary + start: 0 + end: 48 + - source: urllib3.util.make_headers + style: secondary + start: 0 + end: 25 + - source: basic_auth + style: secondary + start: 26 + end: 36 + - source: user:123 + style: secondary + start: 38 + end: 46 + - source: '"user:123"' + style: secondary + start: 37 + end: 47 + - source: basic_auth="user:123" + style: secondary + start: 26 + end: 47 + - source: (basic_auth="user:123") + style: secondary + start: 25 + end: 48 diff --git a/tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml index c56f9648..2b54ffb1 100644 --- a/tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml +++ b/tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml 
@@ -87,6 +87,58 @@ snapshots: style: secondary start: 36 end: 43 + ? | + let password: Array = Array("s33krit".utf8) + Rabbit(key: password, iv: "123") + : labels: + - source: 'Rabbit(key: password, iv: "123")' + style: primary + start: 51 + end: 83 + - source: Rabbit + style: secondary + start: 51 + end: 57 + - source: key + style: secondary + start: 58 + end: 61 + - source: password + style: secondary + start: 63 + end: 71 + - source: 'key: password' + style: secondary + start: 58 + end: 71 + - source: '(key: password, iv: "123")' + style: secondary + start: 57 + end: 83 + - source: '(key: password, iv: "123")' + style: secondary + start: 57 + end: 83 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 29 + end: 50 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 + - source: s33krit + style: secondary + start: 36 + end: 43 ? | let password: Array = Array("s33krit".utf8) try Rabbit(key: password, iv: "123") diff --git a/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml b/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml index 45eae8b2..01a79cee 100644 --- a/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml +++ b/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml @@ -20,6 +20,12 @@ snapshots: style: primary start: 0 end: 104 + ? "reqwest::Client::builder().user_agent(\"USER AGENT\").cookie_store(true).danger_accept_invalid_certs(true) \n" + : labels: + - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) + style: primary + start: 0 + end: 104 ? | reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) : labels: 
diff --git a/tests/__snapshots__/ruby-aws-sdk-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-aws-sdk-hardcoded-secret-ruby-snapshot.yml index b364f5e4..e498122c 100644 --- a/tests/__snapshots__/ruby-aws-sdk-hardcoded-secret-ruby-snapshot.yml +++ b/tests/__snapshots__/ruby-aws-sdk-hardcoded-secret-ruby-snapshot.yml @@ -105,3 +105,65 @@ snapshots: style: secondary start: 0 end: 22 + ? | + require 'aws-sdk-core' + secsec = 'secret' + creds = Aws::Credentials.new('akid', secsec) + Aws.config.update(region: 'us-west-2', credentials: creds) + : labels: + - source: Aws::Credentials.new('akid', secsec) + style: primary + start: 49 + end: 85 + - source: Aws::Credentials + style: secondary + start: 49 + end: 65 + - source: . + style: secondary + start: 65 + end: 66 + - source: new + style: secondary + start: 66 + end: 69 + - source: '''akid''' + style: secondary + start: 70 + end: 76 + - source: secsec + style: secondary + start: 78 + end: 84 + - source: ('akid', secsec) + style: secondary + start: 69 + end: 85 + - source: secsec + style: secondary + start: 23 + end: 29 + - source: secret + style: secondary + start: 33 + end: 39 + - source: '''secret''' + style: secondary + start: 32 + end: 40 + - source: secsec = 'secret' + style: secondary + start: 23 + end: 40 + - source: secsec = 'secret' + style: secondary + start: 23 + end: 40 + - source: require 'aws-sdk-core' + style: secondary + start: 0 + end: 22 + - source: require 'aws-sdk-core' + style: secondary + start: 0 + end: 22 diff --git a/tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml index 343fb23b..7c9546e3 100644 --- a/tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml +++ b/tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml 
@@ -137,6 +137,43 @@ snapshots: style: secondary start: 26 end: 46 + ? | + require "faraday" + pass = 'authentication-token' + conn.request :token_auth, pass, **options + : labels: + - source: conn.request :token_auth, pass, **options + style: primary + start: 48 + end: 89 + - source: request + style: secondary + start: 53 + end: 60 + - source: :token_auth + style: secondary + start: 61 + end: 72 + - source: pass + style: secondary + start: 74 + end: 78 + - source: :token_auth, pass, **options + style: secondary + start: 61 + end: 89 + - source: require "faraday" + style: secondary + start: 0 + end: 17 + - source: pass = 'authentication-token' + style: secondary + start: 18 + end: 47 + - source: authentication-token + style: secondary + start: 26 + end: 46 ? | require "faraday" pass = 'authentication-token' diff --git a/tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml b/tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml index 0950774f..a7f2975f 100644 --- a/tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml +++ b/tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml 
@@ -58,3 +58,61 @@ snapshots: style: secondary start: 17 end: 151 + ? | + con1 = PG.connect( + :dbname => 'database', + :host => 'host', + :port => 1234, + :user => 'user', + :password => '', + :sslmode => 'prefer' + ) + : labels: + - source: |- + PG.connect( + :dbname => 'database', + :host => 'host', + :port => 1234, + :user => 'user', + :password => '', + :sslmode => 'prefer' + ) + style: primary + start: 7 + end: 151 + - source: PG + style: secondary + start: 7 + end: 9 + - source: . + style: secondary + start: 9 + end: 10 + - source: connect + style: secondary + start: 10 + end: 17 + - source: :password + style: secondary + start: 110 + end: 119 + - source: '''''' + style: secondary + start: 123 + end: 125 + - source: :password => '' + style: secondary + start: 110 + end: 125 + - source: |- + ( + :dbname => 'database', + :host => 'host', + :port => 1234, + :user => 'user', + :password => '', + :sslmode => 'prefer' + ) + style: secondary + start: 17 + end: 151 diff --git a/tests/__snapshots__/ruby-pg-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-pg-hardcoded-secret-ruby-snapshot.yml index a7230acc..6ef76414 100644 --- a/tests/__snapshots__/ruby-pg-hardcoded-secret-ruby-snapshot.yml +++ b/tests/__snapshots__/ruby-pg-hardcoded-secret-ruby-snapshot.yml 
@@ -67,3 +67,70 @@ snapshots: style: secondary start: 0 end: 12 + ? | + require "pg" + PG.connect( + :dbname => 'database', + :host => 'host', + :port => 1234, + :user => 'user', + :password => 'password', + :sslmode => 'prefer' + ) + : labels: + - source: |- + PG.connect( + :dbname => 'database', + :host => 'host', + :port => 1234, + :user => 'user', + :password => 'password', + :sslmode => 'prefer' + ) + style: primary + start: 13 + end: 171 + - source: PG + style: secondary + start: 13 + end: 15 + - source: . + style: secondary + start: 15 + end: 16 + - source: connect + style: secondary + start: 16 + end: 23 + - source: :password + style: secondary + start: 121 + end: 130 + - source: password + style: secondary + start: 135 + end: 143 + - source: '''password''' + style: secondary + start: 134 + end: 144 + - source: :password => 'password' + style: secondary + start: 121 + end: 144 + - source: |- + ( + :dbname => 'database', + :host => 'host', + :port => 1234, + :user => 'user', + :password => 'password', + :sslmode => 'prefer' + ) + style: secondary + start: 23 + end: 171 + - source: require "pg" + style: secondary + start: 0 + end: 12 diff --git a/tests/__snapshots__/secrets-reqwest-hardcoded-auth-rust-snapshot.yml b/tests/__snapshots__/secrets-reqwest-hardcoded-auth-rust-snapshot.yml index 354314f6..486fa168 100644 --- a/tests/__snapshots__/secrets-reqwest-hardcoded-auth-rust-snapshot.yml +++ b/tests/__snapshots__/secrets-reqwest-hardcoded-auth-rust-snapshot.yml 
@@ -116,3 +116,53 @@ snapshots: style: secondary start: 171 end: 190 + ? "use reqwest::Client; \nasync fn test2() -> Result<(), reqwest::Error> {\nlet client = reqwest::Client::new();\nlet resp = client.put(\"http://httpbin.org/delete\")\n.bearer_auth(\"hardcoded-token\")\n.send()\n.await?;\nprintln!(\"body = {:?}\", resp);\nOk(())\n}\n" + : labels: + - source: |- + client.put("http://httpbin.org/delete") + .bearer_auth("hardcoded-token") + style: primary + start: 119 + end: 190 + - source: client + style: secondary + start: 119 + end: 125 + - source: bearer_auth + style: secondary + start: 160 + end: 171 + - source: |- + client.put("http://httpbin.org/delete") + .bearer_auth + style: secondary + start: 119 + end: 171 + - source: client + style: secondary + start: 75 + end: 81 + - source: reqwest::Client::new() + style: secondary + start: 84 + end: 106 + - source: let client = reqwest::Client::new(); + style: secondary + start: 71 + end: 107 + - source: let client = reqwest::Client::new(); + style: secondary + start: 71 + end: 107 + - source: hardcoded-token + style: secondary + start: 173 + end: 188 + - source: '"hardcoded-token"' + style: secondary + start: 172 + end: 189 + - source: ("hardcoded-token") + style: secondary + start: 171 + end: 190 diff --git a/tests/__snapshots__/sql-injection-typescript-snapshot.yml b/tests/__snapshots__/sql-injection-typescript-snapshot.yml new file mode 100644 index 00000000..eda2b63b --- /dev/null +++ b/tests/__snapshots__/sql-injection-typescript-snapshot.yml 
@@ -0,0 +1,45 @@ +id: sql-injection-typescript +snapshots: + ? | + connection.query("SELECT * FROM users WHERE id=" + userId,(err, result) => { + res.json(result); + }); + : labels: + - source: '"SELECT * FROM users WHERE id=" + userId' + style: primary + start: 17 + end: 57 + - source: SELECT * FROM users WHERE id= + style: secondary + start: 18 + end: 47 + - source: '"SELECT * FROM users WHERE id="' + style: secondary + start: 17 + end: 48 + ? | + models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) + : labels: + - source: '`SELECT * FROM Products WHERE ((name LIKE ''%${criteria}%'' OR description LIKE ''%${criteria}%'') AND deletedAt IS NULL) ORDER BY name`' + style: primary + start: 23 + end: 155 + - source: ${criteria} + style: secondary + start: 67 + end: 78 + ? | + sequelize.query('SELECT * FROM Products WHERE name LIKE ' + req.body.username); + : labels: + - source: '''SELECT * FROM Products WHERE name LIKE '' + req.body.username' + style: primary + start: 16 + end: 78 + - source: 'SELECT * FROM Products WHERE name LIKE ' + style: secondary + start: 17 + end: 56 + - source: '''SELECT * FROM Products WHERE name LIKE ''' + style: secondary + start: 16 + end: 57 diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml index 676d8e10..14c91e19 100644 --- a/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml +++ b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml 
@@ -69,3 +69,38 @@ snapshots: style: secondary start: 55 end: 65 + ? | + System.setProperty("javax.net.ssl.trustStorePassword", "password"); + : labels: + - source: password + style: primary + start: 56 + end: 64 + - source: javax.net.ssl.trustStorePassword + style: secondary + start: 20 + end: 52 + - source: '"javax.net.ssl.trustStorePassword"' + style: secondary + start: 19 + end: 53 + - source: System + style: secondary + start: 0 + end: 6 + - source: setProperty + style: secondary + start: 7 + end: 18 + - source: System.setProperty("javax.net.ssl.trustStorePassword", "password") + style: secondary + start: 0 + end: 66 + - source: ("javax.net.ssl.trustStorePassword", "password") + style: secondary + start: 18 + end: 66 + - source: '"password"' + style: secondary + start: 55 + end: 65 diff --git a/tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml b/tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml index 199a0f9e..c5b7e49e 100644 --- a/tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml +++ b/tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml 
@@ -52,3 +52,55 @@ snapshots: style: secondary start: 180 end: 184 + ? | + async fn okTest2() -> Result<(), anyhow::Error> { + let (client, connection) = tokio_postgres::Config::new() + .host(shard_host_name.as_str()) + .user("postgres") + .password("") + .dbname("ninja") + .keepalives_idle(std::time::Duration::from_secs(30)) + .connect(NoTls) + .await + .map_err(|e| { + error!(log, "failed to connect to {}: {}", &shard_host_name, e); + Error::new(ErrorKind::Other, e) + })?; + + tokio::spawn(async move { + if let Err(e) = connection.await { + tracing::error!("postgres db connection error: {}", e); + } + }); + + Ok(()) + } + : labels: + - source: |- + tokio_postgres::Config::new() + .host(shard_host_name.as_str()) + .user("postgres") + .password("") + style: primary + start: 79 + end: 184 + - source: tokio_postgres::Config::new + style: secondary + start: 79 + end: 106 + - source: |- + tokio_postgres::Config::new() + .host(shard_host_name.as_str()) + .user("postgres") + .password + style: secondary + start: 79 + end: 180 + - source: '""' + style: secondary + start: 181 + end: 183 + - source: ("") + style: secondary + start: 180 + end: 184 diff --git a/tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml b/tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml index 211d2a32..87767311 100644 --- a/tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml +++ b/tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml 
@@ -56,3 +56,59 @@ snapshots: style: secondary start: 180 end: 194 + ? | + async fn okTest2() -> Result<(), anyhow::Error> { + let (client, connection) = tokio_postgres::Config::new() + .host(shard_host_name.as_str()) + .user("postgres") + .password("myPassword") + .dbname("ninja") + .keepalives_idle(std::time::Duration::from_secs(30)) + .connect(NoTls) + .await + .map_err(|e| { + error!(log, "failed to connect to {}: {}", &shard_host_name, e); + Error::new(ErrorKind::Other, e) + })?; + + tokio::spawn(async move { + if let Err(e) = connection.await { + tracing::error!("postgres db connection error: {}", e); + } + }); + + Ok(()) + } + : labels: + - source: |- + tokio_postgres::Config::new() + .host(shard_host_name.as_str()) + .user("postgres") + .password("myPassword") + style: primary + start: 79 + end: 194 + - source: tokio_postgres::Config::new + style: secondary + start: 79 + end: 106 + - source: |- + tokio_postgres::Config::new() + .host(shard_host_name.as_str()) + .user("postgres") + .password + style: secondary + start: 79 + end: 180 + - source: myPassword + style: secondary + start: 182 + end: 192 + - source: '"myPassword"' + style: secondary + start: 181 + end: 193 + - source: ("myPassword") + style: secondary + start: 180 + end: 194 diff --git a/tests/__snapshots__/use-of-blowfish-java-snapshot.yml b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml index 4b759223..6a1d0662 100644 --- a/tests/__snapshots__/use-of-blowfish-java-snapshot.yml +++ b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml 
@@ -25,6 +25,31 @@ snapshots: style: secondary start: 49 end: 61 + ? | + public void useofBlowfish2() { + Cipher.getInstance("Blowfish"); + } + : labels: + - source: Cipher.getInstance("Blowfish") + style: primary + start: 31 + end: 61 + - source: getInstance + style: secondary + start: 38 + end: 49 + - source: Blowfish + style: secondary + start: 51 + end: 59 + - source: '"Blowfish"' + style: secondary + start: 50 + end: 60 + - source: ("Blowfish") + style: secondary + start: 49 + end: 61 ? | public void useofBlowfish2() { useCipher(Cipher.getInstance("Blowfish")); diff --git a/tests/__snapshots__/use-of-default-aes-java-snapshot.yml b/tests/__snapshots__/use-of-default-aes-java-snapshot.yml index f50c332c..2a62aa2d 100644 --- a/tests/__snapshots__/use-of-default-aes-java-snapshot.yml +++ b/tests/__snapshots__/use-of-default-aes-java-snapshot.yml @@ -76,3 +76,41 @@ snapshots: style: secondary start: 55 end: 58 + ? | + import javax.crypto.*; + { + useCipher(Cipher.getInstance("AES")); + } + : labels: + - source: Cipher.getInstance("AES") + style: primary + start: 35 + end: 60 + - source: Cipher + style: secondary + start: 35 + end: 41 + - source: getInstance + style: secondary + start: 42 + end: 53 + - source: '"AES"' + style: secondary + start: 54 + end: 59 + - source: ("AES") + style: secondary + start: 53 + end: 60 + - source: import javax.crypto.*; + style: secondary + start: 0 + end: 22 + - source: import javax.crypto.*; + style: secondary + start: 0 + end: 22 + - source: AES + style: secondary + start: 55 + end: 58 diff --git a/tests/__snapshots__/use-of-sha1-java-snapshot.yml b/tests/__snapshots__/use-of-sha1-java-snapshot.yml index 994f88ec..67f3cbe8 100644 --- a/tests/__snapshots__/use-of-sha1-java-snapshot.yml +++ b/tests/__snapshots__/use-of-sha1-java-snapshot.yml 
@@ -41,6 +41,47 @@ snapshots: style: secondary start: 0 end: 35 + ? | + import java.security.MessageDigest; + public byte[] bad1(String password) { + MessageDigest sha1Digest = MessageDigest.getInstance("SHA-1"); + sha1Digest.update(password.getBytes()); + byte[] hashValue = sha1Digest.digest(); + return hashValue; + } + : labels: + - source: MessageDigest.getInstance("SHA-1") + style: primary + start: 101 + end: 135 + - source: MessageDigest + style: secondary + start: 101 + end: 114 + - source: getInstance + style: secondary + start: 115 + end: 126 + - source: SHA-1 + style: secondary + start: 128 + end: 133 + - source: '"SHA-1"' + style: secondary + start: 127 + end: 134 + - source: ("SHA-1") + style: secondary + start: 126 + end: 135 + - source: import java.security.MessageDigest; + style: secondary + start: 0 + end: 35 + - source: import java.security.MessageDigest; + style: secondary + start: 0 + end: 35 ? | public byte[] bad2(String password) { byte[] hashValue = DigestUtils.getSha1Digest().digest(password.getBytes()); diff --git a/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml index 761098a7..80e1d70d 100644 --- a/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml +++ b/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml @@ -107,3 +107,30 @@ snapshots: style: secondary start: 27 end: 45 + ? | + pvk, err := rsa.GenerateKey(rand.Reader, 192) + : labels: + - source: '192' + style: primary + start: 41 + end: 44 + - source: rsa.GenerateKey + style: secondary + start: 12 + end: 27 + - source: '192' + style: secondary + start: 41 + end: 44 + - source: (rand.Reader, 192) + style: secondary + start: 27 + end: 45 + - source: rsa.GenerateKey(rand.Reader, 192) + style: secondary + start: 12 + end: 45 + - source: (rand.Reader, 192) + style: secondary + start: 27 + end: 45 
diff --git a/tests/c/null-library-function-c-test.yml b/tests/c/null-library-function-c-test.yml index d5fbbf3a..942bda23 100644 --- a/tests/c/null-library-function-c-test.yml +++ b/tests/c/null-library-function-c-test.yml @@ -26,4 +26,4 @@ invalid: - | void test_getc() { int c = getc(fptr = fopen(file_name, "r")); - } \ No newline at end of file + } diff --git a/tests/cpp/null-library-function-cpp-test.yml b/tests/cpp/null-library-function-cpp-test.yml index ac8f268e..9ffe1c71 100644 --- a/tests/cpp/null-library-function-cpp-test.yml +++ b/tests/cpp/null-library-function-cpp-test.yml @@ -26,4 +26,4 @@ invalid: - | void test_getc() { int c = getc(fptr = fopen(file_name, "r")); - } \ No newline at end of file + } diff --git a/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml b/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml index fb44f605..7998bc6a 100644 --- a/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml +++ b/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml @@ -30,4 +30,4 @@ invalid: var storeMultipleHardcoded = sessions.NewCookieStore( []byte("old-authentication-key"), []byte("old-encryption-key"), - ) \ No newline at end of file + ) diff --git a/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml b/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml index eb070dd1..eeb0b5c7 100644 --- a/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml +++ b/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml @@ -16,4 +16,4 @@ invalid: func main() { http.ListenAndServe(":8000", csrf.Protect([]byte("32-byte-long-auth-key"))(r)) - } \ No newline at end of file + } diff --git a/tests/go/grpc-client-insecure-connection-go-test.yml b/tests/go/grpc-client-insecure-connection-go-test.yml index 6002ca6e..dcd502ef 100644 --- a/tests/go/grpc-client-insecure-connection-go-test.yml +++ b/tests/go/grpc-client-insecure-connection-go-test.yml 
@@ -4,4 +4,4 @@ valid:
 conn, err := grpc.Dial(address)
 invalid:
 - |
- conn, err := grpc.Dial(address, grpc.WithInsecure())
\ No newline at end of file
+ conn, err := grpc.Dial(address, grpc.WithInsecure())
diff --git a/tests/go/use-of-weak-rsa-key-go-test.yml b/tests/go/use-of-weak-rsa-key-go-test.yml
index 8b65375e..fa33ea3d 100644
--- a/tests/go/use-of-weak-rsa-key-go-test.yml
+++ b/tests/go/use-of-weak-rsa-key-go-test.yml
@@ -10,4 +10,4 @@ invalid:
 - |
 pvk, err := rsa.GenerateKey(rand.Reader, 102.5)
 - |
- pvk, err := rsa.GenerateKey(rand.Reader, 192)
\ No newline at end of file
+ pvk, err := rsa.GenerateKey(rand.Reader, 192)
diff --git a/tests/java/datanucleus-hardcoded-connection-password-java-test.yml b/tests/java/datanucleus-hardcoded-connection-password-java-test.yml
index 0fa882aa..fb95170c 100644
--- a/tests/java/datanucleus-hardcoded-connection-password-java-test.yml
+++ b/tests/java/datanucleus-hardcoded-connection-password-java-test.yml
@@ -25,4 +25,4 @@ invalid:
 public void setUp() throws SQLException {
 pmf.setConnectionPassword(pw);
 }
- }
\ No newline at end of file
+ }
diff --git a/tests/java/ecb-cipher-java-test.yml b/tests/java/ecb-cipher-java-test.yml
index db626ccc..b9089221 100644
--- a/tests/java/ecb-cipher-java-test.yml
+++ b/tests/java/ecb-cipher-java-test.yml
@@ -4,4 +4,4 @@ valid:
 Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
 invalid:
 - |
- Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
\ No newline at end of file
+ Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
diff --git a/tests/java/hardcoded-connection-password-java-test.yml b/tests/java/hardcoded-connection-password-java-test.yml
index a10f982e..2cdc26fe 100644
--- a/tests/java/hardcoded-connection-password-java-test.yml
+++ b/tests/java/hardcoded-connection-password-java-test.yml
@@ -28,4 +28,4 @@ invalid:
 public void setUp() throws SQLException {
 pmf.setConnectionPassword(pw);
 }
- }
\ No newline at end of file
+ }
diff --git a/tests/java/hardcoded-secret-in-credentials-java-test.yml b/tests/java/hardcoded-secret-in-credentials-java-test.yml
index aa8e46b7..975280a1 100644
--- a/tests/java/hardcoded-secret-in-credentials-java-test.yml
+++ b/tests/java/hardcoded-secret-in-credentials-java-test.yml
@@ -17,4 +17,4 @@ invalid:
 public void run() {
 String credential = Credentials.basic(username, password);
 }
- }
\ No newline at end of file
+ }
diff --git a/tests/java/java-jwt-hardcoded-secret-java-test.yml b/tests/java/java-jwt-hardcoded-secret-java-test.yml
index 4aad76df..af012b1c 100644
--- a/tests/java/java-jwt-hardcoded-secret-java-test.yml
+++ b/tests/java/java-jwt-hardcoded-secret-java-test.yml
@@ -43,4 +43,4 @@ invalid:
 .sign(algorithm);
 } catch (JWTCreationException exception){
 }
- }
\ No newline at end of file
+ }
diff --git a/tests/java/jedis-jedisclientconfig-hardcoded-password-java-test.yml b/tests/java/jedis-jedisclientconfig-hardcoded-password-java-test.yml
index e4684c5d..a2862fea 100644
--- a/tests/java/jedis-jedisclientconfig-hardcoded-password-java-test.yml
+++ b/tests/java/jedis-jedisclientconfig-hardcoded-password-java-test.yml
@@ -52,4 +52,4 @@ invalid:
 DefaultJedisClientConfig.Builder builder = DefaultJedisClientConfig.builder();
 builder.password("asdf");
 }
- }
\ No newline at end of file
+ }
diff --git a/tests/java/passwordauthentication-hardcoded-password-java-test.yml b/tests/java/passwordauthentication-hardcoded-password-java-test.yml
index f7ab8806..60bdca15 100644
--- a/tests/java/passwordauthentication-hardcoded-password-java-test.yml
+++ b/tests/java/passwordauthentication-hardcoded-password-java-test.yml
@@ -57,4 +57,4 @@ invalid:
 })
 .build();
 }
- }
\ No newline at end of file
+ }
diff --git a/tests/java/system-setproperty-hardcoded-secret-java-test.yml b/tests/java/system-setproperty-hardcoded-secret-java-test.yml
index 6c0f416b..4c7dc1e3 100644
--- a/tests/java/system-setproperty-hardcoded-secret-java-test.yml
+++ b/tests/java/system-setproperty-hardcoded-secret-java-test.yml
@@ -6,4 +6,4 @@ invalid:
 - |
 System.setProperty("javax.net.ssl.keyStorePassword", "password");
 - |
- System.setProperty("javax.net.ssl.trustStorePassword", "password");
\ No newline at end of file
+ System.setProperty("javax.net.ssl.trustStorePassword", "password");
diff --git a/tests/java/use-of-blowfish-java-test.yml b/tests/java/use-of-blowfish-java-test.yml
index b30073d6..2e1fb897 100644
--- a/tests/java/use-of-blowfish-java-test.yml
+++ b/tests/java/use-of-blowfish-java-test.yml
@@ -10,4 +10,4 @@ invalid:
 - |
 public void useofBlowfish2() {
 Cipher.getInstance("Blowfish");
- }
\ No newline at end of file
+ }
diff --git a/tests/java/use-of-default-aes-java-test.yml b/tests/java/use-of-default-aes-java-test.yml
index 10e4909f..ca4a2bbb 100644
--- a/tests/java/use-of-default-aes-java-test.yml
+++ b/tests/java/use-of-default-aes-java-test.yml
@@ -12,4 +12,4 @@ invalid:
 import javax.crypto.*;
 {
 useCipher(Cipher.getInstance("AES"));
- }
\ No newline at end of file
+ }
diff --git a/tests/java/use-of-rc2-java-test.yml b/tests/java/use-of-rc2-java-test.yml
index 7b084ff7..5dd8f067 100644
--- a/tests/java/use-of-rc2-java-test.yml
+++ b/tests/java/use-of-rc2-java-test.yml
@@ -36,4 +36,4 @@ invalid:
 }
 break;
 }
- }
\ No newline at end of file
+ }
diff --git a/tests/java/use-of-sha1-java-test.yml b/tests/java/use-of-sha1-java-test.yml
index 0120d110..a376948a 100644
--- a/tests/java/use-of-sha1-java-test.yml
+++ b/tests/java/use-of-sha1-java-test.yml
@@ -19,4 +19,4 @@ invalid:
 sha1Digest.update(password.getBytes());
 byte[] hashValue = sha1Digest.digest();
 return hashValue;
- }
\ No newline at end of file
+ }
diff --git a/tests/javascript/express-session-hardcoded-secret-javascript-test.yml b/tests/javascript/express-session-hardcoded-secret-javascript-test.yml
index b5059282..3789b840 100644
--- a/tests/javascript/express-session-hardcoded-secret-javascript-test.yml
+++ b/tests/javascript/express-session-hardcoded-secret-javascript-test.yml
@@ -28,4 +28,4 @@ invalid:
 resave: false,
 secret: 'foo',
 saveUninitialized: false,
- }
\ No newline at end of file
+ }
diff --git a/tests/python/debug-enabled-python-test.yml b/tests/python/debug-enabled-python-test.yml
index 66561dc1..3c0be8da 100644
--- a/tests/python/debug-enabled-python-test.yml
+++ b/tests/python/debug-enabled-python-test.yml
@@ -7,4 +7,4 @@ invalid:
 - |
 from flask import Flask
 if __name__ == "__main__":
- app.run("0.0.0.0", debug=True)
\ No newline at end of file
+ app.run("0.0.0.0", debug=True)
diff --git a/tests/python/hashids-with-flask-secret-python-test.yml b/tests/python/hashids-with-flask-secret-python-test.yml
index 88897471..34e48e7a 100644
--- a/tests/python/hashids-with-flask-secret-python-test.yml
+++ b/tests/python/hashids-with-flask-secret-python-test.yml
@@ -22,4 +22,4 @@ invalid:
 - |
 from hashids import Hashids
 app = Flask(__name__.split('.')[0])
- hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY'])
\ No newline at end of file
+ hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY'])
diff --git a/tests/python/insecure-cipher-algorithm-rc4-python-test.yml b/tests/python/insecure-cipher-algorithm-rc4-python-test.yml
index b9f0870f..750d1dd3 100644
--- a/tests/python/insecure-cipher-algorithm-rc4-python-test.yml
+++ b/tests/python/insecure-cipher-algorithm-rc4-python-test.yml
@@ -23,4 +23,4 @@ invalid:
 - |
 Cryptodome.Cipher.ARC4.new()
 - |
- Cryptodome.Cipher.ARC4.new(asdsd)
\ No newline at end of file
+ Cryptodome.Cipher.ARC4.new(asdsd)
diff --git a/tests/python/jwt-python-hardcoded-secret-python-test.yml b/tests/python/jwt-python-hardcoded-secret-python-test.yml
index 968557cf..8134e69e 100644
--- a/tests/python/jwt-python-hardcoded-secret-python-test.yml
+++ b/tests/python/jwt-python-hardcoded-secret-python-test.yml
@@ -19,4 +19,4 @@ invalid:
 secret_const = "this-is-secret"
 def bad2():
 encoded = jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")
-
\ No newline at end of file
+
diff --git a/tests/python/python-ldap3-empty-password-python-test.yml b/tests/python/python-ldap3-empty-password-python-test.yml
index 8544a9c8..dd8a0335 100644
--- a/tests/python/python-ldap3-empty-password-python-test.yml
+++ b/tests/python/python-ldap3-empty-password-python-test.yml
@@ -7,4 +7,4 @@ invalid:
 ldap3.Connection(password="")
 - |
 test = ""
- ldap3.Connection(password=test)
\ No newline at end of file
+ ldap3.Connection(password=test)
diff --git a/tests/python/python-ldap3-hardcoded-secret-python-test.yml b/tests/python/python-ldap3-hardcoded-secret-python-test.yml
index 9deceec1..86b3510a 100644
--- a/tests/python/python-ldap3-hardcoded-secret-python-test.yml
+++ b/tests/python/python-ldap3-hardcoded-secret-python-test.yml
@@ -7,4 +7,4 @@ invalid:
 ldap3.Connection(password="test")
 - |
 test = "password"
- ldap3.Connection(password=test)
\ No newline at end of file
+ ldap3.Connection(password=test)
diff --git a/tests/python/python-mysql-empty-password-python-test.yml b/tests/python/python-mysql-empty-password-python-test.yml
index 697d5d91..d5cd9cf3 100644
--- a/tests/python/python-mysql-empty-password-python-test.yml
+++ b/tests/python/python-mysql-empty-password-python-test.yml
@@ -10,4 +10,4 @@ invalid:
 conn = mysql.connector.connect(password=PASSWORD1)
 - |
 import mysql.connector as mysql123
- mysql123.connect(host="localhost",user="root",passwd="",database="aaa")
\ No newline at end of file
+ mysql123.connect(host="localhost",user="root",passwd="",database="aaa")
diff --git a/tests/python/python-mysql-hardcoded-secret-python-test.yml b/tests/python/python-mysql-hardcoded-secret-python-test.yml
index 7e11e163..99f9fe26 100644
--- a/tests/python/python-mysql-hardcoded-secret-python-test.yml
+++ b/tests/python/python-mysql-hardcoded-secret-python-test.yml
@@ -10,4 +10,4 @@ invalid:
 conn = mysql.connector.connect(password=PASSWORD1)
 - |
 import mysql.connector as mysql123
- mysql123.connect(host="localhost",user="root",passwd="password",database="aaa")
\ No newline at end of file
+ mysql123.connect(host="localhost",user="root",passwd="password",database="aaa")
diff --git a/tests/python/python-neo4j-empty-password-python-test.yml b/tests/python/python-neo4j-empty-password-python-test.yml
index 0357ad00..27543c91 100644
--- a/tests/python/python-neo4j-empty-password-python-test.yml
+++ b/tests/python/python-neo4j-empty-password-python-test.yml
@@ -37,4 +37,4 @@ invalid:
 AsyncGraphDatabase,
 )
 driver = GraphDatabase.driver(uri, auth=bearer_auth(""))
-
\ No newline at end of file
+
diff --git a/tests/python/python-neo4j-hardcoded-secret-python-test.yml b/tests/python/python-neo4j-hardcoded-secret-python-test.yml
index 492af97b..c1c33832 100644
--- a/tests/python/python-neo4j-hardcoded-secret-python-test.yml
+++ b/tests/python/python-neo4j-hardcoded-secret-python-test.yml
@@ -36,4 +36,4 @@ invalid:
 bearer_auth,
 AsyncGraphDatabase,
 )
- driver = GraphDatabase.driver(uri, auth=bearer_auth("token"))
\ No newline at end of file
+ driver = GraphDatabase.driver(uri, auth=bearer_auth("token"))
diff --git a/tests/python/python-peewee-mysql-empty-password-python-test.yml b/tests/python/python-peewee-mysql-empty-password-python-test.yml
index fa84c49f..77636d34 100644
--- a/tests/python/python-peewee-mysql-empty-password-python-test.yml
+++ b/tests/python/python-peewee-mysql-empty-password-python-test.yml
@@ -5,4 +5,4 @@ valid:
 invalid:
 - |
 mysql_db1 = MySQLDatabase('my_app', user='app', password='', host='10.1.0.8', port=3306)
-
\ No newline at end of file
+
diff --git a/tests/python/python-peewee-mysql-hardcoded-secret-python-test.yml b/tests/python/python-peewee-mysql-hardcoded-secret-python-test.yml
index ad3c1035..6a4890d5 100644
--- a/tests/python/python-peewee-mysql-hardcoded-secret-python-test.yml
+++ b/tests/python/python-peewee-mysql-hardcoded-secret-python-test.yml
@@ -4,4 +4,4 @@ valid:
 mysql_db1 = MySQLDatabe('my_app', user='app', password=os.env['password'], host='10.1.0.8', port=3306)
 invalid:
 - |
- mysql_db1 = MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306)
\ No newline at end of file
+ mysql_db1 = MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306)
diff --git a/tests/python/python-peewee-pg-empty-password-python-test.yml b/tests/python/python-peewee-pg-empty-password-python-test.yml
index 0720a3a7..2303dbce 100644
--- a/tests/python/python-peewee-pg-empty-password-python-test.yml
+++ b/tests/python/python-peewee-pg-empty-password-python-test.yml
@@ -5,4 +5,4 @@ valid:
 invalid:
 - |
 pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
-
\ No newline at end of file
+
diff --git a/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml b/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml
index 51e051be..475d468d 100644
--- a/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml
+++ b/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml
@@ -5,4 +5,4 @@ valid:
 invalid:
 - |
 pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432)
-
\ No newline at end of file
+
diff --git a/tests/python/python-psycopg2-empty-password-python-test.yml b/tests/python/python-psycopg2-empty-password-python-test.yml
index 77c7a5d6..1d5b8d01 100644
--- a/tests/python/python-psycopg2-empty-password-python-test.yml
+++ b/tests/python/python-psycopg2-empty-password-python-test.yml
@@ -4,4 +4,4 @@ valid:
 c = psycopg2.connect(user, database=dbname, password="abc", **params).abc()
 invalid:
 - |
- c = psycopg2.connect(user, database=dbname, password="", **params).abc()
\ No newline at end of file
+ c = psycopg2.connect(user, database=dbname, password="", **params).abc()
diff --git a/tests/python/python-psycopg2-hardcoded-secret-python-test.yml b/tests/python/python-psycopg2-hardcoded-secret-python-test.yml
index 3fe568dc..a912bce8 100644
--- a/tests/python/python-psycopg2-hardcoded-secret-python-test.yml
+++ b/tests/python/python-psycopg2-hardcoded-secret-python-test.yml
@@ -4,4 +4,4 @@ valid:
 c = psycopg2.connect(user, database=dbname, password=os.env['pass'], **params).abc()
 invalid:
 - |
- c = psycopg2.connect(user, database=dbname, password="abc", **params).abc()
\ No newline at end of file
+ c = psycopg2.connect(user, database=dbname, password="abc", **params).abc()
diff --git a/tests/python/python-pymssql-hardcoded-secret-python-test.yml b/tests/python/python-pymssql-hardcoded-secret-python-test.yml
index 82642224..40b7f868 100644
--- a/tests/python/python-pymssql-hardcoded-secret-python-test.yml
+++ b/tests/python/python-pymssql-hardcoded-secret-python-test.yml
@@ -14,4 +14,4 @@ invalid:
 user='user',
 password='password',
 database='mydatabase',
- )
\ No newline at end of file
+ )
diff --git a/tests/python/python-pymysql-hardcoded-secret-python-test.yml b/tests/python/python-pymysql-hardcoded-secret-python-test.yml
index 01668462..0dedf18a 100644
--- a/tests/python/python-pymysql-hardcoded-secret-python-test.yml
+++ b/tests/python/python-pymysql-hardcoded-secret-python-test.yml
@@ -6,4 +6,4 @@ valid:
 pymysql.connect(password=os.getenv('secret'))
 invalid:
 - |
- pymysql.connect(password="a")
\ No newline at end of file
+ pymysql.connect(password="a")
diff --git a/tests/python/python-redis-hardcoded-secret-python-test.yml b/tests/python/python-redis-hardcoded-secret-python-test.yml
index 9bc1b57b..549549ba 100644
--- a/tests/python/python-redis-hardcoded-secret-python-test.yml
+++ b/tests/python/python-redis-hardcoded-secret-python-test.yml
@@ -14,4 +14,4 @@ invalid:
 port=6379,
 password="abc",
 db=5
- )
\ No newline at end of file
+ )
diff --git a/tests/python/python-requests-empty-password-python-test.yml b/tests/python/python-requests-empty-password-python-test.yml
index 5f01628d..72b05bc2 100644
--- a/tests/python/python-requests-empty-password-python-test.yml
+++ b/tests/python/python-requests-empty-password-python-test.yml
@@ -6,4 +6,4 @@ invalid:
 - |
 requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('user', ''))
 - |
- requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('username', ''))
\ No newline at end of file
+ requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('username', ''))
diff --git a/tests/python/python-urllib3-hardcoded-secret-python-test.yml b/tests/python/python-urllib3-hardcoded-secret-python-test.yml
index c7c3d4cb..84e8a3b1 100644
--- a/tests/python/python-urllib3-hardcoded-secret-python-test.yml
+++ b/tests/python/python-urllib3-hardcoded-secret-python-test.yml
@@ -4,4 +4,4 @@ valid:
 urllib3.util.make_headers(basic_auth=os.env['auth'])
 invalid:
 - |
- urllib3.util.make_headers(basic_auth="user:123")
\ No newline at end of file
+ urllib3.util.make_headers(basic_auth="user:123")
diff --git a/tests/ruby/hardcoded-http-auth-in-controller-ruby-test.yml b/tests/ruby/hardcoded-http-auth-in-controller-ruby-test.yml
index 88232950..cdb2f94c 100644
--- a/tests/ruby/hardcoded-http-auth-in-controller-ruby-test.yml
+++ b/tests/ruby/hardcoded-http-auth-in-controller-ruby-test.yml
@@ -15,4 +15,4 @@ invalid:
 class DangerousController < ApplicationController
 http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
 puts "do more stuff"
- end
\ No newline at end of file
+ end
diff --git a/tests/ruby/ruby-aws-sdk-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-aws-sdk-hardcoded-secret-ruby-test.yml
index bab7fa0c..0430a76a 100644
--- a/tests/ruby/ruby-aws-sdk-hardcoded-secret-ruby-test.yml
+++ b/tests/ruby/ruby-aws-sdk-hardcoded-secret-ruby-test.yml @@ -13,4 +13,4 @@ invalid: require 'aws-sdk-core' secsec = 'secret' creds = Aws::Credentials.new('akid', secsec) - Aws.config.update(region: 'us-west-2', credentials: creds) \ No newline at end of file + Aws.config.update(region: 'us-west-2', credentials: creds) diff --git a/tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml index 26273b35..681cc020 100644 --- a/tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml +++ b/tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml @@ -27,4 +27,4 @@ invalid: - | require "faraday" pass = 'authentication-token' - conn.request :token_auth, pass, **options \ No newline at end of file + conn.request :token_auth, pass, **options diff --git a/tests/ruby/ruby-pg-empty-password-ruby-test.yml b/tests/ruby/ruby-pg-empty-password-ruby-test.yml index 5ccb5465..206a0133 100644 --- a/tests/ruby/ruby-pg-empty-password-ruby-test.yml +++ b/tests/ruby/ruby-pg-empty-password-ruby-test.yml @@ -18,4 +18,4 @@ invalid: :user => 'user', :password => '', :sslmode => 'prefer' - ) \ No newline at end of file + ) diff --git a/tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml index 55f14f1b..dbda0b6f 100644 --- a/tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml +++ b/tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml @@ -18,4 +18,4 @@ invalid: :user => 'user', :password => 'password', :sslmode => 'prefer' - ) \ No newline at end of file + ) diff --git a/tests/rust/empty-password-rust-test.yml b/tests/rust/empty-password-rust-test.yml index 11c27ab3..79bcb839 100644 --- a/tests/rust/empty-password-rust-test.yml +++ b/tests/rust/empty-password-rust-test.yml @@ -39,4 +39,4 @@ invalid: use_connection(conn); Ok(()) - } \ No newline at end of file + } diff --git a/tests/rust/hardcoded-password-rust-test.yml b/tests/rust/hardcoded-password-rust-test.yml index f639f33f..ba687623 100644 
--- a/tests/rust/hardcoded-password-rust-test.yml +++ b/tests/rust/hardcoded-password-rust-test.yml @@ -39,4 +39,4 @@ invalid: use_connection(conn); Ok(()) - } \ No newline at end of file + } diff --git a/tests/rust/postgres-empty-password-rust-test.yml b/tests/rust/postgres-empty-password-rust-test.yml index 247c5bf7..ef8c173b 100644 --- a/tests/rust/postgres-empty-password-rust-test.yml +++ b/tests/rust/postgres-empty-password-rust-test.yml @@ -65,4 +65,4 @@ invalid: .port(std::env::var("PORT").expect("set PORT")); let (client, connection) = config.connect(NoTls); Ok(()) - } \ No newline at end of file + } diff --git a/tests/rust/reqwest-accept-invalid-rust-test.yml b/tests/rust/reqwest-accept-invalid-rust-test.yml index f31bbc35..1eddb1d8 100644 --- a/tests/rust/reqwest-accept-invalid-rust-test.yml +++ b/tests/rust/reqwest-accept-invalid-rust-test.yml @@ -10,4 +10,4 @@ invalid: - | reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) - | - reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) \ No newline at end of file + reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) diff --git a/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml b/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml index df5952cd..db4636f1 100644 --- a/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml +++ b/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml @@ -33,4 +33,4 @@ invalid: .await?; println!("body = {:?}", resp); Ok(()) - } \ No newline at end of file + } diff --git a/tests/rust/tokio-postgres-empty-password-rust-test.yml b/tests/rust/tokio-postgres-empty-password-rust-test.yml index 2b85b2c4..0f09d689 100644 --- a/tests/rust/tokio-postgres-empty-password-rust-test.yml +++ b/tests/rust/tokio-postgres-empty-password-rust-test.yml @@ -47,4 +47,4 @@ invalid: }); Ok(()) - } \ No newline at end of file + } 
diff --git a/tests/rust/tokio-postgres-hardcoded-password-rust-test.yml b/tests/rust/tokio-postgres-hardcoded-password-rust-test.yml index 895e52e4..5e3eca3a 100644 --- a/tests/rust/tokio-postgres-hardcoded-password-rust-test.yml +++ b/tests/rust/tokio-postgres-hardcoded-password-rust-test.yml @@ -47,4 +47,4 @@ invalid: }); Ok(()) - } \ No newline at end of file + } diff --git a/tests/swift/blowfish-hardcoded-secret-swift-test.yml b/tests/swift/blowfish-hardcoded-secret-swift-test.yml index 4f5dcfb4..2a412559 100644 --- a/tests/swift/blowfish-hardcoded-secret-swift-test.yml +++ b/tests/swift/blowfish-hardcoded-secret-swift-test.yml @@ -12,4 +12,4 @@ invalid: try Blowfish(key: password, iv: "123") - | let password: Array = Array("s33krit".utf8) - Blowfish(key: password, iv: "123") \ No newline at end of file + Blowfish(key: password, iv: "123") diff --git a/tests/swift/chacha20-hardcoded-secret-swift-test.yml b/tests/swift/chacha20-hardcoded-secret-swift-test.yml index 62ce7b25..e620a632 100644 --- a/tests/swift/chacha20-hardcoded-secret-swift-test.yml +++ b/tests/swift/chacha20-hardcoded-secret-swift-test.yml @@ -12,4 +12,4 @@ invalid: try ChaCha20(key: password, iv: "123") - | let password: Array = Array("s33krit".utf8) - ChaCha20(key: password, iv: "123") \ No newline at end of file + ChaCha20(key: password, iv: "123") diff --git a/tests/swift/insecure-biometrics-swift-test.yml b/tests/swift/insecure-biometrics-swift-test.yml index 3c6d2c1c..6b8c5748 100644 --- a/tests/swift/insecure-biometrics-swift-test.yml +++ b/tests/swift/insecure-biometrics-swift-test.yml @@ -4,4 +4,4 @@ valid: abc.anyFunc() invalid: - | - abc.evaluatePolicy() \ No newline at end of file + abc.evaluatePolicy() diff --git a/tests/swift/rabbit-hardcoded-secret-swift-test.yml b/tests/swift/rabbit-hardcoded-secret-swift-test.yml index 9f1bad27..4c9fecdf 100644 --- a/tests/swift/rabbit-hardcoded-secret-swift-test.yml +++ b/tests/swift/rabbit-hardcoded-secret-swift-test.yml 
@@ -12,4 +12,4 @@ invalid:
 try Rabbit(key: password, iv: "123")
 - |
 let password: Array = Array("s33krit".utf8)
- Rabbit(key: password, iv: "123")
\ No newline at end of file
+ Rabbit(key: password, iv: "123")
diff --git a/tests/typescript/argon2-weak-type-typescript-test.yml b/tests/typescript/argon2-weak-type-typescript-test.yml
new file mode 100644
index 00000000..6301f3f1
--- /dev/null
+++ b/tests/typescript/argon2-weak-type-typescript-test.yml
@@ -0,0 +1,9 @@
+id: argon2-weak-type-typescript
+valid:
+ - |
+ await argon2.hash('password', {type: argon2.argon2id})
+ await argon2.hash('password', {})
+invalid:
+ - |
+ await argon2.hash('password', {type: argon2.argon2d})
+ await argon2.hash('password', {type: argon2.argon2i})
diff --git a/tests/typescript/avoid-crypto-rc4-typescript-test.yml b/tests/typescript/avoid-crypto-rc4-typescript-test.yml
new file mode 100644
index 00000000..2c488f39
--- /dev/null
+++ b/tests/typescript/avoid-crypto-rc4-typescript-test.yml
@@ -0,0 +1,9 @@
+id: avoid-crypto-rc4-typescript
+valid:
+ - |
+ const encrypted = CryptoJS.AES.encrypt("Message", "Secret Passphrase");
+ const decrypted = CryptoJS.AES.decrypt(encrypted, "Secret Passphrase");
+invalid:
+ - |
+ const encrypted = CryptoJS.RC4.encrypt("Message", "Secret Passphrase");
+ const decrypted = CryptoJS.RC4.decrypt(encrypted, "Secret Passphrase");
diff --git a/tests/typescript/avoid-crypto-sha1-typescript-test.yml b/tests/typescript/avoid-crypto-sha1-typescript-test.yml
new file mode 100644
index 00000000..6ffbe797
--- /dev/null
+++ b/tests/typescript/avoid-crypto-sha1-typescript-test.yml
@@ -0,0 +1,8 @@
+id: avoid-crypto-sha1-typescript
+valid:
+ - |
+ const hash = CryptoJS.HmacSHA256("Message", "Secret Passphrase");
+ const hash = CryptoJS.SHA256("Message");
+invalid:
+ - |
+ const hash = CryptoJS.HmacSHA1("Message", "Secret Passphrase");
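Review bot: The valid case `await argon2.hash('password', {})` in argon2-weak-type-typescript-test.yml treats the library's default variant as acceptable, but which variant an omitted `type` selects is decided by the installed node-argon2 release (current releases default to argon2id; older ones did not, if I recall correctly), so the fixture encodes an assumption the rule itself cannot verify. A short YAML comment above that case, such as `# omitted type relies on the library default (argon2id in current node-argon2); the rule does not check defaults`, would make that explicit, or the no-type call could be dropped from the valid set so the fixture only asserts what the pattern actually decides.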
diff --git a/tests/typescript/avoid-des-typescript-test.yml b/tests/typescript/avoid-des-typescript-test.yml
new file mode 100644
index 00000000..b8bb5669
--- /dev/null
+++ b/tests/typescript/avoid-des-typescript-test.yml
@@ -0,0 +1,11 @@
+id: avoid-des-typescript
+valid:
+ - |
+ const encrypted = CryptoJS.AES.encrypt("Message", "Secret Passphrase");
+ const decrypted = CryptoJS.AES.decrypt(encrypted, "Secret Passphrase");
+invalid:
+ - |
+ const encrypted = CryptoJS.DES.encrypt("Message", "Secret Passphrase");
+ const decrypted = CryptoJS.DES.decrypt(encrypted, "Secret Passphrase");
+ const encrypted = CryptoJS.TripleDES.encrypt("Message", "Secret Passphrase");
+ const decrypted = CryptoJS.TripleDES.decrypt(encrypted, "Secret Passphrase");
diff --git a/tests/typescript/chmod-permissions-typescript-test.yml b/tests/typescript/chmod-permissions-typescript-test.yml
new file mode 100644
index 00000000..2c764ddd
--- /dev/null
+++ b/tests/typescript/chmod-permissions-typescript-test.yml
@@ -0,0 +1,15 @@
+id: chmod-permissions-typescript
+valid:
+ - |
+ const fs = require('fs');
+ const fsPromises = fs.promises;
+
+ fs.chmodSync(myPath, 0o770);
+ fsPromises.chmod("/tmp/fsPromises", 0o770);
+invalid:
+ - |
+ const fs = require('fs');
+ const fsPromises = fs.promises;
+
+ fs.chmodSync("/tmp/myfile", 0o777);
+ fsPromises.chmod("/tmp/fsPromises", 0o777);
diff --git a/tests/typescript/command-injection-typescript-test.yml b/tests/typescript/command-injection-typescript-test.yml
new file mode 100644
index 00000000..6e74dffd
--- /dev/null
+++ b/tests/typescript/command-injection-typescript-test.yml
@@ -0,0 +1,8 @@
+id: command-injection-typescript
+valid:
+ - |
+ childprocess.exec('mv /tmp/src /tmp/dst', (error, stdout, stderr) => {});
+invalid:
+ - |
+ childprocess.exec(`mv ${src} ${dst}`, (error, stdout, stderr) => {});
+ childprocess.exec('mv ' + src + " " + dst, (error, stdout, stderr) => {});
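Review bot: The valid set in command-injection-typescript-test.yml covers only a fully literal command string, so the fixture never shows that the rule leaves the argument-array APIs alone; a case like `childprocess.execFile('mv', [src, dst], (error, stdout, stderr) => {});` under `valid:` would pin that down and catch a future pattern change that starts flagging the safe form. The invalid set exercises `exec` with a template literal and with `+` concatenation but not `execSync` with the same interpolation; whether that is in scope depends on the rule file, which is not in this hunk.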
diff --git a/tests/typescript/crypto-avoid-weak-hash-typescript-test.yml b/tests/typescript/crypto-avoid-weak-hash-typescript-test.yml
new file mode 100644
index 00000000..721f4d07
--- /dev/null
+++ b/tests/typescript/crypto-avoid-weak-hash-typescript-test.yml
@@ -0,0 +1,10 @@
+id: crypto-avoid-weak-hash-typescript
+valid:
+ - |
+ const hash = CryptoJS.SHA256("Message", "Secret Passphrase");
+ const hash = CryptoJS.SHA512("Message");
+invalid:
+ - |
+ const hash = CryptoJS.MD5("Message", "Secret Passphrase");
+ const hash = CryptoJS.SHA1("Message", "Secret Passphrase");
+ const hash = CryptoJS.HmacMD5("Message", "Secret Passphrase");
diff --git a/tests/typescript/detect-angular-sce-disabled-typescript.yml b/tests/typescript/detect-angular-sce-disabled-typescript.yml
index fdf91998..c243a57a 100644
--- a/tests/typescript/detect-angular-sce-disabled-typescript.yml
+++ b/tests/typescript/detect-angular-sce-disabled-typescript.yml
@@ -8,4 +8,4 @@ invalid:
 - |
 $sceProvider.enabled(false).someFunction(true).anything("anything");
 - |
- $sceProvider.enabled(false)(false);
\ No newline at end of file
+ $sceProvider.enabled(false)(false);
diff --git a/tests/typescript/detect-buffer-noassert-typescript-test.yml b/tests/typescript/detect-buffer-noassert-typescript-test.yml
new file mode 100644
index 00000000..309f5e29
--- /dev/null
+++ b/tests/typescript/detect-buffer-noassert-typescript-test.yml
@@ -0,0 +1,17 @@
+id: detect-buffer-noassert-typescript
+valid:
+ - |
+ a.readUInt8(0)
+ a.readUInt16LE(0)
+ a.writeUInt8(0, 0)
+ a.writeInt16LE(0, 0)
+ a.readUInt8(0, false)
+ a.writeUInt8(0, 0, false)
+invalid:
+ - |
+ a.readUInt8(0, true)
+ a.readUInt16LE(0, true)
+ a.writeUInt8(0, 0, true)
+ a.writeInt16LE(0, 0, true)
+ a.readFloatLE(0, true)
+ a.writeDoubleLE(0, 0, true)
diff --git a/tests/typescript/detect-eval-with-expression-typescript-test.yml b/tests/typescript/detect-eval-with-expression-typescript-test.yml
new file mode 100644
index 00000000..6054cf4e
--- /dev/null
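Review bot: The valid example `const hash = CryptoJS.SHA256("Message", "Secret Passphrase");` in crypto-avoid-weak-hash-typescript-test.yml passes a passphrase to a plain hash function, which reads as if SHA256 were keyed; the fixture is only a pattern probe, but a reader copying the "good" side gets a misleading shape, and the same block redeclares `const hash` twice. Using `CryptoJS.SHA256("Message")` for the single-argument case and distinct names (`hashA`, `hashB`) keeps the valid side something one would actually want to copy. The `HmacSHA1` form is left to avoid-crypto-sha1-typescript-test.yml in the previous hunk, which is fine as long as that split is intentional.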
+++ b/tests/typescript/detect-eval-with-expression-typescript-test.yml
@@ -0,0 +1,12 @@
+id: detect-eval-with-expression-typescript
+valid:
+ - |
+ eval('alert()')
+ global.eval('a');
+ globalThis.eval('a');
+invalid:
+ - |
+ eval(a);
+ global.eval(a);
+ globalThis.eval(a);
+ const answer = eval(expression)
diff --git a/tests/typescript/detect-new-buffer-typescript-test.yml b/tests/typescript/detect-new-buffer-typescript-test.yml
new file mode 100644
index 00000000..0ff27fed
--- /dev/null
+++ b/tests/typescript/detect-new-buffer-typescript-test.yml
@@ -0,0 +1,8 @@
+id: detect-new-buffer-typescript
+valid:
+ - |
+ var a = new Buffer('test')
+ var b = Buffer.from('test')
+invalid:
+ - |
+ var a = new Buffer(c)
diff --git a/tests/typescript/detect-non-literal-regexp-typescript-test.yml b/tests/typescript/detect-non-literal-regexp-typescript-test.yml
new file mode 100644
index 00000000..539ab22f
--- /dev/null
+++ b/tests/typescript/detect-non-literal-regexp-typescript-test.yml
@@ -0,0 +1,9 @@
+id: detect-non-literal-regexp-typescript
+valid:
+ - |
+ const REGEX = "regex"
+ const a = new RegExp('ab+c', 'i');
+ const b = new RegExp(REGEX, 'i');
+invalid:
+ - |
+ var a = new RegExp(c, 'i');
diff --git a/tests/typescript/detect-non-literal-require-typescript-test.yml b/tests/typescript/detect-non-literal-require-typescript-test.yml
new file mode 100644
index 00000000..b51e5c74
--- /dev/null
+++ b/tests/typescript/detect-non-literal-require-typescript-test.yml
@@ -0,0 +1,9 @@
+id: detect-non-literal-require-typescript
+valid:
+ - |
+ var a = require('b');
+ var a = require(`b`);
+invalid:
+ - |
+ const a = require(c);
+ const a = require(`${c}`);
diff --git a/tests/typescript/detected-jwt-token-typescript-test.yml b/tests/typescript/detected-jwt-token-typescript-test.yml
new file mode 100644
index 00000000..e3b3f2b3
--- /dev/null
+++ b/tests/typescript/detected-jwt-token-typescript-test.yml
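Review bot: The valid case `var a = new Buffer('test')` in detect-new-buffer-typescript-test.yml records the deprecated `Buffer()` constructor as acceptable whenever its argument is a literal; that matches a rule scoped to the non-literal argument (where a numeric value yields an uninitialised allocation), but without a note the fixture reads as an endorsement of `new Buffer` and the next maintainer may widen the valid set from it. Following the style of the sql-injection fixture later in this commit, a JS comment inside the snippet would carry the intent, e.g. `// literal argument is out of scope for this rule; new Buffer() itself is deprecated, prefer Buffer.from / Buffer.alloc`. The detect-non-literal-regexp fixture in the same line has a similar unstated boundary (`REGEX` is a const string, so `new RegExp(REGEX, 'i')` is valid) that a one-line comment would make explicit.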
@@ -0,0 +1,11 @@
+id: detected-jwt-token-typescript
+valid:
+ - |
+ "eyfoo"
+ `eybaz`
+ 'eyJ12345678901234-1234_123456789012'
+invalid:
+ - |
+ "eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234"
+ 'eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234'
+ `eyJ12345678901234-1234_1234.1234567890123-1234_1234.12345678-1234_1234`
diff --git a/tests/typescript/hardcoded-hmac-key-typescript-test.yml b/tests/typescript/hardcoded-hmac-key-typescript-test.yml
new file mode 100644
index 00000000..be1760a7
--- /dev/null
+++ b/tests/typescript/hardcoded-hmac-key-typescript-test.yml
@@ -0,0 +1,19 @@
+id: hardcoded-hmac-key-typescript
+valid:
+ - |
+ import crypto from "crypto";
+ import config from "./config";
+
+ const safely_stored_key = config.get('AWS_KEY')
+ const safe_hmac = crypto.createHmac('sha256', safely_stored_key)
+
+ crypto.createHmac('sha256', process.env.KEY);
+invalid:
+ - |
+ import crypto from "crypto";
+
+ crypto.createHmac('sha256', 'pa4qacea4VK9t9nGv7yZtwmj').update(data).digest('hex');
+
+ const key = 'private';
+ const secret = key;
+ const fail = crypto.createHmac('sha256', secret);
diff --git a/tests/typescript/insecure-hash-typescript-test.yml b/tests/typescript/insecure-hash-typescript-test.yml
new file mode 100644
index 00000000..06d76535
--- /dev/null
+++ b/tests/typescript/insecure-hash-typescript-test.yml
@@ -0,0 +1,9 @@
+id: insecure-hash-typescript
+valid:
+ - |
+ crypto.createHash("sha256")
+ crypto.createHash("sha512")
+invalid:
+ - |
+ crypto.createHash("md5")
+ crypto.createHash("sha1")
diff --git a/tests/typescript/jwt-sensitive-data-typescript-test.yml b/tests/typescript/jwt-sensitive-data-typescript-test.yml
new file mode 100644
index 00000000..452c2591
--- /dev/null
+++ b/tests/typescript/jwt-sensitive-data-typescript-test.yml
@@ -0,0 +1,15 @@
+id: jwt-sensitive-data-typescript
+valid:
+ - |
+ jwt.sign(
+ {user: { id: 42 }}
+ )
+invalid:
+ - |
+ jwt.sign(
+ { user: { email: 'foo@bar.com' }}
+ )
+
+ jwt.sign(
+ { user: { lastname: 'babar' }}
+ )
diff --git a/tests/typescript/jwt-weak-encryption-typescript-test.yml b/tests/typescript/jwt-weak-encryption-typescript-test.yml
new file mode 100644
index 00000000..dc46dc2e
--- /dev/null
+++ b/tests/typescript/jwt-weak-encryption-typescript-test.yml
@@ -0,0 +1,8 @@
+id: jwt-weak-encryption-typescript
+valid:
+ - |
+ jwt.verify(token, secret, { algorithms: ['RS256', 'HS256'] }, func);
+invalid:
+ - |
+ jwt.verify(token, secret, { algorithms: ['RS256', 'none'] }, func);
+ jwt.verify(token, secret, { algorithms: ['none', 'RS256'] }, func);
diff --git a/tests/typescript/log-sensitive-data-typescript-test.yml b/tests/typescript/log-sensitive-data-typescript-test.yml
new file mode 100644
index 00000000..c8f9bc6f
--- /dev/null
+++ b/tests/typescript/log-sensitive-data-typescript-test.yml
@@ -0,0 +1,11 @@
+id: log-sensitive-data-typescript
+valid:
+ - |
+ console.log("email from user" + user.id);
+ console.log(`email from user ${user.uuid}`);
+invalid:
+ - |
+ console.log("email from user" + user.email);
+ console.log(`email from user ${user.email}`);
+ logger.info(`email from user ${user.email}`);
+ logger.warn(email);
diff --git a/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml b/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml
index 2871d52d..6ae05887 100644
--- a/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml
+++ b/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml
@@ -23,4 +23,4 @@ invalid:
 host: 'localhost',
 port: 5432,
 dialect: 'postgres'
- });
\ No newline at end of file
+ });
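Review bot: The jwt-weak-encryption fixture only exercises `'none'` inside an explicit `algorithms` list; a `jwt.verify(token, secret, func)` call with no `algorithms` option at all, which leaves algorithm selection to the library default, is in neither block, so the rule's stance on it is unpinned. Whether the rule is meant to cover that configuration is not visible from the test, but placing it in one of the two lists would record the decision. A signing-side sample, `jwt.sign(payload, secret, { algorithm: 'none' })`, would likewise pin whether `sign` is in scope or only `verify`.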
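Review bot: `logger.warn(email)` in the log-sensitive-data invalid block means a bare identifier named `email` is flagged, but the valid block has no sample showing where that match stops, so a rule implemented as a substring match on the identifier would still pass this fixture. Adding a valid line such as `console.log(emailCount);` or `console.log(user.emailVerified);` (assuming the rule is meant to match the whole identifier) pins the boundary. A plain string containing the word, `console.log("email sent");`, is also worth listing as valid so the rule is documented as matching identifiers and properties rather than message text.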
diff --git a/tests/typescript/sql-injection-typescript-test.yml b/tests/typescript/sql-injection-typescript-test.yml
new file mode 100644
index 00000000..31629388
--- /dev/null
+++ b/tests/typescript/sql-injection-typescript-test.yml
@@ -0,0 +1,18 @@
+id: sql-injection-typescript
+valid:
+ - |
+ models.sequelize.query('SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL',
+ { bind: [ req.body.email, req.body.password ], model: models.User, plain: true })
+ - |
+ // SQL statements inside tagged templates are assumed to be escaped correctly.
+ return prisma.$queryRaw`SELECT id FROM User WHERE name = ${input}`;
+ return sql`SELECT id FROM User WHERE name = ${input}`;
+invalid:
+ - |
+ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
+ - |
+ connection.query("SELECT * FROM users WHERE id=" + userId,(err, result) => {
+ res.json(result);
+ });
+ - |
+ sequelize.query('SELECT * FROM Products WHERE name LIKE ' + req.body.username);
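Review bot: The valid block exempts tagged templates (`prisma.$queryRaw` and `sql`) on the stated assumption that the tag parameterizes the interpolation, but the invalid block has no sample proving the exemption does not leak into Prisma's untagged variant, `prisma.$queryRawUnsafe(...)` called with the same kind of interpolated template literal as the sequelize sample above it, where the string is built before the call. Adding that line to invalid pins the distinction the comment describes. The fixture also has no case where the query string is assembled in an earlier statement and passed as a variable (`const q = ...; db.query(q)`); whether the rule is expected to track that is not visible here, but a sample in either block would document the intended scope.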
