feat: add javascript rule for google tag manager (#554)

feat: add google tag manager

integration/rules/javascript_test.go

@@ -81,3 +81,13 @@ func TestJavascriptLangFileGenerationDataflow(t *testing.T) {
 	t.Parallel()
 	runRulesTest("javascript/lang/file_generation", "dataflow", "javascript_lang_file_generation", t)
 }
+
+func TestJavascriptGTMDataflow(t *testing.T) {
+	t.Parallel()
+	runRulesTest("javascript/third_parties/google_tag_manager", "dataflow", "javascript_google_tag_manager", t)
+}
+
+func TestJavascriptGTMSummary(t *testing.T) {
+	t.Parallel()
+	runRulesTest("javascript/third_parties/google_tag_manager", "summary", "javascript_google_tag_manager", t)
+}

pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager.yml

@@ -0,0 +1,52 @@
+patterns:
+  - pattern: |
+      dataLayer.push($<DATA_TYPE>)
+    filters:
+      - variable: DATA_TYPE
+        detection: datatype
+  - pattern: |
+      window.dataLayer.push($<DATA_TYPE>)
+    filters:
+      - variable: DATA_TYPE
+        detection: datatype
+languages:
+  - javascript
+trigger: local
+severity:
+  default: low
+  PII: critical
+  PHI: medium
+  PD: high
+metadata:
+  description: "Do not send sensitive data to google tag manager."
+  remediation_message: |
+    ## Description
+
+    Leaking sensitive data to third parties is a common cause of data leaks and can lead to data breaches. This rule looks for instances of leaking sensitive data to third parties using google tag manager.
+
+    ❌ Avoid sending sensitive data to third parties:
+
+    ```javascript
+    datalayer.push({
+      user: {
+        email: user.email
+      }
+    })
+    ```
+
+    ✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:
+
+    ```javascript
+    datalayer.push({
+      user: {
+        uuid: user.uuid
+      }
+    })
+    ```
+
+    <!--
+    ## Resources
+    Coming soon.
+    -->
+  dsr_id: DSR-1
+  id: "javascript_google_tag_manager"

pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/.snapshots/TestJavascriptGTMDataflow-dataflow_javascript_third_parties_google_tag_manager_secure.js

@@ -0,0 +1,5 @@
+components: []
+
+
+--
+

pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/.snapshots/TestJavascriptGTMDataflow-dataflow_javascript_third_parties_google_tag_manager_unsecure.js

@@ -0,0 +1,47 @@
+data_types:
+    - name: Email Address
+      detectors:
+        - name: javascript
+          locations:
+            - filename: pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/testdata/unsecure.js
+              line_number: 1
+              field_name: email
+              object_name: user
+              subject_name: User
+            - filename: pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/testdata/unsecure.js
+              line_number: 4
+              field_name: email
+              object_name: push
+risks:
+    - detector_id: javascript_google_tag_manager
+      data_types:
+        - name: Email Address
+          stored: false
+          locations:
+            - filename: pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/testdata/unsecure.js
+              line_number: 1
+              parent:
+                line_number: 3
+                content: |-
+                    window.dataLayer.push({
+                    	email: user.email,
+                    })
+              field_name: email
+              object_name: user
+              subject_name: User
+            - filename: pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/testdata/unsecure.js
+              line_number: 4
+              parent:
+                line_number: 3
+                content: |-
+                    window.dataLayer.push({
+                    	email: user.email,
+                    })
+              field_name: email
+              object_name: user
+              subject_name: User
+components: []
+
+
+--
+

pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/.snapshots/TestJavascriptGTMSummary-summary_javascript_third_parties_google_tag_manager_secure.js

@@ -0,0 +1,5 @@
+{}
+
+
+--
+

pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/.snapshots/TestJavascriptGTMSummary-summary_javascript_third_parties_google_tag_manager_unsecure.js

@@ -0,0 +1,31 @@
+critical:
+    - rule_dsrid: DSR-1
+      rule_display_id: javascript_google_tag_manager
+      rule_description: Do not send sensitive data to google tag manager.
+      rule_documentation_url: https://curio.sh/reference/rules/javascript_google_tag_manager
+      line_number: 1
+      filename: pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/testdata/unsecure.js
+      category_groups:
+        - PII
+      parent_line_number: 3
+      parent_content: |-
+        window.dataLayer.push({
+        	email: user.email,
+        })
+    - rule_dsrid: DSR-1
+      rule_display_id: javascript_google_tag_manager
+      rule_description: Do not send sensitive data to google tag manager.
+      rule_documentation_url: https://curio.sh/reference/rules/javascript_google_tag_manager
+      line_number: 4
+      filename: pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/testdata/unsecure.js
+      category_groups:
+        - PII
+      parent_line_number: 3
+      parent_content: |-
+        window.dataLayer.push({
+        	email: user.email,
+        })
+
+
+--
+

pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/testdata/secure.js

@@ -0,0 +1,5 @@
+const user = { uuid: "28fecfa3-af3d-4503-8459-a4a7c0287e14" };
+
+window.dataLayer.push({
+	uuid: user.uuid,
+});

pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager/testdata/unsecure.js

@@ -0,0 +1,5 @@
+const user = { email: "jhon@gmail.com" };
+
+window.dataLayer.push({
+	email: user.email,
+});