feat: javascript http insecure rule (#551)
* feat: add description to weak encryption

* feat: add jwt rule

* feat: add javascript http insecure rule
vjerci committed Feb 13, 2023
1 parent c9b815d commit e4fc9ba
Showing 21 changed files with 223 additions and 1 deletion.
10 changes: 10 additions & 0 deletions integration/rules/javascript_test.go
Expand Up @@ -52,6 +52,16 @@ func TestJavascriptJWTSummary(t *testing.T) {
runRulesTest("javascript/lang/jwt", "summary", "javascript_jwt", t)
}

func TestJavascriptHTTPInsecureDataflow(t *testing.T) {
t.Parallel()
runRulesTest("javascript/lang/http_insecure", "dataflow", "javascript_http_insecure", t)
}

func TestJavascriptHTTPInsecureSummary(t *testing.T) {
t.Parallel()
runRulesTest("javascript/lang/http_insecure", "summary", "javascript_http_insecure", t)
}

func TestJavascriptThirdPartySentrySummary(t *testing.T) {
t.Parallel()
runRulesTest("javascript/third_parties/sentry", "summary", "javascript_third_parties_sentry", t)
@@ -0,0 +1,61 @@
patterns:
- pattern: |
$<LIBRARY>.$<METHOD>($<INSECURE_URL>)
filters:
- variable: INSECURE_URL
detection: insecure_url
- variable: LIBRARY
values:
- axios
- http
- variable: METHOD
values:
- get
- post
- patch
- delete
- pattern: |
fetch($<INSECURE_URL>)
filters:
- variable: INSECURE_URL
detection: insecure_url
- pattern: |
$<REQUEST>.open($<_>, $<INSECURE_URL>);
filters:
- variable: INSECURE_URL
detection: insecure_url
- variable: REQUEST
values:
- req
- request
- xhttp
languages:
- javascript
trigger: presence
severity:
default: low
metadata:
description: "Only communicate using HTTPS connections."
remediation_message: |
## Description
Applications processing sensitive data should only connect using HTTPS connections. This rule checks that all HTTP connections use HTTPS.
❌ Avoid using unsecured outgoing HTTP communication, especially in the context of API calls:
```javascript
const response = axios.get('http://insecure-api.com')
```
✅ Ensure to always connect though HTTPS:
```javascript
const response = axios.get('https://secure-api.com')
```
<!--
## Resources
Coming soon.
-->
dsr_id: "DSR-5"
id: "javascript_http_insecure"
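Review bot: The METHOD values for the `$<LIBRARY>.$<METHOD>(...)` pattern stop at get/post/patch/delete, so `axios.put('http://…', body)` and `http.request('http://…')` are not reported; since the request_insecure expectation shows a two-argument `open($<_>, $<INSECURE_URL>)` pattern matching the three-argument `xhttp.open("GET", insecure_url, true)` call, adding `- put` and `- request` to that list should be enough, and note that Node's `http` module only exposes `get` and `request` (no `post`/`patch`/`delete`), so those entries are dead for that library. The REQUEST allow-list for the XMLHttpRequest pattern (`req`, `request`, `xhttp`) misses the most common spelling, so `- xhr` belongs there as well, unless the engine can instead filter on the receiver being assigned from `new XMLHttpRequest()`, which would avoid guessing variable names at all. The remediation text has a typo on the ✅ line: `Ensure to always connect though HTTPS:` should read `through`. The `insecure_url` detection referenced here is defined outside this commit; if it flags every `http://` literal, local development URLs such as `http://localhost:3000` will be reported at the same severity, so a fixture pinning that behaviour one way or the other would be worth adding alongside the axios/fetch/request test data.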
@@ -0,0 +1,22 @@
risks:
- detector_id: javascript_http_insecure
locations:
- filename: pkg/commands/process/settings/rules/javascript/lang/http_insecure/testdata/axios_insecure.js
line_number: 2
parent:
line_number: 2
content: axios.get(insecure_url)
content: |
$<LIBRARY>.$<METHOD>($<INSECURE_URL>)
components:
- name: http://domain.com/api/movies
type: ""
sub_type: ""
locations:
- detector: javascript
filename: pkg/commands/process/settings/rules/javascript/lang/http_insecure/testdata/axios_insecure.js
line_number: 1


--

@@ -0,0 +1,12 @@
components:
- name: https://domain.com/api/movies
type: ""
sub_type: ""
locations:
- detector: javascript
filename: pkg/commands/process/settings/rules/javascript/lang/http_insecure/testdata/axios_secure.js
line_number: 1


--

@@ -0,0 +1,15 @@
risks:
- detector_id: javascript_http_insecure
locations:
- filename: pkg/commands/process/settings/rules/javascript/lang/http_insecure/testdata/fetch_insecure.js
line_number: 3
parent:
line_number: 3
content: fetch(insecure_url)
content: |
fetch($<INSECURE_URL>)
components: []


--

@@ -0,0 +1,5 @@
components: []


--

@@ -0,0 +1,15 @@
risks:
- detector_id: javascript_http_insecure
locations:
- filename: pkg/commands/process/settings/rules/javascript/lang/http_insecure/testdata/request_insecure.js
line_number: 5
parent:
line_number: 5
content: xhttp.open("GET", insecure_url, true)
content: |
$<REQUEST>.open($<_>, $<INSECURE_URL>);
components: []


--

@@ -0,0 +1,5 @@
components: []


--

@@ -0,0 +1,13 @@
low:
- rule_dsrid: DSR-5
rule_display_id: javascript_http_insecure
rule_description: Only communicate using HTTPS connections.
rule_documentation_url: https://curio.sh/reference/rules/javascript_http_insecure
line_number: 2
filename: pkg/commands/process/settings/rules/javascript/lang/http_insecure/testdata/axios_insecure.js
parent_line_number: 2
parent_content: axios.get(insecure_url)


--

@@ -0,0 +1,5 @@
{}


--

@@ -0,0 +1,13 @@
low:
- rule_dsrid: DSR-5
rule_display_id: javascript_http_insecure
rule_description: Only communicate using HTTPS connections.
rule_documentation_url: https://curio.sh/reference/rules/javascript_http_insecure
line_number: 3
filename: pkg/commands/process/settings/rules/javascript/lang/http_insecure/testdata/fetch_insecure.js
parent_line_number: 3
parent_content: fetch(insecure_url)


--

@@ -0,0 +1,5 @@
{}


--

@@ -0,0 +1,13 @@
low:
- rule_dsrid: DSR-5
rule_display_id: javascript_http_insecure
rule_description: Only communicate using HTTPS connections.
rule_documentation_url: https://curio.sh/reference/rules/javascript_http_insecure
line_number: 5
filename: pkg/commands/process/settings/rules/javascript/lang/http_insecure/testdata/request_insecure.js
parent_line_number: 5
parent_content: xhttp.open("GET", insecure_url, true)


--

@@ -0,0 +1,5 @@
{}


--

@@ -0,0 +1,2 @@
const insecure_url = "http://domain.com/api/movies";
axios.get(insecure_url);
@@ -0,0 +1,2 @@
const secure_url = "https://domain.com/api/movies";
axios.get(secure_url);
@@ -0,0 +1,5 @@
const insecure_url = "http://example.com/movies.json";

fetch(insecure_url)
.then((response) => response.json())
.then((data) => console.log(data));
@@ -0,0 +1,5 @@
const secure_url = "https://example.com/movies.json";

fetch(secure_url)
.then((response) => response.json())
.then((data) => console.log(data));
@@ -0,0 +1,5 @@
var xhttp = new XMLHttpRequest();

var insecure_url = "http://domain.com/movie";

xhttp.open("GET", insecure_url, true);
@@ -0,0 +1,4 @@
var secure_url = "https://domain.com/movie";

var xhttp = new XMLHttpRequest();
xhttp.open("GET", secure_url, true);
Expand Up @@ -56,7 +56,7 @@ metadata:
❌ Avoid using unsecured outgoing HTTP communication, especially in the context of API calls:
```ruby
response = HTTParty.get('http://usecure-api.com')
response = HTTParty.get('http://insecure-api.com')
```
✅ Ensure to always connect though HTTPS:
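Review bot: The same remediation text still has a typo on the ✅ line that this hunk leaves untouched while fixing `usecure`: `✅ Ensure to always connect though HTTPS:` should read `through`. The metadata block this hunk sits in starts and ends outside the hunk.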
