Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule S4507: Delivering code in production with debug features activated is security-sensitive (deprecates S1442 and S1525) #1839

Closed
eric-therond-sonarsource opened this issue Jan 3, 2020 · 1 comment · Fixed by #2061
Closed

Rule S4507: Delivering code in production with debug features activated is security-sensitive (deprecates S1442 and S1525) #1839

eric-therond-sonarsource opened this issue Jan 3, 2020 · 1 comment · Fixed by #2061
Assignees
@vilchik-elena
Milestone
6.4

Comments

@eric-therond-sonarsource
Copy link

eric-therond-sonarsource commented Jan 3, 2020
edited by vilchik-elena

New rule to implement RSPEC-4507
Since it's implemented, rules S1442 (#1078) and S1525 (#1418) should be deprecated (#1182)

Code examples:
https://github.com/SonarSource/security-expected-issues/tree/master/javascript/rules/hotspots/RSPEC-4507

We should report on usages of errorhandler middleware in production environment.

const errorhandler = require('errorhandler');
if (process.env.NODE_ENV === 'development') {
  // only use in development
  app.use(errorhandler()); // Compliant
}
app2.use(errorhandler()); // Noncompliant

Simple way to do it is to raise when errorhandler is used outside of any if statement.
A more sophisticated logic could be in addition to check that condition expression involves process.env.NODE_ENV.
@vilchik-elena vilchik-elena changed the title Deprecate S1442 and S1525 in favor of S4507 Rule S4507: Delivering code in production with debug features activated is security-sensitive (deprecate S1442 and S1525) Mar 18, 2020
@vilchik-elena vilchik-elena changed the title Rule S4507: Delivering code in production with debug features activated is security-sensitive (deprecate S1442 and S1525) Rule S4507: Delivering code in production with debug features activated is security-sensitive (deprecates S1442 and S1525) Mar 18, 2020
@vilchik-elena vilchik-elena removed the rule label Jul 1, 2020
@agigleux
Copy link
Member

This rule should also raise an issue when sequelize is configured to log (which is the default):

var sequelize = new Sequelize(config.database, config.username, config.password, { host: config.host, dialect: config.dialect });

In this configuration sequelize is logging, so sharing debugging information.
It's safer to turn that feature off for prod.

logging: false

@saberduck saberduck added this to the 6.4 milestone Aug 3, 2020
@vilchik-elena vilchik-elena self-assigned this Aug 10, 2020
@vilchik-elena vilchik-elena mentioned this issue Aug 11, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vilchik-elena vilchik-elena

Labels
None yet
Projects
None yet
Milestone
6.4
Development

Successfully merging a pull request may close this issue.

Rule S4507: debug features activated in production (deprecate S1442 and S1525) SonarSource/SonarJS
4 participants
@saberduck @agigleux @vilchik-elena @eric-therond-sonarsource