@appland/scanner 1.33.1 → 1.33.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/built/analyzer/secretsRegexes.js +4 -0
- package/built/analyzer/secretsRegexes.js.map +1 -1
- package/built/rules/insecureCompare.js +5 -14
- package/built/rules/insecureCompare.js.map +1 -1
- package/built/rules/secretInLog.js +98 -28
- package/built/rules/secretInLog.js.map +1 -1
- package/package.json +1 -1
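--- a/package/built/analyzer/secretsRegexes.js
+++ b/package/built/analyzer/secretsRegexes.js
@@ -1,5 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.looksSecret = void 0;
 var fs_1 = require("fs");
 var path_1 = require("path");
 var regexData = JSON.parse((0, fs_1.readFileSync)((0, path_1.join)(__dirname, 'secretsRegexesData.json')).toString());
@@ -9,5 +10,8 @@ var REGEXES = Object.keys(regexData).reduce(function (memo, key) {
 memo[key] = regexes.map(function (regex) { return new RegExp(regex); });
 return memo;
 }, {});
+var AnySecretRE = new RegExp('(?:' + Object.values(regexData).flat().join(')|(?:') + ')');
+// Check if a string contains any defined secret regex
+exports.looksSecret = AnySecretRE.test.bind(AnySecretRE);
 exports.default = REGEXES;
 //# sourceMappingURL=secretsRegexes.js.map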
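Review bot: `AnySecretRE` (new line 13) is built by joining the raw pattern sources, so if `secretsRegexesData.json` defines no patterns the expression collapses to `(?:)` and `looksSecret` reports every string as a secret; likewise any source that uses a numbered backreference would be renumbered once concatenated after other groups, which cannot be ruled out from this page. A guard such as `var sources = Object.values(regexData).flat();` / `var AnySecretRE = sources.length > 0 ? new RegExp('(?:' + sources.join(')|(?:') + ')') : /(?!)/;` keeps the catch-all false for an empty data file. The comment on line 14 would be more useful as `// Fast pre-filter: true if any pattern in secretsRegexesData.json matches; callers use the default export (REGEXES) to find which one`. Since this file is compiled output (the sourcemap names `src/analyzer/secretsRegexes.ts`), both changes belong in the TypeScript source.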
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secretsRegexes.js","sourceRoot":"","sources":["../../src/analyzer/secretsRegexes.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"secretsRegexes.js","sourceRoot":"","sources":["../../src/analyzer/secretsRegexes.ts"],"names":[],"mappings":";;;AAAA,yBAAkC;AAClC,6BAA4B;AAI5B,IAAM,SAAS,GAAyC,IAAI,CAAC,KAAK,CAChE,IAAA,iBAAY,EAAC,IAAA,WAAI,EAAC,SAAS,EAAE,yBAAyB,CAAC,CAAC,CAAC,QAAQ,EAAE,CACpE,CAAC;AAEF,IAAM,OAAO,GAAgC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,UAAC,IAAI,EAAE,GAAG;IACnF,IAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IACvD,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,UAAC,KAAK,IAAK,OAAA,IAAI,MAAM,CAAC,KAAK,CAAC,EAAjB,CAAiB,CAAC,CAAC;IACtD,OAAO,IAAI,CAAC;AACd,CAAC,EAAE,EAAiC,CAAC,CAAC;AAEtC,IAAM,WAAW,GAAG,IAAI,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC;AAE5F,sDAAsD;AACzC,QAAA,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;AAE9D,kBAAe,OAAO,CAAC"}
|
|
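--- a/package/built/rules/insecureCompare.js
+++ b/package/built/rules/insecureCompare.js
@@ -4,38 +4,29 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 var recordSecrets_1 = __importDefault(require("../analyzer/recordSecrets"));
-var secretsRegexes_1 =
+var secretsRegexes_1 = require("../analyzer/secretsRegexes");
 var BCRYPT_REGEXP = /^[$]2[abxy]?[$](?:0[4-9]|[12][0-9]|3[01])[$][./0-9a-zA-Z]{53}$/;
 var secrets = new Set();
 function stringEquals(e) {
 if (!e.parameters || !e.receiver || e.parameters.length !== 1) {
-return;
+return false;
 }
 var args = [e.receiver.value, e.parameters[0].value];
 function isBcrypt(str) {
 return BCRYPT_REGEXP.test(str);
 }
 function isSecret(str) {
-
-return true;
-}
-return !!Object.keys(secretsRegexes_1.default).find(function (key) { return !!secretsRegexes_1.default[key].find(function (re) { return re.test(str); }); });
+return secrets.has(str) || (0, secretsRegexes_1.looksSecret)(str);
 }
 // BCrypted strings are safe to compare using equals()
-
-return;
-}
-if (!args.every(isSecret)) {
-return;
-}
-return true;
+return args.some(isSecret) && !args.some(isBcrypt);
 }
 function build() {
 function matcher(e) {
 if (e.codeObject.labels.has(Secret)) {
 (0, recordSecrets_1.default)(secrets, e);
 }
-if (e.
+if (e.codeObject.labels.has(StringEquals)) {
 return stringEquals(e);
 }
 }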
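Review bot: `isSecret` (new line 19) and the final expression on line 22 carry no comment explaining the new two-tier check or why the rule now fires when only one operand is a secret (`args.some(isSecret)`) where the removed line 28 required both (`args.every`); a maintainer reading this output cannot tell whether that widening was intended. Suggest, above line 22, `// Flag when either operand is a recorded secret or merely looks like one (heuristic catch-all), unless either side is a bcrypt hash, which is safe to compare with equals()`. Because `looksSecret` is a regex heuristic, the rule can now report comparisons of values that only resemble secrets; that trade-off is worth stating in the rule's documentation. The comment belongs in `src/rules/insecureCompare.ts`, which the sourcemap names as the source of this generated file. The enclosing `build` function continues past the hunk.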
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"insecureCompare.js","sourceRoot":"","sources":["../../src/rules/insecureCompare.ts"],"names":[],"mappings":";;;;;AACA,4EAAsD;AACtD,
|
|
1
|
+
{"version":3,"file":"insecureCompare.js","sourceRoot":"","sources":["../../src/rules/insecureCompare.ts"],"names":[],"mappings":";;;;;AACA,4EAAsD;AACtD,6DAAyD;AAGzD,IAAM,aAAa,GAAG,gEAAgE,CAAC;AAEvF,IAAM,OAAO,GAAgB,IAAI,GAAG,EAAE,CAAC;AAEvC,SAAS,YAAY,CAAC,CAAQ;IAC5B,IAAI,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,UAAW,CAAC,MAAM,KAAK,CAAC,EAAE;QAC9D,OAAO,KAAK,CAAC;KACd;IAED,IAAM,IAAI,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAEvD,SAAS,QAAQ,CAAC,GAAW;QAC3B,OAAO,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAED,SAAS,QAAQ,CAAC,GAAW;QAC3B,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAA,4BAAW,EAAC,GAAG,CAAC,CAAC;IAC9C,CAAC;IAED,sDAAsD;IACtD,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,CAAQ;QACvB,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE;YACnC,IAAA,uBAAa,EAAC,OAAO,EAAE,CAAC,CAAC,CAAC;SAC3B;QACD,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE;YACzC,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;SACxB;IACH,CAAC;IAED,SAAS,KAAK,CAAC,CAAQ;QACrB,OAAO,CACL,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAC3F,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,SAAA;QACP,KAAK,OAAA;KACN,CAAC;AACJ,CAAC;AAED,IAAM,MAAM,GAAG,QAAQ,CAAC;AACxB,IAAM,YAAY,GAAG,eAAe,CAAC;AAErC,kBAAe;IACb,EAAE,EAAE,kBAAkB;IACtB,KAAK,EAAE,gCAAgC;IACvC,MAAM,EAAE,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,cAAc,EAAE,IAAI;IACpB,KAAK,OAAA;CACE,CAAC"}
|
|
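--- a/package/built/rules/secretInLog.js
+++ b/package/built/rules/secretInLog.js
@@ -1,9 +1,64 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+__setModuleDefault(result, mod);
+return result;
+};
+var __read = (this && this.__read) || function (o, n) {
+var m = typeof Symbol === "function" && o[Symbol.iterator];
+if (!m) return o;
+var i = m.call(o), r, ar = [], e;
+try {
+while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
+}
+catch (error) { e = { error: error }; }
+finally {
+try {
+if (r && !r.done && (m = i["return"])) m.call(i);
+}
+finally { if (e) throw e.error; }
+}
+return ar;
+};
+var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
+if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
+if (ar || !(i in from)) {
+if (!ar) ar = Array.prototype.slice.call(from, 0, i);
+ar[i] = from[i];
+}
+}
+return to.concat(ar || Array.prototype.slice.call(from));
+};
+var __values = (this && this.__values) || function(o) {
+var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
+if (m) return m.call(o);
+if (o && typeof o.length === "number") return {
+next: function () {
+if (o && i >= o.length) o = void 0;
+return { value: o && o[i++], done: !o };
+}
+};
+throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
+};
 var __importDefault = (this && this.__importDefault) || function (mod) {
 return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-var secretsRegexes_1 =
+var secretsRegexes_1 = __importStar(require("../analyzer/secretsRegexes"));
 var util_1 = require("./util");
 var recordSecrets_1 = __importDefault(require("../analyzer/recordSecrets"));
 var Match = /** @class */ (function () {
@@ -14,34 +69,49 @@ var Match = /** @class */ (function () {
 return Match;
 }());
 var secrets = new Set();
-var
+var findInLog = function (parameters) {
+var e_1, _a;
 var matches = [];
-
-
-
-
-
-
-
-
-
-
-
-
-var
-
-
-
-
-
-
-
-
-
-matches.push(new Match(secret, value));
+var _loop_1 = function (value) {
+var e_2, _b;
+if ((0, util_1.emptyValue)(value))
+return "continue";
+var patterns = [];
+if ((0, secretsRegexes_1.looksSecret)(value)) {
+// Only look for the exact matching regexes if it matches the catchall regex
+patterns.push.apply(patterns, __spreadArray([], __read(Object.values(secretsRegexes_1.default)
+.flat()
+.filter(function (re) { return re.test(value); })), false));
+}
+try {
+for (var secrets_1 = (e_2 = void 0, __values(secrets)), secrets_1_1 = secrets_1.next(); !secrets_1_1.done; secrets_1_1 = secrets_1.next()) {
+var secret = secrets_1_1.value;
+if (value.includes(secret))
+patterns.push(secret);
+}
+}
+catch (e_2_1) { e_2 = { error: e_2_1 }; }
+finally {
+try {
+if (secrets_1_1 && !secrets_1_1.done && (_b = secrets_1.return)) _b.call(secrets_1);
 }
-
-
+finally { if (e_2) throw e_2.error; }
+}
+matches.push.apply(matches, __spreadArray([], __read(patterns.map(function (pattern) { return new Match(pattern, value); })), false));
+};
+try {
+for (var parameters_1 = __values(parameters), parameters_1_1 = parameters_1.next(); !parameters_1_1.done; parameters_1_1 = parameters_1.next()) {
+var value = parameters_1_1.value.value;
+_loop_1(value);
+}
+}
+catch (e_1_1) { e_1 = { error: e_1_1 }; }
+finally {
+try {
+if (parameters_1_1 && !parameters_1_1.done && (_a = parameters_1.return)) _a.call(parameters_1);
+}
+finally { if (e_1) throw e_1.error; }
+}
 if (matches.length > 0) {
 return matches.map(function (match) { return ({
 level: 'error',
@@ -56,7 +126,7 @@ function build() {
 (0, recordSecrets_1.default)(secrets, e);
 }
 if (e.parameters && e.codeObject.labels.has(Log)) {
-return findInLog(e);
+return findInLog(e.parameters);
 }
 },
 where: function (e) {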
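Review bot: `value.includes(secret)` on new line 89 assumes `value` (taken from `parameters_1_1.value.value` on line 104) is a string; the only filter before it is `emptyValue(value)` on line 77, whose definition is outside this page, so a numeric or object parameter value would throw a TypeError inside the matcher unless `emptyValue` already rejects non-strings. A guard `if (typeof value === 'string' && value.includes(secret))` makes the loop safe either way. The two branches on lines 80–91 push into the same `patterns` array independently, so a recorded secret that also matches one of the regexes yields two `Match` entries for the same value; de-duplicating `patterns` before line 100 avoids double findings. `new Match(pattern, value)` on line 100 stores the logged value itself, so the message assembled after line 117 (outside this hunk) should avoid echoing it verbatim in scanner output, if it currently does. `findInLog`'s `matches.map` continues past the hunk.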
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secretInLog.js","sourceRoot":"","sources":["../../src/rules/secretInLog.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"secretInLog.js","sourceRoot":"","sources":["../../src/rules/secretInLog.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEA,2EAAyE;AACzE,+BAAoC;AACpC,4EAAsD;AAEtD;IACE,eAAmB,MAAuB,EAAS,KAAa;QAA7C,WAAM,GAAN,MAAM,CAAiB;QAAS,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IACtE,YAAC;AAAD,CAAC,AAFD,IAEC;AAED,IAAM,OAAO,GAAgB,IAAI,GAAG,EAAE,CAAC;AAEvC,IAAM,SAAS,GAAG,UAAC,UAAsC;;IACvD,IAAM,OAAO,GAAY,EAAE,CAAC;4BAEf,KAAK;;QAChB,IAAI,IAAA,iBAAU,EAAC,KAAK,CAAC;8BAAW;QAEhC,IAAM,QAAQ,GAAwB,EAAE,CAAC;QAEzC,IAAI,IAAA,4BAAW,EAAC,KAAK,CAAC,EAAE;YACtB,4EAA4E;YAC5E,QAAQ,CAAC,IAAI,OAAb,QAAQ,2BACH,MAAM,CAAC,MAAM,CAAC,wBAAc,CAAC;iBAC7B,IAAI,EAAE;iBACN,MAAM,CAAC,UAAC,EAAE,IAAK,OAAA,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,EAAd,CAAc,CAAC,WACjC;SACH;;YAED,KAAqB,IAAA,2BAAA,SAAA,OAAO,CAAA,CAAA,gCAAA,qDAAE;gBAAzB,IAAM,MAAM,oBAAA;gBACf,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;aACnD;;;;;;;;;QAED,OAAO,CAAC,IAAI,OAAZ,OAAO,2BAAS,QAAQ,CAAC,GAAG,CAAC,UAAC,OAAO,IAAK,OAAA,IAAI,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,EAAzB,CAAyB,CAAC,WAAE;;;QAlBxE,KAAwB,IAAA,eAAA,SAAA,UAAU,CAAA,sCAAA;YAArB,IAAA,KAAK,6BAAA;oBAAL,KAAK;SAmBjB;;;;;;;;;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE;QACtB,OAAO,OAAO,CAAC,GAAG,CAAC,UAAC,KAAK,IAAK,OAAA,CAAC;YAC7B,KAAK,EAAE,OAAO;YACd,OAAO,EAAK,KAAK,CAAC,KAAK,yBAAoB,KAAK,CAAC,MAAQ;SAC1D,CAAC,EAH4B,CAG5B,CAAC,CAAC;KACL;AACH,CAAC,CAAC;AAEF,SAAS,KAAK;IACZ,OAAO;QACL,OAAO,EAAE,UAAC,CAAC;YACT,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE;gBACnC,IAAA,uBAAa,EAAC,OAAO,EAAE,CAAC,CAAC,CAAC;aAC3B;YACD,IAAI,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE;gBAChD,OAAO,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;aAChC;QACH,CAAC;QACD,KAAK,EAAE,UAAC,CAAC;YACP,OAAO,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACzE,CAAC;KACF,CAAC;AACJ,CAAC;AAED,IAAM,MAAM,GAAG,QAAQ,CAAC;AACxB,IAAM,GAAG,GAAG,KAAK,CAAC;AAElB,kBAAe;IACb,EAAE,EAAE,eAAe;IACnB,KAAK,EAAE,eAAe;I
ACtB,MAAM,EAAE,CAAC,MAAM,EAAE,GAAG,CAAC;IACrB,cAAc,EAAE,IAAI;IACpB,KAAK,OAAA;CACE,CAAC"}
|