@appland/scanner 1.34.1 → 1.36.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/built/cli/scan.js +46 -2
- package/built/cli/scan.js.map +1 -1
- package/built/integration/appland/upload.js +1 -1
- package/built/integration/appland/upload.js.map +1 -1
- package/built/rules/authzBeforeAuthn.js +1 -2
- package/built/rules/authzBeforeAuthn.js.map +1 -1
- package/built/rules/deserializationOfUntrustedData.js +157 -0
- package/built/rules/deserializationOfUntrustedData.js.map +1 -0
- package/built/rules/http500.js +1 -1
- package/built/rules/illegalPackageDependency.js +1 -0
- package/built/rules/illegalPackageDependency.js.map +1 -1
- package/built/rules/logoutWithoutSessionReset.js +85 -0
- package/built/rules/logoutWithoutSessionReset.js.map +1 -0
- package/built/rules/tooManyUpdates.js +4 -0
- package/built/rules/tooManyUpdates.js.map +1 -1
- package/built/sampleConfig/default.yml +21 -14
- package/package.json +3 -3
package/built/cli/scan.js
CHANGED
|
@@ -35,6 +35,31 @@ var __generator = (this && this.__generator) || function (thisArg, body) {
|
|
|
35
35
|
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
|
|
36
36
|
}
|
|
37
37
|
};
|
|
38
|
+
var __read = (this && this.__read) || function (o, n) {
|
|
39
|
+
var m = typeof Symbol === "function" && o[Symbol.iterator];
|
|
40
|
+
if (!m) return o;
|
|
41
|
+
var i = m.call(o), r, ar = [], e;
|
|
42
|
+
try {
|
|
43
|
+
while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
|
|
44
|
+
}
|
|
45
|
+
catch (error) { e = { error: error }; }
|
|
46
|
+
finally {
|
|
47
|
+
try {
|
|
48
|
+
if (r && !r.done && (m = i["return"])) m.call(i);
|
|
49
|
+
}
|
|
50
|
+
finally { if (e) throw e.error; }
|
|
51
|
+
}
|
|
52
|
+
return ar;
|
|
53
|
+
};
|
|
54
|
+
var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
|
|
55
|
+
if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
|
|
56
|
+
if (ar || !(i in from)) {
|
|
57
|
+
if (!ar) ar = Array.prototype.slice.call(from, 0, i);
|
|
58
|
+
ar[i] = from[i];
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
return to.concat(ar || Array.prototype.slice.call(from));
|
|
62
|
+
};
|
|
38
63
|
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
39
64
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
40
65
|
};
|
|
@@ -43,6 +68,25 @@ var promises_1 = require("fs/promises");
|
|
|
43
68
|
var models_1 = require("@appland/models");
|
|
44
69
|
var ruleChecker_1 = __importDefault(require("../ruleChecker"));
|
|
45
70
|
var progressReporter_1 = __importDefault(require("./progressReporter"));
|
|
71
|
+
function batch(items, size, process) {
|
|
72
|
+
return __awaiter(this, void 0, void 0, function () {
|
|
73
|
+
var left;
|
|
74
|
+
return __generator(this, function (_a) {
|
|
75
|
+
switch (_a.label) {
|
|
76
|
+
case 0:
|
|
77
|
+
left = __spreadArray([], __read(items), false);
|
|
78
|
+
_a.label = 1;
|
|
79
|
+
case 1:
|
|
80
|
+
if (!left.length) return [3 /*break*/, 3];
|
|
81
|
+
return [4 /*yield*/, Promise.all(left.splice(0, size).map(process))];
|
|
82
|
+
case 2:
|
|
83
|
+
_a.sent();
|
|
84
|
+
return [3 /*break*/, 1];
|
|
85
|
+
case 3: return [2 /*return*/];
|
|
86
|
+
}
|
|
87
|
+
});
|
|
88
|
+
});
|
|
89
|
+
}
|
|
46
90
|
function scan(files, checks) {
|
|
47
91
|
return __awaiter(this, void 0, void 0, function () {
|
|
48
92
|
var checker, appMapMetadata, findings;
|
|
@@ -53,7 +97,7 @@ function scan(files, checks) {
|
|
|
53
97
|
checker = new ruleChecker_1.default();
|
|
54
98
|
appMapMetadata = {};
|
|
55
99
|
findings = [];
|
|
56
|
-
return [4 /*yield*/,
|
|
100
|
+
return [4 /*yield*/, batch(files, 2, function (file) { return __awaiter(_this, void 0, void 0, function () {
|
|
57
101
|
var appMapData, appMap;
|
|
58
102
|
var _this = this;
|
|
59
103
|
return __generator(this, function (_a) {
|
|
@@ -91,7 +135,7 @@ function scan(files, checks) {
|
|
|
91
135
|
return [2 /*return*/];
|
|
92
136
|
}
|
|
93
137
|
});
|
|
94
|
-
}); })
|
|
138
|
+
}); })];
|
|
95
139
|
case 1:
|
|
96
140
|
_a.sent();
|
|
97
141
|
return [2 /*return*/, { appMapMetadata: appMapMetadata, findings: findings }];
|
package/built/cli/scan.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/cli/scan.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/cli/scan.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wCAAuC;AACvC,0CAAwD;AAGxD,+DAAyC;AAGzC,wEAAkD;AAOlD,SAAe,KAAK,CAClB,KAAmB,EACnB,IAAY,EACZ,OAAmD;;;;;;oBAE7C,IAAI,4BAAO,KAAK,SAAC,CAAC;;;yBACjB,IAAI,CAAC,MAAM;oBAAE,qBAAM,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,EAAA;;oBAApD,SAAoD,CAAC;;;;;;CAC1E;AAED,SAA8B,IAAI,CAAC,KAAe,EAAE,MAAe;;;;;;;oBAC3D,OAAO,GAAG,IAAI,qBAAW,EAAE,CAAC;oBAC5B,cAAc,GAA6B,EAAE,CAAC;oBAC9C,QAAQ,GAAc,EAAE,CAAC;oBAE/B,qBAAM,KAAK,CAAC,KAAK,EAAE,CAAC,EAAE,UAAO,IAAY;;;;;;wCACvC,2DAA2D;wCAC3D,+FAA+F;wCAC/F,6BAA6B;wCAC7B,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE;4CAC5C,sBAAO,IAAI,EAAC;yCACb;wCACkB,qBAAM,IAAA,mBAAQ,EAAC,IAAI,EAAE,MAAM,CAAC,EAAA;;wCAAzC,UAAU,GAAG,SAA4B;wCACzC,MAAM,GAAG,IAAA,oBAAW,EAAC,UAAU,CAAC,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,CAAC;wCAC3D,cAAc,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC;wCAEvC,qBAAM,OAAO,CAAC,GAAG,CACf,MAAM,CAAC,GAAG,CAAC,UAAO,KAAK;;;;;4DACf,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC;4DACnC,qBAAM,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAA;;4DAAlD,SAAkD,CAAC;4DAC7C,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;4DAC/D,UAAU,CAAC,OAAO,CAAC,UAAC,KAAK,IAAK,OAAA,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,EAAzB,CAAyB,CAAC,CAAC;4DACzD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,0BAAgB,EAAC,UAAU,CAAC,CAAC,CAAC;;;;iDACpD,CAAC,CACH,EAAA;;wCARD,SAQC,CAAC;;;;6BACH,CAAC,EAAA;;oBApBF,SAoBE,CAAC;oBAEH,sBAAO,EAAE,cAAc,gBAAA,EAAE,QAAQ,UAAA,EAAE,EAAC;;;;CACrC;AA5BD,uBA4BC"}
|
|
@@ -157,7 +157,7 @@ function default_1(scanResults, appId) {
|
|
|
157
157
|
finally { if (e_1) throw e_1.error; }
|
|
158
158
|
return [7 /*endfinally*/];
|
|
159
159
|
case 8:
|
|
160
|
-
tarStream.entry({ name: 'app.scanner.json' }, JSON.stringify({ findings: clonedFindings }));
|
|
160
|
+
tarStream.entry({ name: 'app.scanner.json' }, JSON.stringify(__assign(__assign({}, scanResults), { findings: clonedFindings })));
|
|
161
161
|
tarStream.finalize();
|
|
162
162
|
gzip = (0, zlib_1.createGzip)();
|
|
163
163
|
tarStream.pipe(gzip);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"upload.js","sourceRoot":"","sources":["../../../src/integration/appland/upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,yCAAkC;AAClC,yBAAoC;AACpC,iCAAoC;AACpC,wDAAiC;AACjC,6BAAkC;AAClC,0CAA8C;AAC9C,gDAAqE;AAGrE,2BAA0B;AAE1B,mBAA+B,WAAwB,EAAE,KAAa;;;;;;;oBAC9D,mBAAmB,GAA8B,EAAE,CAAC;oBAClD,QAAQ,GAAK,WAAW,SAAhB,CAAiB;;wBACjC,KAAsB,aAAA,SAAA,QAAQ,CAAA,0FAAE;4BAArB,OAAO;4BAChB,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE;gCACvB,SAAS;6BACV;4BAEK,IAAI,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;4BAC3E,mBAAmB,CAAC,OAAO,CAAC,UAAU,CAAC,GAAM,IAAI,iBAAc,CAAC;yBACjE;;;;;;;;;oBAEK,cAAc,GAAG,QAAQ,CAAC,GAAG,CAAC,UAAC,OAAO;wBAC1C,IAAM,KAAK,gBAAQ,OAAO,CAAE,CAAC;wBAC7B,IAAI,KAAK,CAAC,UAAU,EAAE;4BACpB,KAAK,CAAC,UAAU,GAAG,mBAAmB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;yBAC1D;wBACD,OAAO,KAAK,CAAC;oBACf,CAAC,CAAC,CAAC;oBAEG,iBAAiB,GAAG,yBACrB,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAC,CAAC,IAAK,OAAA,CAAC,CAAC,UAAU,EAAZ,CAAY,CAAC,CAAC,GAAG,CAAC,UAAC,CAAC,IAAK,OAAA,CAAC,CAAC,UAAU,EAAZ,CAAY,CAAC,CAAC,SAC9D,CAAC;oBACR,SAAS,GAAG,IAAA,iBAAI,GAAE,CAAC;;;;oBAEF,sBAAA,SAAA,iBAAiB,CAAA;;;;oBAA7B,QAAQ;oBACF,qBAAM,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAA;;oBAApC,MAAM,GAAG,SAA2B;oBAE1C,SAAS,CAAC,KAAK,CACb,EAAE,IAAI,EAAE,mBAAmB,CAAC,QAAQ,CAAC,EAAE,EACvC,IAAI,CAAC,SAAS,CAAC,IAAA,oBAAW,EAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,CAAC,CAC5E,CAAC;;;;;;;;;;;;;;;;;oBAGJ,SAAS,CAAC,KAAK,
|
|
1
|
+
{"version":3,"file":"upload.js","sourceRoot":"","sources":["../../../src/integration/appland/upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,yCAAkC;AAClC,yBAAoC;AACpC,iCAAoC;AACpC,wDAAiC;AACjC,6BAAkC;AAClC,0CAA8C;AAC9C,gDAAqE;AAGrE,2BAA0B;AAE1B,mBAA+B,WAAwB,EAAE,KAAa;;;;;;;oBAC9D,mBAAmB,GAA8B,EAAE,CAAC;oBAClD,QAAQ,GAAK,WAAW,SAAhB,CAAiB;;wBACjC,KAAsB,aAAA,SAAA,QAAQ,CAAA,0FAAE;4BAArB,OAAO;4BAChB,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE;gCACvB,SAAS;6BACV;4BAEK,IAAI,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;4BAC3E,mBAAmB,CAAC,OAAO,CAAC,UAAU,CAAC,GAAM,IAAI,iBAAc,CAAC;yBACjE;;;;;;;;;oBAEK,cAAc,GAAG,QAAQ,CAAC,GAAG,CAAC,UAAC,OAAO;wBAC1C,IAAM,KAAK,gBAAQ,OAAO,CAAE,CAAC;wBAC7B,IAAI,KAAK,CAAC,UAAU,EAAE;4BACpB,KAAK,CAAC,UAAU,GAAG,mBAAmB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;yBAC1D;wBACD,OAAO,KAAK,CAAC;oBACf,CAAC,CAAC,CAAC;oBAEG,iBAAiB,GAAG,yBACrB,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAC,CAAC,IAAK,OAAA,CAAC,CAAC,UAAU,EAAZ,CAAY,CAAC,CAAC,GAAG,CAAC,UAAC,CAAC,IAAK,OAAA,CAAC,CAAC,UAAU,EAAZ,CAAY,CAAC,CAAC,SAC9D,CAAC;oBACR,SAAS,GAAG,IAAA,iBAAI,GAAE,CAAC;;;;oBAEF,sBAAA,SAAA,iBAAiB,CAAA;;;;oBAA7B,QAAQ;oBACF,qBAAM,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAA;;oBAApC,MAAM,GAAG,SAA2B;oBAE1C,SAAS,CAAC,KAAK,CACb,EAAE,IAAI,EAAE,mBAAmB,CAAC,QAAQ,CAAC,EAAE,EACvC,IAAI,CAAC,SAAS,CAAC,IAAA,oBAAW,EAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,CAAC,CAC5E,CAAC;;;;;;;;;;;;;;;;;oBAGJ,SAAS,CAAC,KAAK,CACb,EAAE,IAAI,EAAE,kBAAkB,EAAE,EAC5B,IAAI,CAAC,SAAS,uBAAM,WAAW,GAAK,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAG,CACpE,CAAC;oBACF,SAAS,CAAC,QAAQ,EAAE,CAAC;oBAEf,IAAI,GAAG,IAAA,iBAAU,GAAE,CAAC;oBAC1B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAEf,IAAI,GAAG,IAAI,mBAAQ,EAAE,CAAC;oBAC5B,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;oBACnD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;oBAE7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAsC,KAAK,QAAK,CAAC,CAAC;oBACvD,qBAAM,IAAA,kBAAY,EAAC,kBAAkB,CAAC,EAAA;;oBAAhD,OAAO,GAAG,SAAsC;oBACtD,sBAAO,IAAI,OAAO,CAAkB,UAAC,OAAO,EAAE,MAAM;4BAClD,IAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CACjC,OAAO,CAAC,GAAG,EACX;gCACE,MAAM,EAAE,MAAM;gCACd,OAAO,wBACF,OAAO,CAAC,OAAO,GACf,IAAI,CAAC,UAAU,EAAE,CACrB;6BACF,EACD,OAAO,CACR,CAAC;4BACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;4BACxB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;wBACjB,CAAC,CAAC;6BACC,IAAI,CAAC,iBAAW,CAAC;6BACjB,IAAI,CAAC,UAAC,QAAyB;4BAC9B,IAAI,OAAO,GAAG,cAAY,WAAW,CAAC,QAAQ,CAAC,MAAM,cAAW,CAAC;4BACjE,IAAI,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE;gCAC7B,IAAM,SAAS,GAAG,IAAI,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gCACvE,OAAO,IAAI,SAAO,SAAW,CAAC;6BAC/B;4BACD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;wBACvB,CAAC,CAAC,EAAC;;;;CACN;AAzED,4BAyEC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authzBeforeAuthn.js","sourceRoot":"","sources":["../../src/rules/authzBeforeAuthn.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,0CAAwD;AACxD,mCAA8D;AAE9D,2BAA0B;AAE1B,SAAS,sBAAsB,CAAC,MAAiC;;;QAC/D,KAAmB,IAAA,WAAA,SAAA,MAAM,CAAA,8BAAA,kDAAE;YAAtB,IAAM,IAAI,mBAAA;YACb,IAAI,IAAA,6BAAsB,EAAC,IAAI,CAAC,KAAK,EAAE,sBAAsB,CAAC,EAAE;gBAC9D,OAAO,IAAI,CAAC;aACb;SACF;;;;;;;;;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,SAAgB;;;YAC/B,KAAoB,IAAA,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA,gBAAA,4BAAE;gBAA5D,IAAM,KAAK,WAAA;gBACd,IAAI,IAAA,6BAAsB,EAAC,KAAK,CAAC,KAAK,EAAE,sBAAsB,CAAC,EAAE;oBAC/D,OAAO;iBACR;gBACD,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,IAAA,eAAQ,EAAC,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE;oBACtF,6FAA6F;oBAC7F,IAAI,sBAAsB,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE;wBAC/C,OAAO;qBACR;yBAAM;wBACL,OAAO;4BACL;gCACE,KAAK,EAAE,OAAO;gCACd,KAAK,EAAE,
|
|
1
|
+
{"version":3,"file":"authzBeforeAuthn.js","sourceRoot":"","sources":["../../src/rules/authzBeforeAuthn.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,0CAAwD;AACxD,mCAA8D;AAE9D,2BAA0B;AAE1B,SAAS,sBAAsB,CAAC,MAAiC;;;QAC/D,KAAmB,IAAA,WAAA,SAAA,MAAM,CAAA,8BAAA,kDAAE;YAAtB,IAAM,IAAI,mBAAA;YACb,IAAI,IAAA,6BAAsB,EAAC,IAAI,CAAC,KAAK,EAAE,sBAAsB,CAAC,EAAE;gBAC9D,OAAO,IAAI,CAAC;aACb;SACF;;;;;;;;;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,SAAgB;;;YAC/B,KAAoB,IAAA,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA,gBAAA,4BAAE;gBAA5D,IAAM,KAAK,WAAA;gBACd,IAAI,IAAA,6BAAsB,EAAC,KAAK,CAAC,KAAK,EAAE,sBAAsB,CAAC,EAAE;oBAC/D,OAAO;iBACR;gBACD,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,IAAA,eAAQ,EAAC,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE;oBACtF,6FAA6F;oBAC7F,IAAI,sBAAsB,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE;wBAC/C,OAAO;qBACR;yBAAM;wBACL,OAAO;4BACL;gCACE,KAAK,EAAE,OAAO;gCACd,KAAK,EAAE,KAAK,CAAC,KAAK;gCAClB,OAAO,EAAK,KAAK,CAAC,KAAK,kEAA+D;6BACvF;yBACF,CAAC;qBACH;iBACF;aACF;;;;;;;;;IACH,CAAC;IAED,OAAO,EAAE,OAAO,SAAA,EAAE,CAAC;AACrB,CAAC;AAED,IAAM,sBAAsB,GAAG,yBAAyB,CAAC;AACzD,IAAM,qBAAqB,GAAG,wBAAwB,CAAC;AAEvD,kBAAe;IACb,EAAE,EAAE,oBAAoB;IACxB,KAAK,EAAE,+CAA+C;IACtD,MAAM,EAAE,CAAC,qBAAqB,EAAE,sBAAsB,CAAC;IACvD,KAAK,EAAE,qBAAkC;IACzC,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE;QACV,SAAS,EAAE,IAAI,SAAG,CAAC,iDAAiD,CAAC;KACtE;IACD,KAAK,OAAA;CACE,CAAC"}
|
|
@@ -0,0 +1,157 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __generator = (this && this.__generator) || function (thisArg, body) {
|
|
3
|
+
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
|
|
4
|
+
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
|
|
5
|
+
function verb(n) { return function (v) { return step([n, v]); }; }
|
|
6
|
+
function step(op) {
|
|
7
|
+
if (f) throw new TypeError("Generator is already executing.");
|
|
8
|
+
while (_) try {
|
|
9
|
+
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
|
|
10
|
+
if (y = 0, t) op = [op[0] & 2, t.value];
|
|
11
|
+
switch (op[0]) {
|
|
12
|
+
case 0: case 1: t = op; break;
|
|
13
|
+
case 4: _.label++; return { value: op[1], done: false };
|
|
14
|
+
case 5: _.label++; y = op[1]; op = [0]; continue;
|
|
15
|
+
case 7: op = _.ops.pop(); _.trys.pop(); continue;
|
|
16
|
+
default:
|
|
17
|
+
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
|
|
18
|
+
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
|
|
19
|
+
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
|
|
20
|
+
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
|
|
21
|
+
if (t[2]) _.ops.pop();
|
|
22
|
+
_.trys.pop(); continue;
|
|
23
|
+
}
|
|
24
|
+
op = body.call(thisArg, _);
|
|
25
|
+
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
|
|
26
|
+
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
|
|
27
|
+
}
|
|
28
|
+
};
|
|
29
|
+
var __values = (this && this.__values) || function(o) {
|
|
30
|
+
var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
|
|
31
|
+
if (m) return m.call(o);
|
|
32
|
+
if (o && typeof o.length === "number") return {
|
|
33
|
+
next: function () {
|
|
34
|
+
if (o && i >= o.length) o = void 0;
|
|
35
|
+
return { value: o && o[i++], done: !o };
|
|
36
|
+
}
|
|
37
|
+
};
|
|
38
|
+
throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
|
|
39
|
+
};
|
|
40
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
41
|
+
var models_1 = require("@appland/models");
|
|
42
|
+
var url_1 = require("url");
|
|
43
|
+
function sanitizesData(event, objectId, label) {
|
|
44
|
+
return (event.labels.has(label) &&
|
|
45
|
+
!!event.returnValue &&
|
|
46
|
+
!!event.returnValue.object_id &&
|
|
47
|
+
event.returnValue.object_id === objectId);
|
|
48
|
+
}
|
|
49
|
+
function precedingEvents(rootEvent, target) {
|
|
50
|
+
var _a, _b, event, e_1_1;
|
|
51
|
+
var e_1, _c;
|
|
52
|
+
return __generator(this, function (_d) {
|
|
53
|
+
switch (_d.label) {
|
|
54
|
+
case 0:
|
|
55
|
+
_d.trys.push([0, 5, 6, 7]);
|
|
56
|
+
_a = __values(new models_1.EventNavigator(rootEvent).descendants()), _b = _a.next();
|
|
57
|
+
_d.label = 1;
|
|
58
|
+
case 1:
|
|
59
|
+
if (!!_b.done) return [3 /*break*/, 4];
|
|
60
|
+
event = _b.value;
|
|
61
|
+
if (event.event === target) {
|
|
62
|
+
return [3 /*break*/, 4];
|
|
63
|
+
}
|
|
64
|
+
return [4 /*yield*/, event];
|
|
65
|
+
case 2:
|
|
66
|
+
_d.sent();
|
|
67
|
+
_d.label = 3;
|
|
68
|
+
case 3:
|
|
69
|
+
_b = _a.next();
|
|
70
|
+
return [3 /*break*/, 1];
|
|
71
|
+
case 4: return [3 /*break*/, 7];
|
|
72
|
+
case 5:
|
|
73
|
+
e_1_1 = _d.sent();
|
|
74
|
+
e_1 = { error: e_1_1 };
|
|
75
|
+
return [3 /*break*/, 7];
|
|
76
|
+
case 6:
|
|
77
|
+
try {
|
|
78
|
+
if (_b && !_b.done && (_c = _a.return)) _c.call(_a);
|
|
79
|
+
}
|
|
80
|
+
finally { if (e_1) throw e_1.error; }
|
|
81
|
+
return [7 /*endfinally*/];
|
|
82
|
+
case 7: return [2 /*return*/];
|
|
83
|
+
}
|
|
84
|
+
});
|
|
85
|
+
}
|
|
86
|
+
function allArgumentsSanitized(rootEvent, event) {
|
|
87
|
+
return (event.parameters || [])
|
|
88
|
+
.filter(function (parameter) { return parameter.object_id; })
|
|
89
|
+
.every(function (parameter) {
|
|
90
|
+
var e_2, _a;
|
|
91
|
+
try {
|
|
92
|
+
for (var _b = __values(precedingEvents(rootEvent, event)), _c = _b.next(); !_c.done; _c = _b.next()) {
|
|
93
|
+
var candidate = _c.value;
|
|
94
|
+
if (sanitizesData(candidate.event, parameter.object_id, Sanitize)) {
|
|
95
|
+
return true;
|
|
96
|
+
}
|
|
97
|
+
}
|
|
98
|
+
}
|
|
99
|
+
catch (e_2_1) { e_2 = { error: e_2_1 }; }
|
|
100
|
+
finally {
|
|
101
|
+
try {
|
|
102
|
+
if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
|
|
103
|
+
}
|
|
104
|
+
finally { if (e_2) throw e_2.error; }
|
|
105
|
+
}
|
|
106
|
+
return false;
|
|
107
|
+
});
|
|
108
|
+
}
|
|
109
|
+
function build() {
|
|
110
|
+
function matcher(rootEvent) {
|
|
111
|
+
var e_3, _a;
|
|
112
|
+
try {
|
|
113
|
+
for (var _b = __values(new models_1.EventNavigator(rootEvent).descendants()), _c = _b.next(); !_c.done; _c = _b.next()) {
|
|
114
|
+
var event = _c.value;
|
|
115
|
+
if (event.event.labels.has(DeserializeUnsafe)) {
|
|
116
|
+
if (allArgumentsSanitized(rootEvent, event.event)) {
|
|
117
|
+
return;
|
|
118
|
+
}
|
|
119
|
+
else {
|
|
120
|
+
return [
|
|
121
|
+
{
|
|
122
|
+
level: 'error',
|
|
123
|
+
event: event.event,
|
|
124
|
+
message: event.event + " deserializes untrusted data",
|
|
125
|
+
},
|
|
126
|
+
];
|
|
127
|
+
}
|
|
128
|
+
}
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
catch (e_3_1) { e_3 = { error: e_3_1 }; }
|
|
132
|
+
finally {
|
|
133
|
+
try {
|
|
134
|
+
if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
|
|
135
|
+
}
|
|
136
|
+
finally { if (e_3) throw e_3.error; }
|
|
137
|
+
}
|
|
138
|
+
}
|
|
139
|
+
return {
|
|
140
|
+
matcher: matcher,
|
|
141
|
+
};
|
|
142
|
+
}
|
|
143
|
+
var DeserializeUnsafe = 'deserialize.unsafe';
|
|
144
|
+
var Sanitize = 'sanitize';
|
|
145
|
+
exports.default = {
|
|
146
|
+
id: 'deserialization-of-untrusted-data',
|
|
147
|
+
title: 'Deserialization of untrusted data',
|
|
148
|
+
labels: [DeserializeUnsafe, Sanitize],
|
|
149
|
+
impactDomain: 'Security',
|
|
150
|
+
enumerateScope: false,
|
|
151
|
+
references: {
|
|
152
|
+
'CWE-502': new url_1.URL('https://cwe.mitre.org/data/definitions/502.html'),
|
|
153
|
+
'Ruby Security': new url_1.URL('https://docs.ruby-lang.org/en/3.0/doc/security_rdoc.html'),
|
|
154
|
+
},
|
|
155
|
+
build: build,
|
|
156
|
+
};
|
|
157
|
+
//# sourceMappingURL=deserializationOfUntrustedData.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"deserializationOfUntrustedData.js","sourceRoot":"","sources":["../../src/rules/deserializationOfUntrustedData.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0CAAwD;AAExD,2BAA0B;AAE1B,SAAS,aAAa,CAAC,KAAY,EAAE,QAAgB,EAAE,KAAa;IAClE,OAAO,CACL,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC;QACvB,CAAC,CAAC,KAAK,CAAC,WAAW;QACnB,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS;QAC7B,KAAK,CAAC,WAAW,CAAC,SAAS,KAAK,QAAQ,CACzC,CAAC;AACJ,CAAC;AAED,SAAU,eAAe,CAAC,SAAgB,EAAE,MAAa;;;;;;;gBACnC,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA;;;;gBAApD,KAAK;gBACd,IAAI,KAAK,CAAC,KAAK,KAAK,MAAM,EAAE;oBAC1B,wBAAM;iBACP;gBACD,qBAAM,KAAK,EAAA;;gBAAX,SAAW,CAAC;;;;;;;;;;;;;;;;;;;CAEf;AAED,SAAS,qBAAqB,CAAC,SAAgB,EAAE,KAAY;IAC3D,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,UAAC,SAAS,IAAK,OAAA,SAAS,CAAC,SAAS,EAAnB,CAAmB,CAAC;SAC1C,KAAK,CAAC,UAAC,SAAS;;;YACf,KAAwB,IAAA,KAAA,SAAA,eAAe,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA,gBAAA,4BAAE;gBAAtD,IAAM,SAAS,WAAA;gBAClB,IAAI,aAAa,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,SAAU,EAAE,QAAQ,CAAC,EAAE;oBAClE,OAAO,IAAI,CAAC;iBACb;aACF;;;;;;;;;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,SAAgB;;;YAC/B,KAAoB,IAAA,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA,gBAAA,4BAAE;gBAA5D,IAAM,KAAK,WAAA;gBACd,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE;oBAC7C,IAAI,qBAAqB,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE;wBACjD,OAAO;qBACR;yBAAM;wBACL,OAAO;4BACL;gCACE,KAAK,EAAE,OAAO;gCACd,KAAK,EAAE,KAAK,CAAC,KAAK;gCAClB,OAAO,EAAK,KAAK,CAAC,KAAK,iCAA8B;6BACtD;yBACF,CAAC;qBACH;iBACF;aACF;;;;;;;;;IACH,CAAC;IAED,OAAO;QACL,OAAO,SAAA;KACR,CAAC;AACJ,CAAC;AAED,IAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAC/C,IAAM,QAAQ,GAAG,UAAU,CAAC;AAE5B,kBAAe;IACb,EAAE,EAAE,mCAAmC;IACvC,KAAK,EAAE,mCAAmC;IAC1C,MAAM,EAAE,CAAC,iBAAiB,EAAE,QAAQ,CAAC;IACrC,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE;QACV,SAAS,EAAE,IAAI,SAAG,CAAC,iDAAiD,CAAC;QACrE,eAAe,EAAE,IAAI,SAAG,CAAC,0DAA0D,CAAC;KACrF;IACD,KAAK,OAAA;CACE,CAAC"}
|
package/built/rules/http500.js
CHANGED
|
@@ -16,7 +16,7 @@ exports.default = {
|
|
|
16
16
|
enumerateScope: false,
|
|
17
17
|
impactDomain: 'Stability',
|
|
18
18
|
references: {
|
|
19
|
-
'CWE-
|
|
19
|
+
'CWE-392': new url_1.URL('https://cwe.mitre.org/data/definitions/392.html'),
|
|
20
20
|
},
|
|
21
21
|
build: build,
|
|
22
22
|
};
|
|
@@ -36,6 +36,7 @@ exports.default = {
|
|
|
36
36
|
impactDomain: 'Maintainability',
|
|
37
37
|
references: {
|
|
38
38
|
'CWE-1120': new url_1.URL('https://cwe.mitre.org/data/definitions/1120.html'),
|
|
39
|
+
'CWE-1154': new url_1.URL('https://cwe.mitre.org/data/definitions/1154.html'),
|
|
39
40
|
},
|
|
40
41
|
Options: Options,
|
|
41
42
|
build: build,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"illegalPackageDependency.js","sourceRoot":"","sources":["../../src/rules/illegalPackageDependency.ts"],"names":[],"mappings":";;AAIA,mDAA+D;AAC/D,2BAA0B;AAE1B;IAAA;QACS,mBAAc,GAAyB,EAAE,CAAC;QAC1C,kBAAa,GAAuB,EAAwB,CAAC;IACtE,CAAC;IAAD,cAAC;AAAD,CAAC,AAHD,IAGC;AAED,SAAS,KAAK,CAAC,OAAgB;IAC7B,IAAM,cAAc,GAAG,IAAA,2BAAY,EAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC;IAClE,IAAM,aAAa,GAAG,IAAA,0BAAW,EAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAEzD,SAAS,KAAK,CAAC,CAAQ;QACrB,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,MAAO,CAAC,UAAU,CAAC,SAAS,IAAI,aAAa,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACjG,CAAC;IAED,SAAS,OAAO,CAAC,CAAQ;QACvB,IAAM,eAAe,GAAG,OAAO,CAAC,cAAc;aAC3C,GAAG,CAAC,UAAC,MAAM,IAAK,OAAA,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,KAAK,EAA9C,CAA8C,CAAC;aAC/D,GAAG,CAAC,MAAM,CAAC;aACX,IAAI,CAAC,MAAM,CAAC,CAAC;QAEhB,IAAM,aAAa,GAAG,CAAC,CAAC,MAAO,CAAC,UAAU,CAAC,SAAS,CAAC;QACrD,IACE,CAAC,CACC,CAAC,CAAC,UAAU,CAAC,SAAS,KAAK,aAAa;YACxC,cAAc,CAAC,IAAI,CAAC,UAAC,OAAO,IAAK,OAAA,OAAO,CAAC,aAAa,CAAC,EAAtB,CAAsB,CAAC,CACzD,EACD;YACA,OAAO,iBAAe,CAAC,CAAC,UAAU,CAAC,EAAE,0BAAqB,aAAa,mBAAc,eAAiB,CAAC;SACxG;IACH,CAAC;IAED,OAAO,EAAE,KAAK,OAAA,EAAE,OAAO,SAAA,EAAE,CAAC;AAC5B,CAAC;AAED,kBAAe;IACb,EAAE,EAAE,4BAA4B;IAChC,KAAK,EAAE,kDAAkD;IACzD,KAAK,EAAE,SAAsB;IAC7B,cAAc,EAAE,IAAI;IACpB,YAAY,EAAE,iBAAiB;IAC/B,UAAU,EAAE;QACV,UAAU,EAAE,IAAI,SAAG,CAAC,kDAAkD,CAAC;KACxE;IACD,OAAO,SAAA;IACP,KAAK,OAAA;CACE,CAAC"}
|
|
1
|
+
{"version":3,"file":"illegalPackageDependency.js","sourceRoot":"","sources":["../../src/rules/illegalPackageDependency.ts"],"names":[],"mappings":";;AAIA,mDAA+D;AAC/D,2BAA0B;AAE1B;IAAA;QACS,mBAAc,GAAyB,EAAE,CAAC;QAC1C,kBAAa,GAAuB,EAAwB,CAAC;IACtE,CAAC;IAAD,cAAC;AAAD,CAAC,AAHD,IAGC;AAED,SAAS,KAAK,CAAC,OAAgB;IAC7B,IAAM,cAAc,GAAG,IAAA,2BAAY,EAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC;IAClE,IAAM,aAAa,GAAG,IAAA,0BAAW,EAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAEzD,SAAS,KAAK,CAAC,CAAQ;QACrB,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,MAAO,CAAC,UAAU,CAAC,SAAS,IAAI,aAAa,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACjG,CAAC;IAED,SAAS,OAAO,CAAC,CAAQ;QACvB,IAAM,eAAe,GAAG,OAAO,CAAC,cAAc;aAC3C,GAAG,CAAC,UAAC,MAAM,IAAK,OAAA,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,KAAK,EAA9C,CAA8C,CAAC;aAC/D,GAAG,CAAC,MAAM,CAAC;aACX,IAAI,CAAC,MAAM,CAAC,CAAC;QAEhB,IAAM,aAAa,GAAG,CAAC,CAAC,MAAO,CAAC,UAAU,CAAC,SAAS,CAAC;QACrD,IACE,CAAC,CACC,CAAC,CAAC,UAAU,CAAC,SAAS,KAAK,aAAa;YACxC,cAAc,CAAC,IAAI,CAAC,UAAC,OAAO,IAAK,OAAA,OAAO,CAAC,aAAa,CAAC,EAAtB,CAAsB,CAAC,CACzD,EACD;YACA,OAAO,iBAAe,CAAC,CAAC,UAAU,CAAC,EAAE,0BAAqB,aAAa,mBAAc,eAAiB,CAAC;SACxG;IACH,CAAC;IAED,OAAO,EAAE,KAAK,OAAA,EAAE,OAAO,SAAA,EAAE,CAAC;AAC5B,CAAC;AAED,kBAAe;IACb,EAAE,EAAE,4BAA4B;IAChC,KAAK,EAAE,kDAAkD;IACzD,KAAK,EAAE,SAAsB;IAC7B,cAAc,EAAE,IAAI;IACpB,YAAY,EAAE,iBAAiB;IAC/B,UAAU,EAAE;QACV,UAAU,EAAE,IAAI,SAAG,CAAC,kDAAkD,CAAC;QACvE,UAAU,EAAE,IAAI,SAAG,CAAC,kDAAkD,CAAC;KACxE;IACD,OAAO,SAAA;IACP,KAAK,OAAA;CACE,CAAC"}
|
|
@@ -0,0 +1,85 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __values = (this && this.__values) || function(o) {
|
|
3
|
+
var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
|
|
4
|
+
if (m) return m.call(o);
|
|
5
|
+
if (o && typeof o.length === "number") return {
|
|
6
|
+
next: function () {
|
|
7
|
+
if (o && i >= o.length) o = void 0;
|
|
8
|
+
return { value: o && o[i++], done: !o };
|
|
9
|
+
}
|
|
10
|
+
};
|
|
11
|
+
throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
|
|
12
|
+
};
|
|
13
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
14
|
+
var models_1 = require("@appland/models");
|
|
15
|
+
var url_1 = require("url");
|
|
16
|
+
function containsSessionClear(events) {
|
|
17
|
+
var e_1, _a;
|
|
18
|
+
try {
|
|
19
|
+
for (var events_1 = __values(events), events_1_1 = events_1.next(); !events_1_1.done; events_1_1 = events_1.next()) {
|
|
20
|
+
var iter = events_1_1.value;
|
|
21
|
+
if (iter.event.labels.has(HTTPSessionClear)) {
|
|
22
|
+
return true;
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
catch (e_1_1) { e_1 = { error: e_1_1 }; }
|
|
27
|
+
finally {
|
|
28
|
+
try {
|
|
29
|
+
if (events_1_1 && !events_1_1.done && (_a = events_1.return)) _a.call(events_1);
|
|
30
|
+
}
|
|
31
|
+
finally { if (e_1) throw e_1.error; }
|
|
32
|
+
}
|
|
33
|
+
return false;
|
|
34
|
+
}
|
|
35
|
+
function build() {
|
|
36
|
+
function matcher(rootEvent) {
|
|
37
|
+
var e_2, _a;
|
|
38
|
+
try {
|
|
39
|
+
for (var _b = __values(new models_1.EventNavigator(rootEvent).descendants()), _c = _b.next(); !_c.done; _c = _b.next()) {
|
|
40
|
+
var event = _c.value;
|
|
41
|
+
if (event.event.labels.has(SecurityLogout)) {
|
|
42
|
+
if (containsSessionClear(event.descendants())) {
|
|
43
|
+
return;
|
|
44
|
+
}
|
|
45
|
+
else {
|
|
46
|
+
return [
|
|
47
|
+
{
|
|
48
|
+
level: 'error',
|
|
49
|
+
event: event.event,
|
|
50
|
+
message: event.event + " logs out the user, but the HTTP session is not cleared",
|
|
51
|
+
},
|
|
52
|
+
];
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
catch (e_2_1) { e_2 = { error: e_2_1 }; }
|
|
58
|
+
finally {
|
|
59
|
+
try {
|
|
60
|
+
if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
|
|
61
|
+
}
|
|
62
|
+
finally { if (e_2) throw e_2.error; }
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
return {
|
|
66
|
+
matcher: matcher,
|
|
67
|
+
};
|
|
68
|
+
}
|
|
69
|
+
var SecurityLogout = 'security.logout';
|
|
70
|
+
var HTTPSessionClear = 'http.session.clear';
|
|
71
|
+
exports.default = {
|
|
72
|
+
id: 'logout-without-session-reset',
|
|
73
|
+
title: 'Logout without session reset',
|
|
74
|
+
scope: 'http_server_request',
|
|
75
|
+
labels: [HTTPSessionClear, SecurityLogout],
|
|
76
|
+
impactDomain: 'Security',
|
|
77
|
+
enumerateScope: false,
|
|
78
|
+
references: {
|
|
79
|
+
'CWE-488': new url_1.URL('https://cwe.mitre.org/data/definitions/488.html'),
|
|
80
|
+
'OWASP - Session fixation': new url_1.URL('https://owasp.org/www-community/attacks/Session_fixation'),
|
|
81
|
+
'Ruby on Rails - Session fixation countermeasures': new url_1.URL('https://guides.rubyonrails.org/security.html#session-fixation-countermeasures'),
|
|
82
|
+
},
|
|
83
|
+
build: build,
|
|
84
|
+
};
|
|
85
|
+
//# sourceMappingURL=logoutWithoutSessionReset.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"logoutWithoutSessionReset.js","sourceRoot":"","sources":["../../src/rules/logoutWithoutSessionReset.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,0CAAwD;AAExD,2BAA0B;AAE1B,SAAS,oBAAoB,CAAC,MAAiC;;;QAC7D,KAAmB,IAAA,WAAA,SAAA,MAAM,CAAA,8BAAA,kDAAE;YAAtB,IAAM,IAAI,mBAAA;YACb,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE;gBAC3C,OAAO,IAAI,CAAC;aACb;SACF;;;;;;;;;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,SAAgB;;;YAC/B,KAAoB,IAAA,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA,gBAAA,4BAAE;gBAA5D,IAAM,KAAK,WAAA;gBACd,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE;oBAC1C,IAAI,oBAAoB,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE;wBAC7C,OAAO;qBACR;yBAAM;wBACL,OAAO;4BACL;gCACE,KAAK,EAAE,OAAO;gCACd,KAAK,EAAE,KAAK,CAAC,KAAK;gCAClB,OAAO,EAAK,KAAK,CAAC,KAAK,4DAAyD;6BACjF;yBACF,CAAC;qBACH;iBACF;aACF;;;;;;;;;IACH,CAAC;IAED,OAAO;QACL,OAAO,SAAA;KACR,CAAC;AACJ,CAAC;AAED,IAAM,cAAc,GAAG,iBAAiB,CAAC;AACzC,IAAM,gBAAgB,GAAG,oBAAoB,CAAC;AAE9C,kBAAe;IACb,EAAE,EAAE,8BAA8B;IAClC,KAAK,EAAE,8BAA8B;IACrC,KAAK,EAAE,qBAAqB;IAC5B,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,CAAC;IAC1C,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE;QACV,SAAS,EAAE,IAAI,SAAG,CAAC,iDAAiD,CAAC;QACrE,0BAA0B,EAAE,IAAI,SAAG,CAAC,0DAA0D,CAAC;QAC/F,kDAAkD,EAAE,IAAI,SAAG,CACzD,+EAA+E,CAChF;KACF;IACD,KAAK,OAAA;CACE,CAAC"}
|
|
@@ -39,6 +39,7 @@ var __values = (this && this.__values) || function(o) {
|
|
|
39
39
|
};
|
|
40
40
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
41
41
|
var models_1 = require("@appland/models");
|
|
42
|
+
var url_1 = require("url");
|
|
42
43
|
// TODO: Use the Query AST for this.
|
|
43
44
|
var QueryIncludes = [/\bINSERT\b/i, /\bUPDATE\b/i];
|
|
44
45
|
var UpdateMethods = ['put', 'post', 'patch'];
|
|
@@ -138,6 +139,9 @@ exports.default = {
|
|
|
138
139
|
scope: 'command',
|
|
139
140
|
enumerateScope: false,
|
|
140
141
|
impactDomain: 'Maintainability',
|
|
142
|
+
references: {
|
|
143
|
+
'CWE-1048': new url_1.URL('https://cwe.mitre.org/data/definitions/1048.html'),
|
|
144
|
+
},
|
|
141
145
|
Options: Options,
|
|
142
146
|
build: build,
|
|
143
147
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tooManyUpdates.js","sourceRoot":"","sources":["../../src/rules/tooManyUpdates.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0CAAwD;
|
|
1
|
+
{"version":3,"file":"tooManyUpdates.js","sourceRoot":"","sources":["../../src/rules/tooManyUpdates.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0CAAwD;AAExD,2BAA0B;AAG1B,oCAAoC;AACpC,IAAM,aAAa,GAAa,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;AAC/D,IAAM,aAAa,GAAa,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAEzD;IAAA;QACS,iBAAY,GAAG,EAAE,CAAC;IAC3B,CAAC;IAAD,cAAC;AAAD,CAAC,AAFD,IAEC;AAED,SAAS,KAAK,CAAC,OAAgB;IAC7B,IAAM,QAAQ,GAAG,UAAC,KAAY;QAC5B,IAAM,WAAW,GAAG;YAClB,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE;gBACnB,OAAO,KAAK,CAAC;aACd;YACD,OAAO,aAAa,CAAC,IAAI,CAAC,UAAC,OAAO,IAAK,OAAA,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,QAAS,CAAC,EAA7B,CAA6B,CAAC,CAAC;QACxE,CAAC,CAAC;QAEF,IAAM,WAAW,GAAG;YAClB,IAAI,CAAC,KAAK,CAAC,iBAAiB,EAAE;gBAC5B,OAAO,KAAK,CAAC;aACd;YACD,OAAO,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,iBAAkB,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC,CAAC;QACvF,CAAC,CAAC;QAEF,OAAO,WAAW,EAAE,IAAI,WAAW,EAAE,CAAC;IACxC,CAAC,CAAC;IAEF,IAAM,YAAY,GAAG,UAAW,KAAY;;;;;;;oBAC1B,KAAA,SAAA,IAAI,uBAAc,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAA;;;;oBAA5C,CAAC;oBACV,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE;wBACtB,wBAAS;qBACV;oBACD,qBAAM,CAAC,CAAC,KAAK,EAAA;;oBAAb,SAAa,CAAC;;;;;;;;;;;;;;;;;;;KAEjB,CAAC;IAEF,SAAS,OAAO,CAAC,OAAc;;QAC7B,IAAM,MAAM,GAAY,EAAE,CAAC;;YAC3B,KAA0B,IAAA,KAAA,SAAA,YAAY,CAAC,OAAO,CAAC,CAAA,gBAAA,4BAAE;gBAA5C,IAAM,WAAW,WAAA;gBACpB,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;aAC1B;;;;;;;;;QAED,IAAI,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE;YACxC,OAAO;gBACL;oBACE,KAAK,EAAE,OAAO;oBACd,OAAO,EAAE,sBAAoB,MAAM,CAAC,MAAM,yBAAsB;oBAChE,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;oBAChB,aAAa,EAAE,MAAM;iBACtB;aACF,CAAC;SACH;IACH,CAAC;IAED,OAAO;QACL,OAAO,SAAA;KACR,CAAC;AACJ,CAAC;AAED,kBAAe;IACb,EAAE,EAAE,kBAAkB;IACtB,KAAK,EAAE,uDAAuD;IAC9D,KAAK,EAAE,SAAS;IAChB,cAAc,EAAE,KAAK;IACrB,YAAY,EAAE,iBAAiB;IAC/B,UAAU,EAAE;QACV,UAAU,EAAE,IAAI,SAAG,CAAC,kDAAkD,CAAC;KACxE;IACD,OAAO,SAAA;IACP,KAAK,OAAA;CACE,CAAC"}
|
|
@@ -1,19 +1,26 @@
|
|
|
1
1
|
checks:
|
|
2
|
+
- rule: authzBeforeAuthn
|
|
2
3
|
- rule: circularDependency
|
|
4
|
+
- rule: deserializationOfUntrustedData
|
|
3
5
|
- rule: http500
|
|
6
|
+
# - rule: illegalPackageDependency
|
|
7
|
+
# - rule: incompatibleHttpClientRequest
|
|
8
|
+
# - rule: insecureCompare
|
|
9
|
+
# - rule: jobNotCancelled
|
|
10
|
+
- rule: logoutWithoutSessionReset
|
|
11
|
+
- rule: missingAuthentication
|
|
4
12
|
- rule: missingContentType
|
|
5
13
|
- rule: nPlusOneQuery
|
|
6
|
-
#
|
|
7
|
-
|
|
8
|
-
#
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
#
|
|
12
|
-
#
|
|
13
|
-
#
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
# - rule: unbatchedMaterializedQuery
|
|
14
|
+
# - rule: queryFromInvalidPackage
|
|
15
|
+
- rule: queryFromView
|
|
16
|
+
# - rule: rpcWithoutCircuitBreaker
|
|
17
|
+
- rule: saveWithoutValidation
|
|
18
|
+
- rule: secretInLog
|
|
19
|
+
# - rule: slowFunctionCall
|
|
20
|
+
# - rule: slowHttpServerRequest
|
|
21
|
+
# - rule: slowQuery
|
|
22
|
+
- rule: tooManyJoins
|
|
23
|
+
- rule: tooManyUpdates
|
|
24
|
+
- rule: updateInGetRequest
|
|
25
|
+
- rule: unbatchedMaterializedQuery
|
|
26
|
+
- rule: updateInGetRequest
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@appland/scanner",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.36.1",
|
|
4
4
|
"description": "",
|
|
5
5
|
"bin": "built/cli.js",
|
|
6
6
|
"files": [
|
|
@@ -10,10 +10,10 @@
|
|
|
10
10
|
"build": "mkdir -p built && cp -r src/sampleConfig built && tsc && yarn schema && yarn doc",
|
|
11
11
|
"build-native": "yarn build && ./bin/build-native",
|
|
12
12
|
"start": "ts-node src/cli.ts",
|
|
13
|
-
"doc": "ts-node ./bin/front-matter.ts",
|
|
13
|
+
"doc": "ts-node ./bin/verify-rules-doc.ts && ts-node ./bin/verify-labels-doc.ts && ts-node ./bin/front-matter.ts",
|
|
14
14
|
"schema": "./bin/schema",
|
|
15
15
|
"schema-up-to-date": "git diff --exit-code src/configuration/schema/options.json",
|
|
16
|
-
"doc-up-to-date": "git diff --exit-code doc/
|
|
16
|
+
"doc-up-to-date": "git diff --exit-code doc/",
|
|
17
17
|
"lint": "eslint src --ext .ts",
|
|
18
18
|
"ci": "yarn lint && yarn build && yarn schema-up-to-date && yarn doc-up-to-date && yarn test",
|
|
19
19
|
"test": "jest",
|