@appland/scanner 1.35.1 → 1.37.1

package/built/cli/scan.js

@@ -35,6 +35,31 @@ var __generator = (this && this.__generator) || function (thisArg, body) {
         if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
     }
 };
+var __read = (this && this.__read) || function (o, n) {
+    var m = typeof Symbol === "function" && o[Symbol.iterator];
+    if (!m) return o;
+    var i = m.call(o), r, ar = [], e;
+    try {
+        while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
+    }
+    catch (error) { e = { error: error }; }
+    finally {
+        try {
+            if (r && !r.done && (m = i["return"])) m.call(i);
+        }
+        finally { if (e) throw e.error; }
+    }
+    return ar;
+};
+var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
+    if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
+        if (ar || !(i in from)) {
+            if (!ar) ar = Array.prototype.slice.call(from, 0, i);
+            ar[i] = from[i];
+        }
+    }
+    return to.concat(ar || Array.prototype.slice.call(from));
+};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -43,6 +68,25 @@ var promises_1 = require("fs/promises");
 var models_1 = require("@appland/models");
 var ruleChecker_1 = __importDefault(require("../ruleChecker"));
 var progressReporter_1 = __importDefault(require("./progressReporter"));
+function batch(items, size, process) {
+    return __awaiter(this, void 0, void 0, function () {
+        var left;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0:
+                    left = __spreadArray([], __read(items), false);
+                    _a.label = 1;
+                case 1:
+                    if (!left.length) return [3 /*break*/, 3];
+                    return [4 /*yield*/, Promise.all(left.splice(0, size).map(process))];
+                case 2:
+                    _a.sent();
+                    return [3 /*break*/, 1];
+                case 3: return [2 /*return*/];
+            }
+        });
+    });
+}
 function scan(files, checks) {
     return __awaiter(this, void 0, void 0, function () {
         var checker, appMapMetadata, findings;
@@ -53,7 +97,7 @@ function scan(files, checks) {
                     checker = new ruleChecker_1.default();
                     appMapMetadata = {};
                     findings = [];
-                    return [4 /*yield*/, Promise.all(files.map(function (file) { return __awaiter(_this, void 0, void 0, function () {
+                    return [4 /*yield*/, batch(files, 2, function (file) { return __awaiter(_this, void 0, void 0, function () {
                             var appMapData, appMap;
                             var _this = this;
                             return __generator(this, function (_a) {
@@ -91,7 +135,7 @@ function scan(files, checks) {
                                         return [2 /*return*/];
                                 }
                             });
-                        }); }))];
+                        }); })];
                 case 1:
                     _a.sent();
                     return [2 /*return*/, { appMapMetadata: appMapMetadata, findings: findings }];

package/built/cli/scan.js.map

@@ -1 +1 @@
-{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/cli/scan.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wCAAuC;AACvC,0CAAwD;AAGxD,+DAAyC;AAGzC,wEAAkD;AAOlD,SAA8B,IAAI,CAAC,KAAe,EAAE,MAAe;;;;;;;oBAC3D,OAAO,GAAG,IAAI,qBAAW,EAAE,CAAC;oBAC5B,cAAc,GAA6B,EAAE,CAAC;oBAC9C,QAAQ,GAAc,EAAE,CAAC;oBAE/B,qBAAM,OAAO,CAAC,GAAG,CACf,KAAK,CAAC,GAAG,CAAC,UAAO,IAAY;;;;;;wCAC3B,2DAA2D;wCAC3D,+FAA+F;wCAC/F,6BAA6B;wCAC7B,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE;4CAC5C,sBAAO,IAAI,EAAC;yCACb;wCACkB,qBAAM,IAAA,mBAAQ,EAAC,IAAI,EAAE,MAAM,CAAC,EAAA;;wCAAzC,UAAU,GAAG,SAA4B;wCACzC,MAAM,GAAG,IAAA,oBAAW,EAAC,UAAU,CAAC,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,CAAC;wCAC3D,cAAc,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC;wCAEvC,qBAAM,OAAO,CAAC,GAAG,CACf,MAAM,CAAC,GAAG,CAAC,UAAO,KAAK;;;;;4DACf,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC;4DACnC,qBAAM,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAA;;4DAAlD,SAAkD,CAAC;4DAC7C,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;4DAC/D,UAAU,CAAC,OAAO,CAAC,UAAC,KAAK,IAAK,OAAA,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,EAAzB,CAAyB,CAAC,CAAC;4DACzD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,0BAAgB,EAAC,UAAU,CAAC,CAAC,CAAC;;;;iDACpD,CAAC,CACH,EAAA;;wCARD,SAQC,CAAC;;;;6BACH,CAAC,CACH,EAAA;;oBAtBD,SAsBC,CAAC;oBAEF,sBAAO,EAAE,cAAc,gBAAA,EAAE,QAAQ,UAAA,EAAE,EAAC;;;;CACrC;AA9BD,uBA8BC"}
+{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/cli/scan.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wCAAuC;AACvC,0CAAwD;AAGxD,+DAAyC;AAGzC,wEAAkD;AAOlD,SAAe,KAAK,CAClB,KAAmB,EACnB,IAAY,EACZ,OAAmD;;;;;;oBAE7C,IAAI,4BAAO,KAAK,SAAC,CAAC;;;yBACjB,IAAI,CAAC,MAAM;oBAAE,qBAAM,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,EAAA;;oBAApD,SAAoD,CAAC;;;;;;CAC1E;AAED,SAA8B,IAAI,CAAC,KAAe,EAAE,MAAe;;;;;;;oBAC3D,OAAO,GAAG,IAAI,qBAAW,EAAE,CAAC;oBAC5B,cAAc,GAA6B,EAAE,CAAC;oBAC9C,QAAQ,GAAc,EAAE,CAAC;oBAE/B,qBAAM,KAAK,CAAC,KAAK,EAAE,CAAC,EAAE,UAAO,IAAY;;;;;;wCACvC,2DAA2D;wCAC3D,+FAA+F;wCAC/F,6BAA6B;wCAC7B,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE;4CAC5C,sBAAO,IAAI,EAAC;yCACb;wCACkB,qBAAM,IAAA,mBAAQ,EAAC,IAAI,EAAE,MAAM,CAAC,EAAA;;wCAAzC,UAAU,GAAG,SAA4B;wCACzC,MAAM,GAAG,IAAA,oBAAW,EAAC,UAAU,CAAC,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,CAAC;wCAC3D,cAAc,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC;wCAEvC,qBAAM,OAAO,CAAC,GAAG,CACf,MAAM,CAAC,GAAG,CAAC,UAAO,KAAK;;;;;4DACf,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC;4DACnC,qBAAM,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAA;;4DAAlD,SAAkD,CAAC;4DAC7C,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;4DAC/D,UAAU,CAAC,OAAO,CAAC,UAAC,KAAK,IAAK,OAAA,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,EAAzB,CAAyB,CAAC,CAAC;4DACzD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,0BAAgB,EAAC,UAAU,CAAC,CAAC,CAAC;;;;iDACpD,CAAC,CACH,EAAA;;wCARD,SAQC,CAAC;;;;6BACH,CAAC,EAAA;;oBApBF,SAoBE,CAAC;oBAEH,sBAAO,EAAE,cAAc,gBAAA,EAAE,QAAQ,UAAA,EAAE,EAAC;;;;CACrC;AA5BD,uBA4BC"}

package/built/rules/authzBeforeAuthn.js

@@ -51,9 +51,8 @@ function build() {
                         return [
                             {
                                 level: 'error',
-                                event: rootEvent,
+                                event: event.event,
                                 message: event.event + " provides authorization, but the request is not authenticated",
-                                relatedEvents: [event.event],
                             },
                         ];
                     }

package/built/rules/authzBeforeAuthn.js.map

@@ -1 +1 @@
-{"version":3,"file":"authzBeforeAuthn.js","sourceRoot":"","sources":["../../src/rules/authzBeforeAuthn.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,0CAAwD;AACxD,mCAA8D;AAE9D,2BAA0B;AAE1B,SAAS,sBAAsB,CAAC,MAAiC;;;QAC/D,KAAmB,IAAA,WAAA,SAAA,MAAM,CAAA,8BAAA,kDAAE;YAAtB,IAAM,IAAI,mBAAA;YACb,IAAI,IAAA,6BAAsB,EAAC,IAAI,CAAC,KAAK,EAAE,sBAAsB,CAAC,EAAE;gBAC9D,OAAO,IAAI,CAAC;aACb;SACF;;;;;;;;;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,SAAgB;;;YAC/B,KAAoB,IAAA,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA,gBAAA,4BAAE;gBAA5D,IAAM,KAAK,WAAA;gBACd,IAAI,IAAA,6BAAsB,EAAC,KAAK,CAAC,KAAK,EAAE,sBAAsB,CAAC,EAAE;oBAC/D,OAAO;iBACR;gBACD,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,IAAA,eAAQ,EAAC,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE;oBACtF,6FAA6F;oBAC7F,IAAI,sBAAsB,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE;wBAC/C,OAAO;qBACR;yBAAM;wBACL,OAAO;4BACL;gCACE,KAAK,EAAE,OAAO;gCACd,KAAK,EAAE,SAAS;gCAChB,OAAO,EAAK,KAAK,CAAC,KAAK,kEAA+D;gCACtF,aAAa,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC;6BAC7B;yBACF,CAAC;qBACH;iBACF;aACF;;;;;;;;;IACH,CAAC;IAED,OAAO,EAAE,OAAO,SAAA,EAAE,CAAC;AACrB,CAAC;AAED,IAAM,sBAAsB,GAAG,yBAAyB,CAAC;AACzD,IAAM,qBAAqB,GAAG,wBAAwB,CAAC;AAEvD,kBAAe;IACb,EAAE,EAAE,oBAAoB;IACxB,KAAK,EAAE,+CAA+C;IACtD,MAAM,EAAE,CAAC,qBAAqB,EAAE,sBAAsB,CAAC;IACvD,KAAK,EAAE,qBAAkC;IACzC,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE;QACV,SAAS,EAAE,IAAI,SAAG,CAAC,iDAAiD,CAAC;KACtE;IACD,KAAK,OAAA;CACE,CAAC"}
+{"version":3,"file":"authzBeforeAuthn.js","sourceRoot":"","sources":["../../src/rules/authzBeforeAuthn.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,0CAAwD;AACxD,mCAA8D;AAE9D,2BAA0B;AAE1B,SAAS,sBAAsB,CAAC,MAAiC;;;QAC/D,KAAmB,IAAA,WAAA,SAAA,MAAM,CAAA,8BAAA,kDAAE;YAAtB,IAAM,IAAI,mBAAA;YACb,IAAI,IAAA,6BAAsB,EAAC,IAAI,CAAC,KAAK,EAAE,sBAAsB,CAAC,EAAE;gBAC9D,OAAO,IAAI,CAAC;aACb;SACF;;;;;;;;;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,SAAgB;;;YAC/B,KAAoB,IAAA,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA,gBAAA,4BAAE;gBAA5D,IAAM,KAAK,WAAA;gBACd,IAAI,IAAA,6BAAsB,EAAC,KAAK,CAAC,KAAK,EAAE,sBAAsB,CAAC,EAAE;oBAC/D,OAAO;iBACR;gBACD,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,IAAA,eAAQ,EAAC,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE;oBACtF,6FAA6F;oBAC7F,IAAI,sBAAsB,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE;wBAC/C,OAAO;qBACR;yBAAM;wBACL,OAAO;4BACL;gCACE,KAAK,EAAE,OAAO;gCACd,KAAK,EAAE,KAAK,CAAC,KAAK;gCAClB,OAAO,EAAK,KAAK,CAAC,KAAK,kEAA+D;6BACvF;yBACF,CAAC;qBACH;iBACF;aACF;;;;;;;;;IACH,CAAC;IAED,OAAO,EAAE,OAAO,SAAA,EAAE,CAAC;AACrB,CAAC;AAED,IAAM,sBAAsB,GAAG,yBAAyB,CAAC;AACzD,IAAM,qBAAqB,GAAG,wBAAwB,CAAC;AAEvD,kBAAe;IACb,EAAE,EAAE,oBAAoB;IACxB,KAAK,EAAE,+CAA+C;IACtD,MAAM,EAAE,CAAC,qBAAqB,EAAE,sBAAsB,CAAC;IACvD,KAAK,EAAE,qBAAkC;IACzC,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE;QACV,SAAS,EAAE,IAAI,SAAG,CAAC,iDAAiD,CAAC;KACtE;IACD,KAAK,OAAA;CACE,CAAC"}

package/built/rules/deserializationOfUntrustedData.js

@@ -0,0 +1,159 @@
+"use strict";
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+var __values = (this && this.__values) || function(o) {
+    var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
+    if (m) return m.call(o);
+    if (o && typeof o.length === "number") return {
+        next: function () {
+            if (o && i >= o.length) o = void 0;
+            return { value: o && o[i++], done: !o };
+        }
+    };
+    throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+var models_1 = require("@appland/models");
+var url_1 = require("url");
+function sanitizesData(event, objectId, label) {
+    return (event.labels.has(label) &&
+        !!event.returnValue &&
+        !!event.returnValue.object_id &&
+        event.returnValue.object_id === objectId);
+}
+function precedingEvents(rootEvent, target) {
+    var _a, _b, event, e_1_1;
+    var e_1, _c;
+    return __generator(this, function (_d) {
+        switch (_d.label) {
+            case 0:
+                _d.trys.push([0, 5, 6, 7]);
+                _a = __values(new models_1.EventNavigator(rootEvent).descendants()), _b = _a.next();
+                _d.label = 1;
+            case 1:
+                if (!!_b.done) return [3 /*break*/, 4];
+                event = _b.value;
+                if (event.event === target) {
+                    return [3 /*break*/, 4];
+                }
+                return [4 /*yield*/, event];
+            case 2:
+                _d.sent();
+                _d.label = 3;
+            case 3:
+                _b = _a.next();
+                return [3 /*break*/, 1];
+            case 4: return [3 /*break*/, 7];
+            case 5:
+                e_1_1 = _d.sent();
+                e_1 = { error: e_1_1 };
+                return [3 /*break*/, 7];
+            case 6:
+                try {
+                    if (_b && !_b.done && (_c = _a.return)) _c.call(_a);
+                }
+                finally { if (e_1) throw e_1.error; }
+                return [7 /*endfinally*/];
+            case 7: return [2 /*return*/];
+        }
+    });
+}
+function allArgumentsSanitized(rootEvent, event) {
+    return (event.parameters || [])
+        .filter(function (parameter) { return parameter.object_id; })
+        .every(function (parameter) {
+        var e_2, _a;
+        try {
+            for (var _b = __values(precedingEvents(rootEvent, event)), _c = _b.next(); !_c.done; _c = _b.next()) {
+                var candidate = _c.value;
+                if (sanitizesData(candidate.event, parameter.object_id, Sanitize)) {
+                    return true;
+                }
+            }
+        }
+        catch (e_2_1) { e_2 = { error: e_2_1 }; }
+        finally {
+            try {
+                if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
+            }
+            finally { if (e_2) throw e_2.error; }
+        }
+        return false;
+    });
+}
+function build() {
+    function matcher(rootEvent) {
+        var e_3, _a;
+        try {
+            for (var _b = __values(new models_1.EventNavigator(rootEvent).descendants()), _c = _b.next(); !_c.done; _c = _b.next()) {
+                var event = _c.value;
+                if (event.event.labels.has(DeserializeUnsafe) &&
+                    !event.event.ancestors().find(function (ancestor) { return ancestor.labels.has(DeserializeSafe); })) {
+                    if (allArgumentsSanitized(rootEvent, event.event)) {
+                        return;
+                    }
+                    else {
+                        return [
+                            {
+                                level: 'error',
+                                event: event.event,
+                                message: event.event + " deserializes untrusted data",
+                            },
+                        ];
+                    }
+                }
+            }
+        }
+        catch (e_3_1) { e_3 = { error: e_3_1 }; }
+        finally {
+            try {
+                if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
+            }
+            finally { if (e_3) throw e_3.error; }
+        }
+    }
+    return {
+        matcher: matcher,
+    };
+}
+var DeserializeUnsafe = 'deserialize.unsafe';
+var DeserializeSafe = 'deserialize.safe';
+var Sanitize = 'sanitize';
+exports.default = {
+    id: 'deserialization-of-untrusted-data',
+    title: 'Deserialization of untrusted data',
+    labels: [DeserializeUnsafe, DeserializeSafe, Sanitize],
+    impactDomain: 'Security',
+    enumerateScope: false,
+    references: {
+        'CWE-502': new url_1.URL('https://cwe.mitre.org/data/definitions/502.html'),
+        'Ruby Security': new url_1.URL('https://docs.ruby-lang.org/en/3.0/doc/security_rdoc.html'),
+    },
+    build: build,
+};
+//# sourceMappingURL=deserializationOfUntrustedData.js.map

package/built/rules/deserializationOfUntrustedData.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deserializationOfUntrustedData.js","sourceRoot":"","sources":["../../src/rules/deserializationOfUntrustedData.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0CAAwD;AAExD,2BAA0B;AAE1B,SAAS,aAAa,CAAC,KAAY,EAAE,QAAgB,EAAE,KAAa;IAClE,OAAO,CACL,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC;QACvB,CAAC,CAAC,KAAK,CAAC,WAAW;QACnB,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS;QAC7B,KAAK,CAAC,WAAW,CAAC,SAAS,KAAK,QAAQ,CACzC,CAAC;AACJ,CAAC;AAED,SAAU,eAAe,CAAC,SAAgB,EAAE,MAAa;;;;;;;gBACnC,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA;;;;gBAApD,KAAK;gBACd,IAAI,KAAK,CAAC,KAAK,KAAK,MAAM,EAAE;oBAC1B,wBAAM;iBACP;gBACD,qBAAM,KAAK,EAAA;;gBAAX,SAAW,CAAC;;;;;;;;;;;;;;;;;;;CAEf;AAED,SAAS,qBAAqB,CAAC,SAAgB,EAAE,KAAY;IAC3D,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,UAAC,SAAS,IAAK,OAAA,SAAS,CAAC,SAAS,EAAnB,CAAmB,CAAC;SAC1C,KAAK,CAAC,UAAC,SAAS;;;YACf,KAAwB,IAAA,KAAA,SAAA,eAAe,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA,gBAAA,4BAAE;gBAAtD,IAAM,SAAS,WAAA;gBAClB,IAAI,aAAa,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,SAAU,EAAE,QAAQ,CAAC,EAAE;oBAClE,OAAO,IAAI,CAAC;iBACb;aACF;;;;;;;;;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,SAAgB;;;YAC/B,KAAoB,IAAA,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA,gBAAA,4BAAE;gBAA5D,IAAM,KAAK,WAAA;gBACd,IACE,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,iBAAiB,CAAC;oBACzC,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,UAAC,QAAQ,IAAK,OAAA,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,EAApC,CAAoC,CAAC,EACjF;oBACA,IAAI,qBAAqB,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE;wBACjD,OAAO;qBACR;yBAAM;wBACL,OAAO;4BACL;gCACE,KAAK,EAAE,OAAO;gCACd,KAAK,EAAE,KAAK,CAAC,KAAK;gCAClB,OAAO,EAAK,KAAK,CAAC,KAAK,iCAA8B;6BACtD;yBACF,CAAC;qBACH;iBACF;aACF;;;;;;;;;IACH,CAAC;IAED,OAAO;QACL,OAAO,SAAA;KACR,CAAC;AACJ,CAAC;AAED,IAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAC/C,IAAM,eAAe,GAAG,kBAAkB,CAAC;AAC3C,IAAM,QAAQ,GAAG,UAAU,CAAC;AAE5B,kBAAe;IACb,EAAE,EAAE,mCAAmC;IACvC,KAAK,EAAE,mCAAmC;IAC1C,MAAM,EAAE,CAAC,iBAAiB,EAAE,eAAe,EAAE,QAAQ,CAAC;IACtD,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE;QACV,SAAS,EAAE,IAAI,SAAG,CAAC,iDAAiD,CAAC;QACrE,eAAe,EAAE,IAAI,SAAG,CAAC,0DAA0D,CAAC;KACrF;IACD,KAAK,OAAA;CACE,CAAC"}

package/built/rules/logoutWithoutSessionReset.js

@@ -0,0 +1,85 @@
+"use strict";
+var __values = (this && this.__values) || function(o) {
+    var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
+    if (m) return m.call(o);
+    if (o && typeof o.length === "number") return {
+        next: function () {
+            if (o && i >= o.length) o = void 0;
+            return { value: o && o[i++], done: !o };
+        }
+    };
+    throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+var models_1 = require("@appland/models");
+var url_1 = require("url");
+function containsSessionClear(events) {
+    var e_1, _a;
+    try {
+        for (var events_1 = __values(events), events_1_1 = events_1.next(); !events_1_1.done; events_1_1 = events_1.next()) {
+            var iter = events_1_1.value;
+            if (iter.event.labels.has(HTTPSessionClear)) {
+                return true;
+            }
+        }
+    }
+    catch (e_1_1) { e_1 = { error: e_1_1 }; }
+    finally {
+        try {
+            if (events_1_1 && !events_1_1.done && (_a = events_1.return)) _a.call(events_1);
+        }
+        finally { if (e_1) throw e_1.error; }
+    }
+    return false;
+}
+function build() {
+    function matcher(rootEvent) {
+        var e_2, _a;
+        try {
+            for (var _b = __values(new models_1.EventNavigator(rootEvent).descendants()), _c = _b.next(); !_c.done; _c = _b.next()) {
+                var event = _c.value;
+                if (event.event.labels.has(SecurityLogout)) {
+                    if (containsSessionClear(event.descendants())) {
+                        return;
+                    }
+                    else {
+                        return [
+                            {
+                                level: 'error',
+                                event: event.event,
+                                message: event.event + " logs out the user, but the HTTP session is not cleared",
+                            },
+                        ];
+                    }
+                }
+            }
+        }
+        catch (e_2_1) { e_2 = { error: e_2_1 }; }
+        finally {
+            try {
+                if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
+            }
+            finally { if (e_2) throw e_2.error; }
+        }
+    }
+    return {
+        matcher: matcher,
+    };
+}
+var SecurityLogout = 'security.logout';
+var HTTPSessionClear = 'http.session.clear';
+exports.default = {
+    id: 'logout-without-session-reset',
+    title: 'Logout without session reset',
+    scope: 'http_server_request',
+    labels: [HTTPSessionClear, SecurityLogout],
+    impactDomain: 'Security',
+    enumerateScope: false,
+    references: {
+        'CWE-488': new url_1.URL('https://cwe.mitre.org/data/definitions/488.html'),
+        'OWASP - Session fixation': new url_1.URL('https://owasp.org/www-community/attacks/Session_fixation'),
+        'Ruby on Rails - Session fixation countermeasures': new url_1.URL('https://guides.rubyonrails.org/security.html#session-fixation-countermeasures'),
+    },
+    build: build,
+};
+//# sourceMappingURL=logoutWithoutSessionReset.js.map

package/built/rules/logoutWithoutSessionReset.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logoutWithoutSessionReset.js","sourceRoot":"","sources":["../../src/rules/logoutWithoutSessionReset.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,0CAAwD;AAExD,2BAA0B;AAE1B,SAAS,oBAAoB,CAAC,MAAiC;;;QAC7D,KAAmB,IAAA,WAAA,SAAA,MAAM,CAAA,8BAAA,kDAAE;YAAtB,IAAM,IAAI,mBAAA;YACb,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE;gBAC3C,OAAO,IAAI,CAAC;aACb;SACF;;;;;;;;;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,SAAgB;;;YAC/B,KAAoB,IAAA,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA,gBAAA,4BAAE;gBAA5D,IAAM,KAAK,WAAA;gBACd,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE;oBAC1C,IAAI,oBAAoB,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE;wBAC7C,OAAO;qBACR;yBAAM;wBACL,OAAO;4BACL;gCACE,KAAK,EAAE,OAAO;gCACd,KAAK,EAAE,KAAK,CAAC,KAAK;gCAClB,OAAO,EAAK,KAAK,CAAC,KAAK,4DAAyD;6BACjF;yBACF,CAAC;qBACH;iBACF;aACF;;;;;;;;;IACH,CAAC;IAED,OAAO;QACL,OAAO,SAAA;KACR,CAAC;AACJ,CAAC;AAED,IAAM,cAAc,GAAG,iBAAiB,CAAC;AACzC,IAAM,gBAAgB,GAAG,oBAAoB,CAAC;AAE9C,kBAAe;IACb,EAAE,EAAE,8BAA8B;IAClC,KAAK,EAAE,8BAA8B;IACrC,KAAK,EAAE,qBAAqB;IAC5B,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,CAAC;IAC1C,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE;QACV,SAAS,EAAE,IAAI,SAAG,CAAC,iDAAiD,CAAC;QACrE,0BAA0B,EAAE,IAAI,SAAG,CAAC,0DAA0D,CAAC;QAC/F,kDAAkD,EAAE,IAAI,SAAG,CACzD,+EAA+E,CAChF;KACF;IACD,KAAK,OAAA;CACE,CAAC"}

package/built/sampleConfig/default.yml

@@ -1,19 +1,26 @@
 checks:
+  - rule: authzBeforeAuthn
   - rule: circularDependency
+  - rule: deserializationOfUntrustedData
   - rule: http500
+  # - rule: illegalPackageDependency
+  # - rule: incompatibleHttpClientRequest
+  # - rule: insecureCompare
+  # - rule: jobNotCancelled
+  - rule: logoutWithoutSessionReset
+  - rule: missingAuthentication
   - rule: missingContentType
   - rule: nPlusOneQuery
-#  - rule: slowHttpServerRequest
-#  - rule: slowQuery
-#  - rule: tooManyJoins
-#  - rule: tooManyUpdates
-#  - rule: updateInGetRequest
-# Required labels: secret, log
-# - rule: secretInLog
-# Required labels: security.authentication, security.authorization
-# - rule: authzBeforeAuthn
-# Required labels: security.authentication
-# Optional labels: public
-# - rule: missingAuthentication
-# Required labels: dao.materialize
-# - rule: unbatchedMaterializedQuery
+  # - rule: queryFromInvalidPackage
+  - rule: queryFromView
+  # - rule: rpcWithoutCircuitBreaker
+  - rule: saveWithoutValidation
+  - rule: secretInLog
+  #  - rule: slowFunctionCall
+  #  - rule: slowHttpServerRequest
+  #  - rule: slowQuery
+  - rule: tooManyJoins
+  - rule: tooManyUpdates
+  - rule: updateInGetRequest
+  - rule: unbatchedMaterializedQuery
+  - rule: updateInGetRequest

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.35.1",
+  "version": "1.37.1",
   "description": "",
   "bin": "built/cli.js",
   "files": [