@appland/scanner 1.46.1 → 1.47.0
- package/built/cli/ci/command.js +17 -15
- package/built/cli/ci/command.js.map +1 -1
- package/built/cli/scan/command.js +11 -7
- package/built/cli/scan/command.js.map +1 -1
- package/built/cli/scan/scanner.js +15 -25
- package/built/cli/scan/scanner.js.map +1 -1
- package/built/rules/deserializationOfUntrustedData.js +12 -80
- package/built/rules/deserializationOfUntrustedData.js.map +1 -1
- package/built/rules/execOfUntrustedCommand.js +97 -0
- package/built/rules/execOfUntrustedCommand.js.map +1 -0
- package/built/rules/lib/parseRuleDescription.js +4 -3
- package/built/rules/lib/parseRuleDescription.js.map +1 -1
- package/built/rules/lib/precedingEvents.js +80 -0
- package/built/rules/lib/precedingEvents.js.map +1 -0
- package/built/rules/lib/sanitizesData.js +10 -0
- package/built/rules/lib/sanitizesData.js.map +1 -0
- package/built/rules/missingAuthentication.js +3 -3
- package/built/rules/missingAuthentication.js.map +1 -1
- package/built/sampleConfig/default.yml +2 -1
- package/built/scope/commandScope.js.map +1 -1
- package/built/scope/rootScope.js.map +1 -1
- package/built/scope/scopeIterator.js.map +1 -1
- package/built/scope/sqlTransactionScope.js +13 -3
- package/built/scope/sqlTransactionScope.js.map +1 -1
- package/doc/labels/{public.md → access.public.md} +1 -1
- package/doc/labels/deserialize.safe.md +2 -0
- package/doc/labels/deserialize.sanitize.md +22 -0
- package/doc/labels/deserialize.unsafe.md +2 -0
- package/doc/labels/system.exec.md +7 -0
- package/doc/labels/system.exec.safe.md +7 -0
- package/doc/labels/system.exec.sanitize.md +22 -0
- package/doc/rules/deserializationOfUntrustedData.md +1 -1
- package/doc/rules/execOfUntrustedCommand.md +16 -0
- package/doc/rules/missingAuthentication.md +1 -1
- package/package.json +1 -1
- package/doc/labels/sanitize.md +0 -29
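--- a/package/built/cli/ci/command.js
+++ b/package/built/cli/ci/command.js
@@ -110,7 +110,7 @@ exports.default = {
 }
 _c.label = 1;
 case 1:
-_c.trys.push([1,
+_c.trys.push([1, 13, , 14]);
 if (!appmapDir) {
 throw new errors_1.ValidationError('--appmap-dir is required');
 }
@@ -127,38 +127,40 @@ exports.default = {
 return [4 /*yield*/, (0, configurationProvider_1.parseConfigFile)(config)];
 case 5:
 configData = _c.sent();
-
-return [4 /*yield*/, Promise.all([scanner.scan(), scanner.fetchFindingStatus(appIdArg, appmapDir)])];
+return [4 /*yield*/, (0, scanner_1.default)(false, configData, files)];
 case 6:
+scanner = _c.sent();
+return [4 /*yield*/, Promise.all([scanner.scan(), scanner.fetchFindingStatus(appIdArg, appmapDir)])];
+case 7:
 _b = __read.apply(void 0, [_c.sent(), 2]), rawScanResults = _b[0], findingStatuses = _b[1];
 // Always report the raw data
 return [4 /*yield*/, (0, promises_1.writeFile)(reportFile, JSON.stringify(rawScanResults, null, 2))];
-case
+case 8:
 // Always report the raw data
 _c.sent();
 scanResults = rawScanResults.withFindings((0, findings_1.newFindings)(rawScanResults.findings, findingStatuses));
 (0, findingsReport_1.default)(scanResults.findings, scanResults.appMapMetadata);
 (0, summaryReport_1.default)(scanResults, true);
-if (!doUpload) return [3 /*break*/,
+if (!doUpload) return [3 /*break*/, 10];
 return [4 /*yield*/, (0, upload_1.default)(rawScanResults, appId, mergeKey, {
 maxRetries: 3,
 })];
-case
+case 9:
 uploadResponse = _c.sent();
 (0, reportUploadURL_1.default)(uploadResponse.summary.numFindings, uploadResponse.url);
-_c.label =
-case 9:
-if (!updateCommitStatusOption) return [3 /*break*/, 11];
-return [4 /*yield*/, (0, updateCommitStatus_1.default)(scanResults.findings.length, scanResults.summary.numChecks)];
+_c.label = 10;
 case 10:
-
-
+if (!updateCommitStatusOption) return [3 /*break*/, 12];
+return [4 /*yield*/, (0, updateCommitStatus_1.default)(scanResults.findings.length, scanResults.summary.numChecks)];
 case 11:
+_c.sent();
+_c.label = 12;
+case 12:
 if (failOption) {
 (0, fail_1.default)(scanResults.findings.length);
 }
-return [3 /*break*/,
-case
+return [3 /*break*/, 14];
+case 13:
 err_1 = _c.sent();
 if (err_1 instanceof errors_1.ValidationError) {
 console.warn(err_1.message);
@@ -172,7 +174,7 @@ exports.default = {
 return [2 /*return*/, process.exit(exitCode_1.ExitCode.RuntimeError)];
 }
 throw err_1;
-case
+case 14: return [2 /*return*/];
 }
 });
 });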
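Review bot: The new `(0, scanner_1.default)(false, configData, files)` call at new line 130 rejects when `loadConfiguration()` fails (this release also removes the warn-and-continue `verifyServerConfiguration` in scanner.js), and unlike the scan command there is no `.catch` translating that rejection, so the error reaches the `case 13` handler as a plain Error rather than a ValidationError and the user presumably gets the runtime-error path instead of a usage message. Consider mirroring the scan command: `return [4 /*yield*/, (0, scanner_1.default)(false, configData, files).catch(function (error) { throw new errors_1.ValidationError('AppMap Server configuration is required by ci: ' + error.message); })];` (constructed wording). The change belongs in `src/cli/ci/command.ts`, since this file is compiled output; the enclosing generator function starts and ends outside the hunk.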
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"command.js","sourceRoot":"","sources":["../../../src/cli/ci/command.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,6BAA4C;AAC5C,wCAAwC;AACxC,6BAAiC;AAKjC,mFAA4E;AAC5E,uCAA2D;AAE3D,6CAA+C;AAC/C,2CAA6C;AAC7C,+EAAyD;AACzD,6EAAuD;AAEvD,wCAAuC;AACvC,iEAA2C;AAC3C,iEAA2C;AAC3C,qDAA+B;AAC/B,4DAA0D;AAG1D,yDAAmC;AACnC,6EAAuD;AACvD,uEAAiD;AACjD,iDAA2B;AAE3B,kBAAe;IACb,OAAO,EAAE,IAAI;IACb,QAAQ,EAAE,uEAAuE;IACjF,OAAO,EAAP,UAAQ,IAAU;QAChB,IAAA,kBAAQ,EAAC,IAAI,CAAC,CAAC;QAEf,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;YAClB,QAAQ,EAAE,yDAAyD;YACnE,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE;YAClC,QAAQ,EAAE,oCAAoC;YAC9C,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;YACpB,QAAQ,EAAE,kCAAkC;YAC5C,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE;YACvB,QAAQ,EAAE,8EAA8E;SACzF,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;IACvB,CAAC;IACK,OAAO,EAAb,UAAc,OAAkB;;;;;;wBACxB,KAUF,OAAoC,EATtC,SAAS,eAAA,EACT,MAAM,YAAA,EACG,SAAS,aAAA,EACZ,UAAU,UAAA,EACX,QAAQ,SAAA,EACb,UAAU,gBAAA,EACF,QAAQ,YAAA,EACI,wBAAwB,wBAAA,EAC5C,QAAQ,cAAA,CAC+B;wBAEzC,IAAI,SAAS,EAAE;4BACb,IAAA,cAAO,EAAC,IAAI,CAAC,CAAC;yBACf;;;;wBAGC,IAAI,CAAC,SAAS,EAAE;4BACd,MAAM,IAAI,wBAAe,CAAC,0BAA0B,CAAC,CAAC;yBACvD;wBAED,qBAAM,IAAA,sBAAY,EAAC,WAAW,EAAE,SAAU,CAAC,EAAA;;wBAA3C,SAA2C,CAAC;wBACtC,IAAI,GAAG,IAAA,gBAAS,EAAC,WAAY,CAAC,CAAC;wBACvB,qBAAM,IAAI,CAAI,SAAS,sBAAmB,CAAC,EAAA;;wBAAnD,KAAK,GAAG,SAA2C;wBAE3C,qBAAM,IAAA,sBAAY,EAAC,QAAQ,EAAE,SAAS,CAAC,EAAA;;wBAA/C,KAAK,GAAG,SAAuC;wBAElC,qBAAM,IAAA,uCAAe,EAAC,MAAM,CAAC,EAAA;;wBAA1C,UAAU,GAAG,SAA6B;
|
|
1
|
+
{"version":3,"file":"command.js","sourceRoot":"","sources":["../../../src/cli/ci/command.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,6BAA4C;AAC5C,wCAAwC;AACxC,6BAAiC;AAKjC,mFAA4E;AAC5E,uCAA2D;AAE3D,6CAA+C;AAC/C,2CAA6C;AAC7C,+EAAyD;AACzD,6EAAuD;AAEvD,wCAAuC;AACvC,iEAA2C;AAC3C,iEAA2C;AAC3C,qDAA+B;AAC/B,4DAA0D;AAG1D,yDAAmC;AACnC,6EAAuD;AACvD,uEAAiD;AACjD,iDAA2B;AAE3B,kBAAe;IACb,OAAO,EAAE,IAAI;IACb,QAAQ,EAAE,uEAAuE;IACjF,OAAO,EAAP,UAAQ,IAAU;QAChB,IAAA,kBAAQ,EAAC,IAAI,CAAC,CAAC;QAEf,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;YAClB,QAAQ,EAAE,yDAAyD;YACnE,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE;YAClC,QAAQ,EAAE,oCAAoC;YAC9C,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;YACpB,QAAQ,EAAE,kCAAkC;YAC5C,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE;YACvB,QAAQ,EAAE,8EAA8E;SACzF,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;IACvB,CAAC;IACK,OAAO,EAAb,UAAc,OAAkB;;;;;;wBACxB,KAUF,OAAoC,EATtC,SAAS,eAAA,EACT,MAAM,YAAA,EACG,SAAS,aAAA,EACZ,UAAU,UAAA,EACX,QAAQ,SAAA,EACb,UAAU,gBAAA,EACF,QAAQ,YAAA,EACI,wBAAwB,wBAAA,EAC5C,QAAQ,cAAA,CAC+B;wBAEzC,IAAI,SAAS,EAAE;4BACb,IAAA,cAAO,EAAC,IAAI,CAAC,CAAC;yBACf;;;;wBAGC,IAAI,CAAC,SAAS,EAAE;4BACd,MAAM,IAAI,wBAAe,CAAC,0BAA0B,CAAC,CAAC;yBACvD;wBAED,qBAAM,IAAA,sBAAY,EAAC,WAAW,EAAE,SAAU,CAAC,EAAA;;wBAA3C,SAA2C,CAAC;wBACtC,IAAI,GAAG,IAAA,gBAAS,EAAC,WAAY,CAAC,CAAC;wBACvB,qBAAM,IAAI,CAAI,SAAS,sBAAmB,CAAC,EAAA;;wBAAnD,KAAK,GAAG,SAA2C;wBAE3C,qBAAM,IAAA,sBAAY,EAAC,QAAQ,EAAE,SAAS,CAAC,EAAA;;wBAA/C,KAAK,GAAG,SAAuC;wBAElC,qBAAM,IAAA,uCAAe,EAAC,MAAM,CAAC,EAAA;;wBAA1C,UAAU,GAAG,SAA6B;wBAEhC,qBAAM,IAAA,iBAAY,EAAC,KAAK,EAAE,UAAU,EAAE,KAAK,CAAC,EAAA;;wBAAtD,OAAO,GAAG,SAA4C;wBAG1D,qBAAM,OAAO,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,OAAO,CAAC,kBAAkB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,EAAA;;wBADhF,KAAA,sBACJ,SAAoF,KAAA,EAD/E,cAAc,QAAA,EAAE,eAAe,QAAA;wBAGtC,6BAA6B;wBAC7B,qBAAM,IAAA,oBAAS,EAAC,UAAU,EAAE,IAAI,CAAC,SA
AS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAA;;wBADpE,6BAA6B;wBAC7B,SAAoE,CAAC;wBAE/D,WAAW,GAAG,cAAc,CAAC,YAAY,CAC7C,IAAA,sBAAW,EAAC,cAAc,CAAC,QAAQ,EAAE,eAAe,CAAC,CACtD,CAAC;wBAEF,IAAA,wBAAc,EAAC,WAAW,CAAC,QAAQ,EAAE,WAAW,CAAC,cAAc,CAAC,CAAC;wBACjE,IAAA,uBAAa,EAAC,WAAW,EAAE,IAAI,CAAC,CAAC;6BAE7B,QAAQ,EAAR,yBAAQ;wBACa,qBAAM,IAAA,gBAAM,EAAC,cAAc,EAAE,KAAK,EAAE,QAAQ,EAAE;gCACnE,UAAU,EAAE,CAAC;6BACd,CAAC,EAAA;;wBAFI,cAAc,GAAG,SAErB;wBACF,IAAA,yBAAe,EAAC,cAAc,CAAC,OAAO,CAAC,WAAW,EAAE,cAAc,CAAC,GAAG,CAAC,CAAC;;;6BAGtE,wBAAwB,EAAxB,yBAAwB;wBAC1B,qBAAM,IAAA,4BAAkB,EAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,EAAA;;wBAApF,SAAoF,CAAC;;;wBAGvF,IAAI,UAAU,EAAE;4BACd,IAAA,cAAI,EAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;yBACnC;;;;wBAED,IAAI,KAAG,YAAY,wBAAe,EAAE;4BAClC,OAAO,CAAC,IAAI,CAAC,KAAG,CAAC,OAAO,CAAC,CAAC;4BAC1B,sBAAO,OAAO,CAAC,IAAI,CAAC,mBAAQ,CAAC,eAAe,CAAC,EAAC;yBAC/C;wBACD,IAAI,KAAG,YAAY,mBAAU,EAAE;4BAC7B,sBAAO,OAAO,CAAC,IAAI,CAAC,mBAAQ,CAAC,UAAU,CAAC,EAAC;yBAC1C;wBACD,IAAI,CAAC,cAAO,IAAI,KAAG,YAAY,KAAK,EAAE;4BACpC,OAAO,CAAC,KAAK,CAAC,KAAG,CAAC,OAAO,CAAC,CAAC;4BAC3B,sBAAO,OAAO,CAAC,IAAI,CAAC,mBAAQ,CAAC,YAAY,CAAC,EAAC;yBAC5C;wBAED,MAAM,KAAG,CAAC;;;;;KAEb;CACF,CAAC"}
|
|
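--- a/package/built/cli/scan/command.js
+++ b/package/built/cli/scan/command.js
@@ -134,7 +134,7 @@ exports.default = {
 }
 _c.label = 1;
 case 1:
-_c.trys.push([1,
+_c.trys.push([1, 11, , 12]);
 if (appmapFile && appmapDir) {
 throw new errors_1.ValidationError('Use --appmap-dir or --appmap-file, but not both');
 }
@@ -161,14 +161,18 @@ exports.default = {
 case 6: return [4 /*yield*/, (0, configurationProvider_1.parseConfigFile)(config)];
 case 7:
 configData = _c.sent();
-
+return [4 /*yield*/, (0, scanner_1.default)(reportAllFindings, configData, files).catch(function (error) {
+throw new errors_1.ValidationError(error.message + '\nUse --all to perform an offline scan.');
+})];
+case 8:
+scanner = _c.sent();
 startTime = Date.now();
 return [4 /*yield*/, Promise.all([scanner.scan(), scanner.fetchFindingStatus(appIdArg, appmapDir)])];
-case
+case 9:
 _b = __read.apply(void 0, [_c.sent(), 2]), rawScanResults = _b[0], findingStatuses = _b[1];
 // Always report the raw data
 return [4 /*yield*/, (0, promises_1.writeFile)(reportFile, formatReport(rawScanResults))];
-case
+case 10:
 // Always report the raw data
 _c.sent();
 scanResults = void 0;
@@ -185,8 +189,8 @@ exports.default = {
 elapsed = Date.now() - startTime;
 numChecks = scanResults.checks.length * scanResults.summary.numAppMaps;
 console.log("Performed " + numChecks + " checks in " + elapsed + "ms (" + Math.floor(numChecks / (elapsed / 1000.0)) + " checks/sec)");
-return [3 /*break*/,
-case
+return [3 /*break*/, 12];
+case 11:
 err_1 = _c.sent();
 if (err_1 instanceof errors_1.ValidationError) {
 console.warn(err_1.message);
@@ -200,7 +204,7 @@ exports.default = {
 return [2 /*return*/, process.exit(exitCode_1.ExitCode.RuntimeError)];
 }
 throw err_1;
-case
+case 12: return [2 /*return*/];
 }
 });
 });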
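Review bot: The `.catch` added at new lines 164-166 replaces whatever `scanner_1.default` rejected with a fresh ValidationError built only from `error.message`, so the original error and its stack are discarded, and a rejection that is not an Error object yields the text `undefined` followed by the hint. Because the ValidationError branch at new lines 195-196 prints just the message, a genuine failure inside `loadConfiguration()` that is not a missing configuration becomes indistinguishable from a usage mistake. Suggest keeping the cause and guarding the message, e.g. `var wrapped = new errors_1.ValidationError(String(error && error.message || error) + '\nUse --all to perform an offline scan.'); wrapped.cause = error; throw wrapped;` in `src/cli/scan/command.ts`, as this file is compiled output. The enclosing generator function starts and ends outside the hunk.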
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"command.js","sourceRoot":"","sources":["../../../src/cli/scan/command.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,6BAA4C;AAC5C,wCAAwC;AACxC,6BAAiC;AAKjC,mFAA4E;AAC5E,uCAA2D;AAE3D,6CAA+C;AAC/C,2CAA6C;AAC7C,+EAAyD;AACzD,6EAAuD;AAEvD,wCAAuC;AACvC,iEAA2C;AAG3C,sDAAoD;AACpD,yDAAmC;AAInC,kBAAe;IACb,OAAO,EAAE,MAAM;IACf,QAAQ,EAAE,yCAAyC;IACnD,OAAO,EAAP,UAAQ,IAAU;QAChB,IAAA,kBAAQ,EAAC,IAAI,CAAC,CAAC;QAEf,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;YACzB,QAAQ,EAAE,qBAAqB;YAC/B,KAAK,EAAE,GAAG;SACX,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACjB,QAAQ,EAAE,gEAAgE;YAC1E,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC;SACjD,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACjB,QAAQ,EAAE,6DAA6D;YACvE,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;IACvB,CAAC;IACK,OAAO,EAAb,UAAc,OAAkB;;;;;;wBACxB,KAUF,OAAoC,EATtC,SAAS,eAAA,EACT,UAAU,gBAAA,EACV,MAAM,YAAA,EACG,SAAS,aAAA,EACb,iBAAiB,SAAA,EACjB,QAAQ,SAAA,EACb,MAAM,YAAA,EACN,GAAG,SAAA,EACH,UAAU,gBAAA,CAC6B;wBAEzC,IAAI,SAAS,EAAE;4BACb,IAAA,cAAO,EAAC,IAAI,CAAC,CAAC;yBACf;wBAED,IAAI,MAAM,EAAE;4BACV,OAAO,CAAC,GAAG,CAAC,eAAe,GAAG,MAAM,CAAC;yBACtC;;;;wBAGC,IAAI,UAAU,IAAI,SAAS,EAAE;4BAC3B,MAAM,IAAI,wBAAe,CAAC,iDAAiD,CAAC,CAAC;yBAC9E;wBACD,IAAI,CAAC,UAAU,IAAI,CAAC,SAAS,EAAE;4BAC7B,MAAM,IAAI,wBAAe,CAAC,kDAAkD,CAAC,CAAC;yBAC/E;wBAEG,KAAK,GAAa,EAAE,CAAC;6BACrB,SAAS,EAAT,wBAAS;wBACX,qBAAM,IAAA,sBAAY,EAAC,WAAW,EAAE,SAAU,CAAC,EAAA;;wBAA3C,SAA2C,CAAC;wBACtC,IAAI,GAAG,IAAA,gBAAS,EAAC,WAAY,CAAC,CAAC;wBAC7B,qBAAM,IAAI,CAAI,SAAS,sBAAmB,CAAC,EAAA;;wBAAnD,KAAK,GAAG,SAA2C,CAAC;;;6BAElD,UAAU,EAAV,wBAAU;wBACZ,qBAAM,IAAA,sBAAY,EAAC,MAAM,EAAE,UAAU,CAAC,EAAA;;wBAAtC,SAAsC,CAAC;wBACvC,KAAK,GAAG,CAAC,UAAU,CAAC,CAAC;;4BAGJ,qBAAM,IAAA,uCAAe,EAAC,MAAM,CAAC,EAAA;;wBAA1C,UAAU,GAAG,SAA6B;
|
|
1
|
+
{"version":3,"file":"command.js","sourceRoot":"","sources":["../../../src/cli/scan/command.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,6BAA4C;AAC5C,wCAAwC;AACxC,6BAAiC;AAKjC,mFAA4E;AAC5E,uCAA2D;AAE3D,6CAA+C;AAC/C,2CAA6C;AAC7C,+EAAyD;AACzD,6EAAuD;AAEvD,wCAAuC;AACvC,iEAA2C;AAG3C,sDAAoD;AACpD,yDAAmC;AAInC,kBAAe;IACb,OAAO,EAAE,MAAM;IACf,QAAQ,EAAE,yCAAyC;IACnD,OAAO,EAAP,UAAQ,IAAU;QAChB,IAAA,kBAAQ,EAAC,IAAI,CAAC,CAAC;QAEf,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;YACzB,QAAQ,EAAE,qBAAqB;YAC/B,KAAK,EAAE,GAAG;SACX,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACjB,QAAQ,EAAE,gEAAgE;YAC1E,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC;SACjD,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACjB,QAAQ,EAAE,6DAA6D;YACvE,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;IACvB,CAAC;IACK,OAAO,EAAb,UAAc,OAAkB;;;;;;wBACxB,KAUF,OAAoC,EATtC,SAAS,eAAA,EACT,UAAU,gBAAA,EACV,MAAM,YAAA,EACG,SAAS,aAAA,EACb,iBAAiB,SAAA,EACjB,QAAQ,SAAA,EACb,MAAM,YAAA,EACN,GAAG,SAAA,EACH,UAAU,gBAAA,CAC6B;wBAEzC,IAAI,SAAS,EAAE;4BACb,IAAA,cAAO,EAAC,IAAI,CAAC,CAAC;yBACf;wBAED,IAAI,MAAM,EAAE;4BACV,OAAO,CAAC,GAAG,CAAC,eAAe,GAAG,MAAM,CAAC;yBACtC;;;;wBAGC,IAAI,UAAU,IAAI,SAAS,EAAE;4BAC3B,MAAM,IAAI,wBAAe,CAAC,iDAAiD,CAAC,CAAC;yBAC9E;wBACD,IAAI,CAAC,UAAU,IAAI,CAAC,SAAS,EAAE;4BAC7B,MAAM,IAAI,wBAAe,CAAC,kDAAkD,CAAC,CAAC;yBAC/E;wBAEG,KAAK,GAAa,EAAE,CAAC;6BACrB,SAAS,EAAT,wBAAS;wBACX,qBAAM,IAAA,sBAAY,EAAC,WAAW,EAAE,SAAU,CAAC,EAAA;;wBAA3C,SAA2C,CAAC;wBACtC,IAAI,GAAG,IAAA,gBAAS,EAAC,WAAY,CAAC,CAAC;wBAC7B,qBAAM,IAAI,CAAI,SAAS,sBAAmB,CAAC,EAAA;;wBAAnD,KAAK,GAAG,SAA2C,CAAC;;;6BAElD,UAAU,EAAV,wBAAU;wBACZ,qBAAM,IAAA,sBAAY,EAAC,MAAM,EAAE,UAAU,CAAC,EAAA;;wBAAtC,SAAsC,CAAC;wBACvC,KAAK,GAAG,CAAC,UAAU,CAAC,CAAC;;4BAGJ,qBAAM,IAAA,uCAAe,EAAC,MAAM,CAAC,EAAA;;wBAA1C,UAAU,GAAG,SAA6B;wBAEhC,qBAAM,IAAA,iBAAY,EAAC,iBAAiB,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC,KAAK,CAC5E,UAAC,KAAY;gCACX,MAAM,IAAI,wBAAe,CAAC,KAAK,CAAC,OAAO,GAAG,yCAAyC,CAAC,CAAC;4BACvF,CA
AC,CACF,EAAA;;wBAJK,OAAO,GAAG,SAIf;wBAEK,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;wBAEa,qBAAM,OAAO,CAAC,GAAG,CAGzD,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,OAAO,CAAC,kBAAkB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,EAAA;;wBAH9D,KAAA,sBAAoC,SAG0B,KAAA,EAH7D,cAAc,QAAA,EAAE,eAAe,QAAA;wBAKtC,6BAA6B;wBAC7B,qBAAM,IAAA,oBAAS,EAAC,UAAU,EAAE,YAAY,CAAC,cAAc,CAAC,CAAC,EAAA;;wBADzD,6BAA6B;wBAC7B,SAAyD,CAAC;wBAEtD,WAAW,SAAA,CAAC;wBAChB,IAAI,iBAAiB,EAAE;4BACrB,WAAW,GAAG,cAAc,CAAC;yBAC9B;6BAAM;4BACL,WAAW,GAAG,cAAc,CAAC,YAAY,CACvC,IAAA,sBAAW,EAAC,cAAc,CAAC,QAAQ,EAAE,eAAe,CAAC,CACtD,CAAC;yBACH;wBAED,IAAA,wBAAc,EAAC,WAAW,CAAC,QAAQ,EAAE,WAAW,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;wBACtE,OAAO,CAAC,GAAG,EAAE,CAAC;wBACd,IAAA,uBAAa,EAAC,WAAW,EAAE,IAAI,CAAC,CAAC;wBACjC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;wBACZ,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;wBAEjC,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC;wBAC7E,OAAO,CAAC,GAAG,CACT,eAAa,SAAS,mBAAc,OAAO,YAAO,IAAI,CAAC,KAAK,CAC1D,SAAS,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC,CAC/B,iBAAc,CAChB,CAAC;;;;wBAEF,IAAI,KAAG,YAAY,wBAAe,EAAE;4BAClC,OAAO,CAAC,IAAI,CAAC,KAAG,CAAC,OAAO,CAAC,CAAC;4BAC1B,sBAAO,OAAO,CAAC,IAAI,CAAC,mBAAQ,CAAC,eAAe,CAAC,EAAC;yBAC/C;wBACD,IAAI,KAAG,YAAY,mBAAU,EAAE;4BAC7B,sBAAO,OAAO,CAAC,IAAI,CAAC,mBAAQ,CAAC,UAAU,CAAC,EAAC;yBAC1C;wBACD,IAAI,CAAC,cAAO,IAAI,KAAG,YAAY,KAAK,EAAE;4BACpC,OAAO,CAAC,KAAK,CAAC,KAAG,CAAC,OAAO,CAAC,CAAC;4BAC3B,sBAAO,OAAO,CAAC,IAAI,CAAC,mBAAQ,CAAC,YAAY,CAAC,EAAC;yBAC5C;wBAED,MAAM,KAAG,CAAC;;;;;KAEb;CACF,CAAC;AAEF,SAAS,cAAc,CAAC,EAOP;QANC,IAAI,iBAAA,EACD,OAAO,oBAAA,EACJ,UAAU,uBAAA,EACjB,GAAG,gBAAA,EACG,SAAS,sBAAA,EACT,SAAS,sBAAA;IAE9B,IAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,GAAG,EAAE,IAAI,GAAG,CAAC;QACb,MAAM,EAAE,OAAO,GAAG,CAAC;QACnB,GAAG,EAAE,GAAG,GAAG,CAAC;QACZ,QAAQ,EAAE,SAAS,GAAG,CAAC;QACvB,QAAQ,EAAE,SAAS,GAAG,CAAC;KACxB,CAAC;SACC,MAAM,CAAC,UAAC,EAAK;YAAL,KAAA,aAAK,EAAF,CAAC,QAAA;QAAM,OAAA,CAAC;IAAD,CAAC,CAAC;SACpB,GAAG,CAAC,UAAC,EAAG;YAAH,KAAA,aAAG,EAAF,CAAC,QAAA;QAAM,OAAA,CAAC;IAAD,CAAC,CAAC,CAAC;IAEnB,OAAO,UAAU,QAAkB;QA
CjC,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAC,EAAM;gBAAN,KAAA,aAAM,EAAL,CAAC,QAAA,EAAE,CAAC,QAAA;YACpC,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAAE,OAAO,KAAK,CAAC;YACvC,IAAI,CAAC,KAAK,YAAY;gBAAE,OAAQ,CAAC,CAAC,IAAI,EAAE,CAAa,CAAC,MAAM,KAAK,UAAU,CAAC;YAC5E,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CACH,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CAAO,OAAoB,EAAE,GAAgB;;IACxD,IAAM,MAAM,GAAG,IAAI,GAAG,EAAQ,CAAC;;QAE/B,KAAoB,IAAA,YAAA,SAAA,OAAO,CAAA,gCAAA,qDAAE;YAAxB,IAAM,KAAK,oBAAA;YACd,IAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;YACrB,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;gBAAE,SAAS;YAC5B,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;SACtB;;;;;;;;;IAED,OAAO,MAAM,CAAC,MAAM,EAAE,CAAC;AACzB,CAAC;AAED,0DAA0D;AAC1D,SAAS,YAAY,CAAC,cAA2B;IACzC,IAAA,kBAA6C,cAAc,CAAE,EAA3D,OAAO,aAAA,EAAE,cAAc,oBAAA,EAAE,QAAQ,cAA0B,CAAC;IAEpE,gDAAgD;IAChD,IAAM,MAAM,GAAG,cAAc,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACtD,IAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CACjC,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,GAAG,CAAC,UAAC,EAAc;YAAd,KAAA,aAAc,EAAb,EAAE,QAAA,EAAE,QAAQ,QAAA;QAAM,OAAA,CAAC,EAAE,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAAtB,CAAsB,CAAC,CAC/E,CAAC;IAEF,yCAAyC;IACzC,IAAM,cAAc,4BAAO,IAAI,CAAC,QAAQ,EAAE,UAAC,EAAQ;YAAN,IAAI,UAAA;QAAO,OAAA,IAAI;IAAJ,CAAI,CAAC,SAAC,CAAC;IAE/D,OAAO,IAAI,CAAC,SAAS,uBAEd,cAAc,KACjB,OAAO,wBAAO,OAAO,KAAE,WAAW,EAAE,cAAc,CAAC,MAAM,KACzD,cAAc,EAAE,QAAQ,EACxB,QAAQ,EAAE,cAAc,KAE1B,IAAI,EACJ,CAAC,CACF,CAAC;AACJ,CAAC"}
|
|
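--- a/package/built/cli/scan/scanner.js
+++ b/package/built/cli/scan/scanner.js
@@ -61,9 +61,19 @@ var resolveAppId_1 = __importDefault(require("../resolveAppId"));
 var scan_1 = __importDefault(require("../scan"));
 var scanResults_1 = require("../../report/scanResults");
 function scanner(reportAllFindings, configuration, files) {
-return
-
-
+return __awaiter(this, void 0, void 0, function () {
+return __generator(this, function (_a) {
+switch (_a.label) {
+case 0:
+if (!reportAllFindings) return [3 /*break*/, 1];
+return [2 /*return*/, new StandaloneScanner(configuration, files)];
+case 1: return [4 /*yield*/, (0, src_1.loadConfiguration)()];
+case 2:
+_a.sent();
+return [2 /*return*/, new ServerIntegratedScanner(configuration, files)];
+}
+});
+});
 }
 exports.default = scanner;
 var ScannerBase = /** @class */ (function () {
@@ -76,14 +86,11 @@ var ScannerBase = /** @class */ (function () {
 var checks, _a, appMapMetadata, findings;
 return __generator(this, function (_b) {
 switch (_b.label) {
-case 0: return [4 /*yield*/, this.
+case 0: return [4 /*yield*/, (0, configurationProvider_1.loadConfig)(this.configuration)];
 case 1:
-_b.sent();
-return [4 /*yield*/, (0, configurationProvider_1.loadConfig)(this.configuration)];
-case 2:
 checks = _b.sent();
 return [4 /*yield*/, (0, scan_1.default)(this.files, checks)];
-case
+case 2:
 _a = _b.sent(), appMapMetadata = _a.appMapMetadata, findings = _a.findings;
 return [2 /*return*/, new scanResults_1.ScanResults(this.configuration, appMapMetadata, findings, checks)];
 }
@@ -97,23 +104,6 @@ var ServerIntegratedScanner = /** @class */ (function (_super) {
 function ServerIntegratedScanner() {
 return _super !== null && _super.apply(this, arguments) || this;
 }
-ServerIntegratedScanner.prototype.verifyServerConfiguration = function () {
-return __awaiter(this, void 0, void 0, function () {
-return __generator(this, function (_a) {
-return [2 /*return*/, new Promise(function (resolve) {
-(0, src_1.loadConfiguration)()
-.then(function () { return resolve(true); })
-.catch(function (err) {
-console.warn("\u26A0\uFE0F Notice \u26A0\uFE0F");
-console.warn("\u26A0\uFE0F AppMap Server configuration is not available.");
-console.warn("\u26A0\uFE0F Detailed message: " + err.toString());
-console.warn("\u26A0\uFE0F Scanning will continue without fetching existing findings from the server.");
-resolve(false);
-});
-})];
-});
-});
-};
 ServerIntegratedScanner.prototype.fetchFindingStatus = function (appIdArg, appMapDir) {
 return __awaiter(this, void 0, void 0, function () {
 var appId;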
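Review bot: `scanner()` at new lines 63-77 now rejects outright when `loadConfiguration()` rejects, replacing the removed `verifyServerConfiguration` (third hunk) that warned and continued with `resolve(false)`, but nothing documents this contract change for callers, and the awaited value is discarded at `_a.sent();` with no comment saying it is only a reachability probe. Add a JSDoc on the factory in `src/cli/scan/scanner.ts` stating that with `reportAllFindings` a StandaloneScanner is returned without contacting the server, and that otherwise `loadConfiguration()` must succeed and the promise rejects with its error, which callers are expected to translate into a user-facing message. A `// result unused: only confirms the server configuration is loadable` comment on the `_a.sent()` line would help the next reader. The `ScannerBase.prototype.scan` body in the second hunk starts outside the hunk.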
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../../src/cli/scan/scanner.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,gDAAoF;AAEpF,mFAAuE;AAEvE,sGAA0E;AAE1E,iEAA2C;AAC3C,iDAA2B;AAC3B,wDAAuD;AAQvD,
|
|
1
|
+
{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../../src/cli/scan/scanner.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,gDAAoF;AAEpF,mFAAuE;AAEvE,sGAA0E;AAE1E,iEAA2C;AAC3C,iDAA2B;AAC3B,wDAAuD;AAQvD,SAA8B,OAAO,CACnC,iBAA0B,EAC1B,aAA4B,EAC5B,KAAe;;;;;yBAEX,iBAAiB,EAAjB,wBAAiB;oBACnB,sBAAO,IAAI,iBAAiB,CAAC,aAAa,EAAE,KAAK,CAAC,EAAC;wBAEnD,qBAAM,IAAA,uBAAiB,GAAE,EAAA;;oBAAzB,SAAyB,CAAC;oBAC1B,sBAAO,IAAI,uBAAuB,CAAC,aAAa,EAAE,KAAK,CAAC,EAAC;;;;CAE5D;AAXD,0BAWC;AAED;IACE,qBAAmB,aAA4B,EAAS,KAAe;QAApD,kBAAa,GAAb,aAAa,CAAe;QAAS,UAAK,GAAL,KAAK,CAAU;IAAG,CAAC;IAErE,0BAAI,GAAV;;;;;4BACiB,qBAAM,IAAA,kCAAU,EAAC,IAAI,CAAC,aAAa,CAAC,EAAA;;wBAA7C,MAAM,GAAG,SAAoC;wBACd,qBAAM,IAAA,cAAI,EAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,EAAA;;wBAA7D,KAA+B,SAA8B,EAA3D,cAAc,oBAAA,EAAE,QAAQ,cAAA;wBAChC,sBAAO,IAAI,yBAAW,CAAC,IAAI,CAAC,aAAa,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAC;;;;KAC9E;IACH,kBAAC;AAAD,CAAC,AARD,IAQC;AAED;IAAsC,2CAAW;IAAjD;;IAQA,CAAC;IAPO,oDAAkB,GAAxB,UACE,QAAiB,EACjB,SAAkB;;;;;4BAEJ,qBAAM,IAAA,sBAAY,EAAC,QAAQ,EAAE,SAAS,CAAC,EAAA;;wBAA/C,KAAK,GAAG,SAAuC;wBAC9C,qBAAM,IAAA,2BAAW,EAAC,KAAK,CAAC,EAAA;4BAA/B,sBAAO,SAAwB,EAAC;;;;KACjC;IACH,8BAAC;AAAD,CAAC,AARD,CAAsC,WAAW,GAQhD;AAED;IAAgC,qCAAW;IAA3C;;IAQA,CAAC;IAPO,qDAAyB,GAA/B;;;gBACE,sBAAO,IAAI,EAAC;;;KACb;IAEK,8CAAkB,GAAxB;;;gBACE,sBAAO,EAAE,EAAC;;;KACX;IACH,wBAAC;AAAD,CAAC,AARD,CAAgC,WAAW,GAQ1C"}
|
|
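--- a/package/built/rules/deserializationOfUntrustedData.js
+++ b/package/built/rules/deserializationOfUntrustedData.js
@@ -1,31 +1,4 @@
 "use strict";
-var __generator = (this && this.__generator) || function (thisArg, body) {
-var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
-return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
-function verb(n) { return function (v) { return step([n, v]); }; }
-function step(op) {
-if (f) throw new TypeError("Generator is already executing.");
-while (_) try {
-if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
-if (y = 0, t) op = [op[0] & 2, t.value];
-switch (op[0]) {
-case 0: case 1: t = op; break;
-case 4: _.label++; return { value: op[1], done: false };
-case 5: _.label++; y = op[1]; op = [0]; continue;
-case 7: op = _.ops.pop(); _.trys.pop(); continue;
-default:
-if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
-if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
-if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
-if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
-if (t[2]) _.ops.pop();
-_.trys.pop(); continue;
-}
-op = body.call(thisArg, _);
-} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
-if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
-}
-};
 var __values = (this && this.__values) || function(o) {
 var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
 if (m) return m.call(o);
@@ -44,75 +17,34 @@ Object.defineProperty(exports, "__esModule", { value: true });
 var models_1 = require("@appland/models");
 var url_1 = require("url");
 var parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
-
-
-!!event.returnValue &&
-!!event.returnValue.object_id &&
-event.returnValue.object_id === objectId);
-}
-function precedingEvents(rootEvent, target) {
-var _a, _b, event, e_1_1;
-var e_1, _c;
-return __generator(this, function (_d) {
-switch (_d.label) {
-case 0:
-_d.trys.push([0, 5, 6, 7]);
-_a = __values(new models_1.EventNavigator(rootEvent).descendants()), _b = _a.next();
-_d.label = 1;
-case 1:
-if (!!_b.done) return [3 /*break*/, 4];
-event = _b.value;
-if (event.event === target) {
-return [3 /*break*/, 4];
-}
-return [4 /*yield*/, event];
-case 2:
-_d.sent();
-_d.label = 3;
-case 3:
-_b = _a.next();
-return [3 /*break*/, 1];
-case 4: return [3 /*break*/, 7];
-case 5:
-e_1_1 = _d.sent();
-e_1 = { error: e_1_1 };
-return [3 /*break*/, 7];
-case 6:
-try {
-if (_b && !_b.done && (_c = _a.return)) _c.call(_a);
-}
-finally { if (e_1) throw e_1.error; }
-return [7 /*endfinally*/];
-case 7: return [2 /*return*/];
-}
-});
-}
+var precedingEvents_1 = __importDefault(require("./lib/precedingEvents"));
+var sanitizesData_1 = __importDefault(require("./lib/sanitizesData"));
 function allArgumentsSanitized(rootEvent, event) {
 return (event.parameters || [])
 .filter(function (parameter) { return parameter.object_id; })
 .every(function (parameter) {
-var
+var e_1, _a;
 try {
-for (var _b = __values(
+for (var _b = __values((0, precedingEvents_1.default)(rootEvent, event)), _c = _b.next(); !_c.done; _c = _b.next()) {
 var candidate = _c.value;
-if (
+if ((0, sanitizesData_1.default)(candidate.event, parameter.object_id, DeserializeSanitize)) {
 return true;
 }
 }
 }
-catch (
+catch (e_1_1) { e_1 = { error: e_1_1 }; }
 finally {
 try {
 if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
 }
-finally { if (
+finally { if (e_1) throw e_1.error; }
 }
 return false;
 });
 }
 function build() {
 function matcher(rootEvent) {
-var
+var e_2, _a;
 try {
 for (var _b = __values(new models_1.EventNavigator(rootEvent).descendants()), _c = _b.next(); !_c.done; _c = _b.next()) {
 var event = _c.value;
@@ -134,12 +66,12 @@ function build() {
 }
 }
 }
-catch (
+catch (e_2_1) { e_2 = { error: e_2_1 }; }
 finally {
 try {
 if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
 }
-finally { if (
+finally { if (e_2) throw e_2.error; }
 }
 }
 return {
@@ -148,11 +80,11 @@ function build() {
 }
 var DeserializeUnsafe = 'deserialize.unsafe';
 var DeserializeSafe = 'deserialize.safe';
-var
+var DeserializeSanitize = 'deserialize.sanitize';
 exports.default = {
 id: 'deserialization-of-untrusted-data',
 title: 'Deserialization of untrusted data',
-labels: [DeserializeUnsafe, DeserializeSafe,
+labels: [DeserializeUnsafe, DeserializeSafe, DeserializeSanitize],
 impactDomain: 'Security',
 enumerateScope: false,
 // scope: //*[@command]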
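Review bot: In `allArgumentsSanitized` (new lines 22-44) the rewritten `.every` callback runs over `event.parameters` filtered to those with an `object_id`, so a `deserialize.unsafe` event none of whose parameters carries an `object_id` — presumably possible when the agent does not record one for a value — is vacuously reported as fully sanitized and, if the caller treats that as a pass, never surfaces as a finding; a sanitizer check should fail closed. If that is not intended, materialize the filtered list and return false when it is empty, e.g. `var tracked = (event.parameters || []).filter(function (p) { return p.object_id; }); if (tracked.length === 0) return false; return tracked.every(/* unchanged callback */);`. Separately, this function is repeated in the new `execOfUntrustedCommand.js` (last section, cut off in this view) with only the `ExecSanitize` label differing; hoisting it into `lib/` next to `precedingEvents` and `sanitizesData`, with the sanitize label as a parameter, would keep the two rules from drifting. Both changes belong in the TypeScript sources, as the listed files are compiled output.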
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"deserializationOfUntrustedData.js","sourceRoot":"","sources":["../../src/rules/deserializationOfUntrustedData.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"deserializationOfUntrustedData.js","sourceRoot":"","sources":["../../src/rules/deserializationOfUntrustedData.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,0CAAwD;AAExD,2BAA0B;AAC1B,oFAA8D;AAC9D,0EAAoD;AACpD,sEAAgD;AAEhD,SAAS,qBAAqB,CAAC,SAAgB,EAAE,KAAY;IAC3D,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,UAAC,SAAS,IAAK,OAAA,SAAS,CAAC,SAAS,EAAnB,CAAmB,CAAC;SAC1C,KAAK,CAAC,UAAC,SAAS;;;YACf,KAAwB,IAAA,KAAA,SAAA,IAAA,yBAAe,EAAC,SAAS,EAAE,KAAK,CAAC,CAAA,gBAAA,4BAAE;gBAAtD,IAAM,SAAS,WAAA;gBAClB,IAAI,IAAA,uBAAa,EAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,SAAU,EAAE,mBAAmB,CAAC,EAAE;oBAC7E,OAAO,IAAI,CAAC;iBACb;aACF;;;;;;;;;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,SAAgB;;;YAC/B,KAAoB,IAAA,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA,gBAAA,4BAAE;gBAA5D,IAAM,KAAK,WAAA;gBACd,mIAAmI;gBACnI,IACE,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,iBAAiB,CAAC;oBACzC,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,UAAC,QAAQ,IAAK,OAAA,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,EAApC,CAAoC,CAAC,EACjF;oBACA,IAAI,qBAAqB,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE;wBACjD,OAAO;qBACR;yBAAM;wBACL,OAAO;4BACL;gCACE,KAAK,EAAE,OAAO;gCACd,KAAK,EAAE,KAAK,CAAC,KAAK;gCAClB,OAAO,EAAK,KAAK,CAAC,KAAK,iCAA8B;6BACtD;yBACF,CAAC;qBACH;iBACF;aACF;;;;;;;;;IACH,CAAC;IAED,OAAO;QACL,OAAO,SAAA;KACR,CAAC;AACJ,CAAC;AAED,IAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAC/C,IAAM,eAAe,GAAG,kBAAkB,CAAC;AAC3C,IAAM,mBAAmB,GAAG,sBAAsB,CAAC;AAEnD,kBAAe;IACb,EAAE,EAAE,mCAAmC;IACvC,KAAK,EAAE,mCAAmC;IAC1C,MAAM,EAAE,CAAC,iBAAiB,EAAE,eAAe,EAAE,mBAAmB,CAAC;IACjE,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,KAAK;IACrB,uBAAuB;IACvB,UAAU,EAAE;QACV,SAAS,EAAE,IAAI,SAAG,CAAC,iDAAiD,CAAC;QACrE,eAAe,EAAE,IAAI,SAAG,CAAC,0DAA0D,CAAC;KACrF;IACD,WAAW,EAAE,IAAA,8BAAoB,EAAC,gCAAgC,CAAC;IACnE,GAAG,EAAE,0FAA0F;IAC/F,KAAK,OAAA;CACE,CAAC"}
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __values = (this && this.__values) || function(o) {
|
|
3
|
+
var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
|
|
4
|
+
if (m) return m.call(o);
|
|
5
|
+
if (o && typeof o.length === "number") return {
|
|
6
|
+
next: function () {
|
|
7
|
+
if (o && i >= o.length) o = void 0;
|
|
8
|
+
return { value: o && o[i++], done: !o };
|
|
9
|
+
}
|
|
10
|
+
};
|
|
11
|
+
throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
|
|
12
|
+
};
|
|
13
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
14
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
15
|
+
};
|
|
16
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
17
|
+
var models_1 = require("@appland/models");
|
|
18
|
+
var url_1 = require("url");
|
|
19
|
+
var parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
|
|
20
|
+
var precedingEvents_1 = __importDefault(require("./lib/precedingEvents"));
|
|
21
|
+
var sanitizesData_1 = __importDefault(require("./lib/sanitizesData"));
|
|
22
|
+
function allArgumentsSanitized(rootEvent, event) {
|
|
23
|
+
return (event.parameters || [])
|
|
24
|
+
.filter(function (parameter) { return parameter.object_id; })
|
|
25
|
+
.every(function (parameter) {
|
|
26
|
+
var e_1, _a;
|
|
27
|
+
try {
|
|
28
|
+
for (var _b = __values((0, precedingEvents_1.default)(rootEvent, event)), _c = _b.next(); !_c.done; _c = _b.next()) {
|
|
29
|
+
var candidate = _c.value;
|
|
30
|
+
if ((0, sanitizesData_1.default)(candidate.event, parameter.object_id, ExecSanitize)) {
|
|
31
|
+
return true;
|
|
32
|
+
}
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
catch (e_1_1) { e_1 = { error: e_1_1 }; }
|
|
36
|
+
finally {
|
|
37
|
+
try {
|
|
38
|
+
if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
|
|
39
|
+
}
|
|
40
|
+
finally { if (e_1) throw e_1.error; }
|
|
41
|
+
}
|
|
42
|
+
return false;
|
|
43
|
+
});
|
|
44
|
+
}
|
|
45
|
+
function build() {
|
|
46
|
+
function matcher(rootEvent) {
|
|
47
|
+
var e_2, _a;
|
|
48
|
+
try {
|
|
49
|
+
for (var _b = __values(new models_1.EventNavigator(rootEvent).descendants()), _c = _b.next(); !_c.done; _c = _b.next()) {
|
|
50
|
+
var event = _c.value;
|
|
51
|
+
if (event.event.labels.has(Exec) &&
|
|
52
|
+
!event.event.ancestors().find(function (ancestor) { return ancestor.labels.has(ExecSafe); })) {
|
|
53
|
+
if (allArgumentsSanitized(rootEvent, event.event)) {
|
|
54
|
+
return;
|
|
55
|
+
}
|
|
56
|
+
else {
|
|
57
|
+
return [
|
|
58
|
+
{
|
|
59
|
+
level: 'error',
|
|
60
|
+
event: event.event,
|
|
61
|
+
message: event.event + " executes an untrusted command string",
|
|
62
|
+
},
|
|
63
|
+
];
|
|
64
|
+
}
|
|
65
|
+
}
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
catch (e_2_1) { e_2 = { error: e_2_1 }; }
|
|
69
|
+
finally {
|
|
70
|
+
try {
|
|
71
|
+
if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
|
|
72
|
+
}
|
|
73
|
+
finally { if (e_2) throw e_2.error; }
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
return {
|
|
77
|
+
matcher: matcher,
|
|
78
|
+
};
|
|
79
|
+
}
|
|
80
|
+
var Exec = 'system.exec';
|
|
81
|
+
var ExecSafe = 'system.exec.safe';
|
|
82
|
+
var ExecSanitize = 'system.exec.sanitize';
|
|
83
|
+
exports.default = {
|
|
84
|
+
id: 'exec-of-untrusted-command',
|
|
85
|
+
title: 'Execution of untrusted system command',
|
|
86
|
+
labels: [Exec, ExecSafe, ExecSanitize],
|
|
87
|
+
impactDomain: 'Security',
|
|
88
|
+
enumerateScope: false,
|
|
89
|
+
// scope: //*[@command]
|
|
90
|
+
references: {
|
|
91
|
+
'CWE-78': new url_1.URL('https://cwe.mitre.org/data/definitions/78.html'),
|
|
92
|
+
},
|
|
93
|
+
description: (0, parseRuleDescription_1.default)('execOfUntrustedCommand'),
|
|
94
|
+
url: 'https://appland.com/docs/analysis/rules-reference.html#exec-of-untrusted-command',
|
|
95
|
+
build: build,
|
|
96
|
+
};
|
|
97
|
+
//# sourceMappingURL=execOfUntrustedCommand.js.map
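Review bot: `matcher` stops at the first `system.exec` descendant it meets — both branches at lines 53–63 `return` out of the loop — so when that first exec is sanitized (or sits under a `system.exec.safe` ancestor is fine, that path continues, but the sanitized path does not) every later exec in the same scope is never examined and an unsanitized command there is silently missed. The rule also fails open: `allArgumentsSanitized` ends in `.every(...)` over parameters that carry an `object_id`, and `[].every()` is `true`, so an exec whose recorded arguments have no `object_id` (presumably primitives the recorder did not track — worth confirming against the appmap format) is treated as fully sanitized. The same `return;` shape appears in the deserialization rule's source map, so the TypeScript source of both rules is where this belongs; the compiled shape below shows the intent: collect findings, `continue` instead of `return`, and only credit sanitization when at least one argument is trackable. Returning an array from `matcher` matches what the error branch already returns.
```javascript
function matcher(rootEvent) {
    var findings = [];
    for (var _b = __values(new models_1.EventNavigator(rootEvent).descendants()), _c = _b.next(); !_c.done; _c = _b.next()) {
        var event = _c.value;
        if (!event.event.labels.has(Exec)) continue;
        if (event.event.ancestors().find(function (ancestor) { return ancestor.labels.has(ExecSafe); })) continue;
        // Fail closed: an exec with no object-tracked arguments cannot be shown to be sanitized.
        var tracked = (event.event.parameters || []).filter(function (parameter) { return parameter.object_id; });
        if (tracked.length > 0 && allArgumentsSanitized(rootEvent, event.event)) continue;
        findings.push({
            level: 'error',
            event: event.event,
            message: event.event + " executes an untrusted command string",
        });
    }
    return findings;
}
```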
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"execOfUntrustedCommand.js","sourceRoot":"","sources":["../../src/rules/execOfUntrustedCommand.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,0CAAwD;AACxD,2BAA0B;AAE1B,oFAA8D;AAC9D,0EAAoD;AACpD,sEAAgD;AAEhD,SAAS,qBAAqB,CAAC,SAAgB,EAAE,KAAY;IAC3D,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,UAAC,SAAS,IAAK,OAAA,SAAS,CAAC,SAAS,EAAnB,CAAmB,CAAC;SAC1C,KAAK,CAAC,UAAC,SAAS;;;YACf,KAAwB,IAAA,KAAA,SAAA,IAAA,yBAAe,EAAC,SAAS,EAAE,KAAK,CAAC,CAAA,gBAAA,4BAAE;gBAAtD,IAAM,SAAS,WAAA;gBAClB,IAAI,IAAA,uBAAa,EAAC,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,SAAU,EAAE,YAAY,CAAC,EAAE;oBACtE,OAAO,IAAI,CAAC;iBACb;aACF;;;;;;;;;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,KAAK;IACZ,SAAS,OAAO,CAAC,SAAgB;;;YAC/B,KAAoB,IAAA,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA,gBAAA,4BAAE;gBAA5D,IAAM,KAAK,WAAA;gBACd,IACE,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC;oBAC5B,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,UAAC,QAAQ,IAAK,OAAA,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,EAA7B,CAA6B,CAAC,EAC1E;oBACA,IAAI,qBAAqB,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE;wBACjD,OAAO;qBACR;yBAAM;wBACL,OAAO;4BACL;gCACE,KAAK,EAAE,OAAO;gCACd,KAAK,EAAE,KAAK,CAAC,KAAK;gCAClB,OAAO,EAAK,KAAK,CAAC,KAAK,0CAAuC;6BAC/D;yBACF,CAAC;qBACH;iBACF;aACF;;;;;;;;;IACH,CAAC;IAED,OAAO;QACL,OAAO,SAAA;KACR,CAAC;AACJ,CAAC;AAED,IAAM,IAAI,GAAG,aAAa,CAAC;AAC3B,IAAM,QAAQ,GAAG,kBAAkB,CAAC;AACpC,IAAM,YAAY,GAAG,sBAAsB,CAAC;AAE5C,kBAAe;IACb,EAAE,EAAE,2BAA2B;IAC/B,KAAK,EAAE,uCAAuC;IAC9C,MAAM,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,YAAY,CAAC;IACtC,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,KAAK;IACrB,uBAAuB;IACvB,UAAU,EAAE;QACV,QAAQ,EAAE,IAAI,SAAG,CAAC,gDAAgD,CAAC;KACpE;IACD,WAAW,EAAE,IAAA,8BAAoB,EAAC,wBAAwB,CAAC;IAC3D,GAAG,EAAE,kFAAkF;IACvF,KAAK,OAAA;CACE,CAAC"}
|
|
@@ -4,13 +4,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
6
|
var fs_1 = __importDefault(require("fs"));
|
|
7
|
-
var errors_1 = require("../../errors");
|
|
8
7
|
var path_1 = require("path");
|
|
9
8
|
function parseRuleDescription(id) {
|
|
10
9
|
var content = fs_1.default.readFileSync((0, path_1.join)(__dirname, "../../../doc/rules/" + id + ".md"), 'utf-8');
|
|
11
|
-
var propertiesContent = content.match(/---\n((?:.*\n)+)---\n((?:.*\n)+?)
|
|
10
|
+
var propertiesContent = content.match(/---\n((?:.*\n)+)---\n((?:.*\n)+?)##?#?/);
|
|
12
11
|
if (!propertiesContent) {
|
|
13
|
-
|
|
12
|
+
// This is probably a new doc that doesn't have front matter yet.
|
|
13
|
+
// It's all description.
|
|
14
|
+
return content;
|
|
14
15
|
}
|
|
15
16
|
return propertiesContent[2].replace(/\n/g, ' ').trim();
|
|
16
17
|
}
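Review bot: The new fallback on line 12–14 is reached not only when a doc has no front matter but also when it has front matter and no `#` heading afterwards, because the regex on line 10 requires a `#` to terminate the description; the new `doc/rules/execOfUntrustedCommand.md` in this same release is exactly that shape, so its rule description will be the whole file, YAML front matter included. The first capture group is also greedy, so a later `---` line in the body would extend the "front matter" to it. A one-line change makes both the heading and the front-matter end optional and tolerant of CRLF: `var propertiesContent = content.match(/^---\r?\n([\s\S]*?)\r?\n---\r?\n([\s\S]*?)(?:\r?\n#|$)/);`. The comment on line 12 should then say that the fallback covers a file with no front matter at all.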
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"parseRuleDescription.js","sourceRoot":"","sources":["../../../src/rules/lib/parseRuleDescription.ts"],"names":[],"mappings":";;;;;AAAA,0CAAoB;AACpB,
|
|
1
|
+
{"version":3,"file":"parseRuleDescription.js","sourceRoot":"","sources":["../../../src/rules/lib/parseRuleDescription.ts"],"names":[],"mappings":";;;;;AAAA,0CAAoB;AACpB,6BAA4B;AAE5B,SAAwB,oBAAoB,CAAC,EAAU;IACrD,IAAM,OAAO,GAAG,YAAE,CAAC,YAAY,CAAC,IAAA,WAAI,EAAC,SAAS,EAAE,wBAAsB,EAAE,QAAK,CAAC,EAAE,OAAO,CAAC,CAAC;IACzF,IAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAElF,IAAI,CAAC,iBAAiB,EAAE;QACtB,iEAAiE;QACjE,wBAAwB;QACxB,OAAO,OAAO,CAAC;KAChB;IAED,OAAO,iBAAiB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AACzD,CAAC;AAXD,uCAWC"}
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __generator = (this && this.__generator) || function (thisArg, body) {
|
|
3
|
+
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
|
|
4
|
+
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
|
|
5
|
+
function verb(n) { return function (v) { return step([n, v]); }; }
|
|
6
|
+
function step(op) {
|
|
7
|
+
if (f) throw new TypeError("Generator is already executing.");
|
|
8
|
+
while (_) try {
|
|
9
|
+
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
|
|
10
|
+
if (y = 0, t) op = [op[0] & 2, t.value];
|
|
11
|
+
switch (op[0]) {
|
|
12
|
+
case 0: case 1: t = op; break;
|
|
13
|
+
case 4: _.label++; return { value: op[1], done: false };
|
|
14
|
+
case 5: _.label++; y = op[1]; op = [0]; continue;
|
|
15
|
+
case 7: op = _.ops.pop(); _.trys.pop(); continue;
|
|
16
|
+
default:
|
|
17
|
+
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
|
|
18
|
+
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
|
|
19
|
+
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
|
|
20
|
+
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
|
|
21
|
+
if (t[2]) _.ops.pop();
|
|
22
|
+
_.trys.pop(); continue;
|
|
23
|
+
}
|
|
24
|
+
op = body.call(thisArg, _);
|
|
25
|
+
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
|
|
26
|
+
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
|
|
27
|
+
}
|
|
28
|
+
};
|
|
29
|
+
var __values = (this && this.__values) || function(o) {
|
|
30
|
+
var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
|
|
31
|
+
if (m) return m.call(o);
|
|
32
|
+
if (o && typeof o.length === "number") return {
|
|
33
|
+
next: function () {
|
|
34
|
+
if (o && i >= o.length) o = void 0;
|
|
35
|
+
return { value: o && o[i++], done: !o };
|
|
36
|
+
}
|
|
37
|
+
};
|
|
38
|
+
throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
|
|
39
|
+
};
|
|
40
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
41
|
+
var models_1 = require("@appland/models");
|
|
42
|
+
function precedingEvents(rootEvent, target) {
|
|
43
|
+
var _a, _b, event, e_1_1;
|
|
44
|
+
var e_1, _c;
|
|
45
|
+
return __generator(this, function (_d) {
|
|
46
|
+
switch (_d.label) {
|
|
47
|
+
case 0:
|
|
48
|
+
_d.trys.push([0, 5, 6, 7]);
|
|
49
|
+
_a = __values(new models_1.EventNavigator(rootEvent).descendants()), _b = _a.next();
|
|
50
|
+
_d.label = 1;
|
|
51
|
+
case 1:
|
|
52
|
+
if (!!_b.done) return [3 /*break*/, 4];
|
|
53
|
+
event = _b.value;
|
|
54
|
+
if (event.event === target) {
|
|
55
|
+
return [3 /*break*/, 4];
|
|
56
|
+
}
|
|
57
|
+
return [4 /*yield*/, event];
|
|
58
|
+
case 2:
|
|
59
|
+
_d.sent();
|
|
60
|
+
_d.label = 3;
|
|
61
|
+
case 3:
|
|
62
|
+
_b = _a.next();
|
|
63
|
+
return [3 /*break*/, 1];
|
|
64
|
+
case 4: return [3 /*break*/, 7];
|
|
65
|
+
case 5:
|
|
66
|
+
e_1_1 = _d.sent();
|
|
67
|
+
e_1 = { error: e_1_1 };
|
|
68
|
+
return [3 /*break*/, 7];
|
|
69
|
+
case 6:
|
|
70
|
+
try {
|
|
71
|
+
if (_b && !_b.done && (_c = _a.return)) _c.call(_a);
|
|
72
|
+
}
|
|
73
|
+
finally { if (e_1) throw e_1.error; }
|
|
74
|
+
return [7 /*endfinally*/];
|
|
75
|
+
case 7: return [2 /*return*/];
|
|
76
|
+
}
|
|
77
|
+
});
|
|
78
|
+
}
|
|
79
|
+
exports.default = precedingEvents;
|
|
80
|
+
//# sourceMappingURL=precedingEvents.js.map
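Review bot: `precedingEvents` has no documentation and its meaning of "preceding" depends entirely on the order `EventNavigator.descendants()` yields events (line 49), which is not visible here; if that is a pre-order walk in call order, an ancestor of `target` is yielded as "preceding" even though its return value — which `sanitizesData` inspects — was produced after `target` ran. When `target` is not a descendant of `rootEvent` the generator yields every descendant rather than nothing. A header comment such as `// Yields every descendant of rootEvent that descendants() produces before target, in traversal order; includes target's own ancestors. If target is not found, yields all descendants.` would make both properties explicit for the rules that rely on them, and the TypeScript source is the place to add it.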
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"precedingEvents.js","sourceRoot":"","sources":["../../../src/rules/lib/precedingEvents.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0CAAwD;AAExD,SAAyB,eAAe,CACtC,SAAgB,EAChB,MAAa;;;;;;;gBAEO,KAAA,SAAA,IAAI,uBAAc,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA;;;;gBAApD,KAAK;gBACd,IAAI,KAAK,CAAC,KAAK,KAAK,MAAM,EAAE;oBAC1B,wBAAM;iBACP;gBACD,qBAAM,KAAK,EAAA;;gBAAX,SAAW,CAAC;;;;;;;;;;;;;;;;;;;CAEf;AAVD,kCAUC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
function sanitizesData(event, objectId, label) {
|
|
4
|
+
return (event.labels.has(label) &&
|
|
5
|
+
!!event.returnValue &&
|
|
6
|
+
!!event.returnValue.object_id &&
|
|
7
|
+
event.returnValue.object_id === objectId);
|
|
8
|
+
}
|
|
9
|
+
exports.default = sanitizesData;
|
|
10
|
+
//# sourceMappingURL=sanitizesData.js.map
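Review bot: `sanitizesData` credits a sanitizer only when its return value has the same `object_id` as the argument later handed to the sink (line 7), i.e. the very same object must flow from sanitizer to sink; a sanitizer that returns a new escaped string and a caller that still passes the original value would not be credited, and conversely a sanitizer that returns its input unchanged is credited even if it did no transformation. That contract is not stated anywhere in this file or the label docs. Suggest a header comment: `// True when event is a sanitizer (has `label`) whose return value is the exact object (same object_id) later passed to the sink. Sanitizers that return a new object are only credited if the caller uses that return value.` The `deserialize.sanitize` / `system.exec.sanitize` label docs should carry the same sentence so labelers know to return the sanitized object.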
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sanitizesData.js","sourceRoot":"","sources":["../../../src/rules/lib/sanitizesData.ts"],"names":[],"mappings":";;AAEA,SAAwB,aAAa,CAAC,KAAY,EAAE,QAAgB,EAAE,KAAa;IACjF,OAAO,CACL,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC;QACvB,CAAC,CAAC,KAAK,CAAC,WAAW;QACnB,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS;QAC7B,KAAK,CAAC,WAAW,CAAC,SAAS,KAAK,QAAQ,CACzC,CAAC;AACJ,CAAC;AAPD,gCAOC"}
|
|
@@ -10,7 +10,7 @@ var matchPattern_1 = require("./lib/matchPattern");
|
|
|
10
10
|
var url_1 = require("url");
|
|
11
11
|
var parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
|
|
12
12
|
function isPublic(event) {
|
|
13
|
-
return event.labels.has(
|
|
13
|
+
return event.labels.has(AccessPublic);
|
|
14
14
|
}
|
|
15
15
|
var authenticatedBy = function (iterator) {
|
|
16
16
|
var i = iterator.next();
|
|
@@ -56,13 +56,13 @@ function build(options) {
|
|
|
56
56
|
matcher: matcher,
|
|
57
57
|
};
|
|
58
58
|
}
|
|
59
|
-
var
|
|
59
|
+
var AccessPublic = 'access.public';
|
|
60
60
|
var SecurityAuthentication = 'security.authentication';
|
|
61
61
|
exports.default = {
|
|
62
62
|
id: 'missing-authentication',
|
|
63
63
|
title: 'Unauthenticated HTTP server request',
|
|
64
64
|
scope: 'http_server_request',
|
|
65
|
-
labels: [
|
|
65
|
+
labels: [AccessPublic, SecurityAuthentication],
|
|
66
66
|
impactDomain: 'Security',
|
|
67
67
|
enumerateScope: false,
|
|
68
68
|
references: {
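Review bot: Renaming the recognized label from `public` to `access.public` (line 59) changes a user-facing contract: any project whose appmap config or annotations still label routes `public` will, after this upgrade, have every such request reported as unauthenticated, with no warning that the label is simply no longer recognized. That is at least fail-closed, but a release note and a transition period would avoid the noise; one option is to keep accepting the old label for now, `var AccessPublic = 'access.public'; var LegacyPublic = 'public';` and `return event.labels.has(AccessPublic) || event.labels.has(LegacyPublic);`, with a deprecation comment. The rest of `build` and `isPublic` are outside this hunk.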
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"missingAuthentication.js","sourceRoot":"","sources":["../../src/rules/missingAuthentication.ts"],"names":[],"mappings":";;;;;AAAA,0CAAwD;AACxD,oDAA2D;AAG3D,mCAAoD;AAEpD,mDAAkD;AAClD,2BAA0B;AAC1B,oFAA8D;AAE9D,SAAS,QAAQ,CAAC,KAAY;IAC5B,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,
|
|
1
|
+
{"version":3,"file":"missingAuthentication.js","sourceRoot":"","sources":["../../src/rules/missingAuthentication.ts"],"names":[],"mappings":";;;;;AAAA,0CAAwD;AACxD,oDAA2D;AAG3D,mCAAoD;AAEpD,mDAAkD;AAClD,2BAA0B;AAC1B,oFAA8D;AAE9D,SAAS,QAAQ,CAAC,KAAY;IAC5B,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;AACxC,CAAC;AAED,IAAM,eAAe,GAAG,UAAC,QAAkC;IACzD,IAAI,CAAC,GAAmC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACxD,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE;QACd,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,IAAA,6BAAsB,EAAC,CAAC,CAAC,KAAK,CAAC,KAAK,EAAE,sBAAsB,CAAC,EAAE;YAC5F,OAAO,IAAI,CAAC;SACb;QACD,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;KACrB;IAED,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF;IAAA;QACS,wBAAmB,GAAyB,EAAE,CAAC;QAC/C,wBAAmB,GAAyB,EAAE,CAAC;IACxD,CAAC;IAAD,cAAC;AAAD,CAAC,AAHD,IAGC;AAED,SAAS,KAAK,CAAC,OAAgC;IAAhC,wBAAA,EAAA,cAAuB,OAAO,EAAE;IAC7C,IAAM,mBAAmB,GAAG,IAAA,2BAAY,EAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACtE,IAAM,mBAAmB,GAAG,IAAA,2BAAY,EAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEtE,SAAS,eAAe,CAAC,WAAmB;QAC1C,SAAS,IAAI,CAAC,MAAoB;YAChC,OAAO,MAAM,CAAC,WAAW,CAAC,CAAC;QAC7B,CAAC;QAED,OAAO,CACL,CAAC,mBAAmB,CAAC,MAAM,KAAK,CAAC,IAAI,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpE,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAChC,CAAC;IACJ,CAAC;IAED,SAAS,OAAO,CAAC,KAAY;QAC3B,OAAO,CAAC,eAAe,CAAC,IAAI,uBAAc,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,SAAS,KAAK,CAAC,CAAQ;QACrB,OAAO,CACL,CAAC,CAAC,KAAK,KAAK,SAAS;YACrB,CAAC,CAAC,kBAAkB,KAAK,SAAS;YAClC,CAAC,CAAC,kBAAkB,CAAC,MAAM,GAAG,GAAG;YACjC,CAAC,CAAC,IAAA,+BAAkB,EAAC,CAAC,CAAC;YACvB,CAAC,CAAC,IAAA,+BAAkB,EAAC,CAAC,CAAE,CAAC,WAAW;YACpC,eAAe,CAAC,IAAA,+BAAkB,EAAC,CAAC,CAAE,CAAC,WAAW,CAAC,CACpD,CAAC;IACJ,CAAC;IACD,OAAO;QACL,KAAK,OAAA;QACL,OAAO,SAAA;KACR,CAAC;AACJ,CAAC;AACD,IAAM,YAAY,GAAG,eAAe,CAAC;AACrC,IAAM,sBAAsB,GAAG,yBAAyB,CAAC;AAEzD,kBAAe;IACb,EAAE,EAAE,wBAAwB;IAC5B,KAAK,EAAE,qCAAqC;IAC5C,KAAK,EAAE,qBAAqB;IAC5B,MAAM,EAAE,CAAC,YAAY,EAAE,sBAAsB,CAAC;IAC9C,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE;QACV,SAAS,EAAE,IAAI,SAAG,CAAC,iDAAiD,CAAC;KACtE;IACD,WA
AW,EAAE,IAAA,8BAAoB,EAAC,uBAAuB,CAAC;IAC1D,GAAG,EAAE,+EAA+E;IACpF,OAAO,SAAA;IACP,KAAK,OAAA;CACE,CAAC"}
|
|
@@ -1,7 +1,8 @@
|
|
|
1
1
|
checks:
|
|
2
2
|
- rule: authzBeforeAuthn
|
|
3
3
|
- rule: circularDependency
|
|
4
|
-
|
|
4
|
+
- rule: deserializationOfUntrustedData
|
|
5
|
+
- rule: execOfUntrustedCommand
|
|
5
6
|
- rule: http500
|
|
6
7
|
# - rule: illegalPackageDependency
|
|
7
8
|
# - rule: incompatibleHttpClientRequest
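Review bot: Enabling `deserializationOfUntrustedData` and `execOfUntrustedCommand` in the default config (lines 4–5) is silent rather than noisy for projects that have not labeled anything: both rules only match events carrying the `deserialize.*` / `system.exec*` labels, so an unlabeled deserialization or shell sink produces no finding and a clean scan can be mistaken for "no such sinks". A one-line comment next to each would set expectations: `# fires only on functions labeled system.exec / system.exec.safe / system.exec.sanitize — see doc/labels/`. The same caveat belongs in the two rule docs added in this release.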
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"commandScope.js","sourceRoot":"","sources":["../../src/scope/commandScope.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0CAAwD;AAExD,kEAA4C;AAE5C;IAIE,mBAAY,KAAY;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,WAAW,GAAG,IAAI,uBAAc,CAAC,KAAK,CAAC,CAAC;IAC/C,CAAC;IAEA,0BAAM,GAAP;;;;;wBACE,qBAAM,IAAI,CAAC,KAAK,EAAA;;oBAAhB,SAAgB,CAAC;;;;oBAEG,KAAA,SAAA,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAA;;;;oBAAvC,KAAK;oBACd,qBAAM,KAAK,CAAC,KAAK,EAAA;;oBAAjB,SAAiB,CAAC;;;;;;;;;;;;;;;;;;;KAErB;IACH,gBAAC;AAAD,CAAC,AAhBD,IAgBC;AAED,4CAA4C;AAC5C,IAAM,OAAO,GAAG,SAAS,CAAC;AAC1B,IAAM,GAAG,GAAG,KAAK,CAAC;AAElB;IAA0C,gCAAa;IAAvD;;IAeA,CAAC;IAdE,6BAAM,GAAP,UAAQ,
|
|
1
|
+
{"version":3,"file":"commandScope.js","sourceRoot":"","sources":["../../src/scope/commandScope.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0CAAwD;AAExD,kEAA4C;AAE5C;IAIE,mBAAY,KAAY;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,WAAW,GAAG,IAAI,uBAAc,CAAC,KAAK,CAAC,CAAC;IAC/C,CAAC;IAEA,0BAAM,GAAP;;;;;wBACE,qBAAM,IAAI,CAAC,KAAK,EAAA;;oBAAhB,SAAgB,CAAC;;;;oBAEG,KAAA,SAAA,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAA;;;;oBAAvC,KAAK;oBACd,qBAAM,KAAK,CAAC,KAAK,EAAA;;oBAAjB,SAAiB,CAAC;;;;;;;;;;;;;;;;;;;KAErB;IACH,gBAAC;AAAD,CAAC,AAhBD,IAgBC;AAED,4CAA4C;AAC5C,IAAM,OAAO,GAAG,SAAS,CAAC;AAC1B,IAAM,GAAG,GAAG,KAAK,CAAC;AAElB;IAA0C,gCAAa;IAAvD;;IAeA,CAAC;IAdE,6BAAM,GAAP,UAAQ,MAA+B;;;;;;;oBACjB,WAAA,SAAA,MAAM,CAAA;;;;oBAAf,KAAK;yBAEZ,CAAA,KAAK,CAAC,MAAM,EAAE;wBACd,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC;4BACnC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC;4BAChC,KAAK,CAAC,iBAAiB,CAAC,CAAA,EAH1B,wBAG0B;oBAE1B,qBAAM,IAAI,SAAS,CAAC,KAAK,CAAC,EAAA;;oBAA1B,SAA0B,CAAC;oBAE3B,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;;;;;;;;;;;;;;;;;;;KAG9C;IACH,mBAAC;AAAD,CAAC,AAfD,CAA0C,uBAAa,GAetD"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"rootScope.js","sourceRoot":"","sources":["../../src/scope/rootScope.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEA,0DAAoC;AACpC,kEAA4C;AAE5C;IAAuC,6BAAa;IAApD;;IAUA,CAAC;IATE,0BAAM,GAAP,UAAQ,
|
|
1
|
+
{"version":3,"file":"rootScope.js","sourceRoot":"","sources":["../../src/scope/rootScope.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEA,0DAAoC;AACpC,kEAA4C;AAE5C;IAAuC,6BAAa;IAApD;;IAUA,CAAC;IATE,0BAAM,GAAP,UAAQ,MAA+B;;;;;;;oBACjB,WAAA,SAAA,MAAM,CAAA;;;;oBAAf,KAAK;yBACV,CAAA,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAA,EAA/B,wBAA+B;oBACjC,qBAAM,IAAI,mBAAS,CAAC,KAAK,CAAC,EAAA;;oBAA1B,SAA0B,CAAC;oBAE3B,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;;;;;;;;;;;;;;;;;;;KAG9C;IACH,gBAAC;AAAD,CAAC,AAVD,CAAuC,uBAAa,GAUnD"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scopeIterator.js","sourceRoot":"","sources":["../../src/scope/scopeIterator.ts"],"names":[],"mappings":";;AAGA;IAAA;IAeA,CAAC;IAZC,yDAAyD;IAC/C,4CAAoB,GAA9B,UAA+B,UAAiB,EAAE,
|
|
1
|
+
{"version":3,"file":"scopeIterator.js","sourceRoot":"","sources":["../../src/scope/scopeIterator.ts"],"names":[],"mappings":";;AAGA;IAAA;IAeA,CAAC;IAZC,yDAAyD;IAC/C,4CAAoB,GAA9B,UAA+B,UAAiB,EAAE,MAAuB;QACvE,uGAAuG;QACvG,IAAI,WAAW,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAChC,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE;YACxB,IAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC;YAChC,IAAI,KAAK,CAAC,QAAQ,EAAE,IAAI,KAAK,CAAC,SAAS,KAAK,UAAU,EAAE;gBACtD,MAAM;aACP;YACD,WAAW,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;SAC7B;IACH,CAAC;IACH,oBAAC;AAAD,CAAC,AAfD,IAeC"}
|
|
@@ -102,7 +102,7 @@ exports.hasTransactionDetails = hasTransactionDetails;
|
|
|
102
102
|
function iterateTransaction(begin, tail) {
|
|
103
103
|
// since we can only go through the tail once,
|
|
104
104
|
// we have to keep the list of events in the transaction
|
|
105
|
-
var transaction = [];
|
|
105
|
+
var transaction = [begin];
|
|
106
106
|
for (var next = tail.next(); !next.done; next = tail.next()) {
|
|
107
107
|
var event = next.value;
|
|
108
108
|
if (!event.isCall())
|
|
@@ -114,17 +114,27 @@ function iterateTransaction(begin, tail) {
|
|
|
114
114
|
var sql = (0, models_1.parseSQL)(event.sql.sql);
|
|
115
115
|
if (!sql)
|
|
116
116
|
continue;
|
|
117
|
+
// This is normally a noop which generates a SQL warning.
|
|
118
|
+
// It can also happen if there's more than one SQL connection used
|
|
119
|
+
// and the new transaction is open in a different one than before.
|
|
120
|
+
// We currently don't track the separate connections, so we have to
|
|
121
|
+
// assume this is the same one and issue a warning.
|
|
117
122
|
if (isBegin(sql))
|
|
118
|
-
|
|
123
|
+
console.warn("SQL transaction started within a transaction in event " + event.id);
|
|
119
124
|
var end = isEnd(sql);
|
|
120
125
|
if (end) {
|
|
121
126
|
begin.transaction = { status: end.action, events: transaction };
|
|
122
127
|
break;
|
|
123
128
|
}
|
|
124
129
|
}
|
|
130
|
+
if (!begin.transaction) {
|
|
131
|
+
// Transaction was still active at the end of appmap;
|
|
132
|
+
// assume it was aborted.
|
|
133
|
+
begin.transaction = { status: 'rollback', events: transaction };
|
|
134
|
+
}
|
|
125
135
|
return {
|
|
126
136
|
scope: begin,
|
|
127
|
-
events: transaction[Symbol.iterator],
|
|
137
|
+
events: transaction[Symbol.iterator].bind(transaction),
|
|
128
138
|
};
|
|
129
139
|
}
|
|
130
140
|
var SQLTransactionScope = /** @class */ (function (_super) {
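Review bot: The new block at lines 130–134 records a transaction that is still open at the end of the appmap as `status: 'rollback'`, so a consumer reading `transaction.status` cannot distinguish an observed `ROLLBACK` from a trace that was simply cut off mid-transaction; if any rule treats rolled-back work as discarded, a truncated recording could hide or manufacture a finding. Either a distinct value or, at minimum, a flag next to it would preserve that information, e.g. `begin.transaction = { status: 'rollback', events: transaction, unterminated: true };` with the comment updated to say the status is assumed, not observed. Note also that with line 105 now seeding the list with `begin`, `transaction.events` includes the BEGIN statement itself, which any rule counting statements in the transaction will see. The nested-BEGIN `console.warn` on line 123 writes straight to the console from library code rather than through whatever logging the CLI uses; worth confirming that is intended.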
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sqlTransactionScope.js","sourceRoot":"","sources":["../../src/scope/sqlTransactionScope.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0CAA2C;AAI3C,kEAA4C;AAG5C,SAAS,OAAO,CAAC,GAA2B;IAC1C,QAAQ,GAAG,CAAC,OAAO,EAAE;QACnB,KAAK,MAAM;YACT,OAAO,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,UAAC,CAAC,IAAK,OAAA,OAAO,CAAC,CAAC,CAAC,EAAV,CAAU,CAAC,CAAC;QAC/C,KAAK,aAAa;YAChB,OAAO,GAAG,CAAC,MAAM,KAAK,OAAO,CAAC;QAChC;YACE,OAAO,KAAK,CAAC;KAChB;AACH,CAAC;AAMD,SAAS,KAAK,CAAC,GAA2B;;IACxC,QAAQ,GAAG,CAAC,OAAO,EAAE;QACnB,KAAK,MAAM;;gBACT,KAAwB,IAAA,KAAA,SAAA,GAAG,CAAC,SAAS,CAAA,gBAAA,4BAAE;oBAAlC,IAAM,SAAS,WAAA;oBAClB,IAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC;oBAChC,IAAI,MAAM;wBAAE,OAAO,MAAM,CAAC;iBAC3B;;;;;;;;;YACD,OAAO,SAAS,CAAC;QACnB,KAAK,aAAa;YAChB,OAAO,GAAG,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAE,GAA+B,CAAC;QAC/E;YACE,OAAO,SAAS,CAAC;KACpB;AACH,CAAC;AASD,SAAgB,qBAAqB,CACnC,KAA0C;IAE1C,OAAO,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC;AACzC,CAAC;AAJD,sDAIC;AAED,SAAS,kBAAkB,CACzB,KAA0C,EAC1C,IAAqB;IAErB,8CAA8C;IAC9C,wDAAwD;IACxD,IAAM,WAAW,
|
|
1
|
+
{"version":3,"file":"sqlTransactionScope.js","sourceRoot":"","sources":["../../src/scope/sqlTransactionScope.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0CAA2C;AAI3C,kEAA4C;AAG5C,SAAS,OAAO,CAAC,GAA2B;IAC1C,QAAQ,GAAG,CAAC,OAAO,EAAE;QACnB,KAAK,MAAM;YACT,OAAO,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,UAAC,CAAC,IAAK,OAAA,OAAO,CAAC,CAAC,CAAC,EAAV,CAAU,CAAC,CAAC;QAC/C,KAAK,aAAa;YAChB,OAAO,GAAG,CAAC,MAAM,KAAK,OAAO,CAAC;QAChC;YACE,OAAO,KAAK,CAAC;KAChB;AACH,CAAC;AAMD,SAAS,KAAK,CAAC,GAA2B;;IACxC,QAAQ,GAAG,CAAC,OAAO,EAAE;QACnB,KAAK,MAAM;;gBACT,KAAwB,IAAA,KAAA,SAAA,GAAG,CAAC,SAAS,CAAA,gBAAA,4BAAE;oBAAlC,IAAM,SAAS,WAAA;oBAClB,IAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC;oBAChC,IAAI,MAAM;wBAAE,OAAO,MAAM,CAAC;iBAC3B;;;;;;;;;YACD,OAAO,SAAS,CAAC;QACnB,KAAK,aAAa;YAChB,OAAO,GAAG,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAE,GAA+B,CAAC;QAC/E;YACE,OAAO,SAAS,CAAC;KACpB;AACH,CAAC;AASD,SAAgB,qBAAqB,CACnC,KAA0C;IAE1C,OAAO,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC;AACzC,CAAC;AAJD,sDAIC;AAED,SAAS,kBAAkB,CACzB,KAA0C,EAC1C,IAAqB;IAErB,8CAA8C;IAC9C,wDAAwD;IACxD,IAAM,WAAW,GAAG,CAAC,KAAK,CAAC,CAAC;IAC5B,KAAK,IAAI,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,EAAE;QAC3D,IAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACzB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;YAAE,SAAS;QAC9B,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,GAAG;YAAE,SAAS;QACzB,kEAAkE;QAClE,IAAM,GAAG,GAAG,IAAA,iBAAQ,EAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,yDAAyD;QACzD,kEAAkE;QAClE,kEAAkE;QAClE,mEAAmE;QACnE,mDAAmD;QACnD,IAAI,OAAO,CAAC,GAAG,CAAC;YACd,OAAO,CAAC,IAAI,CAAC,2DAAyD,KAAK,CAAC,EAAI,CAAC,CAAC;QAEpF,IAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,GAAG,EAAE;YACP,KAAK,CAAC,WAAW,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YAChE,MAAM;SACP;KACF;IAED,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE;QACtB,qDAAqD;QACrD,yBAAyB;QACzB,KAAK,CAAC,WAAW,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;KACjE;IAED,OAAO;QACL,KAAK,EAAE
,KAAK;QACZ,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,WAAW,CAA2B;KACjF,CAAC;AACJ,CAAC;AAED;IAAiD,uCAAa;IAA9D;;IAUA,CAAC;IATE,oCAAM,GAAP,UAAQ,MAA+B;;;;;;;oBACjB,WAAA,SAAA,MAAM,CAAA;;;;oBAAf,KAAK;oBACd,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG;wBAAE,wBAAS;oBACtC,GAAG,GAAG,IAAA,iBAAQ,EAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;yBAChC,CAAA,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA,EAAlC,wBAAkC;oBACpC,qBAAM,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,EAAA;;oBAAvC,SAAuC,CAAC;;;;;;;;;;;;;;;;;;;KAG7C;IACH,0BAAC;AAAD,CAAC,AAVD,CAAiD,uBAAa,GAU7D"}
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: deserialize.sanitize
|
|
3
|
+
rules:
|
|
4
|
+
- deserialization-of-untrusted-data
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
Ensures that data is safe and trusted for deserialization, transforming it if necessary, and
|
|
8
|
+
returning `falsey` or raising an exception if it's impossible to make the data safe.
|
|
9
|
+
|
|
10
|
+
A function with this label can be used to convert untrusted data such as direct user input or HTTP
|
|
11
|
+
request parameters into trusted data.
|
|
12
|
+
|
|
13
|
+
Note that this is not the same as ensuring that a parameter satisfies business logic constraints -
|
|
14
|
+
such as presence or max length. It's a security check that ensures the data cannot cause harm on
|
|
15
|
+
deserialization.
|
|
16
|
+
|
|
17
|
+
To be considered successful, a `deserialize.sanitize` function must return a `truthy` value.
|
|
18
|
+
|
|
19
|
+
## Examples
|
|
20
|
+
|
|
21
|
+
- Running user-provided YAML through a "safe loader" which discards unsafe syntax such as object
|
|
22
|
+
class names.
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: system.exec.sanitize
|
|
3
|
+
rules:
|
|
4
|
+
- exec-of-untrusted-command
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
Ensures that data is safe and trusted for use as a system command, transforming it if necessary, and
|
|
8
|
+
returning `falsey` or raising an exception if it's impossible to make the data safe.
|
|
9
|
+
|
|
10
|
+
A function with this label can be used to convert untrusted data such as direct user input or HTTP
|
|
11
|
+
request parameters into trusted data.
|
|
12
|
+
|
|
13
|
+
Note that this is not the same as ensuring that a parameter satisfies business logic constraints -
|
|
14
|
+
such as presence or max length. It's a security check that ensures the data cannot cause harm when
|
|
15
|
+
used as a system command.
|
|
16
|
+
|
|
17
|
+
To be considered successful, a `system.exec.sanitize` function must return a `truthy` value.
|
|
18
|
+
|
|
19
|
+
## Examples
|
|
20
|
+
|
|
21
|
+
- Ensuring that a user-provided file path is a subdirectory of a known allowed directory.
|
|
22
|
+
- Ensuring that a system command string does not have any potential injection or side-effects.
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
---
|
|
2
|
+
rule: exec-of-untrusted-command
|
|
3
|
+
name: Exec of untrusted command
|
|
4
|
+
title: Execution of untrusted system command
|
|
5
|
+
references:
|
|
6
|
+
CWE-78: https://cwe.mitre.org/data/definitions/78.html
|
|
7
|
+
impactDomain: Security
|
|
8
|
+
labels:
|
|
9
|
+
- system.exec
|
|
10
|
+
- system.exec.safe
|
|
11
|
+
- system.exec.sanitize
|
|
12
|
+
---
|
|
13
|
+
|
|
14
|
+
Find occurrances of system command execution in which the command string is not guaranteed to be
|
|
15
|
+
safe.
|
|
16
|
+
|
package/package.json
CHANGED
package/doc/labels/sanitize.md
DELETED
|
@@ -1,29 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
name: sanitize
|
|
3
|
-
rules:
|
|
4
|
-
- deserialization-of-untrusted-data
|
|
5
|
-
---
|
|
6
|
-
|
|
7
|
-
Ensures that data is safe and trusted, transforming it if necessary, and returning `falsey` or
|
|
8
|
-
raising an exception if it's impossible to make the data safe.
|
|
9
|
-
|
|
10
|
-
A function with this label can be used to convert untrusted data such as direct user input or HTTP
|
|
11
|
-
request parameters into trusted data.
|
|
12
|
-
|
|
13
|
-
Note that this is not the same as ensuring that a parameter satisfies business logic constraints -
|
|
14
|
-
such as presence or max length. It's a security check that ensures the data cannot cause downstream
|
|
15
|
-
harm.
|
|
16
|
-
|
|
17
|
-
To be considered successful, a `sanitize` function must return a `truthy` value.
|
|
18
|
-
|
|
19
|
-
## Examples
|
|
20
|
-
|
|
21
|
-
- Sanitizing HTML by removing all potentially harmful elements, such as script tags.
|
|
22
|
-
- Ensuring that SQL queries are properly escaped.
|
|
23
|
-
- Running user-provided YAML through a "safe loader" which discards unsafe syntax such as object
|
|
24
|
-
class names.
|
|
25
|
-
- Ensuring that a user-provided file path is a subdirectory of a known allowed directory.
|
|
26
|
-
- Ensuring that a system command string does not have any potential injection or side-effects.
|
|
27
|
-
- Ruby -
|
|
28
|
-
[sanitize_filename](https://github.com/technoweenie/attachment_fu/blob/fa08cb03914b02b66853b4615cd3eca768291ca7/lib/technoweenie/attachment_fu.rb#L410)
|
|
29
|
-
in `attachment_fu`.
|