@appland/scanner 1.56.0 → 1.57.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +15 -0
- package/built/algorithms/dataStructures/graph/Graph.js +53 -62
- package/built/algorithms/dataStructures/graph/GraphEdge.js +13 -16
- package/built/algorithms/dataStructures/graph/GraphVertex.js +37 -42
- package/built/algorithms/dataStructures/linked-list/LinkedList.js +33 -38
- package/built/algorithms/dataStructures/linked-list/LinkedListNode.js +6 -10
- package/built/algorithms/graph/depth-first-search/index.js +7 -8
- package/built/algorithms/graph/detect-cycle/index.js +15 -16
- package/built/algorithms/utils/Comparator.js +19 -21
- package/built/analyzer/recordSecrets.js +7 -30
- package/built/analyzer/secretsRegexes.js +8 -9
- package/built/appMapIndex.js +18 -20
- package/built/check.js +16 -18
- package/built/checkInstance.js +26 -48
- package/built/cli/ci/command.js +61 -156
- package/built/cli/ci/options.js +0 -1
- package/built/cli/codeVersionArgs.js +0 -1
- package/built/cli/exitCode.js +0 -1
- package/built/cli/fail.js +2 -3
- package/built/cli/merge/command.js +21 -63
- package/built/cli/merge/options.js +0 -1
- package/built/cli/reportUploadURL.js +2 -3
- package/built/cli/resolveAppId.js +34 -85
- package/built/cli/scan/command.js +52 -94
- package/built/cli/scan/formatReport.js +16 -89
- package/built/cli/scan/options.js +0 -1
- package/built/cli/scan/scanner.js +38 -117
- package/built/cli/scan/singleScan.js +61 -109
- package/built/cli/scan/watchScan.js +32 -82
- package/built/cli/scan.js +39 -132
- package/built/cli/scanArgs.js +0 -1
- package/built/cli/scanOptions.js +0 -1
- package/built/cli/updateCommitStatus.js +10 -47
- package/built/cli/upload/command.js +20 -64
- package/built/cli/upload/options.js +0 -1
- package/built/cli/upload/pruneAppMap.js +16 -0
- package/built/cli/upload.js +91 -172
- package/built/cli/validateFile.js +13 -52
- package/built/cli.js +34 -21
- package/built/configuration/configurationProvider.js +148 -233
- package/built/configuration/schema/options.json +76 -76
- package/built/configuration/types/checkConfig.js +0 -1
- package/built/configuration/types/configuration.js +0 -1
- package/built/configuration/types/matchEventConfig.js +0 -1
- package/built/configuration/types/matchPatternConfig.js +0 -1
- package/built/database/index.js +33 -127
- package/built/database/visit.js +16 -66
- package/built/errors.js +4 -30
- package/built/eventUtil.js +10 -35
- package/built/findings.js +3 -4
- package/built/integration/appland/app/exists.js +33 -76
- package/built/integration/appland/app/listFindingStatus.js +3 -36
- package/built/integration/appland/appMap/create.js +38 -89
- package/built/integration/appland/location.js +0 -1
- package/built/integration/appland/mapset/create.js +34 -85
- package/built/integration/appland/retry.js +10 -11
- package/built/integration/appland/retryOptions.js +0 -1
- package/built/integration/appland/scannerJob/create.js +34 -84
- package/built/integration/appland/scannerJob/merge.js +28 -74
- package/built/integration/appland/scannerJob.js +0 -1
- package/built/integration/github/commitStatus.js +3 -4
- package/built/integration/vars.js +1 -2
- package/built/openapi/index.js +39 -83
- package/built/report/appMapMetadata.js +0 -1
- package/built/report/findingSummary.js +0 -1
- package/built/report/findingsReport.js +14 -16
- package/built/report/scanResults.js +18 -45
- package/built/report/scanSummary.js +0 -1
- package/built/report/summaryReport.js +12 -13
- package/built/ruleChecker.js +146 -297
- package/built/rules/authzBeforeAuthn.js +25 -59
- package/built/rules/circularDependency.js +69 -101
- package/built/rules/deserializationOfUntrustedData.js +29 -63
- package/built/rules/execOfUntrustedCommand.js +28 -62
- package/built/rules/http-500/metadata.js +0 -1
- package/built/rules/http-500/rule.js +2 -3
- package/built/rules/illegalPackageDependency.js +16 -18
- package/built/rules/incompatibleHttpClientRequest.js +30 -69
- package/built/rules/insecureCompare.js +12 -13
- package/built/rules/jobNotCancelled.js +13 -45
- package/built/rules/lib/hasParameterOrReceiver.js +4 -7
- package/built/rules/lib/matchEvent.js +12 -13
- package/built/rules/lib/matchPattern.js +6 -7
- package/built/rules/lib/metadata.js +0 -1
- package/built/rules/lib/parseRuleDescription.js +5 -6
- package/built/rules/lib/precedingEvents.js +7 -75
- package/built/rules/lib/rpcWithoutProtection.js +5 -28
- package/built/rules/lib/sanitizesData.js +0 -1
- package/built/rules/lib/util.js +33 -73
- package/built/rules/logoutWithoutSessionReset.js +24 -58
- package/built/rules/missingAuthentication.js +28 -28
- package/built/rules/missingContentType.js +8 -9
- package/built/rules/nPlusOneQuery.js +35 -87
- package/built/rules/queryFromInvalidPackage.js +17 -19
- package/built/rules/queryFromView.js +13 -16
- package/built/rules/rpcWithoutCircuitBreaker.js +14 -84
- package/built/rules/saveWithoutValidation.js +8 -9
- package/built/rules/secretInLog.js +29 -92
- package/built/rules/slowFunctionCall.js +16 -20
- package/built/rules/slowHttpServerRequest.js +9 -11
- package/built/rules/slowQuery.js +9 -12
- package/built/rules/tooManyJoins.js +26 -51
- package/built/rules/tooManyUpdates.js +25 -105
- package/built/rules/unbatchedMaterializedQuery.js +26 -30
- package/built/rules/updateInGetRequest.js +30 -45
- package/built/scope/commandScope.js +24 -144
- package/built/scope/httpClientRequestScope.js +11 -98
- package/built/scope/httpServerRequestScope.js +11 -98
- package/built/scope/rootScope.js +11 -98
- package/built/scope/scopeImpl.js +10 -82
- package/built/scope/scopeIterator.js +6 -10
- package/built/scope/sqlTransactionScope.js +24 -122
- package/built/sqlWarning.js +9 -35
- package/built/telemetry.js +215 -0
- package/built/wellKnownLabels.js +0 -1
- package/package.json +7 -3
- package/built/algorithms/dataStructures/graph/Graph.js.map +0 -1
- package/built/algorithms/dataStructures/graph/GraphEdge.js.map +0 -1
- package/built/algorithms/dataStructures/graph/GraphVertex.js.map +0 -1
- package/built/algorithms/dataStructures/linked-list/LinkedList.js.map +0 -1
- package/built/algorithms/dataStructures/linked-list/LinkedListNode.js.map +0 -1
- package/built/algorithms/graph/depth-first-search/index.js.map +0 -1
- package/built/algorithms/graph/detect-cycle/index.js.map +0 -1
- package/built/algorithms/utils/Comparator.js.map +0 -1
- package/built/analyzer/recordSecrets.js.map +0 -1
- package/built/analyzer/secretsRegexes.js.map +0 -1
- package/built/appMapIndex.js.map +0 -1
- package/built/check.js.map +0 -1
- package/built/checkInstance.js.map +0 -1
- package/built/cli/ci/command.js.map +0 -1
- package/built/cli/ci/options.js.map +0 -1
- package/built/cli/codeVersionArgs.js.map +0 -1
- package/built/cli/exitCode.js.map +0 -1
- package/built/cli/fail.js.map +0 -1
- package/built/cli/merge/command.js.map +0 -1
- package/built/cli/merge/options.js.map +0 -1
- package/built/cli/reportUploadURL.js.map +0 -1
- package/built/cli/resolveAppId.js.map +0 -1
- package/built/cli/scan/command.js.map +0 -1
- package/built/cli/scan/formatReport.js.map +0 -1
- package/built/cli/scan/options.js.map +0 -1
- package/built/cli/scan/scanner.js.map +0 -1
- package/built/cli/scan/singleScan.js.map +0 -1
- package/built/cli/scan/watchScan.js.map +0 -1
- package/built/cli/scan.js.map +0 -1
- package/built/cli/scanArgs.js.map +0 -1
- package/built/cli/scanOptions.js.map +0 -1
- package/built/cli/updateCommitStatus.js.map +0 -1
- package/built/cli/upload/command.js.map +0 -1
- package/built/cli/upload/options.js.map +0 -1
- package/built/cli/upload.js.map +0 -1
- package/built/cli/validateFile.js.map +0 -1
- package/built/cli.js.map +0 -1
- package/built/configuration/configurationProvider.js.map +0 -1
- package/built/configuration/types/checkConfig.js.map +0 -1
- package/built/configuration/types/configuration.js.map +0 -1
- package/built/configuration/types/matchEventConfig.js.map +0 -1
- package/built/configuration/types/matchPatternConfig.js.map +0 -1
- package/built/database/index.js.map +0 -1
- package/built/database/visit.js.map +0 -1
- package/built/errors.js.map +0 -1
- package/built/eventUtil.js.map +0 -1
- package/built/findings.js.map +0 -1
- package/built/integration/appland/app/exists.js.map +0 -1
- package/built/integration/appland/app/listFindingStatus.js.map +0 -1
- package/built/integration/appland/appMap/create.js.map +0 -1
- package/built/integration/appland/location.js.map +0 -1
- package/built/integration/appland/mapset/create.js.map +0 -1
- package/built/integration/appland/retry.js.map +0 -1
- package/built/integration/appland/retryOptions.js.map +0 -1
- package/built/integration/appland/scannerJob/create.js.map +0 -1
- package/built/integration/appland/scannerJob/merge.js.map +0 -1
- package/built/integration/appland/scannerJob.js.map +0 -1
- package/built/integration/github/commitStatus.js.map +0 -1
- package/built/integration/vars.js.map +0 -1
- package/built/openapi/index.js.map +0 -1
- package/built/openapi/method.js +0 -120
- package/built/openapi/method.js.map +0 -1
- package/built/openapi/model.js +0 -49
- package/built/openapi/model.js.map +0 -1
- package/built/openapi/path.js +0 -36
- package/built/openapi/path.js.map +0 -1
- package/built/openapi/provider.js +0 -133
- package/built/openapi/provider.js.map +0 -1
- package/built/openapi/response.js +0 -59
- package/built/openapi/response.js.map +0 -1
- package/built/openapi/rpcRequest.js +0 -130
- package/built/openapi/rpcRequest.js.map +0 -1
- package/built/openapi/schema.js +0 -42
- package/built/openapi/schema.js.map +0 -1
- package/built/openapi/securitySchemes.js +0 -32
- package/built/openapi/securitySchemes.js.map +0 -1
- package/built/openapi/statusCodes.js +0 -68
- package/built/openapi/statusCodes.js.map +0 -1
- package/built/openapi/util.js +0 -91
- package/built/openapi/util.js.map +0 -1
- package/built/report/appMapMetadata.js.map +0 -1
- package/built/report/findingSummary.js.map +0 -1
- package/built/report/findingsReport.js.map +0 -1
- package/built/report/scanResults.js.map +0 -1
- package/built/report/scanSummary.js.map +0 -1
- package/built/report/summaryReport.js.map +0 -1
- package/built/ruleChecker.js.map +0 -1
- package/built/rules/authzBeforeAuthn.js.map +0 -1
- package/built/rules/circularDependency.js.map +0 -1
- package/built/rules/deserializationOfUntrustedData.js.map +0 -1
- package/built/rules/execOfUntrustedCommand.js.map +0 -1
- package/built/rules/http-500/metadata.js.map +0 -1
- package/built/rules/http-500/rule.js.map +0 -1
- package/built/rules/illegalPackageDependency.js.map +0 -1
- package/built/rules/incompatibleHttpClientRequest.js.map +0 -1
- package/built/rules/insecureCompare.js.map +0 -1
- package/built/rules/jobNotCancelled.js.map +0 -1
- package/built/rules/lib/hasParameterOrReceiver.js.map +0 -1
- package/built/rules/lib/matchEvent.js.map +0 -1
- package/built/rules/lib/matchPattern.js.map +0 -1
- package/built/rules/lib/metadata.js.map +0 -1
- package/built/rules/lib/parseRuleDescription.js.map +0 -1
- package/built/rules/lib/precedingEvents.js.map +0 -1
- package/built/rules/lib/rpcWithoutProtection.js.map +0 -1
- package/built/rules/lib/sanitizesData.js.map +0 -1
- package/built/rules/lib/util.js.map +0 -1
- package/built/rules/logoutWithoutSessionReset.js.map +0 -1
- package/built/rules/missingAuthentication.js.map +0 -1
- package/built/rules/missingContentType.js.map +0 -1
- package/built/rules/nPlusOneQuery.js.map +0 -1
- package/built/rules/queryFromInvalidPackage.js.map +0 -1
- package/built/rules/queryFromView.js.map +0 -1
- package/built/rules/rpcWithoutCircuitBreaker.js.map +0 -1
- package/built/rules/saveWithoutValidation.js.map +0 -1
- package/built/rules/secretInLog.js.map +0 -1
- package/built/rules/slowFunctionCall.js.map +0 -1
- package/built/rules/slowHttpServerRequest.js.map +0 -1
- package/built/rules/slowQuery.js.map +0 -1
- package/built/rules/tooManyJoins.js.map +0 -1
- package/built/rules/tooManyUpdates.js.map +0 -1
- package/built/rules/unbatchedMaterializedQuery.js.map +0 -1
- package/built/rules/updateInGetRequest.js.map +0 -1
- package/built/scope/commandScope.js.map +0 -1
- package/built/scope/httpClientRequestScope.js.map +0 -1
- package/built/scope/httpServerRequestScope.js.map +0 -1
- package/built/scope/rootScope.js.map +0 -1
- package/built/scope/scopeImpl.js.map +0 -1
- package/built/scope/scopeIterator.js.map +0 -1
- package/built/scope/sqlTransactionScope.js.map +0 -1
- package/built/sqlWarning.js.map +0 -1
- package/built/wellKnownLabels.js.map +0 -1
package/built/rules/lib/util.js
CHANGED
|
@@ -8,66 +8,27 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
8
8
|
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
9
9
|
});
|
|
10
10
|
};
|
|
11
|
-
var __generator = (this && this.__generator) || function (thisArg, body) {
|
|
12
|
-
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
|
|
13
|
-
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
|
|
14
|
-
function verb(n) { return function (v) { return step([n, v]); }; }
|
|
15
|
-
function step(op) {
|
|
16
|
-
if (f) throw new TypeError("Generator is already executing.");
|
|
17
|
-
while (_) try {
|
|
18
|
-
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
|
|
19
|
-
if (y = 0, t) op = [op[0] & 2, t.value];
|
|
20
|
-
switch (op[0]) {
|
|
21
|
-
case 0: case 1: t = op; break;
|
|
22
|
-
case 4: _.label++; return { value: op[1], done: false };
|
|
23
|
-
case 5: _.label++; y = op[1]; op = [0]; continue;
|
|
24
|
-
case 7: op = _.ops.pop(); _.trys.pop(); continue;
|
|
25
|
-
default:
|
|
26
|
-
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
|
|
27
|
-
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
|
|
28
|
-
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
|
|
29
|
-
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
|
|
30
|
-
if (t[2]) _.ops.pop();
|
|
31
|
-
_.trys.pop(); continue;
|
|
32
|
-
}
|
|
33
|
-
op = body.call(thisArg, _);
|
|
34
|
-
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
|
|
35
|
-
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
|
|
36
|
-
}
|
|
37
|
-
};
|
|
38
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
39
12
|
exports.verbose = exports.toRegExpArray = exports.responseContentType = exports.toRegExp = exports.providesAuthentication = exports.pluralize = exports.dasherize = exports.camelize = exports.parseValue = exports.isRoot = exports.ideLink = exports.isTruthy = exports.isFalsey = exports.emptyValue = exports.capitalize = exports.appMapDir = exports.appmapDirFromConfig = void 0;
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
13
|
+
const fs_1 = require("fs");
|
|
14
|
+
const promises_1 = require("fs/promises");
|
|
15
|
+
const js_yaml_1 = require("js-yaml");
|
|
16
|
+
const path_1 = require("path");
|
|
17
|
+
const util_1 = require("util");
|
|
45
18
|
function appmapDirFromConfig() {
|
|
46
|
-
return __awaiter(this, void 0, void 0, function () {
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
appMapConfigExists = _b.sent();
|
|
53
|
-
if (!appMapConfigExists) return [3 /*break*/, 3];
|
|
54
|
-
_a = js_yaml_1.load;
|
|
55
|
-
return [4 /*yield*/, (0, promises_1.readFile)('appmap.yml')];
|
|
56
|
-
case 2:
|
|
57
|
-
appMapConfigData = _a.apply(void 0, [(_b.sent()).toString()]);
|
|
58
|
-
if (appMapConfigData && typeof appMapConfigData === 'object') {
|
|
59
|
-
return [2 /*return*/, appMapConfigData['appmap_dir']];
|
|
60
|
-
}
|
|
61
|
-
_b.label = 3;
|
|
62
|
-
case 3: return [2 /*return*/];
|
|
19
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
20
|
+
const appMapConfigExists = yield (0, util_1.promisify)(fs_1.exists)('appmap.yml');
|
|
21
|
+
if (appMapConfigExists) {
|
|
22
|
+
const appMapConfigData = (0, js_yaml_1.load)((yield (0, promises_1.readFile)('appmap.yml')).toString());
|
|
23
|
+
if (appMapConfigData && typeof appMapConfigData === 'object') {
|
|
24
|
+
return appMapConfigData['appmap_dir'];
|
|
63
25
|
}
|
|
64
|
-
}
|
|
26
|
+
}
|
|
65
27
|
});
|
|
66
28
|
}
|
|
67
29
|
exports.appmapDirFromConfig = appmapDirFromConfig;
|
|
68
|
-
|
|
69
|
-
function verbose(v) {
|
|
70
|
-
if (v === void 0) { v = null; }
|
|
30
|
+
let isVerbose = false;
|
|
31
|
+
function verbose(v = null) {
|
|
71
32
|
if (v === true || v === false) {
|
|
72
33
|
isVerbose = v;
|
|
73
34
|
}
|
|
@@ -127,55 +88,55 @@ function parseValue(valueObj) {
|
|
|
127
88
|
return valueObj.value
|
|
128
89
|
.slice(1, valueObj.value.length - 1)
|
|
129
90
|
.split(',')
|
|
130
|
-
.map(
|
|
91
|
+
.map((v) => v.trim());
|
|
131
92
|
}
|
|
132
93
|
return [valueObj.value];
|
|
133
94
|
}
|
|
134
95
|
exports.parseValue = parseValue;
|
|
135
|
-
|
|
96
|
+
const isTruthy = (valueObj) => !isFalsey(valueObj);
|
|
136
97
|
exports.isTruthy = isTruthy;
|
|
137
98
|
function providesAuthentication(event, label) {
|
|
138
99
|
return event.returnValue && event.labels.has(label) && isTruthy(event.returnValue);
|
|
139
100
|
}
|
|
140
101
|
exports.providesAuthentication = providesAuthentication;
|
|
141
102
|
function ideLink(filePath, ide, eventId) {
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
103
|
+
const OSC = '\u001B]';
|
|
104
|
+
const BEL = '\u0007';
|
|
105
|
+
const SEP = ';';
|
|
145
106
|
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
|
146
|
-
|
|
107
|
+
const supportsHyperlinks = require('supports-hyperlinks');
|
|
147
108
|
if (!supportsHyperlinks.stdout) {
|
|
148
109
|
return filePath;
|
|
149
110
|
}
|
|
150
|
-
|
|
111
|
+
let path;
|
|
151
112
|
if (!(0, path_1.isAbsolute)(filePath)) {
|
|
152
|
-
path =
|
|
113
|
+
path = `${__dirname}/../../../../../${filePath}`;
|
|
153
114
|
}
|
|
154
115
|
else {
|
|
155
116
|
path = filePath;
|
|
156
117
|
}
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
?
|
|
161
|
-
:
|
|
118
|
+
const state = { currentView: 'viewFlow', selectedObject: `event:${eventId}` };
|
|
119
|
+
const encodedState = encodeURIComponent(JSON.stringify(state));
|
|
120
|
+
const link = ide == 'vscode'
|
|
121
|
+
? `vscode://appland.appmap/open?uri=${path}&state=${encodedState}`
|
|
122
|
+
: `${ide}://open?file=${path}`;
|
|
162
123
|
return [OSC, '8', SEP, SEP, link, BEL, filePath, OSC, '8', SEP, SEP, BEL].join('');
|
|
163
124
|
}
|
|
164
125
|
exports.ideLink = ideLink;
|
|
165
|
-
|
|
126
|
+
const toRegExp = (value) => {
|
|
166
127
|
return typeof value === 'string' ? new RegExp(value) : value;
|
|
167
128
|
};
|
|
168
129
|
exports.toRegExp = toRegExp;
|
|
169
|
-
|
|
130
|
+
const toRegExpArray = (value) => {
|
|
170
131
|
return value.map(toRegExp);
|
|
171
132
|
};
|
|
172
133
|
exports.toRegExpArray = toRegExpArray;
|
|
173
|
-
|
|
174
|
-
|
|
134
|
+
const RootLabels = ['command', 'job'];
|
|
135
|
+
const isRoot = (event) => {
|
|
175
136
|
if (!event) {
|
|
176
137
|
return true;
|
|
177
138
|
}
|
|
178
|
-
return (!!event.httpServerRequest || RootLabels.some(
|
|
139
|
+
return (!!event.httpServerRequest || RootLabels.some((label) => event.codeObject.labels.has(label)));
|
|
179
140
|
};
|
|
180
141
|
exports.isRoot = isRoot;
|
|
181
142
|
// Attribution: https://github.com/shahata/dasherize
|
|
@@ -190,7 +151,7 @@ function dasherize(str) {
|
|
|
190
151
|
exports.dasherize = dasherize;
|
|
191
152
|
// Literally StackOverflow
|
|
192
153
|
function camelize(text) {
|
|
193
|
-
text = text.replace(/[-_\s.]+(.)?/g,
|
|
154
|
+
text = text.replace(/[-_\s.]+(.)?/g, (_, c) => (c ? c.toUpperCase() : ''));
|
|
194
155
|
return text.slice(0, 1).toLowerCase() + text.slice(1);
|
|
195
156
|
}
|
|
196
157
|
exports.camelize = camelize;
|
|
@@ -198,4 +159,3 @@ function pluralize(word, count) {
|
|
|
198
159
|
return count === 1 ? word : [word, 's'].join('');
|
|
199
160
|
}
|
|
200
161
|
exports.pluralize = pluralize;
|
|
201
|
-
//# sourceMappingURL=util.js.map
|
|
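Review bot: In `ideLink` (new lines 102–124) `path` is interpolated into the `vscode://` and `${ide}://` URIs without any encoding, while `state` goes through `encodeURIComponent` on line 119; a file path containing `&`, `#`, `;` or a space produces a link whose query the IDE parses differently from what was intended, and `filePath` presumably originates from the AppMap under analysis rather than from the operator, so it deserves the same treatment as `state` — verify against the callers. Encoding it symmetrically, `uri=${encodeURIComponent(path)}` and `file=${encodeURIComponent(path)}`, keeps the query intact (assuming the IDE's URL handler decodes query values, which is the usual behaviour). Line 120 uses loose equality, `ide == 'vscode'`, where the rest of the file uses `===`. Since `filePath` is also emitted verbatim between the two OSC 8 sequences on line 123, stripping C0 control characters from it first would stop an embedded BEL or ESC from terminating the hyperlink early; a short comment on the `__dirname/../../../../../` prefix on line 113 stating the assumed install location would help the next maintainer.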
@@ -1,78 +1,45 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __values = (this && this.__values) || function(o) {
|
|
3
|
-
var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
|
|
4
|
-
if (m) return m.call(o);
|
|
5
|
-
if (o && typeof o.length === "number") return {
|
|
6
|
-
next: function () {
|
|
7
|
-
if (o && i >= o.length) o = void 0;
|
|
8
|
-
return { value: o && o[i++], done: !o };
|
|
9
|
-
}
|
|
10
|
-
};
|
|
11
|
-
throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
|
|
12
|
-
};
|
|
13
2
|
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
14
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
15
4
|
};
|
|
16
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
6
|
+
const models_1 = require("@appland/models");
|
|
7
|
+
const url_1 = require("url");
|
|
8
|
+
const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
|
|
20
9
|
function containsSessionClear(events) {
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
var iter = events_1_1.value;
|
|
25
|
-
if (iter.event.labels.has(HTTPSessionClear)) {
|
|
26
|
-
return true;
|
|
27
|
-
}
|
|
10
|
+
for (const iter of events) {
|
|
11
|
+
if (iter.event.labels.has(HTTPSessionClear)) {
|
|
12
|
+
return true;
|
|
28
13
|
}
|
|
29
14
|
}
|
|
30
|
-
catch (e_1_1) { e_1 = { error: e_1_1 }; }
|
|
31
|
-
finally {
|
|
32
|
-
try {
|
|
33
|
-
if (events_1_1 && !events_1_1.done && (_a = events_1.return)) _a.call(events_1);
|
|
34
|
-
}
|
|
35
|
-
finally { if (e_1) throw e_1.error; }
|
|
36
|
-
}
|
|
37
15
|
return false;
|
|
38
16
|
}
|
|
39
17
|
function build() {
|
|
40
18
|
function matcher(rootEvent) {
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
message: "".concat(event.event, " logs out the user, but the HTTP session is not cleared"),
|
|
56
|
-
},
|
|
57
|
-
];
|
|
58
|
-
}
|
|
19
|
+
for (const event of new models_1.EventNavigator(rootEvent).descendants()) {
|
|
20
|
+
// .//*[@security.logout]
|
|
21
|
+
if (event.event.labels.has(SecurityLogout)) {
|
|
22
|
+
// .//*[@http.session.clear]
|
|
23
|
+
if (containsSessionClear(event.descendants())) {
|
|
24
|
+
return;
|
|
25
|
+
}
|
|
26
|
+
else {
|
|
27
|
+
return [
|
|
28
|
+
{
|
|
29
|
+
event: event.event,
|
|
30
|
+
message: `${event.event} logs out the user, but the HTTP session is not cleared`,
|
|
31
|
+
},
|
|
32
|
+
];
|
|
59
33
|
}
|
|
60
34
|
}
|
|
61
35
|
}
|
|
62
|
-
catch (e_2_1) { e_2 = { error: e_2_1 }; }
|
|
63
|
-
finally {
|
|
64
|
-
try {
|
|
65
|
-
if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
|
|
66
|
-
}
|
|
67
|
-
finally { if (e_2) throw e_2.error; }
|
|
68
|
-
}
|
|
69
36
|
}
|
|
70
37
|
return {
|
|
71
|
-
matcher
|
|
38
|
+
matcher,
|
|
72
39
|
};
|
|
73
40
|
}
|
|
74
|
-
|
|
75
|
-
|
|
41
|
+
const SecurityLogout = 'security.logout';
|
|
42
|
+
const HTTPSessionClear = 'http.session.clear';
|
|
76
43
|
exports.default = {
|
|
77
44
|
id: 'logout-without-session-reset',
|
|
78
45
|
title: 'Logout without session reset',
|
|
@@ -87,6 +54,5 @@ exports.default = {
|
|
|
87
54
|
},
|
|
88
55
|
description: (0, parseRuleDescription_1.default)('logoutWithoutSessionReset'),
|
|
89
56
|
url: 'https://appland.com/docs/analysis/rules-reference.html#logout-without-session-reset',
|
|
90
|
-
build
|
|
57
|
+
build,
|
|
91
58
|
};
|
|
92
|
-
//# sourceMappingURL=logoutWithoutSessionReset.js.map
|
|
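Review bot: `matcher` (new lines 18–36) stops at the first `security.logout` descendant it meets: the `return;` on line 24 leaves the whole loop when that logout does clear the session, so a later logout under the same root that does not clear it is never reported, and the finding returned on lines 27–32 likewise ends the search before any further logout is examined. If the intent is one finding per offending logout, the loop should `continue` past compliant logouts and collect findings, keeping the "nothing found → `undefined`" return so callers that test the result for truthiness are unaffected; a rewrite is sketched below. The `url_1` require added on new line 7 is not referenced in any line shown; if the `references` block outside the hunk does not use `new url_1.URL(...)`, it is dead.
```javascript
function matcher(rootEvent) {
    const findings = [];
    for (const event of new models_1.EventNavigator(rootEvent).descendants()) {
        // .//*[@security.logout]
        if (!event.event.labels.has(SecurityLogout)) continue;
        // .//*[@http.session.clear] — a logout that clears the session is compliant
        if (containsSessionClear(event.descendants())) continue;
        findings.push({
            event: event.event,
            message: `${event.event} logs out the user, but the HTTP session is not cleared`,
        });
    }
    return findings.length > 0 ? findings : undefined;
}
```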
@@ -3,17 +3,17 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
6
|
+
const models_1 = require("@appland/models");
|
|
7
|
+
const openapi_1 = require("@appland/openapi");
|
|
8
|
+
const util_1 = require("./lib/util");
|
|
9
|
+
const matchPattern_1 = require("./lib/matchPattern");
|
|
10
|
+
const url_1 = require("url");
|
|
11
|
+
const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
|
|
12
12
|
function isPublic(event) {
|
|
13
13
|
return event.labels.has(AccessPublic);
|
|
14
14
|
}
|
|
15
|
-
|
|
16
|
-
|
|
15
|
+
const authenticatedBy = (iterator) => {
|
|
16
|
+
let i = iterator.next();
|
|
17
17
|
while (!i.done) {
|
|
18
18
|
if (isPublic(i.value.event) || (0, util_1.providesAuthentication)(i.value.event, SecurityAuthentication)) {
|
|
19
19
|
return true;
|
|
@@ -22,20 +22,21 @@ var authenticatedBy = function (iterator) {
|
|
|
22
22
|
}
|
|
23
23
|
return false;
|
|
24
24
|
};
|
|
25
|
-
|
|
26
|
-
|
|
25
|
+
class Options {
|
|
26
|
+
constructor() {
|
|
27
27
|
this.includeContentTypes = [];
|
|
28
28
|
this.excludeContentTypes = [];
|
|
29
29
|
}
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
var includeContentTypes = (0, matchPattern_1.buildFilters)(options.includeContentTypes);
|
|
35
|
-
var excludeContentTypes = (0, matchPattern_1.buildFilters)(options.excludeContentTypes);
|
|
30
|
+
}
|
|
31
|
+
function build(options = new Options()) {
|
|
32
|
+
const includeContentTypes = (0, matchPattern_1.buildFilters)(options.includeContentTypes);
|
|
33
|
+
const excludeContentTypes = (0, matchPattern_1.buildFilters)(options.excludeContentTypes);
|
|
36
34
|
function testContentType(contentType) {
|
|
35
|
+
if (!contentType)
|
|
36
|
+
return false;
|
|
37
|
+
const content = contentType;
|
|
37
38
|
function test(filter) {
|
|
38
|
-
return filter(
|
|
39
|
+
return filter(content);
|
|
39
40
|
}
|
|
40
41
|
return ((includeContentTypes.length === 0 || includeContentTypes.some(test)) &&
|
|
41
42
|
!excludeContentTypes.some(test));
|
|
@@ -45,7 +46,7 @@ function build(options) {
|
|
|
45
46
|
return [
|
|
46
47
|
{
|
|
47
48
|
event: event,
|
|
48
|
-
message:
|
|
49
|
+
message: `Unauthenticated HTTP server request: ${event.route}`,
|
|
49
50
|
},
|
|
50
51
|
];
|
|
51
52
|
}
|
|
@@ -54,17 +55,17 @@ function build(options) {
|
|
|
54
55
|
return (e.route !== undefined &&
|
|
55
56
|
e.httpServerResponse !== undefined &&
|
|
56
57
|
e.httpServerResponse.status < 300 &&
|
|
57
|
-
!!(0,
|
|
58
|
-
!!(0,
|
|
59
|
-
testContentType((0,
|
|
58
|
+
!!(0, openapi_1.rpcRequestForEvent)(e) &&
|
|
59
|
+
!!(0, openapi_1.rpcRequestForEvent)(e).responseContentType &&
|
|
60
|
+
testContentType((0, openapi_1.rpcRequestForEvent)(e).responseContentType));
|
|
60
61
|
}
|
|
61
62
|
return {
|
|
62
|
-
where
|
|
63
|
-
matcher
|
|
63
|
+
where,
|
|
64
|
+
matcher,
|
|
64
65
|
};
|
|
65
66
|
}
|
|
66
|
-
|
|
67
|
-
|
|
67
|
+
const AccessPublic = 'access.public';
|
|
68
|
+
const SecurityAuthentication = 'security.authentication';
|
|
68
69
|
exports.default = {
|
|
69
70
|
id: 'missing-authentication',
|
|
70
71
|
title: 'Unauthenticated HTTP server request',
|
|
@@ -77,7 +78,6 @@ exports.default = {
|
|
|
77
78
|
},
|
|
78
79
|
description: (0, parseRuleDescription_1.default)('missingAuthentication'),
|
|
79
80
|
url: 'https://appland.com/docs/analysis/rules-reference.html#missing-authentication',
|
|
80
|
-
Options
|
|
81
|
-
build
|
|
81
|
+
Options,
|
|
82
|
+
build,
|
|
82
83
|
};
|
|
83
|
-
//# sourceMappingURL=missingAuthentication.js.map
|
|
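Review bot: `where` (new lines 55–60; its opening line is outside the hunk) calls `rpcRequestForEvent(e)` three times for one event, and the middle test `!!...responseContentType` on line 59 duplicates the `if (!contentType) return false;` guard the commit adds to `testContentType` on new lines 35–36. Binding the request once removes both: `const rpcRequest = (0, openapi_1.rpcRequestForEvent)(e);` followed by `... && !!rpcRequest && testContentType(rpcRequest.responseContentType));` — behaviour is unchanged, assuming `rpcRequestForEvent` is pure (it is imported from @appland/openapi and not visible here). A short comment on `build` noting that an empty `includeContentTypes` means "all content types" (that is how line 41 reads) would also save the next reader a trip through `testContentType`.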
@@ -3,13 +3,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
6
|
+
const openapi_1 = require("@appland/openapi");
|
|
7
|
+
const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
|
|
8
|
+
const isRedirect = (status) => [301, 302, 303, 307, 308].includes(status);
|
|
9
|
+
const hasContent = (status) => status !== 204;
|
|
10
10
|
function build() {
|
|
11
11
|
function matcher(e) {
|
|
12
|
-
return (0,
|
|
12
|
+
return (0, openapi_1.rpcRequestForEvent)(e).responseContentType === undefined;
|
|
13
13
|
}
|
|
14
14
|
function where(e) {
|
|
15
15
|
return (!!e.httpServerResponse &&
|
|
@@ -17,8 +17,8 @@ function build() {
|
|
|
17
17
|
hasContent(e.httpServerResponse.status));
|
|
18
18
|
}
|
|
19
19
|
return {
|
|
20
|
-
matcher
|
|
21
|
-
where
|
|
20
|
+
matcher,
|
|
21
|
+
where,
|
|
22
22
|
};
|
|
23
23
|
}
|
|
24
24
|
exports.default = {
|
|
@@ -29,6 +29,5 @@ exports.default = {
|
|
|
29
29
|
enumerateScope: false,
|
|
30
30
|
description: (0, parseRuleDescription_1.default)('missingContentType'),
|
|
31
31
|
url: 'https://appland.com/docs/analysis/rules-reference.html#missing-content-type',
|
|
32
|
-
build
|
|
32
|
+
build,
|
|
33
33
|
};
|
|
34
|
-
//# sourceMappingURL=missingContentType.js.map
|
|
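Review bot: `matcher` (new line 12) reads `.responseContentType` off the result of `(0, openapi_1.rpcRequestForEvent)(e)` without checking that the call returned anything, whereas the sibling rule missingAuthentication guards the same call with `!!(0, openapi_1.rpcRequestForEvent)(e)` before touching that property; if `rpcRequestForEvent` can return `undefined` for an event that has an `httpServerResponse`, this matcher throws instead of reporting. Binding it once makes the two rules consistent: `const rpcRequest = (0, openapi_1.rpcRequestForEvent)(e);` then `return !!rpcRequest && rpcRequest.responseContentType === undefined;`. Separately, `hasContent` on new line 9 treats only 204 as body-less, so a 304 Not Modified (not in the `isRedirect` list on line 8 either) or a 205 Reset Content without a Content-Type header would be reported; `const hasContent = (status) => status >= 200 && ![204, 205, 304].includes(status);` matches the HTTP semantics, unless flagging those responses is deliberate.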
@@ -1,96 +1,48 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __values = (this && this.__values) || function(o) {
|
|
3
|
-
var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
|
|
4
|
-
if (m) return m.call(o);
|
|
5
|
-
if (o && typeof o.length === "number") return {
|
|
6
|
-
next: function () {
|
|
7
|
-
if (o && i >= o.length) o = void 0;
|
|
8
|
-
return { value: o && o[i++], done: !o };
|
|
9
|
-
}
|
|
10
|
-
};
|
|
11
|
-
throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
|
|
12
|
-
};
|
|
13
|
-
var __read = (this && this.__read) || function (o, n) {
|
|
14
|
-
var m = typeof Symbol === "function" && o[Symbol.iterator];
|
|
15
|
-
if (!m) return o;
|
|
16
|
-
var i = m.call(o), r, ar = [], e;
|
|
17
|
-
try {
|
|
18
|
-
while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
|
|
19
|
-
}
|
|
20
|
-
catch (error) { e = { error: error }; }
|
|
21
|
-
finally {
|
|
22
|
-
try {
|
|
23
|
-
if (r && !r.done && (m = i["return"])) m.call(i);
|
|
24
|
-
}
|
|
25
|
-
finally { if (e) throw e.error; }
|
|
26
|
-
}
|
|
27
|
-
return ar;
|
|
28
|
-
};
|
|
29
|
-
var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
|
|
30
|
-
if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
|
|
31
|
-
if (ar || !(i in from)) {
|
|
32
|
-
if (!ar) ar = Array.prototype.slice.call(from, 0, i);
|
|
33
|
-
ar[i] = from[i];
|
|
34
|
-
}
|
|
35
|
-
}
|
|
36
|
-
return to.concat(ar || Array.prototype.slice.call(from));
|
|
37
|
-
};
|
|
38
2
|
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
39
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
40
4
|
};
|
|
41
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
6
|
+
const database_1 = require("../database");
|
|
7
|
+
const url_1 = require("url");
|
|
8
|
+
const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
|
|
9
|
+
class Options {
|
|
10
|
+
constructor() {
|
|
47
11
|
this.warningLimit = 5;
|
|
48
12
|
this.errorLimit = 10;
|
|
49
13
|
}
|
|
50
|
-
|
|
51
|
-
}());
|
|
14
|
+
}
|
|
52
15
|
function build(options) {
|
|
53
16
|
function matcher(command, appMapIndex, eventFilter) {
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
appMapIndex.appMap.events.forEach(function (event) {
|
|
17
|
+
const sqlEvents = (0, database_1.sqlStrings)(command, appMapIndex, eventFilter);
|
|
18
|
+
let sqlRollup = {};
|
|
19
|
+
const eventsById = {};
|
|
20
|
+
appMapIndex.appMap.events.forEach((event) => {
|
|
59
21
|
eventsById[event.id] = event;
|
|
60
22
|
});
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
sqlRollup[key] || (sqlRollup[key] = []);
|
|
68
|
-
sqlRollup[key].push(sqlEvent);
|
|
69
|
-
}
|
|
23
|
+
for (const sqlEvent of sqlEvents) {
|
|
24
|
+
if (!sqlEvent.event.parent)
|
|
25
|
+
continue;
|
|
26
|
+
const key = [sqlEvent.event.parent.id, sqlEvent.sql].join('\n');
|
|
27
|
+
sqlRollup[key] || (sqlRollup[key] = []);
|
|
28
|
+
sqlRollup[key].push(sqlEvent);
|
|
70
29
|
}
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
var matchResults = [];
|
|
79
|
-
var _loop_1 = function () {
|
|
80
|
-
__spreadArray([], __read(Object.keys(sqlRollup)), false).forEach(function (key) {
|
|
81
|
-
var events = sqlRollup[key];
|
|
82
|
-
var _a = __read(key.split('\n'), 2), ancestorId = _a[0], sql = _a[1];
|
|
83
|
-
var ancestor = eventsById[parseInt(ancestorId)];
|
|
84
|
-
var occurranceCount = events.length;
|
|
30
|
+
const matchResults = [];
|
|
31
|
+
do {
|
|
32
|
+
[...Object.keys(sqlRollup)].forEach((key) => {
|
|
33
|
+
const events = sqlRollup[key];
|
|
34
|
+
const [ancestorId, sql] = key.split('\n');
|
|
35
|
+
const ancestor = eventsById[parseInt(ancestorId)];
|
|
36
|
+
const occurranceCount = events.length;
|
|
85
37
|
if (occurranceCount > options.warningLimit) {
|
|
86
|
-
|
|
38
|
+
const buildMatchResult = (level) => {
|
|
87
39
|
return {
|
|
88
40
|
level: level,
|
|
89
41
|
event: events[0].event,
|
|
90
|
-
message:
|
|
42
|
+
message: `${ancestor.toString()}[${ancestor.id}] contains ${occurranceCount} occurrences of SQL: ${sql}`,
|
|
91
43
|
groupMessage: sql,
|
|
92
44
|
occurranceCount: occurranceCount,
|
|
93
|
-
relatedEvents: events.map(
|
|
45
|
+
relatedEvents: events.map((e) => e.event),
|
|
94
46
|
};
|
|
95
47
|
};
|
|
96
48
|
if (occurranceCount >= options.errorLimit) {
|
|
@@ -101,27 +53,24 @@ function build(options) {
|
|
|
101
53
|
}
|
|
102
54
|
}
|
|
103
55
|
});
|
|
104
|
-
|
|
105
|
-
Object.keys(sqlRollup).forEach(
|
|
106
|
-
|
|
56
|
+
const newRollup = {};
|
|
57
|
+
Object.keys(sqlRollup).forEach((key) => {
|
|
58
|
+
const events = sqlRollup[key];
|
|
107
59
|
if (events.length >= options.warningLimit)
|
|
108
60
|
return;
|
|
109
|
-
|
|
110
|
-
|
|
61
|
+
const [ancestorId, sql] = key.split('\n');
|
|
62
|
+
const ancestor = eventsById[parseInt(ancestorId)];
|
|
111
63
|
if (ancestor.parent) {
|
|
112
|
-
|
|
64
|
+
const parentKey = [ancestor.parent.id, sql].join('\n');
|
|
113
65
|
newRollup[parentKey] = (newRollup[parentKey] || []).concat(events);
|
|
114
66
|
}
|
|
115
67
|
}, {});
|
|
116
68
|
sqlRollup = newRollup;
|
|
117
|
-
};
|
|
118
|
-
do {
|
|
119
|
-
_loop_1();
|
|
120
69
|
} while (Object.keys(sqlRollup).length > 0);
|
|
121
70
|
return matchResults;
|
|
122
71
|
}
|
|
123
72
|
return {
|
|
124
|
-
matcher
|
|
73
|
+
matcher,
|
|
125
74
|
};
|
|
126
75
|
}
|
|
127
76
|
exports.default = {
|
|
@@ -130,12 +79,11 @@ exports.default = {
|
|
|
130
79
|
scope: 'command',
|
|
131
80
|
impactDomain: 'Performance',
|
|
132
81
|
enumerateScope: false,
|
|
133
|
-
Options
|
|
82
|
+
Options,
|
|
134
83
|
references: {
|
|
135
84
|
'CWE-1073': new url_1.URL('https://cwe.mitre.org/data/definitions/1073.html'),
|
|
136
85
|
},
|
|
137
86
|
description: (0, parseRuleDescription_1.default)('nPlusOneQuery'),
|
|
138
87
|
url: 'https://appland.com/docs/analysis/rules-reference.html#n-plus-one-query',
|
|
139
|
-
build
|
|
88
|
+
build,
|
|
140
89
|
};
|
|
141
|
-
//# sourceMappingURL=nPlusOneQuery.js.map
|
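Review bot: The two thresholds in `matcher` do not meet: a group is reported only when `occurranceCount > options.warningLimit` (new line 37), but the roll-up skips a group when `events.length >= options.warningLimit` (new line 59), so a parent with exactly `warningLimit` identical queries is neither reported nor carried up to its ancestor and silently disappears; `if (events.length > options.warningLimit)` would make the two consistent, unless dropping the boundary case is intended. The key built on new line 26 joins the parent id and the SQL with `'\n'`, and the destructuring `const [ancestorId, sql] = key.split('\n')` on lines 34 and 61 then keeps only the first line of a multi-line statement in `sql`, so the message, `groupMessage` and the `parentKey` on line 64 would all work from a truncated query if `sqlStrings` can yield statements containing newlines (not visible here); `const sql = key.slice(key.indexOf('\n') + 1);` recovers the whole text. Minor: `parseInt(ancestorId)` on lines 35 and 62 has no radix, and the `{}` second argument to `forEach` on line 67 is a leftover `thisArg` that does nothing.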