@appland/scanner 1.56.0 → 1.59.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +29 -0
- package/built/algorithms/dataStructures/graph/Graph.js +53 -62
- package/built/algorithms/dataStructures/graph/GraphEdge.js +13 -16
- package/built/algorithms/dataStructures/graph/GraphVertex.js +37 -42
- package/built/algorithms/dataStructures/linked-list/LinkedList.js +33 -38
- package/built/algorithms/dataStructures/linked-list/LinkedListNode.js +6 -10
- package/built/algorithms/graph/depth-first-search/index.js +7 -8
- package/built/algorithms/graph/detect-cycle/index.js +15 -16
- package/built/algorithms/utils/Comparator.js +19 -21
- package/built/analyzer/recordSecrets.js +7 -30
- package/built/analyzer/secretsRegexes.js +8 -9
- package/built/appMapIndex.js +19 -21
- package/built/check.js +17 -21
- package/built/checkInstance.js +26 -48
- package/built/cli/ci/command.js +61 -156
- package/built/cli/ci/options.js +0 -1
- package/built/cli/codeVersionArgs.js +0 -1
- package/built/cli/exitCode.js +0 -1
- package/built/cli/fail.js +2 -3
- package/built/cli/merge/command.js +21 -63
- package/built/cli/merge/options.js +0 -1
- package/built/cli/reportUploadURL.js +2 -3
- package/built/cli/resolveAppId.js +34 -85
- package/built/cli/scan/command.js +52 -94
- package/built/cli/scan/formatReport.js +16 -89
- package/built/cli/scan/options.js +0 -1
- package/built/cli/scan/scanner.js +38 -117
- package/built/cli/scan/singleScan.js +61 -109
- package/built/cli/scan/watchScan.js +53 -85
- package/built/cli/scan.js +39 -132
- package/built/cli/scanArgs.js +0 -1
- package/built/cli/scanOptions.js +0 -1
- package/built/cli/updateCommitStatus.js +10 -47
- package/built/cli/upload/command.js +20 -64
- package/built/cli/upload/options.js +0 -1
- package/built/cli/upload/pruneAppMap.js +20 -0
- package/built/cli/upload.js +93 -172
- package/built/cli/validateFile.js +13 -52
- package/built/cli.js +34 -21
- package/built/configuration/configurationProvider.js +151 -233
- package/built/configuration/schema/options.json +76 -76
- package/built/configuration/types/checkConfig.js +0 -1
- package/built/configuration/types/configuration.js +0 -1
- package/built/configuration/types/matchEventConfig.js +0 -1
- package/built/configuration/types/matchPatternConfig.js +0 -1
- package/built/database/index.js +35 -128
- package/built/database/visit.js +20 -68
- package/built/errors.js +4 -30
- package/built/eventUtil.js +10 -35
- package/built/findings.js +3 -4
- package/built/integration/appland/app/exists.js +33 -76
- package/built/integration/appland/app/listFindingStatus.js +3 -36
- package/built/integration/appland/appMap/create.js +38 -89
- package/built/integration/appland/location.js +0 -1
- package/built/integration/appland/mapset/create.js +34 -85
- package/built/integration/appland/retry.js +10 -11
- package/built/integration/appland/retryOptions.js +0 -1
- package/built/integration/appland/scannerJob/create.js +34 -84
- package/built/integration/appland/scannerJob/merge.js +28 -74
- package/built/integration/appland/scannerJob.js +0 -1
- package/built/integration/github/commitStatus.js +3 -4
- package/built/integration/vars.js +1 -2
- package/built/openapi/index.js +39 -83
- package/built/report/appMapMetadata.js +0 -1
- package/built/report/findingSummary.js +0 -1
- package/built/report/findingsReport.js +14 -16
- package/built/report/scanResults.js +50 -72
- package/built/report/scanSummary.js +0 -1
- package/built/report/summaryReport.js +12 -13
- package/built/ruleChecker.js +146 -297
- package/built/rules/authzBeforeAuthn.js +25 -59
- package/built/rules/circularDependency.js +69 -101
- package/built/rules/deserializationOfUntrustedData.js +29 -63
- package/built/rules/execOfUntrustedCommand.js +28 -62
- package/built/rules/http-500/metadata.js +0 -1
- package/built/rules/http-500/rule.js +2 -3
- package/built/rules/illegalPackageDependency.js +16 -18
- package/built/rules/incompatibleHttpClientRequest.js +30 -69
- package/built/rules/insecureCompare.js +12 -13
- package/built/rules/jobNotCancelled.js +13 -45
- package/built/rules/lib/hasParameterOrReceiver.js +4 -7
- package/built/rules/lib/matchEvent.js +12 -13
- package/built/rules/lib/matchPattern.js +6 -7
- package/built/rules/lib/metadata.js +0 -1
- package/built/rules/lib/parseRuleDescription.js +5 -6
- package/built/rules/lib/precedingEvents.js +7 -75
- package/built/rules/lib/rpcWithoutProtection.js +5 -28
- package/built/rules/lib/sanitizesData.js +0 -1
- package/built/rules/lib/util.js +34 -73
- package/built/rules/logoutWithoutSessionReset.js +24 -58
- package/built/rules/missingAuthentication.js +28 -28
- package/built/rules/missingContentType.js +8 -9
- package/built/rules/nPlusOneQuery.js +35 -87
- package/built/rules/queryFromInvalidPackage.js +17 -19
- package/built/rules/queryFromView.js +13 -16
- package/built/rules/rpcWithoutCircuitBreaker.js +14 -84
- package/built/rules/saveWithoutValidation.js +8 -9
- package/built/rules/secretInLog.js +29 -92
- package/built/rules/slowFunctionCall.js +16 -20
- package/built/rules/slowHttpServerRequest.js +9 -11
- package/built/rules/slowQuery.js +9 -12
- package/built/rules/tooManyJoins.js +26 -51
- package/built/rules/tooManyUpdates.js +25 -105
- package/built/rules/unbatchedMaterializedQuery.js +26 -30
- package/built/rules/updateInGetRequest.js +30 -45
- package/built/scope/commandScope.js +24 -144
- package/built/scope/httpClientRequestScope.js +11 -98
- package/built/scope/httpServerRequestScope.js +11 -98
- package/built/scope/rootScope.js +11 -98
- package/built/scope/scopeImpl.js +10 -82
- package/built/scope/scopeIterator.js +6 -10
- package/built/scope/sqlTransactionScope.js +24 -122
- package/built/sqlWarning.js +9 -35
- package/built/telemetry.js +215 -0
- package/built/wellKnownLabels.js +0 -1
- package/package.json +7 -3
- package/built/algorithms/dataStructures/graph/Graph.js.map +0 -1
- package/built/algorithms/dataStructures/graph/GraphEdge.js.map +0 -1
- package/built/algorithms/dataStructures/graph/GraphVertex.js.map +0 -1
- package/built/algorithms/dataStructures/linked-list/LinkedList.js.map +0 -1
- package/built/algorithms/dataStructures/linked-list/LinkedListNode.js.map +0 -1
- package/built/algorithms/graph/depth-first-search/index.js.map +0 -1
- package/built/algorithms/graph/detect-cycle/index.js.map +0 -1
- package/built/algorithms/utils/Comparator.js.map +0 -1
- package/built/analyzer/recordSecrets.js.map +0 -1
- package/built/analyzer/secretsRegexes.js.map +0 -1
- package/built/appMapIndex.js.map +0 -1
- package/built/check.js.map +0 -1
- package/built/checkInstance.js.map +0 -1
- package/built/cli/ci/command.js.map +0 -1
- package/built/cli/ci/options.js.map +0 -1
- package/built/cli/codeVersionArgs.js.map +0 -1
- package/built/cli/exitCode.js.map +0 -1
- package/built/cli/fail.js.map +0 -1
- package/built/cli/merge/command.js.map +0 -1
- package/built/cli/merge/options.js.map +0 -1
- package/built/cli/reportUploadURL.js.map +0 -1
- package/built/cli/resolveAppId.js.map +0 -1
- package/built/cli/scan/command.js.map +0 -1
- package/built/cli/scan/formatReport.js.map +0 -1
- package/built/cli/scan/options.js.map +0 -1
- package/built/cli/scan/scanner.js.map +0 -1
- package/built/cli/scan/singleScan.js.map +0 -1
- package/built/cli/scan/watchScan.js.map +0 -1
- package/built/cli/scan.js.map +0 -1
- package/built/cli/scanArgs.js.map +0 -1
- package/built/cli/scanOptions.js.map +0 -1
- package/built/cli/updateCommitStatus.js.map +0 -1
- package/built/cli/upload/command.js.map +0 -1
- package/built/cli/upload/options.js.map +0 -1
- package/built/cli/upload.js.map +0 -1
- package/built/cli/validateFile.js.map +0 -1
- package/built/cli.js.map +0 -1
- package/built/configuration/configurationProvider.js.map +0 -1
- package/built/configuration/types/checkConfig.js.map +0 -1
- package/built/configuration/types/configuration.js.map +0 -1
- package/built/configuration/types/matchEventConfig.js.map +0 -1
- package/built/configuration/types/matchPatternConfig.js.map +0 -1
- package/built/database/index.js.map +0 -1
- package/built/database/visit.js.map +0 -1
- package/built/errors.js.map +0 -1
- package/built/eventUtil.js.map +0 -1
- package/built/findings.js.map +0 -1
- package/built/integration/appland/app/exists.js.map +0 -1
- package/built/integration/appland/app/listFindingStatus.js.map +0 -1
- package/built/integration/appland/appMap/create.js.map +0 -1
- package/built/integration/appland/location.js.map +0 -1
- package/built/integration/appland/mapset/create.js.map +0 -1
- package/built/integration/appland/retry.js.map +0 -1
- package/built/integration/appland/retryOptions.js.map +0 -1
- package/built/integration/appland/scannerJob/create.js.map +0 -1
- package/built/integration/appland/scannerJob/merge.js.map +0 -1
- package/built/integration/appland/scannerJob.js.map +0 -1
- package/built/integration/github/commitStatus.js.map +0 -1
- package/built/integration/vars.js.map +0 -1
- package/built/openapi/index.js.map +0 -1
- package/built/openapi/method.js +0 -120
- package/built/openapi/method.js.map +0 -1
- package/built/openapi/model.js +0 -49
- package/built/openapi/model.js.map +0 -1
- package/built/openapi/path.js +0 -36
- package/built/openapi/path.js.map +0 -1
- package/built/openapi/provider.js +0 -133
- package/built/openapi/provider.js.map +0 -1
- package/built/openapi/response.js +0 -59
- package/built/openapi/response.js.map +0 -1
- package/built/openapi/rpcRequest.js +0 -130
- package/built/openapi/rpcRequest.js.map +0 -1
- package/built/openapi/schema.js +0 -42
- package/built/openapi/schema.js.map +0 -1
- package/built/openapi/securitySchemes.js +0 -32
- package/built/openapi/securitySchemes.js.map +0 -1
- package/built/openapi/statusCodes.js +0 -68
- package/built/openapi/statusCodes.js.map +0 -1
- package/built/openapi/util.js +0 -91
- package/built/openapi/util.js.map +0 -1
- package/built/report/appMapMetadata.js.map +0 -1
- package/built/report/findingSummary.js.map +0 -1
- package/built/report/findingsReport.js.map +0 -1
- package/built/report/scanResults.js.map +0 -1
- package/built/report/scanSummary.js.map +0 -1
- package/built/report/summaryReport.js.map +0 -1
- package/built/ruleChecker.js.map +0 -1
- package/built/rules/authzBeforeAuthn.js.map +0 -1
- package/built/rules/circularDependency.js.map +0 -1
- package/built/rules/deserializationOfUntrustedData.js.map +0 -1
- package/built/rules/execOfUntrustedCommand.js.map +0 -1
- package/built/rules/http-500/metadata.js.map +0 -1
- package/built/rules/http-500/rule.js.map +0 -1
- package/built/rules/illegalPackageDependency.js.map +0 -1
- package/built/rules/incompatibleHttpClientRequest.js.map +0 -1
- package/built/rules/insecureCompare.js.map +0 -1
- package/built/rules/jobNotCancelled.js.map +0 -1
- package/built/rules/lib/hasParameterOrReceiver.js.map +0 -1
- package/built/rules/lib/matchEvent.js.map +0 -1
- package/built/rules/lib/matchPattern.js.map +0 -1
- package/built/rules/lib/metadata.js.map +0 -1
- package/built/rules/lib/parseRuleDescription.js.map +0 -1
- package/built/rules/lib/precedingEvents.js.map +0 -1
- package/built/rules/lib/rpcWithoutProtection.js.map +0 -1
- package/built/rules/lib/sanitizesData.js.map +0 -1
- package/built/rules/lib/util.js.map +0 -1
- package/built/rules/logoutWithoutSessionReset.js.map +0 -1
- package/built/rules/missingAuthentication.js.map +0 -1
- package/built/rules/missingContentType.js.map +0 -1
- package/built/rules/nPlusOneQuery.js.map +0 -1
- package/built/rules/queryFromInvalidPackage.js.map +0 -1
- package/built/rules/queryFromView.js.map +0 -1
- package/built/rules/rpcWithoutCircuitBreaker.js.map +0 -1
- package/built/rules/saveWithoutValidation.js.map +0 -1
- package/built/rules/secretInLog.js.map +0 -1
- package/built/rules/slowFunctionCall.js.map +0 -1
- package/built/rules/slowHttpServerRequest.js.map +0 -1
- package/built/rules/slowQuery.js.map +0 -1
- package/built/rules/tooManyJoins.js.map +0 -1
- package/built/rules/tooManyUpdates.js.map +0 -1
- package/built/rules/unbatchedMaterializedQuery.js.map +0 -1
- package/built/rules/updateInGetRequest.js.map +0 -1
- package/built/scope/commandScope.js.map +0 -1
- package/built/scope/httpClientRequestScope.js.map +0 -1
- package/built/scope/httpServerRequestScope.js.map +0 -1
- package/built/scope/rootScope.js.map +0 -1
- package/built/scope/scopeImpl.js.map +0 -1
- package/built/scope/scopeIterator.js.map +0 -1
- package/built/scope/sqlTransactionScope.js.map +0 -1
- package/built/sqlWarning.js.map +0 -1
- package/built/wellKnownLabels.js.map +0 -1
package/built/rules/lib/util.js
CHANGED
|
@@ -8,66 +8,28 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
8
8
|
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
9
9
|
});
|
|
10
10
|
};
|
|
11
|
-
var __generator = (this && this.__generator) || function (thisArg, body) {
|
|
12
|
-
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
|
|
13
|
-
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
|
|
14
|
-
function verb(n) { return function (v) { return step([n, v]); }; }
|
|
15
|
-
function step(op) {
|
|
16
|
-
if (f) throw new TypeError("Generator is already executing.");
|
|
17
|
-
while (_) try {
|
|
18
|
-
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
|
|
19
|
-
if (y = 0, t) op = [op[0] & 2, t.value];
|
|
20
|
-
switch (op[0]) {
|
|
21
|
-
case 0: case 1: t = op; break;
|
|
22
|
-
case 4: _.label++; return { value: op[1], done: false };
|
|
23
|
-
case 5: _.label++; y = op[1]; op = [0]; continue;
|
|
24
|
-
case 7: op = _.ops.pop(); _.trys.pop(); continue;
|
|
25
|
-
default:
|
|
26
|
-
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
|
|
27
|
-
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
|
|
28
|
-
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
|
|
29
|
-
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
|
|
30
|
-
if (t[2]) _.ops.pop();
|
|
31
|
-
_.trys.pop(); continue;
|
|
32
|
-
}
|
|
33
|
-
op = body.call(thisArg, _);
|
|
34
|
-
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
|
|
35
|
-
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
|
|
36
|
-
}
|
|
37
|
-
};
|
|
38
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
39
12
|
exports.verbose = exports.toRegExpArray = exports.responseContentType = exports.toRegExp = exports.providesAuthentication = exports.pluralize = exports.dasherize = exports.camelize = exports.parseValue = exports.isRoot = exports.ideLink = exports.isTruthy = exports.isFalsey = exports.emptyValue = exports.capitalize = exports.appMapDir = exports.appmapDirFromConfig = void 0;
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
13
|
+
const fs_1 = require("fs");
|
|
14
|
+
const promises_1 = require("fs/promises");
|
|
15
|
+
const js_yaml_1 = require("js-yaml");
|
|
16
|
+
const path_1 = require("path");
|
|
17
|
+
const util_1 = require("util");
|
|
45
18
|
function appmapDirFromConfig() {
|
|
46
|
-
return __awaiter(this, void 0, void 0, function () {
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
if (!appMapConfigExists) return [3 /*break*/, 3];
|
|
54
|
-
_a = js_yaml_1.load;
|
|
55
|
-
return [4 /*yield*/, (0, promises_1.readFile)('appmap.yml')];
|
|
56
|
-
case 2:
|
|
57
|
-
appMapConfigData = _a.apply(void 0, [(_b.sent()).toString()]);
|
|
58
|
-
if (appMapConfigData && typeof appMapConfigData === 'object') {
|
|
59
|
-
return [2 /*return*/, appMapConfigData['appmap_dir']];
|
|
60
|
-
}
|
|
61
|
-
_b.label = 3;
|
|
62
|
-
case 3: return [2 /*return*/];
|
|
19
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
20
|
+
const appMapConfigExists = yield (0, util_1.promisify)(fs_1.exists)('appmap.yml');
|
|
21
|
+
if (appMapConfigExists) {
|
|
22
|
+
const appMapConfigData = (0, js_yaml_1.load)((yield (0, promises_1.readFile)('appmap.yml')).toString());
|
|
23
|
+
if (appMapConfigData && typeof appMapConfigData === 'object') {
|
|
24
|
+
const configData = appMapConfigData;
|
|
25
|
+
return configData['appmap_dir'];
|
|
63
26
|
}
|
|
64
|
-
}
|
|
27
|
+
}
|
|
65
28
|
});
|
|
66
29
|
}
|
|
67
30
|
exports.appmapDirFromConfig = appmapDirFromConfig;
|
|
68
|
-
|
|
69
|
-
function verbose(v) {
|
|
70
|
-
if (v === void 0) { v = null; }
|
|
31
|
+
let isVerbose = false;
|
|
32
|
+
function verbose(v = null) {
|
|
71
33
|
if (v === true || v === false) {
|
|
72
34
|
isVerbose = v;
|
|
73
35
|
}
|
|
@@ -127,55 +89,55 @@ function parseValue(valueObj) {
|
|
|
127
89
|
return valueObj.value
|
|
128
90
|
.slice(1, valueObj.value.length - 1)
|
|
129
91
|
.split(',')
|
|
130
|
-
.map(
|
|
92
|
+
.map((v) => v.trim());
|
|
131
93
|
}
|
|
132
94
|
return [valueObj.value];
|
|
133
95
|
}
|
|
134
96
|
exports.parseValue = parseValue;
|
|
135
|
-
|
|
97
|
+
const isTruthy = (valueObj) => !isFalsey(valueObj);
|
|
136
98
|
exports.isTruthy = isTruthy;
|
|
137
99
|
function providesAuthentication(event, label) {
|
|
138
100
|
return event.returnValue && event.labels.has(label) && isTruthy(event.returnValue);
|
|
139
101
|
}
|
|
140
102
|
exports.providesAuthentication = providesAuthentication;
|
|
141
103
|
function ideLink(filePath, ide, eventId) {
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
104
|
+
const OSC = '\u001B]';
|
|
105
|
+
const BEL = '\u0007';
|
|
106
|
+
const SEP = ';';
|
|
145
107
|
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
|
146
|
-
|
|
108
|
+
const supportsHyperlinks = require('supports-hyperlinks');
|
|
147
109
|
if (!supportsHyperlinks.stdout) {
|
|
148
110
|
return filePath;
|
|
149
111
|
}
|
|
150
|
-
|
|
112
|
+
let path;
|
|
151
113
|
if (!(0, path_1.isAbsolute)(filePath)) {
|
|
152
|
-
path =
|
|
114
|
+
path = `${__dirname}/../../../../../${filePath}`;
|
|
153
115
|
}
|
|
154
116
|
else {
|
|
155
117
|
path = filePath;
|
|
156
118
|
}
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
?
|
|
161
|
-
:
|
|
119
|
+
const state = { currentView: 'viewFlow', selectedObject: `event:${eventId}` };
|
|
120
|
+
const encodedState = encodeURIComponent(JSON.stringify(state));
|
|
121
|
+
const link = ide == 'vscode'
|
|
122
|
+
? `vscode://appland.appmap/open?uri=${path}&state=${encodedState}`
|
|
123
|
+
: `${ide}://open?file=${path}`;
|
|
162
124
|
return [OSC, '8', SEP, SEP, link, BEL, filePath, OSC, '8', SEP, SEP, BEL].join('');
|
|
163
125
|
}
|
|
164
126
|
exports.ideLink = ideLink;
|
|
165
|
-
|
|
127
|
+
const toRegExp = (value) => {
|
|
166
128
|
return typeof value === 'string' ? new RegExp(value) : value;
|
|
167
129
|
};
|
|
168
130
|
exports.toRegExp = toRegExp;
|
|
169
|
-
|
|
131
|
+
const toRegExpArray = (value) => {
|
|
170
132
|
return value.map(toRegExp);
|
|
171
133
|
};
|
|
172
134
|
exports.toRegExpArray = toRegExpArray;
|
|
173
|
-
|
|
174
|
-
|
|
135
|
+
const RootLabels = ['command', 'job'];
|
|
136
|
+
const isRoot = (event) => {
|
|
175
137
|
if (!event) {
|
|
176
138
|
return true;
|
|
177
139
|
}
|
|
178
|
-
return (!!event.httpServerRequest || RootLabels.some(
|
|
140
|
+
return (!!event.httpServerRequest || RootLabels.some((label) => event.codeObject.labels.has(label)));
|
|
179
141
|
};
|
|
180
142
|
exports.isRoot = isRoot;
|
|
181
143
|
// Attribution: https://github.com/shahata/dasherize
|
|
@@ -190,7 +152,7 @@ function dasherize(str) {
|
|
|
190
152
|
exports.dasherize = dasherize;
|
|
191
153
|
// Literally StackOverflow
|
|
192
154
|
function camelize(text) {
|
|
193
|
-
text = text.replace(/[-_\s.]+(.)?/g,
|
|
155
|
+
text = text.replace(/[-_\s.]+(.)?/g, (_, c) => (c ? c.toUpperCase() : ''));
|
|
194
156
|
return text.slice(0, 1).toLowerCase() + text.slice(1);
|
|
195
157
|
}
|
|
196
158
|
exports.camelize = camelize;
|
|
@@ -198,4 +160,3 @@ function pluralize(word, count) {
|
|
|
198
160
|
return count === 1 ? word : [word, 's'].join('');
|
|
199
161
|
}
|
|
200
162
|
exports.pluralize = pluralize;
|
|
201
|
-
//# sourceMappingURL=util.js.map
|
|
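Review bot: In `ideLink`, the relative-path branch (new line 114) builds the link target from a hard-coded five-level `../` walk above `__dirname`, which only lands on the project root for one particular install layout, and neither `path` nor `ide` is URL-encoded before being interpolated into the `vscode://` / `${ide}://` URL (new lines 122–123), so a file path containing `&`, `#` or `%` produces a broken hyperlink. If the scan is normally run from the project root, `path = (0, path_1.resolve)(filePath);` is the more robust base, with `encodeURIComponent(path)` in both template literals and `ide === 'vscode'` for the comparison. Separately, `appmapDirFromConfig` (new line 25) returns `configData['appmap_dir']` without checking it is a string, so callers may receive an arbitrary YAML value as a directory; a `typeof configData['appmap_dir'] === 'string'` guard keeps that contract explicit. These are compiled files, so the fix belongs in the TypeScript sources.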
@@ -1,78 +1,45 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __values = (this && this.__values) || function(o) {
|
|
3
|
-
var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
|
|
4
|
-
if (m) return m.call(o);
|
|
5
|
-
if (o && typeof o.length === "number") return {
|
|
6
|
-
next: function () {
|
|
7
|
-
if (o && i >= o.length) o = void 0;
|
|
8
|
-
return { value: o && o[i++], done: !o };
|
|
9
|
-
}
|
|
10
|
-
};
|
|
11
|
-
throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
|
|
12
|
-
};
|
|
13
2
|
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
14
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
15
4
|
};
|
|
16
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
6
|
+
const models_1 = require("@appland/models");
|
|
7
|
+
const url_1 = require("url");
|
|
8
|
+
const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
|
|
20
9
|
function containsSessionClear(events) {
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
var iter = events_1_1.value;
|
|
25
|
-
if (iter.event.labels.has(HTTPSessionClear)) {
|
|
26
|
-
return true;
|
|
27
|
-
}
|
|
10
|
+
for (const iter of events) {
|
|
11
|
+
if (iter.event.labels.has(HTTPSessionClear)) {
|
|
12
|
+
return true;
|
|
28
13
|
}
|
|
29
14
|
}
|
|
30
|
-
catch (e_1_1) { e_1 = { error: e_1_1 }; }
|
|
31
|
-
finally {
|
|
32
|
-
try {
|
|
33
|
-
if (events_1_1 && !events_1_1.done && (_a = events_1.return)) _a.call(events_1);
|
|
34
|
-
}
|
|
35
|
-
finally { if (e_1) throw e_1.error; }
|
|
36
|
-
}
|
|
37
15
|
return false;
|
|
38
16
|
}
|
|
39
17
|
function build() {
|
|
40
18
|
function matcher(rootEvent) {
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
message: "".concat(event.event, " logs out the user, but the HTTP session is not cleared"),
|
|
56
|
-
},
|
|
57
|
-
];
|
|
58
|
-
}
|
|
19
|
+
for (const event of new models_1.EventNavigator(rootEvent).descendants()) {
|
|
20
|
+
// .//*[@security.logout]
|
|
21
|
+
if (event.event.labels.has(SecurityLogout)) {
|
|
22
|
+
// .//*[@http.session.clear]
|
|
23
|
+
if (containsSessionClear(event.descendants())) {
|
|
24
|
+
return;
|
|
25
|
+
}
|
|
26
|
+
else {
|
|
27
|
+
return [
|
|
28
|
+
{
|
|
29
|
+
event: event.event,
|
|
30
|
+
message: `${event.event} logs out the user, but the HTTP session is not cleared`,
|
|
31
|
+
},
|
|
32
|
+
];
|
|
59
33
|
}
|
|
60
34
|
}
|
|
61
35
|
}
|
|
62
|
-
catch (e_2_1) { e_2 = { error: e_2_1 }; }
|
|
63
|
-
finally {
|
|
64
|
-
try {
|
|
65
|
-
if (_c && !_c.done && (_a = _b.return)) _a.call(_b);
|
|
66
|
-
}
|
|
67
|
-
finally { if (e_2) throw e_2.error; }
|
|
68
|
-
}
|
|
69
36
|
}
|
|
70
37
|
return {
|
|
71
|
-
matcher
|
|
38
|
+
matcher,
|
|
72
39
|
};
|
|
73
40
|
}
|
|
74
|
-
|
|
75
|
-
|
|
41
|
+
const SecurityLogout = 'security.logout';
|
|
42
|
+
const HTTPSessionClear = 'http.session.clear';
|
|
76
43
|
exports.default = {
|
|
77
44
|
id: 'logout-without-session-reset',
|
|
78
45
|
title: 'Logout without session reset',
|
|
@@ -87,6 +54,5 @@ exports.default = {
|
|
|
87
54
|
},
|
|
88
55
|
description: (0, parseRuleDescription_1.default)('logoutWithoutSessionReset'),
|
|
89
56
|
url: 'https://appland.com/docs/analysis/rules-reference.html#logout-without-session-reset',
|
|
90
|
-
build
|
|
57
|
+
build,
|
|
91
58
|
};
|
|
92
|
-
//# sourceMappingURL=logoutWithoutSessionReset.js.map
|
|
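Review bot: `matcher` returns on the first `security.logout`-labelled descendant it meets (new lines 19–32), so if a root event contains more than one logout call only the first is ever checked for a following `http.session.clear`, and the `else` after `return;` is redundant. If one logout per scope is guaranteed this is fine; otherwise the loop should record a finding for every unguarded logout and keep going, as sketched below. `containsSessionClear` also only inspects the logout event's own descendants, so a session clear performed by a sibling call after the logout returns is presumably not credited — worth confirming that is the intended rule. `build` wraps `matcher` and the rule metadata object continues in the next hunk.
```javascript
function matcher(rootEvent) {
  const findings = [];
  for (const event of new models_1.EventNavigator(rootEvent).descendants()) {
    // .//*[@security.logout]
    if (!event.event.labels.has(SecurityLogout)) continue;
    // .//*[@http.session.clear]
    if (containsSessionClear(event.descendants())) continue;
    findings.push({
      event: event.event,
      message: `${event.event} logs out the user, but the HTTP session is not cleared`,
    });
  }
  // keep the original contract: undefined when nothing was found
  return findings.length > 0 ? findings : undefined;
}
```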
@@ -3,17 +3,17 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
6
|
+
const models_1 = require("@appland/models");
|
|
7
|
+
const openapi_1 = require("@appland/openapi");
|
|
8
|
+
const util_1 = require("./lib/util");
|
|
9
|
+
const matchPattern_1 = require("./lib/matchPattern");
|
|
10
|
+
const url_1 = require("url");
|
|
11
|
+
const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
|
|
12
12
|
function isPublic(event) {
|
|
13
13
|
return event.labels.has(AccessPublic);
|
|
14
14
|
}
|
|
15
|
-
|
|
16
|
-
|
|
15
|
+
const authenticatedBy = (iterator) => {
|
|
16
|
+
let i = iterator.next();
|
|
17
17
|
while (!i.done) {
|
|
18
18
|
if (isPublic(i.value.event) || (0, util_1.providesAuthentication)(i.value.event, SecurityAuthentication)) {
|
|
19
19
|
return true;
|
|
@@ -22,20 +22,21 @@ var authenticatedBy = function (iterator) {
|
|
|
22
22
|
}
|
|
23
23
|
return false;
|
|
24
24
|
};
|
|
25
|
-
|
|
26
|
-
|
|
25
|
+
class Options {
|
|
26
|
+
constructor() {
|
|
27
27
|
this.includeContentTypes = [];
|
|
28
28
|
this.excludeContentTypes = [];
|
|
29
29
|
}
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
var includeContentTypes = (0, matchPattern_1.buildFilters)(options.includeContentTypes);
|
|
35
|
-
var excludeContentTypes = (0, matchPattern_1.buildFilters)(options.excludeContentTypes);
|
|
30
|
+
}
|
|
31
|
+
function build(options = new Options()) {
|
|
32
|
+
const includeContentTypes = (0, matchPattern_1.buildFilters)(options.includeContentTypes);
|
|
33
|
+
const excludeContentTypes = (0, matchPattern_1.buildFilters)(options.excludeContentTypes);
|
|
36
34
|
function testContentType(contentType) {
|
|
35
|
+
if (!contentType)
|
|
36
|
+
return false;
|
|
37
|
+
const content = contentType;
|
|
37
38
|
function test(filter) {
|
|
38
|
-
return filter(
|
|
39
|
+
return filter(content);
|
|
39
40
|
}
|
|
40
41
|
return ((includeContentTypes.length === 0 || includeContentTypes.some(test)) &&
|
|
41
42
|
!excludeContentTypes.some(test));
|
|
@@ -45,7 +46,7 @@ function build(options) {
|
|
|
45
46
|
return [
|
|
46
47
|
{
|
|
47
48
|
event: event,
|
|
48
|
-
message:
|
|
49
|
+
message: `Unauthenticated HTTP server request: ${event.route}`,
|
|
49
50
|
},
|
|
50
51
|
];
|
|
51
52
|
}
|
|
@@ -54,17 +55,17 @@ function build(options) {
|
|
|
54
55
|
return (e.route !== undefined &&
|
|
55
56
|
e.httpServerResponse !== undefined &&
|
|
56
57
|
e.httpServerResponse.status < 300 &&
|
|
57
|
-
!!(0,
|
|
58
|
-
!!(0,
|
|
59
|
-
testContentType((0,
|
|
58
|
+
!!(0, openapi_1.rpcRequestForEvent)(e) &&
|
|
59
|
+
!!(0, openapi_1.rpcRequestForEvent)(e).responseContentType &&
|
|
60
|
+
testContentType((0, openapi_1.rpcRequestForEvent)(e).responseContentType));
|
|
60
61
|
}
|
|
61
62
|
return {
|
|
62
|
-
where
|
|
63
|
-
matcher
|
|
63
|
+
where,
|
|
64
|
+
matcher,
|
|
64
65
|
};
|
|
65
66
|
}
|
|
66
|
-
|
|
67
|
-
|
|
67
|
+
const AccessPublic = 'access.public';
|
|
68
|
+
const SecurityAuthentication = 'security.authentication';
|
|
68
69
|
exports.default = {
|
|
69
70
|
id: 'missing-authentication',
|
|
70
71
|
title: 'Unauthenticated HTTP server request',
|
|
@@ -77,7 +78,6 @@ exports.default = {
|
|
|
77
78
|
},
|
|
78
79
|
description: (0, parseRuleDescription_1.default)('missingAuthentication'),
|
|
79
80
|
url: 'https://appland.com/docs/analysis/rules-reference.html#missing-authentication',
|
|
80
|
-
Options
|
|
81
|
-
build
|
|
81
|
+
Options,
|
|
82
|
+
build,
|
|
82
83
|
};
|
|
83
|
-
//# sourceMappingURL=missingAuthentication.js.map
|
|
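Review bot: `where` calls `(0, openapi_1.rpcRequestForEvent)(e)` three times on the same event (new lines 58–60) to null-check, read and pass `responseContentType`; computing it once is cheaper and clearer: `const rpcRequest = (0, openapi_1.rpcRequestForEvent)(e);` followed by `!!rpcRequest && !!rpcRequest.responseContentType && testContentType(rpcRequest.responseContentType)`. Given that guard, the `if (!contentType) return false;` added to `testContentType` (new line 35) is unreachable from `where`; harmless, but worth a one-line comment if it exists for other callers. `where`'s signature line is outside this hunk, and as these are compiled files the change belongs in the TypeScript source.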
@@ -3,13 +3,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
6
|
+
const openapi_1 = require("@appland/openapi");
|
|
7
|
+
const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
|
|
8
|
+
const isRedirect = (status) => [301, 302, 303, 307, 308].includes(status);
|
|
9
|
+
const hasContent = (status) => status !== 204;
|
|
10
10
|
function build() {
|
|
11
11
|
function matcher(e) {
|
|
12
|
-
return (0,
|
|
12
|
+
return (0, openapi_1.rpcRequestForEvent)(e).responseContentType === undefined;
|
|
13
13
|
}
|
|
14
14
|
function where(e) {
|
|
15
15
|
return (!!e.httpServerResponse &&
|
|
@@ -17,8 +17,8 @@ function build() {
|
|
|
17
17
|
hasContent(e.httpServerResponse.status));
|
|
18
18
|
}
|
|
19
19
|
return {
|
|
20
|
-
matcher
|
|
21
|
-
where
|
|
20
|
+
matcher,
|
|
21
|
+
where,
|
|
22
22
|
};
|
|
23
23
|
}
|
|
24
24
|
exports.default = {
|
|
@@ -29,6 +29,5 @@ exports.default = {
|
|
|
29
29
|
enumerateScope: false,
|
|
30
30
|
description: (0, parseRuleDescription_1.default)('missingContentType'),
|
|
31
31
|
url: 'https://appland.com/docs/analysis/rules-reference.html#missing-content-type',
|
|
32
|
-
build
|
|
32
|
+
build,
|
|
33
33
|
};
|
|
34
|
-
//# sourceMappingURL=missingContentType.js.map
|
|
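Review bot: `hasContent` (new line 9) only excludes 204, so a 304 Not Modified response — which carries no body and therefore normally no Content-Type — passes `where` and is reported as missing a content type; `const hasContent = (status) => status !== 204 && status !== 304;` avoids that false positive (205 and 1xx responses are similar edge cases). `matcher` (new line 12) also dereferences `(0, openapi_1.rpcRequestForEvent)(e)` without a null check, whereas the sibling missing-authentication rule guards the same call with `!!`; if it can return undefined, `const rpcRequest = (0, openapi_1.rpcRequestForEvent)(e);` then `return !!rpcRequest && rpcRequest.responseContentType === undefined;` keeps the rule from throwing mid-scan. The middle condition of `where` (line 16) is outside this hunk.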
@@ -1,96 +1,48 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __values = (this && this.__values) || function(o) {
|
|
3
|
-
var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
|
|
4
|
-
if (m) return m.call(o);
|
|
5
|
-
if (o && typeof o.length === "number") return {
|
|
6
|
-
next: function () {
|
|
7
|
-
if (o && i >= o.length) o = void 0;
|
|
8
|
-
return { value: o && o[i++], done: !o };
|
|
9
|
-
}
|
|
10
|
-
};
|
|
11
|
-
throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
|
|
12
|
-
};
|
|
13
|
-
var __read = (this && this.__read) || function (o, n) {
|
|
14
|
-
var m = typeof Symbol === "function" && o[Symbol.iterator];
|
|
15
|
-
if (!m) return o;
|
|
16
|
-
var i = m.call(o), r, ar = [], e;
|
|
17
|
-
try {
|
|
18
|
-
while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
|
|
19
|
-
}
|
|
20
|
-
catch (error) { e = { error: error }; }
|
|
21
|
-
finally {
|
|
22
|
-
try {
|
|
23
|
-
if (r && !r.done && (m = i["return"])) m.call(i);
|
|
24
|
-
}
|
|
25
|
-
finally { if (e) throw e.error; }
|
|
26
|
-
}
|
|
27
|
-
return ar;
|
|
28
|
-
};
|
|
29
|
-
var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
|
|
30
|
-
if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
|
|
31
|
-
if (ar || !(i in from)) {
|
|
32
|
-
if (!ar) ar = Array.prototype.slice.call(from, 0, i);
|
|
33
|
-
ar[i] = from[i];
|
|
34
|
-
}
|
|
35
|
-
}
|
|
36
|
-
return to.concat(ar || Array.prototype.slice.call(from));
|
|
37
|
-
};
|
|
38
2
|
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
39
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
40
4
|
};
|
|
41
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
6
|
+
const database_1 = require("../database");
|
|
7
|
+
const url_1 = require("url");
|
|
8
|
+
const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
|
|
9
|
+
class Options {
|
|
10
|
+
constructor() {
|
|
47
11
|
this.warningLimit = 5;
|
|
48
12
|
this.errorLimit = 10;
|
|
49
13
|
}
|
|
50
|
-
|
|
51
|
-
}());
|
|
14
|
+
}
|
|
52
15
|
function build(options) {
|
|
53
16
|
function matcher(command, appMapIndex, eventFilter) {
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
appMapIndex.appMap.events.forEach(function (event) {
|
|
17
|
+
const sqlEvents = (0, database_1.sqlStrings)(command, appMapIndex, eventFilter);
|
|
18
|
+
let sqlRollup = {};
|
|
19
|
+
const eventsById = {};
|
|
20
|
+
appMapIndex.appMap.events.forEach((event) => {
|
|
59
21
|
eventsById[event.id] = event;
|
|
60
22
|
});
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
sqlRollup[key] || (sqlRollup[key] = []);
|
|
68
|
-
sqlRollup[key].push(sqlEvent);
|
|
69
|
-
}
|
|
23
|
+
for (const sqlEvent of sqlEvents) {
|
|
24
|
+
if (!sqlEvent.event.parent)
|
|
25
|
+
continue;
|
|
26
|
+
const key = [sqlEvent.event.parent.id, sqlEvent.sql].join('\n');
|
|
27
|
+
sqlRollup[key] || (sqlRollup[key] = []);
|
|
28
|
+
sqlRollup[key].push(sqlEvent);
|
|
70
29
|
}
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
var matchResults = [];
|
|
79
|
-
var _loop_1 = function () {
|
|
80
|
-
__spreadArray([], __read(Object.keys(sqlRollup)), false).forEach(function (key) {
|
|
81
|
-
var events = sqlRollup[key];
|
|
82
|
-
var _a = __read(key.split('\n'), 2), ancestorId = _a[0], sql = _a[1];
|
|
83
|
-
var ancestor = eventsById[parseInt(ancestorId)];
|
|
84
|
-
var occurranceCount = events.length;
|
|
30
|
+
const matchResults = [];
|
|
31
|
+
do {
|
|
32
|
+
[...Object.keys(sqlRollup)].forEach((key) => {
|
|
33
|
+
const events = sqlRollup[key];
|
|
34
|
+
const [ancestorId, sql] = key.split('\n');
|
|
35
|
+
const ancestor = eventsById[parseInt(ancestorId)];
|
|
36
|
+
const occurranceCount = events.length;
|
|
85
37
|
if (occurranceCount > options.warningLimit) {
|
|
86
|
-
|
|
38
|
+
const buildMatchResult = (level) => {
|
|
87
39
|
return {
|
|
88
40
|
level: level,
|
|
89
41
|
event: events[0].event,
|
|
90
|
-
message:
|
|
42
|
+
message: `${ancestor.toString()}[${ancestor.id}] contains ${occurranceCount} occurrences of SQL: ${sql}`,
|
|
91
43
|
groupMessage: sql,
|
|
92
44
|
occurranceCount: occurranceCount,
|
|
93
|
-
relatedEvents: events.map(
|
|
45
|
+
relatedEvents: events.map((e) => e.event),
|
|
94
46
|
};
|
|
95
47
|
};
|
|
96
48
|
if (occurranceCount >= options.errorLimit) {
|
|
@@ -101,27 +53,24 @@ function build(options) {
|
|
|
101
53
|
}
|
|
102
54
|
}
|
|
103
55
|
});
|
|
104
|
-
|
|
105
|
-
Object.keys(sqlRollup).forEach(
|
|
106
|
-
|
|
56
|
+
const newRollup = {};
|
|
57
|
+
Object.keys(sqlRollup).forEach((key) => {
|
|
58
|
+
const events = sqlRollup[key];
|
|
107
59
|
if (events.length >= options.warningLimit)
|
|
108
60
|
return;
|
|
109
|
-
|
|
110
|
-
|
|
61
|
+
const [ancestorId, sql] = key.split('\n');
|
|
62
|
+
const ancestor = eventsById[parseInt(ancestorId)];
|
|
111
63
|
if (ancestor.parent) {
|
|
112
|
-
|
|
64
|
+
const parentKey = [ancestor.parent.id, sql].join('\n');
|
|
113
65
|
newRollup[parentKey] = (newRollup[parentKey] || []).concat(events);
|
|
114
66
|
}
|
|
115
67
|
}, {});
|
|
116
68
|
sqlRollup = newRollup;
|
|
117
|
-
};
|
|
118
|
-
do {
|
|
119
|
-
_loop_1();
|
|
120
69
|
} while (Object.keys(sqlRollup).length > 0);
|
|
121
70
|
return matchResults;
|
|
122
71
|
}
|
|
123
72
|
return {
|
|
124
|
-
matcher
|
|
73
|
+
matcher,
|
|
125
74
|
};
|
|
126
75
|
}
|
|
127
76
|
exports.default = {
|
|
@@ -130,12 +79,11 @@ exports.default = {
|
|
|
130
79
|
scope: 'command',
|
|
131
80
|
impactDomain: 'Performance',
|
|
132
81
|
enumerateScope: false,
|
|
133
|
-
Options
|
|
82
|
+
Options,
|
|
134
83
|
references: {
|
|
135
84
|
'CWE-1073': new url_1.URL('https://cwe.mitre.org/data/definitions/1073.html'),
|
|
136
85
|
},
|
|
137
86
|
description: (0, parseRuleDescription_1.default)('nPlusOneQuery'),
|
|
138
87
|
url: 'https://appland.com/docs/analysis/rules-reference.html#n-plus-one-query',
|
|
139
|
-
build
|
|
88
|
+
build,
|
|
140
89
|
};
|
|
141
|
-
//# sourceMappingURL=nPlusOneQuery.js.map
|
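Review bot: In `matcher`, a group whose occurrence count equals `options.warningLimit` is neither reported (new line 37 requires `> options.warningLimit`) nor rolled up to its parent (new line 59 returns on `>= options.warningLimit`), so it is silently dropped instead of contributing to the ancestor's count; the roll-up condition should mirror the report condition, `if (events.length > options.warningLimit) return;`. The rollup key `[parentId, sql].join('\n')` is later taken apart with `key.split('\n')` (new lines 34 and 61), so if `sqlEvent.sql` can contain a newline the `sql` bound there is only its first line, which truncates `message`/`groupMessage` and merges distinct multi-line statements that share a first line; splitting at the first separator only — `const sep = key.indexOf('\n');` `const ancestorId = key.slice(0, sep);` `const sql = key.slice(sep + 1);` — in both passes avoids that. `parseInt(ancestorId)` on new lines 35 and 62 should pass the radix, `parseInt(ancestorId, 10)`. The `{}` second argument to `forEach` on new line 67 is a leftover `thisArg` and can be dropped.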