  • feat: add typescript (#795)

    * feat: add typescript
    
    * feat: add 3 rules
    
    * feat: done a couple more rules
    
    * feat: add string_fragment type
    
    * feat: add a couple of more rules
    
    * feat: remove http insecure
    
    * chore: remove typescript as a separate lang
    
    * feat: remove ts test
    
    * feat: correct javascript
    
    * feat: add scanner execute single rule
    
    * feat: fix rules
    
    * fix: mysql injection file
    
    * feat: fix react's rule by introducing tsx
    
    * feat: add should skipNode method
    
    * feat: add support for tsx jsx and typed objects
    
    * feat: remove rule ts test
    
    * feat: remove duplicate tests
    
    * feat: remove ts redundant tests
    
    * chore: remove ts redundant tests
    
    * feat: remove rednudant snapshot
  • Vjeran Fistric committed with GitHub 1 year ago
    12b8d797
    1 parent 44296f18
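--- a/new/detector/composition/javascript/.snapshots/TestObjectDeconstructing-multiple_objects.json
+++ b/new/detector/composition/javascript/.snapshots/TestObjectDeconstructing-multiple_objects.json
@@ -16,3 +16,4 @@
  }
  }
 ]
+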
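--- a/new/detector/composition/javascript/javascript.go
+++ b/new/detector/composition/javascript/javascript.go
@@ -9,7 +9,6 @@
  "github.com/bearer/bearer/pkg/classification"
  "github.com/bearer/bearer/pkg/commands/process/settings"
  "github.com/bearer/bearer/pkg/util/file"
- "github.com/rs/zerolog/log"
 
  "github.com/bearer/bearer/new/detector/composition/types"
  "github.com/bearer/bearer/new/detector/evaluator"
@@ -166,8 +165,7 @@
 }
 
 func (composition *Composition) DetectFromFileWithTypes(file *file.FileInfo, detectorTypes []string) ([]*detectortypes.Detection, error) {
- if file.Language != "JavaScript" {
- log.Debug().Msgf("file language is %s", file.Language)
+ if file.Language != "JavaScript" && file.Language != "TypeScript" && file.Language != "TSX" {
  return nil, nil
  }
 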
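--- a/new/detector/implementation/javascript/.snapshots/TestJavascriptFileTypes-file_type_jsx
+++ b/new/detector/implementation/javascript/.snapshots/TestJavascriptFileTypes-file_type_jsx
@@ -0,0 +1,11 @@
+- position: "1:7"
+ content: 'user: { email: string } = { email: "[email protected]" }'
+ data:
+ name: user
+ properties:
+ - detectortype: property
+ matchnode: {}
+ data:
+ name: email
+
+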
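--- a/new/detector/implementation/javascript/.snapshots/TestJavascriptFileTypes-file_type_tsx
+++ b/new/detector/implementation/javascript/.snapshots/TestJavascriptFileTypes-file_type_tsx
@@ -0,0 +1,11 @@
+- position: "1:7"
+ content: 'user: { email: string } = { email: "[email protected]" }'
+ data:
+ name: user
+ properties:
+ - detectortype: property
+ matchnode: {}
+ data:
+ name: email
+
+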
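--- a/new/detector/implementation/javascript/.snapshots/TestJavascriptTypes-typed_object_const
+++ b/new/detector/implementation/javascript/.snapshots/TestJavascriptTypes-typed_object_const
@@ -0,0 +1,11 @@
+- position: "1:7"
+ content: 'user: { email: string } = { email: "[email protected]" }'
+ data:
+ name: user
+ properties:
+ - detectortype: property
+ matchnode: {}
+ data:
+ name: email
+
+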
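--- a/new/detector/implementation/javascript/.snapshots/TestJavascriptTypes-typed_object_let
+++ b/new/detector/implementation/javascript/.snapshots/TestJavascriptTypes-typed_object_let
@@ -0,0 +1,11 @@
+- position: "1:5"
+ content: 'user: { email: string } = { email: "[email protected]" }'
+ data:
+ name: user
+ properties:
+ - detectortype: property
+ matchnode: {}
+ data:
+ name: email
+
+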
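--- a/new/detector/implementation/javascript/.snapshots/TestJavascriptTypes-typed_object_var
+++ b/new/detector/implementation/javascript/.snapshots/TestJavascriptTypes-typed_object_var
@@ -0,0 +1,11 @@
+- position: "1:5"
+ content: 'user: { email: string } = { email: "[email protected]" }'
+ data:
+ name: user
+ properties:
+ - detectortype: property
+ matchnode: {}
+ data:
+ name: email
+
+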
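--- a/new/detector/implementation/javascript/javascript_test.go
+++ b/new/detector/implementation/javascript/javascript_test.go
@@ -10,6 +10,18 @@
 func TestJavascriptStringDetector(t *testing.T) {
  runTest(t, "string_literal", "string", "testdata/string_literal.js")
  runTest(t, "string_non_literal", "string", "testdata/string_non_literal.js")
+ runTest(t, "typed_object", "object", "testdata/typed_object.ts")
+}
+
+func TestJavascriptTypes(t *testing.T) {
+ runTest(t, "typed_object_const", "object", "testdata/typed_object_const.ts")
+ runTest(t, "typed_object_let", "object", "testdata/typed_object_let.ts")
+ runTest(t, "typed_object_var", "object", "testdata/typed_object_var.ts")
+}
+
+func TestJavascriptFileTypes(t *testing.T) {
+ runTest(t, "file_type_tsx", "object", "testdata/file_type.tsx")
+ runTest(t, "file_type_jsx", "object", "testdata/file_type.jsx")
 }
 
 func runTest(t *testing.T, name, detectorType, fileName string) {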
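Review bot: `runTest(t, "typed_object", "object", "testdata/typed_object.ts")` is added to TestJavascriptStringDetector at new line 13, yet it exercises the object detector and duplicates the typed_object_const case that TestJavascriptTypes covers a few lines later; it belongs in TestJavascriptTypes or should be dropped. Separately, the file_type_jsx case at new line 24 reads testdata/file_type.jsx, whose only statement carries a TypeScript type annotation (`const user: { email: string } = …`) that is not valid JSX; the test presumably passes only because every file is now parsed with the tsx grammar, so it does not show that plain JSX input is handled. A .jsx fixture with real JSX syntax and no type annotation would make that test meaningful.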
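--- a/new/detector/implementation/javascript/object/object.go
+++ b/new/detector/implementation/javascript/object/object.go
@@ -64,15 +64,13 @@
  return nil, fmt.Errorf("error compiling parent pair query: %s", err)
  }
 
- // class User
- // end
- classNameQuery, err := lang.CompileQuery(`(class_declaration name: (identifier) @name) @root`)
+ // new User()
+ constructorQuery, err := lang.CompileQuery(`(new_expression constructor: (identifier) @name) @root`)
  if err != nil {
  return nil, fmt.Errorf("error compiling class name query: %s", err)
  }
 
- // new User()
- constructorQuery, err := lang.CompileQuery(`(new_expression constructor: (identifier) @name) @root`)
+ classNameQuery, err := lang.CompileQuery(`(class_declaration name: (type_identifier) @name) @root`)
  if err != nil {
  return nil, fmt.Errorf("error compiling class name query: %s", err)
  }
@@ -95,8 +93,8 @@
  variableDeclarationQuery: variableDeclarationQuery,
  objectDeconstructionQuery: objectDeconstructionQuery,
  parentPairQuery: parentPairQuery,
- classNameQuery: classNameQuery,
  constructorQuery: constructorQuery,
+ classNameQuery: classNameQuery,
  memberExpressionQuery: memberExpressionQuery,
  subscriptExpressionQuery: subscriptExpressionQuery,
  }, nil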
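Review bot: The error returned when constructorQuery fails to compile (context line at new line 70) still reads `"error compiling class name query: %s"`, so a failure in the constructor query is reported as a class-name failure; since the commit moves the constructor query directly above that message, this is the moment to change it to `return nil, fmt.Errorf("error compiling constructor query: %s", err)`. The same wording was already misapplied to the constructor query before the reorder, so the commit carries the defect forward rather than introducing it. The comment explaining the class-name query (`// class User`) is removed while the one for the constructor query is kept; a one-line comment above the new `(type_identifier)` query noting that the tsx grammar names classes with type_identifier would explain why the query changed. The enclosing constructor function starts before and ends after this hunk.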
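--- a/new/detector/implementation/javascript/property/property.go
+++ b/new/detector/implementation/javascript/property/property.go
@@ -6,7 +6,6 @@
  "github.com/bearer/bearer/new/detector/types"
  "github.com/bearer/bearer/new/language/tree"
  "github.com/bearer/bearer/pkg/util/stringutil"
- "github.com/rs/zerolog/log"
 
  generictypes "github.com/bearer/bearer/new/detector/implementation/generic/types"
  languagetypes "github.com/bearer/bearer/new/language/types"
@@ -14,6 +13,7 @@
 
 type propertyDetector struct {
  types.DetectorBase
+
  pairQuery *tree.Query
  functionNameQuery *tree.Query
  methodNameQuery *tree.Query
@@ -99,8 +99,6 @@
  return nil, err
  }
 
- log.Debug().Msgf("")
-
  // fetch all arguments from constructor
  if result["name"].Content() == "constructor" {
  properties := []interface{}{}
@@ -109,7 +107,8 @@
 
  for i := 0; i < params.ChildCount(); i++ {
  param := params.Child(i)
- if param.Type() != "identifier" {
+
+ if !(param.Type() == "required_parameter" && param.Child(0) != nil && param.Child(0).Type() == "identifier") {
  continue
  }
 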
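Review bot: The new parameter filter at new line 111 accepts a constructor parameter only when it is a `required_parameter` whose first child is an `identifier`, which narrows the previous plain `identifier` check: optional parameters, parameters with default values, and — if the tsx grammar puts an accessibility modifier first — TypeScript parameter properties such as `constructor(private email: string)` would presumably be skipped and their properties never recorded; worth confirming against the grammar and covering with a fixture. The negated conjunction is also hard to read; a positive predicate such as `isNamedParameter := param.Type() == "required_parameter" && param.Child(0) != nil && param.Child(0).Type() == "identifier"` followed by `if !isNamedParameter { continue }` states the intent directly. The enclosing function starts before and ends after the hunk.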
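--- a/new/detector/implementation/javascript/testdata/file_type.jsx
+++ b/new/detector/implementation/javascript/testdata/file_type.jsx
@@ -0,0 +1,3 @@
+const user: { email: string } = { email: "[email protected]" };
+
+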
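--- a/new/detector/implementation/javascript/testdata/file_type.tsx
+++ b/new/detector/implementation/javascript/testdata/file_type.tsx
@@ -0,0 +1,3 @@
+const user: { email: string } = { email: "[email protected]" };
+
+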
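--- a/new/detector/implementation/javascript/testdata/typed_object_const.ts
+++ b/new/detector/implementation/javascript/testdata/typed_object_const.ts
@@ -0,0 +1,3 @@
+const user: { email: string } = { email: "[email protected]" };
+
+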
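--- a/new/detector/implementation/javascript/testdata/typed_object_let.ts
+++ b/new/detector/implementation/javascript/testdata/typed_object_let.ts
@@ -0,0 +1,3 @@
+let user: { email: string } = { email: "[email protected]" };
+
+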
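--- a/new/detector/implementation/javascript/testdata/typed_object_var.ts
+++ b/new/detector/implementation/javascript/testdata/typed_object_var.ts
@@ -0,0 +1,3 @@
+var user: { email: string } = { email: "[email protected]" };
+
+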
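--- a/new/language/implementation/implementation.go
+++ b/new/language/implementation/implementation.go
@@ -107,6 +107,18 @@
  // we want to ignore member_expressions as roots.
  IsRootOfRuleQuery(node *tree.Node) bool
  PatternLeafContentTypes() []string
+ // ShouldSkipNode returns wether a node should should be skipped or assigned variable to it
+ // it is useful for cases when you have nested nodes to ignore and want to assign variable to its child
+ //
+ // eg. given the following tree sitter
+ // arguments
+ // formal_parameters
+ // required_parameter
+ // identifier
+ //
+ // if you want to get only identifier instead of required parameter ShouldSkipNode should return true
+ // for required parameter
+ ShouldSkipNode(node *tree.Node) bool
 }
 
 type Scope struct {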
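Review bot: The doc comment added for ShouldSkipNode at new lines 110-120 has typos and an unclear opening sentence (`wether`, `should should`, "assigned variable to it") on an exported interface method, which is exactly where godoc and linters surface it. I would open with `// ShouldSkipNode reports whether the pattern-query builder should ignore node itself and look for a pattern variable on one of its children instead, as the example below describes.`, then keep the tree-sitter example as an indented block (one extra leading space after `//`) so gofmt and godoc render it as preformatted text, and end the final sentence with a period. The interface declaration starts before this hunk.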
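--- a/new/language/implementation/javascript/javascript.go
+++ b/new/language/implementation/javascript/javascript.go
@@ -1,12 +1,10 @@
 package javascript
 
 import (
- "errors"
  "fmt"
  "regexp"
  "strings"
 
- "github.com/smacker/go-tree-sitter/javascript"
  "github.com/ssoroka/slice"
  "golang.org/x/exp/slices"
 
@@ -16,6 +14,7 @@
 
  patternquerytypes "github.com/bearer/bearer/new/language/patternquery/types"
  sitter "github.com/smacker/go-tree-sitter"
+ "github.com/smacker/go-tree-sitter/typescript/tsx"
 )
 
 var (
@@ -28,7 +27,7 @@
  }
 
  anonymousPatternNodeParentTypes = []string{}
- patternMatchNodeContainerTypes = []string{}
+ patternMatchNodeContainerTypes = []string{"required_parameter"}
 
  // $<name:type> or $<name:type1|type2> or $<name>
  patternQueryVariableRegex = regexp.MustCompile(`\$<(?P<name>[^>:!\.]+)(?::(?P<types>[^>]+))?>`)
@@ -46,7 +45,7 @@
 }
 
 func (implementation *javascriptImplementation) SitterLanguage() *sitter.Language {
- return javascript.GetLanguage()
+ return tsx.GetLanguage()
 }
 
 func (*javascriptImplementation) AnalyzeFlow(rootNode *tree.Node) error {
@@ -110,8 +109,10 @@
  }
  }
 
- if parent.Type() == "formal_parameters" {
+ // typescript: different type of identifier
+ if parent.Type() == "required_parameter" {
  scope.Assign(node.Content(), node)
+
  }
  case "property_identifier":
  parent := node.Parent()
@@ -166,23 +167,6 @@
  return replaced, params, nil
 }
 
-// TODO: See if anything needs to be added here
-func (implementation *javascriptImplementation) ExtractPatternMatchNode(input string) (string, int, error) {
- inputBytes := []byte(input)
- matches := matchNodeRegex.FindAllIndex(inputBytes, -1)
-
- if len(matches) == 0 {
- return input, 0, nil
- }
-
- if len(matches) > 1 {
- return "", 0, errors.New("pattern must only contain a single match node")
- }
-
- match := matches[0]
- return string(inputBytes[0:match[0]]) + string(inputBytes[match[1]:]), match[0], nil
-}
-
 func produceDummyValue(i int, nodeType string) string {
  return "CurioVar" + fmt.Sprint(i)
 }
@@ -202,13 +186,12 @@
  return ellipsisRegex.FindAllIndex(input, -1)
 }
 
-// TODO: See if anything needs to be added here
-func (implementation *javascriptImplementation) IsTerminalDetectionNode(node *tree.Node) bool {
- return false
+func (implementation *javascriptImplementation) PatternMatchNodeContainerTypes() []string {
+ return patternMatchNodeContainerTypes
 }
 
-func (implementation *javascriptImplementation) PatternMatchNodeContainerTypes() []string {
- return patternMatchNodeContainerTypes
+func (javascriptImplementation *javascriptImplementation) ShouldSkipNode(node *tree.Node) bool {
+ return node.Type() == "required_parameter"
 }
 
 func (*javascriptImplementation) PatternLeafContentTypes() []string {
@@ -216,7 +199,7 @@
  // identifiers
  "identifier", "property_identifier", "shorthand_property_identifier",
  // datatypes/literals
- "template_string", "string", "number", "null", "true", "false",
+ "template_string", "string_fragment", "number", "null", "true", "false",
  }
 }
 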
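Review bot: ShouldSkipNode at new line 193 names its receiver `javascriptImplementation`, the same identifier as the type, which shadows the type name inside the method body and departs from the `implementation` receiver that every other method of this type uses; `func (implementation *javascriptImplementation) ShouldSkipNode(node *tree.Node) bool {` keeps it consistent, ideally with a doc comment saying that only `required_parameter` wrapper nodes are skipped. In the scope hunk at new lines 112-116 the `formal_parameters` parent check is replaced by `required_parameter` alone; if the tsx grammar also emits `optional_parameter` for `x?: T` parameters, those presumably no longer get assigned into scope — worth confirming against the grammar and adding a fixture. The blank line inserted after `scope.Assign(node.Content(), node)` at new line 115 can be dropped. The switch statement containing that hunk starts and ends outside it.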
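--- a/new/language/implementation/ruby/ruby.go
+++ b/new/language/implementation/ruby/ruby.go
@@ -165,6 +165,10 @@
  return anonymousPatternNodeParentTypes
 }
 
+func (*rubyImplementation) ShouldSkipNode(node *tree.Node) bool {
+ return false
+}
+
 func (*rubyImplementation) PatternMatchNodeContainerTypes() []string {
  return patternMatchNodeContainerTypes
 }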
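Review bot: The new ShouldSkipNode at new line 168 has no doc comment, so a reader cannot tell whether the unconditional `return false` is a deliberate no-op or a stub left to be filled in. A one-liner such as `// ShouldSkipNode always reports false: no Ruby node type is skipped in favour of its children.` records the intent. The unused `node` parameter could also be written as `_` to make the no-op explicit.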
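--- a/new/language/patternquery/builder/builder.go
+++ b/new/language/patternquery/builder/builder.go
@@ -271,6 +271,10 @@
 
 func (builder *builder) getVariableFor(node *tree.Node) *types.Variable {
  for _, variable := range builder.inputParams.Variables {
+ if builder.langImplementation.ShouldSkipNode(node) {
+ continue
+ }
+
  if node.Content() == variable.DummyValue {
  return &variable
  }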
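Review bot: The ShouldSkipNode check added at new lines 274-276 depends only on `node`, not on `variable`, yet it sits inside the loop over inputParams.Variables and is re-evaluated on every iteration; when it is true the loop merely runs to completion and the function returns whatever follows the loop. Hoisting it above the `for` as `if builder.langImplementation.ShouldSkipNode(node) { return nil }` evaluates it once and makes the skip explicit — assuming the fall-through after the loop returns nil, which lies outside the hunk. getVariableFor continues past the end of the hunk.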
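--- a/new/scanner/scanner.go
+++ b/new/scanner/scanner.go
@@ -3,8 +3,8 @@
 import (
  "fmt"
 
- "github.com/bearer/bearer/new/detector/composition/javascript"
  "github.com/bearer/bearer/new/detector/composition"
+ "github.com/bearer/bearer/new/detector/composition/javascript"
  "github.com/bearer/bearer/new/detector/composition/ruby"
  "github.com/bearer/bearer/new/detector/types"
  "github.com/bearer/bearer/pkg/classification"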
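--- a/pkg/commands/process/settings/rules/javascript/express/sql_injection.yml
+++ b/pkg/commands/process/settings/rules/javascript/express/sql_injection.yml
@@ -76,8 +76,7 @@
  - mysql.createPool()
  - id: javascript_express_sql_injection_pool_conn
  patterns:
- - pattern:
- $<MYSQL_POOL>.getConnection(function($<_>, $<!>$<CONN:identifier>) {})
+ - pattern: $<MYSQL_POOL>.getConnection(function($<_>, $<!>$<CONN:identifier>) {})
  filters:
  - variable: MYSQL_POOL
  detection: javascript_express_sql_injection_mysql_pool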
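--- a/pkg/commands/process/settings/rules/javascript/third_parties/sentry/testdata/javascript_configure_scope_set_extra.js
+++ b/pkg/commands/process/settings/rules/javascript/third_parties/sentry/testdata/javascript_configure_scope_set_extra.js
@@ -1,4 +1,4 @@
 Sentry.configureScope((scope) => {
- scope.setExtra("email", user.email)
-})
+ scope.setExtra("email", user.email);
+});
 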
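Review bot: The fixture only gains statement-terminating semicolons at new lines 2-3, which suggests the Sentry setExtra rule (or the tsx parse behind it) no longer matches the semicolon-less form this file had before; if that is so, projects that rely on automatic semicolon insertion would escape detection. Keeping both variants as fixtures — the original without semicolons alongside this one — would show whether detection depends on the terminator. This is inferred from the fixture change alone; the rule itself is not touched in this commit.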