  • Revert "feat(JS rules): rule for express session for static assets (#763)"

    This reverts commit cf39059befa6518d46ed62b89bee9e4bccd0bc72.
  • elsapet committed 1 year ago
    150b64d9
    1 parent ab277176
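--- a/integration/rules/javascript_test.go
+++ b/integration/rules/javascript_test.go
@@ -151,11 +151,6 @@
  getRunner(t).runTest(t, javascriptRulesPath+"express/insecure_template_rendering")
 }
 
-func TestJavascriptExpressStaticAssetWithSession(t *testing.T) {
- t.Parallel()
- getRunner(t).runTest(t, javascriptRulesPath+"express/static_asset_with_session")
-}
-
 func TestJavascriptExpressUiRedress(t *testing.T) {
  t.Parallel()
  getRunner(t).runTest(t, javascriptRulesPath+"express/ui_redress")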
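--- a/new/language/implementation/javascript/javascript.go
+++ b/new/language/implementation/javascript/javascript.go
@@ -219,10 +219,6 @@
 }
 
 func (implementation *javascriptImplementation) PatternIsAnchored(node *tree.Node) (bool, bool) {
- if node.Type() == "pair" {
- return false, false
- }
-
  parent := node.Parent()
  if parent == nil {
  return true, true
@@ -231,10 +227,10 @@
  // Class body class_body
  // arrow functions statement_block
  // function statement_block
- // method statement_block
- unAnchored := []string{"statement_block", "class_body"}
+ // method statement_blocks
+ unAnchored := []string{"statement_blocks", "class_body", "pair"}
 
- isUnanchored := !slices.Contains(unAnchored, parent.Type())
+ isUnanchored := !slices.Contains(unAnchored, node.Type())
  return isUnanchored, isUnanchored
 }
 
@@ -243,12 +239,8 @@
 }
 
 func (implementation *javascriptImplementation) PatternNodeTypes(node *tree.Node) []string {
- if node.Type() == "statement_block" && node.Parent().Type() == "program" {
- if node.NamedChildCount() == 0 {
- return []string{"object"}
- } else {
- return []string{node.Type(), "program"}
- }
+ if node.Type() == "statement_block" && node.Parent().Type() == "program" && node.NamedChildCount() == 0 {
+ return []string{"object"}
  }
 
  return []string{node.Type()}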
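Review bot: The restored entry `"statement_blocks"` in the unAnchored list of PatternIsAnchored looks like a typo that the new side reintroduces: the comment lines directly above it and the check in PatternNodeTypes further down both spell the node type `"statement_block"`, so as written that entry can never match and only `class_body` and `pair` nodes are treated as unanchored. If the revert is meant to restore the pre-#763 code byte-for-byte this may be deliberate, but otherwise the fix is one line, `unAnchored := []string{"statement_block", "class_body", "pair"}`, and the comment above it should read `// method statement_block` to match. Note also that `parent` is now read only for the nil check, since the membership test uses `node.Type()`; if that is intended, a short comment saying why the node's own type (not its parent's) decides anchoring would help the next reader. PatternIsAnchored begins in the first hunk of this section, and PatternNodeTypes' closing brace lies outside the last hunk.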
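--- a/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/.snapshots/TestJavascriptExpressStaticAssetWithSession--ok.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-medium:
- - rule:
- cwe_ids:
- - "523"
- - "522"
- id: express_default_session_config
- description: Session cookie with default config detected.
- documentation_url: https://docs.bearer.com/reference/rules/express_default_session_config
- line_number: 2
- filename: ok.js
- parent_line_number: 2
- parent_content: '{}'
-
-
-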
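--- a/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/.snapshots/TestJavascriptExpressStaticAssetWithSession--unsafe.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-low:
- - rule:
- cwe_ids:
- - "352"
- - "668"
- id: javascript_express_static_asset_with_session
- description: Static asset with active session detected.
- documentation_url: https://docs.bearer.com/reference/rules/javascript_express_static_asset_with_session
- line_number: 3
- filename: unsafe.js
- parent_line_number: 3
- parent_content: app.use(express.static(__dirname + "/public"))
-medium:
- - rule:
- cwe_ids:
- - "523"
- - "522"
- id: express_default_session_config
- description: Session cookie with default config detected.
- documentation_url: https://docs.bearer.com/reference/rules/express_default_session_config
- line_number: 1
- filename: unsafe.js
- parent_line_number: 1
- parent_content: '{}'
-
-
-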
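--- a/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/testdata/ok.js
+++ /dev/null
@@ -1,3 +0,0 @@
-app.use(express.static(__dirname + "/public"))
-app.use(session({}))
-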
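--- a/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session/testdata/unsafe.js
+++ /dev/null
@@ -1,4 +0,0 @@
-app.use(session({}))
-app.use(other())
-app.use(express.static(__dirname + "/public"))
-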
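--- a/pkg/commands/process/settings/rules/javascript/express/static_asset_with_session.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-patterns:
- - pattern: |
- {
- $<SESSION>
- $<!>$<STATIC>
- }
- filters:
- - variable: SESSION
- detection: javascript_express_static_asset_with_session_session
- - variable: STATIC
- detection: javascript_express_static_asset_with_session_static
-auxiliary:
- - id: javascript_express_static_asset_with_session_session
- patterns:
- - pattern: app.use($<MIDDLEWARE>)
- filters:
- - variable: MIDDLEWARE
- detection: javascript_express_static_asset_with_session_session_init
- - id: javascript_express_static_asset_with_session_session_init
- patterns:
- - session()
- - id: javascript_express_static_asset_with_session_static
- patterns:
- - pattern: app.use($<MIDDLEWARE>)
- filters:
- - variable: MIDDLEWARE
- detection: javascript_express_static_asset_with_session_static_init
- - id: javascript_express_static_asset_with_session_static_init
- patterns:
- - express.static()
-languages:
- - javascript
-trigger: presence
-metadata:
- description: Static asset with active session detected.
- remediation_message: |
- ## Description
- Static assets are often cached by services in front of the application
- (eg. CDNs). Serving static assets with sessions enabled may lead to
- Cross-Site Request Forgery (CSRF) attacks that can hijack a user's session.
-
- ## Remediations
-
- ✅ Ensure static resources are handled prior to session initialization:
-
- ```javascript
- // static middleware should be added before session middleware
- app.use(express.static(__dirname + "/public"))
-
- app.use(session())
- ```
- cwe_id:
- - 352
- - 668
- id: javascript_express_static_asset_with_session
-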