axios-headers-credentials

javascript-expressjsSecurityCritical


No tags

CWE-798

Never put hardcoded credentials in your code (see CWE-798). Instead, keep your secrets in a secure secrets storage manager or in environment variables, and read them with process.env.<MY-VARIABLE>.

Ast Rule: function call


axios-headers-credentials

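/**
 * Reports whether a string-literal token, as the AST hands it over (quotes
 * included), is a literal bearer credential such as "Bearer abc123".
 *
 * Only the `Bearer` scheme is recognised; other schemes (e.g. `Basic`)
 * are not flagged by this rule.
 *
 * @param {string} value - Raw literal text of the string node, quotes included.
 * @returns {boolean} true when the literal is `Bearer <something>` wrapped in
 *   matching double or single quotes; false otherwise, including for
 *   non-string input.
 */
function isClearCredentials(value) {
  if (typeof value !== "string") {
    return false;
  }
  // Accept either JS quote style; the backreference requires the closing
  // quote to match the opening one.
  return /^(["'])Bearer .+\1$/.test(value);
}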

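/**
 * Returns the first property of an object-literal AST node whose key is
 * `name` and which carries a value, or undefined when the node is not an
 * object literal or has no such property.
 *
 * @param {object} objectNode - AST node expected to have astType "object".
 * @param {string} name - Property key to look for.
 * @returns {object|undefined} The matching element, if any.
 */
function findProperty(objectNode, name) {
  if (!objectNode || objectNode.astType !== "object" || !Array.isArray(objectNode.elements)) {
    return undefined;
  }
  // Guard each element: elements without a name are skipped rather than
  // dereferenced.
  return objectNode.elements.find(
    (e) => e && e.name && e.name.value === name && e.value
  );
}

/**
 * Visitor for function-call nodes: flags
 * `axios.get(url, { headers: { Authorization: "Bearer ..." } })` where the
 * Authorization header is a string literal holding a bearer token
 * (CWE-798, hardcoded credentials).
 *
 * Only `axios.get` is matched, and only its second argument (the request
 * config) is inspected; other axios methods and config objects built
 * outside the call expression are not covered. Findings are reported
 * through the rule runtime's buildError/addError.
 *
 * @param {object} node - Function-call AST node.
 * @param {string} filename - Not used by this rule.
 * @param {string} code - Not used by this rule.
 */
function visit(node, filename, code) {
  const callee = node.functionName;
  const isAxiosGet =
    callee &&
    callee.astType === "member" &&
    callee.name &&
    callee.name.value === "get" &&
    callee.parent &&
    callee.parent.astType === "string" &&
    callee.parent.value === "axios";
  if (!isAxiosGet) {
    return;
  }

  const args = node.arguments && node.arguments.values;
  if (!args || args.length < 2) {
    return;
  }

  // The second argument is the request config; `headers` must itself be an
  // object literal for the Authorization key to be inspectable.
  const config = args[1] && args[1].value;
  const headersProp = findProperty(config, "headers");
  if (!headersProp) {
    return;
  }
  const authProp = findProperty(headersProp.value, "Authorization");
  if (!authProp) {
    return;
  }

  // Only a plain string literal is checked; template literals have a
  // different astType and fall through here.
  const authValue = authProp.value;
  if (authValue.astType !== "string" || !isClearCredentials(authValue.value)) {
    return;
  }

  const error = buildError(
    authProp.start.line,
    authProp.start.col,
    authProp.end.line,
    authProp.end.col,
    "use of hardcoded credentials",
    "WARNING",
    "SECURITY"
  );
  addError(error);
}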

bearer-token.py

Expected test result: no error

const res = axios.get('https://api.github.com/user', {
  headers: {
    Authorization: `token ${access_token}`
  }
});

clear-token.js

Expected test result: no error

const res = axios.get('https://api.github.com/user', {
  headers: {
    Authorization: "Bearer tokenabc"
  }
});
