axios-headers-credentials
Ast Rule: function call
axios-headers-credentials
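// Decides whether a string-literal value (as exposed by the AST, i.e. still wrapped in
// its quote characters — the original rule matched the double-quoted form) hardcodes a
// bearer token such as "Bearer eyJhbGci...".
//
// value - the `value` field of a string AST node; anything that is not a string is
//         treated as "not a credential" rather than coerced.
//
// Returns true only for a quoted literal of the form Bearer <non-empty token>, with the
// same quote character on both ends. Single-quoted literals are accepted as well as
// double-quoted ones, since both spellings are equally common in JavaScript.
// NOTE(review): assumes the AST keeps the surrounding quote for single-quoted literals
// the same way it does for double-quoted ones — confirm against the engine.
// Template literals (`Bearer ${token}`) are intentionally not matched: an interpolated
// token is normally read from configuration, not committed to source.
function isClearCredentials(value) {
  if (typeof value !== "string") {
    return false;
  }
  return /^(["'])Bearer .+\1$/.test(value);
}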
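// Visitor for the "function call" AST rule: reports an axios request whose inline
// request-config object hardcodes a bearer token under headers.Authorization, e.g.
//   axios.get(url, { headers: { Authorization: "Bearer eyJ..." } })
//
// node     - the call-expression node handed over by the rule engine
// filename - path of the analysed file (unused here; part of the visitor signature)
// code     - source text of the analysed file (unused here; part of the visitor signature)
//
// Reports through buildError/addError, which the rule runtime provides; returns nothing.
// Only string-literal header values are examined: a token assembled at runtime
// ("Bearer " + token, a template literal, a variable) is not reported. That is by
// design — the rule is about credentials committed to source, not about how the
// header is sent.
function visit(node, filename, code) {
  // Position of the request-config argument for each axios request alias:
  // get/delete/head/options take (url, config), post/put/patch take
  // (url, data, config) and request takes (config). Keeping the lookup here
  // preserves the original axios.get behaviour and extends the same check to
  // the other verbs, where the config object sits in a different slot.
  const configArgIndex = {
    request: 0,
    get: 1,
    delete: 1,
    head: 1,
    options: 1,
    post: 2,
    put: 2,
    patch: 2,
  };

  const callee = node && node.functionName;
  if (!callee || !callee.name || callee.astType !== "member" || !callee.parent) {
    return;
  }
  // Only direct calls on the `axios` identifier are recognised; an instance
  // created with axios.create() is out of scope, as in the original rule.
  if (callee.parent.astType !== "string" || callee.parent.value !== "axios") {
    return;
  }
  const method = callee.name.value;
  // typeof guard instead of a bare lookup so names inherited from
  // Object.prototype (e.g. a member literally called "constructor") cannot match.
  if (typeof method !== "string" || typeof configArgIndex[method] !== "number") {
    return;
  }

  const args = node.arguments && node.arguments.values;
  const configArg = args ? args[configArgIndex[method]] : undefined;
  if (!configArg || !configArg.value || configArg.value.astType !== "object") {
    return;
  }

  // Every `headers: { ... }` entry is inspected, not only the first one, so a
  // duplicated key cannot hide a hardcoded token from the rule.
  const headerObjects = (configArg.value.elements || []).filter(
    (e) => e && e.name && e.name.value === "headers" && e.value && e.value.astType === "object"
  );

  for (const headersObject of headerObjects) {
    for (const header of headersObject.value.elements || []) {
      if (!header || !header.name || typeof header.name.value !== "string") {
        continue;
      }
      // HTTP header names are case-insensitive and axios normalises them, so
      // `authorization` has to be caught as well as `Authorization`.
      // NOTE(review): a quoted key ("Authorization") is assumed to expose the bare
      // name in name.value, as identifier keys evidently do — confirm against the AST.
      if (header.name.value.toLowerCase() !== "authorization") {
        continue;
      }
      const headerValue = header.value;
      if (!headerValue || headerValue.astType !== "string") {
        continue;
      }
      if (!isClearCredentials(headerValue.value)) {
        continue;
      }
      const error = buildError(
        header.start.line,
        header.start.col,
        header.end.line,
        header.end.col,
        "use of hardcoded credentials",
        "WARNING",
        "SECURITY"
      );
      addError(error);
    }
  }
}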
bearer-token.py
Expected test result: no error
clear-token.js
Expected test result: no error