clear-credentials
Ast Rule: function call
clear-credentials
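/**
 * AST rule "clear-credentials": reports database credentials written as
 * string literals in the configuration object passed directly to the knex
 * factory, i.e. calls of the shape `require('knex')({ connection: ... })`.
 *
 * Two shapes are reported:
 *   - `connection: { password: <string literal> }`, reported at the password value;
 *   - `connection: <string literal>`, reported at the connection value.
 *
 * Values that are not quoted string literals are not reported, and neither is
 * a configuration that is not an inline object literal, so a config object
 * built elsewhere and passed by name is outside what this rule can see.
 *
 * Findings are emitted through `buildError` / `addError`, which are not
 * defined in this block (presumably supplied by the rule engine; confirm).
 *
 * @param {object} node - Function-call AST node under inspection.
 * @param {*} filename - Not used by this rule.
 * @param {*} code - Not used by this rule.
 * @returns {void}
 */
function visit(node, filename, code) {
  // String literal nodes keep their surrounding quotes in `value`, so a
  // literal is recognised by matching quotes around at least one character.
  // An empty literal ('' or "") is therefore not treated as a credential.
  function isString(value) {
    return /^".+"$/.test(value) || /^'.+'$/.test(value);
  }

  // The module name is compared with its quotes. Both quote styles are
  // accepted so that `require("knex")` is checked exactly like
  // `require('knex')`; matching only the single-quoted form silently skipped
  // every file written with double quotes.
  function isKnexSpecifier(value) {
    return value === "'knex'" || value === '"knex"';
  }

  // First property of an object-literal node whose key is `key`.
  function findProperty(objectNode, key) {
    return objectNode.elements.find(
      (e) => e.name && e.name.value && e.name.value === key
    );
  }

  // Emit one finding spanning the offending literal.
  function report(valueNode) {
    const error = buildError(
      valueNode.start.line,
      valueNode.start.col,
      valueNode.end.line,
      valueNode.end.col,
      "use of hardcoded credentials",
      "WARNING",
      "SECURITY"
    );
    addError(error);
  }

  const callee = node.functionName;
  const isKnexFactoryCall =
    node.arguments &&
    node.arguments.values.length === 1 &&
    callee.astType === "functioncall" &&
    callee.functionName.astType === "string" &&
    callee.functionName.value === "require" &&
    callee.arguments &&
    callee.arguments.values.length === 1 &&
    callee.arguments.values[0].value &&
    callee.arguments.values[0].value.astType === "string" &&
    isKnexSpecifier(callee.arguments.values[0].value.value);
  if (!isKnexFactoryCall) {
    return;
  }

  const config = node.arguments.values[0].value;
  if (config.astType !== "object") {
    return;
  }

  const connectionProperty = findProperty(config, "connection");
  if (!connectionProperty) {
    return;
  }
  const connection = connectionProperty.value;

  if (connection.astType === "object") {
    const passwordProperty = findProperty(connection, "password");
    if (!passwordProperty) {
      return;
    }
    const password = passwordProperty.value;
    if (password.value && isString(password.value)) {
      report(password);
    }
  } else if (connection.astType === "string") {
    // Any literal connection string is reported; the rule does not parse it
    // to check whether it actually embeds a password.
    if (isString(connection.value)) {
      report(connection);
    }
  }
}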
connection-string-error.js
Expected test result: has error
connection-string.js
Expected test result: no error
password-variable.js
Expected test result: no error
credentials-in-variable.js
Expected test result: has error
clear-credentials.js
Expected test result: has error