fix: improve jwt not revoked rules and tests (#157)
cfabianski authored Sep 19, 2023
1 parent 4a4b12a commit b1f7187
Showing 4 changed files with 87 additions and 8 deletions.
4 changes: 2 additions & 2 deletions rules/javascript/express/jwt_not_revoked.yml
Expand Up @@ -6,11 +6,11 @@ patterns:
regex: (?i)\A(expressjwt)\z
- variable: HASH_CONTENT
detection: javascript_express_jwt_not_revoked_secret
scope: cursor
scope: result
- not:
variable: HASH_CONTENT
detection: javascript_express_jwt_not_revoked_is_revoked
scope: cursor
scope: result
languages:
- javascript
auxiliary:
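Review bot: The switch from `scope: cursor` to `scope: result` on both `HASH_CONTENT` detections (the secret check and the negated `is_revoked` check) is not explained anywhere in the rule, and that keyword decides how far the auxiliary detection may look when deciding whether `isRevoked` is present. If, as the new snapshot in this commit suggests, `result` lets the detection match the resolved options object rather than only the literal argument under the cursor, a comment such as `# result scope: inspect the resolved options object, not only the literal argument` would stop the next maintainer from quietly reverting it. The hunk shows the whole `patterns` block, but the `auxiliary:` detections it names begin below the hunk, so I cannot confirm the semantics from here.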
Expand Up @@ -109,4 +109,79 @@ exports[`javascript_express_jwt_not_revoked express_jwt_not_revoked 1`] = `
}"
`;

exports[`javascript_express_jwt_not_revoked insecurity_express_jwt_revoked 1`] = `
"{
"low": [
{
"cwe_ids": [
"525"
],
"id": "javascript_express_jwt_not_revoked",
"title": "Unrevoked JWT detected.",
"description": "## Description\\nThe best practice caching policy is to revoke JWTs especially when these contain senstitive information.\\n\\n## Remediations\\n✅ Ensure JWTs are short-lived by revoking them\\n\\n\`\`\`javascript\\nexpressjwt({\\n ...\\n isRevoked: this.customRevokeCall(),\\n ...\\n})\\n\`\`\`\\n\\n## Resources\\n- [ExpressJWT documentation on revoking tokens](https://github.com/auth0/express-jwt#revoked-tokens)\\n",
"documentation_url": "https://docs.bearer.com/reference/rules/javascript_express_jwt_not_revoked",
"line_number": 1,
"full_filename": "/tmp/bearer-scan/insecurity.ts",
"filename": ".",
"source": {
"start": 1,
"end": 1,
"column": {
"start": 1,
"end": 43
}
},
"sink": {
"start": 1,
"end": 1,
"column": {
"start": 1,
"end": 43
},
"content": "expressJwt({ secret: \\"\\" + Math.random() })"
},
"parent_line_number": 1,
"snippet": "expressJwt({ secret: \\"\\" + Math.random() })",
"fingerprint": "eaae2a30ff6ed4568ddf01dd63a61387_0",
"old_fingerprint": "bc1db353c43740bf9d7b7d4bddbcddb4_0",
"code_extract": "expressJwt({ secret: \\"\\" + Math.random() })"
},
{
"cwe_ids": [
"525"
],
"id": "javascript_express_jwt_not_revoked",
"title": "Unrevoked JWT detected.",
"description": "## Description\\nThe best practice caching policy is to revoke JWTs especially when these contain senstitive information.\\n\\n## Remediations\\n✅ Ensure JWTs are short-lived by revoking them\\n\\n\`\`\`javascript\\nexpressjwt({\\n ...\\n isRevoked: this.customRevokeCall(),\\n ...\\n})\\n\`\`\`\\n\\n## Resources\\n- [ExpressJWT documentation on revoking tokens](https://github.com/auth0/express-jwt#revoked-tokens)\\n",
"documentation_url": "https://docs.bearer.com/reference/rules/javascript_express_jwt_not_revoked",
"line_number": 2,
"full_filename": "/tmp/bearer-scan/insecurity.ts",
"filename": ".",
"source": {
"start": 2,
"end": 2,
"column": {
"start": 30,
"end": 79
}
},
"sink": {
"start": 2,
"end": 2,
"column": {
"start": 30,
"end": 79
},
"content": "expressjwt({ secret: \\"\\" + Math.random() } as any)"
},
"parent_line_number": 2,
"snippet": "expressjwt({ secret: \\"\\" + Math.random() } as any)",
"fingerprint": "eaae2a30ff6ed4568ddf01dd63a61387_1",
"old_fingerprint": "bc1db353c43740bf9d7b7d4bddbcddb4_1",
"code_extract": "export const denyAll = () => expressjwt({ secret: \\"\\" + Math.random() } as any)"
}
]
}"
`;

exports[`javascript_express_jwt_not_revoked ok_express_jwt_revoked 1`] = `"{}"`;
14 changes: 8 additions & 6 deletions tests/javascript/express/jwt_not_revoked/test.js
Expand Up @@ -3,17 +3,19 @@ const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)

describe(ruleId, () => {
const invoke = createInvoker(ruleId, ruleFile, testBase)


test("express_jwt_not_revoked", () => {
const testCase = "express_jwt_not_revoked.js"
expect(invoke(testCase)).toMatchSnapshot();
expect(invoke(testCase)).toMatchSnapshot()
})


test("ok_express_jwt_revoked", () => {
const testCase = "ok_express_jwt_revoked.js"
expect(invoke(testCase)).toMatchSnapshot();
expect(invoke(testCase)).toMatchSnapshot()
})

})

test("insecurity_express_jwt_revoked", () => {
const testCase = "insecurity.ts"
expect(invoke(testCase)).toMatchSnapshot()
})
})
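Review bot: The new test name `insecurity_express_jwt_revoked` contradicts what the fixture exercises: per the snapshot added in this commit, `insecurity.ts` yields two `javascript_express_jwt_not_revoked` findings, i.e. the not-revoked path, so a reader would conclude the revoked path is covered twice. Naming it `test("insecurity_express_jwt_not_revoked", () => {` (and regenerating the snapshot key) makes the three cases read as one insecure JS case, one secure case and one insecure TS case. The fixture name `insecurity.ts` also departs from the `<case>.js` convention of the two existing cases; if the `.ts` extension is deliberate, say to cover the `as any` cast, a one-line comment above the test stating that would help.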
@@ -0,0 +1,2 @@
expressJwt({ secret: "" + Math.random() })
export const denyAll = () => expressjwt({ secret: "" + Math.random() } as any)
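Review bot: The two fixture lines differ only in identifier casing (`expressJwt` vs `expressjwt`) and in the trailing `as any` cast, but nothing records that this is what they are meant to exercise; since the rule matches `(?i)\A(expressjwt)\z`, the casing variation looks deliberate. A leading comment such as `// both casings and the TS cast must still be reported as not revoked` would make the intent explicit and keep someone from "fixing" the inconsistent casing. The file is a scan fixture, so the unresolved `expressJwt`/`expressjwt` identifiers are presumably intended, but that too is worth a word.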
