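# ast-grep rule: flags jwt-scala Jwt*.encode/decode/validate/... calls whose
# 2nd argument (the key/secret position) is a hardcoded secret. Two shapes
# are covered: the key is a non-empty string literal (PATTERN), or the key is
# an identifier / `this.<name>` that a `val` inside the enclosing object or
# class binds to a non-empty string literal (PATTERN_with_Instance).
# Coverage limits visible in the rule itself: only `val` bindings are
# followed (not `var`), and only plain `string` nodes are matched (an
# interpolated string carrying a literal secret is presumably not flagged —
# confirm against tree-sitter-scala node kinds before extending).
# NOTE(review): indentation was reconstructed from a rendered page; the
# nesting of `nthChild` under the bare-identifier branch of
# PATTERN_with_Instance should be confirmed against the upstream file.
id: jwt-scala-hardcode-scala
language: scala
severity: warning
message: >-
  Hardcoded JWT secret or private key is used. This is an Insufficiently
  Protected Credentials weakness:
  https://cwe.mitre.org/data/definitions/522.html Consider using an
  appropriate security mechanism to protect the credentials (e.g. keeping
  secrets in environment variables).
note: >-
  [CWE-522] Insufficiently Protected Credentials.
  [REFERENCES]
  - https://jwt-scala.github.io/jwt-scala/
ast-grep-essentials: true
utils:
  # Direct case: the key argument is a string literal.
  PATTERN:
    kind: call_expression
    all:
      # Some enclosing node must follow an `import pdi.jwt...` declaration.
      # The dot is escaped so the regex only matches the literal package path.
      - inside:
          stopBy: end
          follows:
            stopBy: end
            kind: import_declaration
            regex: ^import pdi\.jwt.*
      # <receiver>.<method>: receiver is one of the jwt-scala objects and the
      # method is one of its encode/decode/validate entry points.
      - has:
          kind: field_expression
          all:
            - has:
                kind: identifier
                nthChild: 1
                regex: ^(Jwt|JwtArgonaut|JwtCirce|JwtJson4s|JwtJson|JwtUpickle)$
            - has:
                kind: identifier
                nthChild: 2
                regex: ^(encode|decode|decodeRawAll|decodeRaw|decodeAll|validate|isValid|decodeJson|decodeJsonAll)$
      # The 2nd argument (comments not counted) is a non-empty string literal.
      - has:
          kind: arguments
          has:
            kind: string
            not:
              regex: ^""$
            nthChild:
              position: 2
              ofRule:
                not:
                  kind: comment
  # Indirect case: the key argument is an identifier (or `this.<name>`) whose
  # `val` definition in the same object/class holds a non-empty string literal.
  PATTERN_with_Instance:
    kind: call_expression
    all:
      # Same import requirement as PATTERN.
      - inside:
          stopBy: end
          follows:
            stopBy: end
            kind: import_declaration
            regex: ^import pdi\.jwt.*
      # Same receiver/method requirement as PATTERN.
      - has:
          kind: field_expression
          all:
            - has:
                kind: identifier
                nthChild: 1
                regex: ^(Jwt|JwtArgonaut|JwtCirce|JwtJson4s|JwtJson|JwtUpickle)$
            - has:
                kind: identifier
                nthChild: 2
                regex: ^(encode|decode|decodeRawAll|decodeRaw|decodeAll|validate|isValid|decodeJson|decodeJsonAll)$
      # The key argument is either `this.$STRG` or a bare identifier `$STRG`
      # in the 2nd argument position; $STRG is reused below to tie the
      # argument to its definition.
      - has:
          kind: arguments
          any:
            - has:
                kind: field_expression
                all:
                  - has:
                      nthChild: 1
                      regex: ^this$
                  - has:
                      nthChild: 2
                      kind: identifier
                      pattern: $STRG
            - has:
                kind: identifier
                pattern: $STRG
                nthChild:
                  position: 2
                  ofRule:
                    not:
                      kind: comment
      # $STRG must be defined earlier by a `val` whose value is a non-empty
      # string literal.
      - inside:
          stopBy: end
          follows:
            stopBy: end
            kind: val_definition
            all:
              - has:
                  kind: identifier
                  field: pattern
                  pattern: $STRG
                  # nthChild: 1
              - has:
                  kind: string
                  field: value
                  # nthChild: 2
                  not:
                    regex: ^""$
      # Only report calls made from within an object or class definition.
      - inside:
          stopBy: end
          any:
            - kind: object_definition
            - kind: class_definition
rule:
  kind: call_expression
  any:
    - matches: PATTERN
    - matches: PATTERN_with_Instance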