UNPKG

tslint-microsoft-contrib/possibleTimingAttackRule.js

Version:

2.97 kBJavaScriptView Raw

1"use strict";
2var __extends = (this && this.__extends) || (function () {
  var extendStatics = function (d, b) {
      extendStatics = Object.setPrototypeOf ||
          ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
          function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
      return extendStatics(d, b);
  }
  return function (d, b) {
      extendStatics(d, b);
      function __() { this.constructor = d; }
      d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
  };
14})();
15Object.defineProperty(exports, "__esModule", { value: true });
16var ts = require("typescript");
17var Lint = require("tslint");
18var tsutils = require("tsutils");
19var Utils_1 = require("./utils/Utils");
20var FAILURE_STRING = 'Possible timing attack detected. Direct comparison found: ';
21var SENSITIVE_VAR_NAME = /^(password|secret|api|apiKey|token|auth|pass|hash)$/im;
22var Rule = (function (_super) {
  __extends(Rule, _super);
  function Rule() {
      return _super !== null && _super.apply(this, arguments) || this;
  }
  Rule.prototype.apply = function (sourceFile) {
      return this.applyWithFunction(sourceFile, walk);
  };
  Rule.metadata = {
      ruleName: 'possible-timing-attack',
      type: 'functionality',
      description: 'Avoid timing attacks by not making direct comaprisons to sensitive data',
      options: null,
      optionsDescription: '',
      typescriptOnly: true,
      issueClass: 'Non-SDL',
      issueType: 'Warning',
      severity: 'Moderate',
      level: 'Opportunity for Excellence',
      group: 'Security',
      commonWeaknessEnumeration: '710,749'
  };
  return Rule;
45}(Lint.Rules.AbstractRule));
46exports.Rule = Rule;
47function walk(ctx) {
  function cb(node) {
      if (tsutils.isBinaryExpression(node)) {
          if (node.operatorToken.kind === ts.SyntaxKind.EqualsEqualsToken ||
              node.operatorToken.kind === ts.SyntaxKind.EqualsEqualsEqualsToken ||
              node.operatorToken.kind === ts.SyntaxKind.ExclamationEqualsToken ||
              node.operatorToken.kind === ts.SyntaxKind.ExclamationEqualsEqualsToken) {
              if ((SENSITIVE_VAR_NAME.test(node.left.getText()) || SENSITIVE_VAR_NAME.test(node.right.getText())) &&
                  node.left.getText() !== 'null' &&
                  node.right.getText() !== 'null' &&
                  node.left.getText() !== 'undefined' &&
                  node.right.getText() !== 'undefined') {
                  ctx.addFailureAt(node.getStart(), node.getWidth(), FAILURE_STRING + Utils_1.Utils.trimTo(node.getText(), 20));
              }
          }
      }
      return ts.forEachChild(node, cb);
  }
  return ts.forEachChild(ctx.sourceFile, cb);
66}
67//# sourceMappingURL=possibleTimingAttackRule.js.map
\No newline at end of file

1	`"use strict";`
2	`var __extends = (this && this.__extends) \|\| (function () {`
3	`var extendStatics = function (d, b) {`
4	`extendStatics = Object.setPrototypeOf \|\|`
5	`({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) \|\|`
6	`function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };`
7	`return extendStatics(d, b);`
8	`}`
9	`return function (d, b) {`
10	`extendStatics(d, b);`
11	`function __() { this.constructor = d; }`
12	`d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());`
13	`};`
14	`})();`
15	`Object.defineProperty(exports, "__esModule", { value: true });`
16	`var ts = require("typescript");`
17	`var Lint = require("tslint");`
18	`var tsutils = require("tsutils");`
19	`var Utils_1 = require("./utils/Utils");`
20	`var FAILURE_STRING = 'Possible timing attack detected. Direct comparison found: ';`
21	`var SENSITIVE_VAR_NAME = /^(password\|secret\|api\|apiKey\|token\|auth\|pass\|hash)$/im;`
22	`var Rule = (function (_super) {`
23	`__extends(Rule, _super);`
24	`function Rule() {`
25	`return _super !== null && _super.apply(this, arguments) \|\| this;`
26	`}`
27	`Rule.prototype.apply = function (sourceFile) {`
28	`return this.applyWithFunction(sourceFile, walk);`
29	`};`
30	`Rule.metadata = {`
31	`ruleName: 'possible-timing-attack',`
32	`type: 'functionality',`
33	`description: 'Avoid timing attacks by not making direct comaprisons to sensitive data',`
34	`options: null,`
35	`optionsDescription: '',`
36	`typescriptOnly: true,`
37	`issueClass: 'Non-SDL',`
38	`issueType: 'Warning',`
39	`severity: 'Moderate',`
40	`level: 'Opportunity for Excellence',`
41	`group: 'Security',`
42	`commonWeaknessEnumeration: '710,749'`
43	`};`
44	`return Rule;`
45	`}(Lint.Rules.AbstractRule));`
46	`exports.Rule = Rule;`
47	`function walk(ctx) {`
48	`function cb(node) {`
49	`if (tsutils.isBinaryExpression(node)) {`
50	`if (node.operatorToken.kind === ts.SyntaxKind.EqualsEqualsToken \|\|`
51	`node.operatorToken.kind === ts.SyntaxKind.EqualsEqualsEqualsToken \|\|`
52	`node.operatorToken.kind === ts.SyntaxKind.ExclamationEqualsToken \|\|`
53	`node.operatorToken.kind === ts.SyntaxKind.ExclamationEqualsEqualsToken) {`
54	`if ((SENSITIVE_VAR_NAME.test(node.left.getText()) \|\| SENSITIVE_VAR_NAME.test(node.right.getText())) &&`
55	`node.left.getText() !== 'null' &&`
56	`node.right.getText() !== 'null' &&`
57	`node.left.getText() !== 'undefined' &&`
58	`node.right.getText() !== 'undefined') {`
59	`ctx.addFailureAt(node.getStart(), node.getWidth(), FAILURE_STRING + Utils_1.Utils.trimTo(node.getText(), 20));`
60	`}`
61	`}`
62	`}`
63	`return ts.forEachChild(node, cb);`
64	`}`
65	`return ts.forEachChild(ctx.sourceFile, cb);`
66	`}`
67	`//# sourceMappingURL=possibleTimingAttackRule.js.map`
\	No newline at end of file