1 | "use strict";
|
/**
 * ES5 class-inheritance helper of the kind tsc emits for `class X extends Y`.
 * Links `derived` to `base` in two ways: static members are inherited by
 * re-parenting the constructor function itself (Object.setPrototypeOf when
 * present, else `__proto__` assignment, else an own-property copy), and
 * instances are linked by giving `derived.prototype` a fresh object whose
 * prototype is `base.prototype` and whose `constructor` points at `derived`.
 * If a helper already hangs off `this` (a shared tslib copy) it is reused.
 */
var __extends = (this && this.__extends) || (function () {
    // Resolved on first call so the feature detection happens once.
    var linkStatics = function (derived, base) {
        var viaSetPrototypeOf = Object.setPrototypeOf;
        var viaProtoAssign = ({ __proto__: [] } instanceof Array) &&
            function (derived, base) { derived.__proto__ = base; };
        var viaCopy = function (derived, base) {
            for (var key in base) {
                if (base.hasOwnProperty(key)) {
                    derived[key] = base[key];
                }
            }
        };
        linkStatics = viaSetPrototypeOf || viaProtoAssign || viaCopy;
        return linkStatics(derived, base);
    };
    return function (derived, base) {
        linkStatics(derived, base);
        // Bridge instances get base.prototype as their prototype without
        // running base's constructor.
        function Bridge() { this.constructor = derived; }
        if (base === null) {
            derived.prototype = Object.create(base);
        } else {
            Bridge.prototype = base.prototype;
            derived.prototype = new Bridge();
        }
    };
})();
|
// CommonJS interop marker (the one tsc writes for compiled ES-module output).
Object.defineProperty(exports, "__esModule", { value: true });
|
16 | var ts = require("typescript");
|
17 | var Lint = require("tslint");
|
18 | var tsutils = require("tsutils");
|
19 | var Utils_1 = require("./utils/Utils");
|
// Prefix of every failure message; the offending expression (trimmed) is appended.
var FAILURE_STRING = 'Possible timing attack detected. Direct comparison found: ';
// Operand texts that mark a comparison as touching a secret. Anchored with ^/$, so
// only an operand that is exactly one of these names matches: `password === x` is
// caught, `user.password === x` or `userPassword === x` is not. Case-insensitive
// (`i`), so `TOKEN` / `Pass` count too.
// NOTE(review): with the `m` flag, ^/$ also match at line breaks inside a
// multi-line operand's text, which looks unintended — confirm whether `m` was meant.
var SENSITIVE_VAR_NAME = /^(password|secret|api|apiKey|token|auth|pass|hash)$/im;
|
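/**
 * tslint rule `possible-timing-attack`.
 *
 * Reports `==`, `===`, `!=` and `!==` where either operand's source text is
 * exactly one of the names in SENSITIVE_VAR_NAME (password, secret, token, ...).
 * A plain string comparison returns as soon as the first differing byte is
 * found, so its duration leaks how much of the secret matched; the fix the
 * rule nudges towards is a constant-time comparison (Node's
 * crypto.timingSafeEqual, or a length-check plus XOR-accumulate loop).
 *
 * Appears to be tsc output: `__extends` is the ES5 inheritance helper and this
 * prototype-based class mirrors `class Rule extends Lint.Rules.AbstractRule`.
 */
var Rule = (function (_super) {
    __extends(Rule, _super);
    function Rule() {
        return _super !== null && _super.apply(this, arguments) || this;
    }
    /**
     * tslint entry point: runs the `walk` visitor over one source file and
     * returns the failures it collected.
     * @param sourceFile ts.SourceFile being linted.
     */
    Rule.prototype.apply = function (sourceFile) {
        return this.applyWithFunction(sourceFile, walk);
    };
    Rule.metadata = {
        ruleName: 'possible-timing-attack',
        type: 'functionality',
        // Typo fixed in the user-facing description ("comaprisons").
        description: 'Avoid timing attacks by not making direct comparisons to sensitive data',
        options: null,
        optionsDescription: '',
        typescriptOnly: true,
        issueClass: 'Non-SDL',
        issueType: 'Warning',
        severity: 'Moderate',
        level: 'Opportunity for Excellence',
        group: 'Security',
        // NOTE(review): the weakness this rule detects is CWE-208 (Observable Timing
        // Discrepancy); the published 710,749 classification is left unchanged here.
        commonWeaknessEnumeration: '710,749'
    };
    return Rule;
}(Lint.Rules.AbstractRule));
exports.Rule = Rule;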
|
/**
 * Visitor body for the possible-timing-attack rule.
 *
 * Walks every node under ctx.sourceFile and reports each equality/inequality
 * comparison (`==`, `===`, `!=`, `!==`) in which one operand's source text is
 * exactly a sensitive name (see SENSITIVE_VAR_NAME). Comparisons whose other
 * side is the literal token `null` or `undefined` are skipped: those are
 * presence checks, not checks of the secret's value, so their timing reveals
 * nothing about it.
 *
 * Limitations visible in the code (deliberately not changed here, since they
 * alter what the rule reports): the match is on the whole operand text, so
 * `user.password === x`, `password.trim() === x` and `providedToken === stored`
 * go unreported, while any bare identifier named e.g. `token` is reported
 * whatever it holds.
 *
 * @param ctx Lint.WalkContext for one source file; failures go to ctx.addFailureAt.
 */
function walk(ctx) {
    var comparisonKinds = [
        ts.SyntaxKind.EqualsEqualsToken,
        ts.SyntaxKind.EqualsEqualsEqualsToken,
        ts.SyntaxKind.ExclamationEqualsToken,
        ts.SyntaxKind.ExclamationEqualsEqualsToken
    ];
    // `x == null` / `x !== undefined` style presence checks are not value comparisons.
    function isNullishToken(text) {
        return text === 'null' || text === 'undefined';
    }
    function visit(node) {
        if (tsutils.isBinaryExpression(node) && comparisonKinds.indexOf(node.operatorToken.kind) !== -1) {
            var leftText = node.left.getText();
            var rightText = node.right.getText();
            var namesSensitiveValue = SENSITIVE_VAR_NAME.test(leftText) || SENSITIVE_VAR_NAME.test(rightText);
            if (namesSensitiveValue && !isNullishToken(leftText) && !isNullishToken(rightText)) {
                ctx.addFailureAt(node.getStart(), node.getWidth(), FAILURE_STRING + Utils_1.Utils.trimTo(node.getText(), 20));
            }
        }
        return ts.forEachChild(node, visit);
    }
    return ts.forEachChild(ctx.sourceFile, visit);
}
|
67 |
|
\ | No newline at end of file |