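/** Name suffixes that suggest a property carries a secret; compared case-insensitively against property names. */
const sensitiveKeywords = ["access", "credential", "secret", "password", "key", "token", "auth", "connection"]
/** Name suffixes that end in a sensitive keyword but are not secrets; lowercased so they compare like the names. */
const excludeKeywords = ["publicKey"].map((keyword) => keyword.toLowerCase())

/**
 * Decides whether a schema property name looks like it holds a secret.
 *
 * A name qualifies when, compared case-insensitively, it ends with one of
 * `sensitiveKeywords` but is not that bare keyword itself (a property named
 * just `key` or `token` is not flagged), and it does not end with any entry of
 * `excludeKeywords` (so `publicKey` and `sshPublicKey` are not flagged).
 *
 * @param propertyName - the property name to classify
 * @returns true when the property should carry an `x-ms-secret` annotation
 */
function isPotentialSensitiveProperty(propertyName: string): boolean {
  const lowerName = propertyName.toLowerCase()
  const endsWithSensitiveSuffix = sensitiveKeywords.some(
    (keyword) => lowerName.endsWith(keyword) && !lowerName.startsWith(keyword),
  )
  if (!endsWithSensitiveSuffix) {
    return false
  }
  // The exclusion list is a plain suffix match: an exact name such as "publicKey"
  // must be excluded as well, which the "does not start with" guard used for the
  // sensitive list would wrongly let through (it only excluded e.g. "sshPublicKey").
  return !excludeKeywords.some((keyword) => lowerName.endsWith(keyword))
}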
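/**
 * Reports whether a property map contains both a `key` and a `value` member,
 * the shape the caller treats as a key-value pair and exempts from the secret
 * check (the caller additionally requires the map to have exactly two members).
 *
 * @param propertiesKeys - the property names of the schema's `properties` map
 * @returns true when both `key` and `value` are present (case-sensitive match)
 */
function isKeyValuePairKeyProp(propertiesKeys: readonly string[]): boolean {
  // Typed as a string array instead of `any` so a non-array argument is a compile error, not a runtime surprise.
  const names = new Set(propertiesKeys)
  return names.has("key") && names.has("value")
}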
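/** A single rule finding: the message and the JSON path of the offending property. */
type SecretFinding = { message: string; path: (string | number)[] }

/**
 * Narrows an arbitrary value to a string-keyed object, or returns null when it
 * is not a non-null object, so callers never index primitives or null.
 */
function asObject(value: unknown): Record<string, unknown> | null {
  return value !== null && typeof value === "object" ? (value as Record<string, unknown>) : null
}

/**
 * Lint rule body: reports string-typed schema properties whose name suggests a
 * secret but that are not annotated with `"x-ms-secret": true`.
 *
 * A property literally named `properties` is descended into (recursively), so
 * nested property maps are checked as well. A map that is exactly a
 * `{ key, value }` pair is exempt.
 *
 * @param properties - the `properties` map of a schema (property name → property schema);
 *   anything that is not a non-null object yields no findings
 * @param _opts - rule options; not read here, only forwarded into the recursive call
 * @param ctx - context supplied by the rule runner; only `ctx.path` (the JSON path of
 *   `properties`) is read, and it is treated as `[]` when absent or not an array
 * @returns one finding per offending property, with the message and the property's JSON path
 */
// ctx stays `any`: the runner's context type is not declared in this file and only `path` is read.
export const XMSSecretInResponse = (properties: unknown, _opts: unknown, ctx: any): SecretFinding[] => {
  const propertyMap = asObject(properties)
  if (propertyMap === null) {
    return []
  }
  // Fall back to the root path when the context is missing or its path is not an array,
  // so the spread below cannot throw.
  const path: (string | number)[] = Array.isArray(ctx?.path) ? ctx.path : []
  const errors: SecretFinding[] = []
  const propertyNames = Object.keys(propertyMap)
  // Exactly { key, value } is treated as a key-value pair whose `key` member is not a secret.
  const isKeyValuePair = propertyNames.length === 2 && isKeyValuePairKeyProp(propertyNames)

  for (const propertyName of propertyNames) {
    // Primitive or null entries are skipped: they cannot carry a type or an annotation.
    const propertySchema = asObject(propertyMap[propertyName])
    if (propertyName === "properties" && propertySchema !== null) {
      // Descend into a nested `properties` map so deeply nested properties are checked too.
      errors.push(...XMSSecretInResponse(propertySchema, _opts, { ...ctx, path: [...path, propertyName] }))
      continue
    }
    if (
      propertySchema !== null && // property schema is an object
      isPotentialSensitiveProperty(propertyName) && // name matches a sensitive keyword
      propertySchema["x-ms-secret"] !== true && // not explicitly marked as secret
      !isKeyValuePair && // not the key of a key-value pair
      propertySchema["type"] === "string" // only string-typed properties are flagged
    ) {
      errors.push({
        message: `Property '${propertyName}' contains secret keyword and does not have 'x-ms-secret' annotation. To ensure security, must add the 'x-ms-secret' annotation to this property.`,
        path: [...path, propertyName],
      })
    }
  }
  return errors
}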
// The default export is the same rule function as the named export, so either import form works.
export { XMSSecretInResponse as default }