coderabbitai
diff --git a/‎.gitignore
Lines changed: 1 addition & 0 deletions b/‎.gitignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎rules/typescript/security/argon2-weak-type-typescript.yml
Lines changed: 59 additions & 0 deletions b/‎rules/typescript/security/argon2-weak-type-typescript.yml
Lines changed: 59 additions & 0 deletions
diff --git a/‎rules/typescript/security/avoid-crypto-rc4-typescript.yml
Lines changed: 42 additions & 0 deletions b/‎rules/typescript/security/avoid-crypto-rc4-typescript.yml
Lines changed: 42 additions & 0 deletions
diff --git a/‎rules/typescript/security/avoid-crypto-sha1-typescript.yml
Lines changed: 34 additions & 0 deletions b/‎rules/typescript/security/avoid-crypto-sha1-typescript.yml
Lines changed: 34 additions & 0 deletions
diff --git a/‎rules/typescript/security/avoid-des-typescript.yml
Lines changed: 42 additions & 0 deletions b/‎rules/typescript/security/avoid-des-typescript.yml
Lines changed: 42 additions & 0 deletions
diff --git a/‎rules/typescript/security/chmod-permissions-typescript.yml
Lines changed: 35 additions & 0 deletions b/‎rules/typescript/security/chmod-permissions-typescript.yml
Lines changed: 35 additions & 0 deletions
diff --git a/‎rules/typescript/security/command-injection-typescript.yml
Lines changed: 35 additions & 0 deletions b/‎rules/typescript/security/command-injection-typescript.yml
Lines changed: 35 additions & 0 deletions
diff --git a/‎rules/typescript/security/crypto-avoid-weak-hash-typescript.yml
Lines changed: 38 additions & 0 deletions b/‎rules/typescript/security/crypto-avoid-weak-hash-typescript.yml
Lines changed: 38 additions & 0 deletions
diff --git a/‎rules/typescript/security/detect-buffer-noassert-typescript.yml
Lines changed: 93 additions & 0 deletions b/‎rules/typescript/security/detect-buffer-noassert-typescript.yml
Lines changed: 93 additions & 0 deletions
@@ -197,3 +197,4 @@ cscope.in.out
 cscope.po.out
 
 # End of https://www.toptal.com/developers/gitignore/api/node,tags,macos
+.claude
@@ -0,0 +1,59 @@
+id: argon2-weak-type-typescript
+severity: error
+language: typescript
+message: >-
+  Use secure encryption types when using `argon2`. Avoid using weak argon2 types
+  like argon2i or argon2d. Use argon2id instead for better security.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://github.com/ranisalt/node-argon2/wiki/Options#type
+ast-grep-essentials: true
+utils:
+  MATCH_ARGON2_WEAK_TYPE:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: member_expression
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: "^argon2$"
+            - has:
+                stopBy: neighbor
+                kind: property_identifier
+                regex: "^hash$"
+      - has:
+          stopBy: neighbor
+          kind: arguments
+          has:
+            stopBy: neighbor
+            kind: object
+            has:
+              stopBy: neighbor
+              kind: pair
+              all:
+                - has:
+                    stopBy: neighbor
+                    kind: property_identifier
+                    regex: "^type$"
+                - has:
+                    stopBy: neighbor
+                    kind: member_expression
+                    all:
+                      - has:
+                          stopBy: neighbor
+                          kind: identifier
+                          regex: "^argon2$"
+                      - has:
+                          stopBy: neighbor
+                          kind: property_identifier
+                          any:
+                            - regex: "^argon2i$"
+                            - regex: "^argon2d$"
+rule:
+  kind: call_expression
+  any:
+    - matches: MATCH_ARGON2_WEAK_TYPE
@@ -0,0 +1,42 @@
+id: avoid-crypto-rc4-typescript
+severity: warning
+language: typescript
+message: >-
+  Avoid RC4 encryption. Use of the RC4 security protocol exposes your 
+  application to vulnerabilities. Consider using stronger encryption algorithms.
+note: >-
+  [CWE-328] Use of Weak Hash.
+  [REFERENCES]
+      - https://cryptojs.gitbook.io/docs/#ciphers
+ast-grep-essentials: true
+utils:
+  MATCH_RC4_USAGE:
+    kind: call_expression
+    has:
+      stopBy: neighbor
+      kind: member_expression
+      all:
+        - has:
+            stopBy: neighbor
+            kind: member_expression
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  regex: "^CryptoJS$"
+              - has:
+                  stopBy: neighbor
+                  kind: property_identifier
+                  any:
+                    - regex: "^RC4$"
+                    - regex: "^RC4Drop$"
+        - has:
+            stopBy: neighbor
+            kind: property_identifier
+            any:
+              - regex: "^encrypt$"
+              - regex: "^decrypt$"
+rule:
+  kind: call_expression
+  any:
+    - matches: MATCH_RC4_USAGE
@@ -0,0 +1,34 @@
+id: avoid-crypto-sha1-typescript
+severity: warning
+language: typescript
+message: >-
+  Avoid SHA1 security protocol. Use of insecure encryption or hashing protocols 
+  expose your application to vulnerabilities. Use stronger hashing algorithms like SHA-256.
+note: >-
+  [CWE-328] Use of Weak Hash.
+  [REFERENCES]
+      - https://cryptojs.gitbook.io/docs/#hmac
+ast-grep-essentials: true
+utils:
+  MATCH_SHA1_USAGE:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: member_expression
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: "^CryptoJS$"
+            - has:
+                stopBy: neighbor
+                kind: property_identifier
+                regex: "^HmacSHA1$"
+      - has:
+          stopBy: neighbor
+          kind: arguments
+rule:
+  kind: call_expression
+  any:
+    - matches: MATCH_SHA1_USAGE
@@ -0,0 +1,42 @@
+id: avoid-des-typescript
+severity: warning
+language: typescript
+message: >-
+  Do not use DES or TripleDES, this is a weak security protocol. Use stronger 
+  encryption algorithms like AES instead.
+note: >-
+  [CWE-328] Use of Weak Hash.
+  [REFERENCES]
+      - https://cryptojs.gitbook.io/docs/#ciphers
+ast-grep-essentials: true
+utils:
+  MATCH_DES_USAGE:
+    kind: call_expression
+    has:
+      stopBy: neighbor
+      kind: member_expression
+      all:
+        - has:
+            stopBy: neighbor
+            kind: member_expression
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  regex: "^CryptoJS$"
+              - has:
+                  stopBy: neighbor
+                  kind: property_identifier
+                  any:
+                    - regex: "^DES$"
+                    - regex: "^TripleDES$"
+        - has:
+            stopBy: neighbor
+            kind: property_identifier
+            any:
+              - regex: "^encrypt$"
+              - regex: "^decrypt$"
+rule:
+  kind: call_expression
+  any:
+    - matches: MATCH_DES_USAGE
@@ -0,0 +1,35 @@
+id: chmod-permissions-typescript
+severity: warning
+language: typescript
+message: >-
+  Do not give 777 permissions to a file. Always make sure you restrict the 
+  permissions of your application files. Applications should not allow write 
+  and execution for other users.
+note: >-
+  [CWE-732] Incorrect Permission Assignment for Critical Resource.
+ast-grep-essentials: true
+utils:
+  MATCH_CHMOD_777:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: member_expression
+          has:
+            stopBy: neighbor
+            kind: property_identifier
+            any:
+              - regex: "^chmod$"
+              - regex: "^chmodSync$"
+      - has:
+          stopBy: neighbor
+          kind: arguments
+          all:
+            - has:
+                stopBy: neighbor
+                kind: number
+                regex: "^0o777$"
+rule:
+  kind: call_expression
+  any:
+    - matches: MATCH_CHMOD_777
@@ -0,0 +1,35 @@
+id: command-injection-typescript
+severity: warning
+language: typescript
+message: >-
+  Avoid command injection. When executing a command, never use unchecked variables. 
+  Make sure that each variable of the command has been checked.
+note: >-
+  [CWE-78] OS Command Injection.
+ast-grep-essentials: true
+utils:
+  MATCH_COMMAND_INJECTION:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: member_expression
+          has:
+            stopBy: neighbor
+            kind: property_identifier
+            regex: "^(exec|execSync|spawn|spawnSync)$"
+      - has:
+          stopBy: neighbor
+          kind: arguments
+          has:
+            stopBy: neighbor
+            any:
+              - kind: template_string
+                has:
+                  stopBy: neighbor
+                  kind: template_substitution
+              - kind: binary_expression
+rule:
+  kind: call_expression
+  any:
+    - matches: MATCH_COMMAND_INJECTION
@@ -0,0 +1,38 @@
+id: crypto-avoid-weak-hash-typescript
+severity: warning
+language: typescript
+message: >-
+  Avoid weak hash algorithm from CryptoJS. Use of insecure hash functions like 
+  MD5 or SHA1 can expose your application to vulnerabilities. Use stronger hash 
+  algorithms like SHA-256 or SHA-512.
+note: >-
+  [CWE-328] Use of Weak Hash.
+  [REFERENCES]
+      - https://cryptojs.gitbook.io/docs/#hashing
+ast-grep-essentials: true
+utils:
+  MATCH_WEAK_HASH:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: member_expression
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: "^CryptoJS$"
+            - has:
+                stopBy: neighbor
+                kind: property_identifier
+                any:
+                  - regex: "^MD5$"
+                  - regex: "^SHA1$"
+                  - regex: "^HmacMD5$"
+      - has:
+          stopBy: neighbor
+          kind: arguments
+rule:
+  kind: call_expression
+  any:
+    - matches: MATCH_WEAK_HASH
@@ -0,0 +1,93 @@
+id: detect-buffer-noassert-typescript
+severity: error
+language: typescript
+message: >-
+  Avoid calls to 'buffer' with 'noAssert' flag set. If you skip the `offset` 
+  validation it can go beyond the end of the `Buffer`.
+note: >-
+  [CWE-119] Buffer Errors.
+ast-grep-essentials: true
+utils:
+  MATCH_BUFFER_NOASSERT_READ:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: member_expression
+          has:
+            stopBy: neighbor
+            kind: property_identifier
+            regex: "^(readUInt8|readUInt16LE|readUInt16BE|readUInt32LE|readUInt32BE|readInt8|readInt16LE|readInt16BE|readInt32LE|readInt32BE|readFloatLE|readFloatBE|readDoubleLE|readDoubleBE)$"
+      - has:
+          stopBy: neighbor
+          kind: arguments
+          all:
+            - has:
+                nthChild:
+                  position: 1
+                  ofRule:
+                    not:
+                      kind: comment
+            - has:
+                nthChild:
+                  position: 2
+                  ofRule:
+                    not:
+                      kind: comment
+            - not:
+                has:
+                  nthChild:
+                    position: 3
+                    ofRule:
+                      not:
+                        kind: comment
+            - has:
+                stopBy: neighbor
+                regex: ^true$
+  MATCH_BUFFER_NOASSERT_WRITE:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: member_expression
+          has:
+            stopBy: neighbor
+            kind: property_identifier
+            regex: "^(writeUInt8|writeUInt16LE|writeUInt16BE|writeUInt32LE|writeUInt32BE|writeInt8|writeInt16LE|writeInt16BE|writeInt32LE|writeInt32BE|writeFloatLE|writeFloatBE|writeDoubleLE|writeDoubleBE)$"
+      - has:
+          stopBy: neighbor
+          kind: arguments
+          all:
+            - has:
+                nthChild:
+                  position: 1
+                  ofRule:
+                    not:
+                      kind: comment
+            - has:
+                nthChild:
+                  position: 2
+                  ofRule:
+                    not:
+                      kind: comment
+            - has:
+                nthChild:
+                  position: 3
+                  ofRule:
+                    not:
+                      kind: comment
+            - not:
+                has:
+                  nthChild:
+                    position: 4
+                    ofRule:
+                      not:
+                        kind: comment
+            - has:
+                stopBy: neighbor
+                regex: ^true$
+rule:
+  kind: call_expression
+  any:
+    - matches: MATCH_BUFFER_NOASSERT_READ
+    - matches: MATCH_BUFFER_NOASSERT_WRITE
Original file line number	Diff line number	Diff line change
`@@ -197,3 +197,4 @@ cscope.in.out`
`197`	`197`	`cscope.po.out`
`198`	`198`
`199`	`199`	`# End of https://www.toptal.com/developers/gitignore/api/node,tags,macos`
	`200`	`+.claude`