Add TypeScript security rules and tooling #198

Closed
wants to merge 1 commit into from
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -197,3 +197,4 @@ cscope.in.out
cscope.po.out

# End of https://www.toptal.com/developers/gitignore/api/node,tags,macos
.claude
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -14,4 +14,4 @@
"devDependencies": {
"@ast-grep/cli": "^0.31.1"
}
}
}
2 changes: 1 addition & 1 deletion rules/c/security/null-library-function-c.yml
Expand Up @@ -259,4 +259,4 @@ rule:
- inside:
stopBy: end
kind: return_statement


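Review bot: this hunk only touches the blank line at the end of the file, and the cpp twin of this rule (null-library-function-cpp.yml, below) was flagged by yamllint for trailing spaces on the equivalent blank line; run yamllint on this file as well and make sure the new last line is an empty line terminated by a newline rather than whitespace, so both rule files end identically.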
2 changes: 1 addition & 1 deletion rules/cpp/security/null-library-function-cpp.yml
Expand Up @@ -259,4 +259,4 @@ rule:
- inside:
stopBy: end
kind: return_statement


⚠️ Potential issue

Remove trailing whitespace on the new blank line to satisfy YAMLlint
YAMLlint flags trailing-spaces on this newly-added line. Strip the whitespace but keep the terminating newline to retain the intended EOF newline without breaking CI.

-   
+
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 262-262: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In rules/cpp/security/null-library-function-cpp.yml at line 262, there is
trailing whitespace on the new blank line causing a YAMLlint trailing-spaces
error. Remove all spaces or tabs from this line while keeping the newline
character intact to preserve the EOF newline and avoid CI failures.

2 changes: 1 addition & 1 deletion rules/go/security/grpc-client-insecure-connection-go.yml
Expand Up @@ -63,4 +63,4 @@ rule:
kind: ERROR
- has:
stopBy: end
kind: ERROR
kind: ERROR
2 changes: 1 addition & 1 deletion rules/html/security/plaintext-http-link-html.yml
Expand Up @@ -77,4 +77,4 @@ rule:
stopBy: end
kind: attribute_value
regex: ^([Hh][Tt][Tt][Pp]://)


⚠️ Potential issue

Strip trailing whitespace to satisfy YAML linting

YAML-lint reports a trailing-spaces error on this line. CI may fail until the stray blanks are removed.

-                          
+
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 80-80: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In rules/html/security/plaintext-http-link-html.yml at line 80, there are
trailing whitespace characters causing a YAML linting error. Remove all trailing
spaces or tabs at the end of this line to satisfy the YAML linter and prevent CI
failures.

2 changes: 1 addition & 1 deletion rules/java/security/hardcoded-connection-password-java.yml
Expand Up @@ -349,4 +349,4 @@ rule:
- matches: (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")
- matches: (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance
- matches: (PersistenceManagerFactory $JDO). ... .$SETPASS("...")
- matches: (PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance
- matches: (PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance
2 changes: 1 addition & 1 deletion rules/java/security/java-jwt-hardcoded-secret-java.yml
Expand Up @@ -126,4 +126,4 @@ rule:
kind: ERROR
- inside:
stopBy: end
kind: ERROR
kind: ERROR
Expand Up @@ -827,4 +827,4 @@ rule:
- matches: clients.jedis.DefaultJedisClientConfig.Builder $JEDIS).password("...")
- matches: clients.jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...")
- matches: new clients.jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...")
- matches: (clients.jedis.JedisClientConfig|clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("...")
- matches: (clients.jedis.JedisClientConfig|clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("...")
2 changes: 1 addition & 1 deletion rules/java/security/use-of-default-aes-java.yml
Expand Up @@ -317,4 +317,4 @@ constraints:
all:
- has:
kind: string_fragment
regex: ^\s*(AES)\s*$
regex: ^\s*(AES)\s*$
2 changes: 1 addition & 1 deletion rules/java/security/use-of-md5-java.yml
Expand Up @@ -106,4 +106,4 @@ constraints:
has:
kind: string_fragment
regex: ^MD5


⚠️ Potential issue

Remove trailing whitespace to satisfy YAML linting

Line 109 is an otherwise blank line containing stray spaces, triggering YAMLlint (trailing-spaces).
Delete the spaces (or the entire blank line) to restore a clean file and unblock the pipeline.

-      
+
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 109-109: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In rules/java/security/use-of-md5-java.yml at line 109, there is trailing
whitespace on an otherwise blank line causing YAML linting errors. Remove all
spaces on this line or delete the blank line entirely to fix the trailing-spaces
lint issue and ensure the file passes validation.

2 changes: 1 addition & 1 deletion rules/java/security/use-of-sha1-java.yml
Expand Up @@ -169,4 +169,4 @@ rule:
- not:
has:
stopBy: end
kind: ERROR
kind: ERROR
2 changes: 1 addition & 1 deletion rules/php/security/openssl-cbc-static-iv-php.yml
Expand Up @@ -648,4 +648,4 @@ rule:
- not:
inside:
stopBy: end
kind: ERROR
kind: ERROR
Expand Up @@ -282,4 +282,4 @@ rule:
- matches: hashids.Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH)
- matches: hashids.Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet)
- matches: Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet)
- matches: Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH)
- matches: Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH)
Expand Up @@ -53,4 +53,4 @@ rule:
- not:
inside:
stopBy: end
kind: ERROR
kind: ERROR
Expand Up @@ -72,4 +72,4 @@ rule:
stopBy: end
kind: ERROR



⚠️ Potential issue

Remove trailing whitespace to pass YAML lint

yamllint flags line 75 for trailing spaces. While harmless at runtime, this will fail style checks in CI. Strip the spaces and keep the blank line (or delete the line entirely).

-    
+
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 75-75: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In rules/python/security/python-pg8000-hardcoded-secret-python.yml at line 75,
there is trailing whitespace causing yamllint to fail. Remove all trailing
spaces from this line to pass the YAML lint check, either by stripping the
spaces or deleting the line if it is blank.

Expand Up @@ -67,4 +67,4 @@ rule:
kind: ERROR
- inside:
stopBy: end
kind: ERROR
kind: ERROR
Expand Up @@ -66,4 +66,4 @@ rule:
kind: ERROR
- inside:
stopBy: end
kind: ERROR
kind: ERROR
Expand Up @@ -68,4 +68,4 @@ rule:
- not:
inside:
stopBy: end
kind: ERROR
kind: ERROR
Expand Up @@ -67,4 +67,4 @@ rule:
- not:
inside:
stopBy: end
kind: ERROR
kind: ERROR
2 changes: 1 addition & 1 deletion rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml
Expand Up @@ -129,4 +129,4 @@ rule:

constraints:
PASS:
kind: string
kind: string
2 changes: 1 addition & 1 deletion rules/ruby/security/ruby-pg-empty-password-ruby.yml
Expand Up @@ -156,4 +156,4 @@ rule:
kind: ERROR
- inside:
stopBy: end
kind: ERROR
kind: ERROR
2 changes: 1 addition & 1 deletion rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml
Expand Up @@ -196,4 +196,4 @@ rule:
- inside:
stopBy: end
kind: ERROR


⚠️ Potential issue

Remove trailing whitespace to satisfy YAML linting

yamllint is flagging a trailing-space violation on this line.
Trim the spaces to keep the file clean and prevent CI failures.

-        
+
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 199-199: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml at line 199, there is
trailing whitespace causing a YAML linting error. Remove any spaces or tabs at
the end of this line to satisfy yamllint and prevent CI failures.

2 changes: 1 addition & 1 deletion rules/rust/security/empty-password-rust.yml
Expand Up @@ -1056,4 +1056,4 @@ rule:
- matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)
- matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...)
- matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance
- matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance
- matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance
2 changes: 1 addition & 1 deletion rules/rust/security/hardcoded-password-rust.yml
Expand Up @@ -1033,4 +1033,4 @@ rule:
- matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)
- matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...)
- matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance
- matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance
- matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance
59 changes: 59 additions & 0 deletions rules/typescript/security/argon2-weak-type-typescript.yml
@@ -0,0 +1,59 @@
id: argon2-weak-type-typescript
severity: error
language: typescript
message: >-
Use secure encryption types when using `argon2`. Avoid using weak argon2 types
like argon2i or argon2d. Use argon2id instead for better security.
note: >-
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
[REFERENCES]
- https://github.com/ranisalt/node-argon2/wiki/Options#type
ast-grep-essentials: true
utils:
MATCH_ARGON2_WEAK_TYPE:
kind: call_expression
all:
- has:
stopBy: neighbor
kind: member_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: "^argon2$"
- has:
stopBy: neighbor
kind: property_identifier
regex: "^hash$"
- has:
stopBy: neighbor
kind: arguments
has:
stopBy: neighbor
kind: object
has:
stopBy: neighbor
kind: pair
all:
- has:
stopBy: neighbor
kind: property_identifier
regex: "^type$"
- has:
stopBy: neighbor
kind: member_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: "^argon2$"
- has:
stopBy: neighbor
kind: property_identifier
any:
- regex: "^argon2i$"
- regex: "^argon2d$"
rule:
kind: call_expression
any:
- matches: MATCH_ARGON2_WEAK_TYPE
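Review bot: the `type` pair is only matched when its value is the member expression `argon2.argon2i` or `argon2.argon2d`, but node-argon2 exports those constants as plain numbers (argon2d = 0, argon2i = 1, argon2id = 2), so `type: 1`, or a constant imported by name (`import { hash, argon2i } from 'argon2'`, `const { hash } = require('argon2')`), is not flagged; the `^argon2$` identifier regex likewise ties the rule to the namespace-import style. Consider an `any` on the pair value that also accepts a bare `argon2i`/`argon2d` identifier and the number literals `0`/`1`, and an `any` on the callee that accepts a bare `hash` identifier. Separately, the message says "secure encryption types", but argon2 is a password hashing function, not encryption; "argon2 variants" is the accurate term.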
42 changes: 42 additions & 0 deletions rules/typescript/security/avoid-crypto-rc4-typescript.yml
@@ -0,0 +1,42 @@
id: avoid-crypto-rc4-typescript
severity: warning
language: typescript
message: >-
Avoid RC4 encryption. Use of the RC4 security protocol exposes your
application to vulnerabilities. Consider using stronger encryption algorithms.
note: >-
[CWE-328] Use of Weak Hash.
[REFERENCES]
- https://cryptojs.gitbook.io/docs/#ciphers
ast-grep-essentials: true
utils:
MATCH_RC4_USAGE:
kind: call_expression
has:
stopBy: neighbor
kind: member_expression
all:
- has:
stopBy: neighbor
kind: member_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: "^CryptoJS$"
- has:
stopBy: neighbor
kind: property_identifier
any:
- regex: "^RC4$"
- regex: "^RC4Drop$"
- has:
stopBy: neighbor
kind: property_identifier
any:
- regex: "^encrypt$"
- regex: "^decrypt$"
rule:
kind: call_expression
any:
- matches: MATCH_RC4_USAGE
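Review bot: the `note` cites CWE-328 (Use of Weak Hash), but RC4 is a stream cipher, so the correct reference is CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), the same correction raised on avoid-des-typescript.yml below; the message's "RC4 security protocol" should likewise read "RC4 cipher". On matching, the inner `member_expression` requires the literal `CryptoJS` identifier, so `const RC4 = require('crypto-js/rc4')` followed by `RC4.encrypt(...)` is missed; an `any` on the object that also accepts a bare `RC4`/`RC4Drop` identifier would close that gap. The single-entry `any: - matches:` under `rule` can be written directly as `matches: MATCH_RC4_USAGE`.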
34 changes: 34 additions & 0 deletions rules/typescript/security/avoid-crypto-sha1-typescript.yml
@@ -0,0 +1,34 @@
id: avoid-crypto-sha1-typescript
severity: warning
language: typescript
message: >-
Avoid SHA1 security protocol. Use of insecure encryption or hashing protocols
expose your application to vulnerabilities. Use stronger hashing algorithms like SHA-256.
Comment on lines +5 to +6
⚠️ Potential issue

Remove trailing spaces to unblock YAML-lint.

The current message block fails yamllint due to the two trailing blanks at EOL.
Strip them to keep the rule file CI-clean.

-  Avoid SHA1 security protocol. Use of insecure encryption or hashing protocols␠
+  Avoid SHA1 security protocol. Use of insecure encryption or hashing protocols
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 5-5: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In rules/typescript/security/avoid-crypto-sha1-typescript.yml at lines 5 to 6,
remove the trailing spaces at the end of the message lines to fix the yamllint
error. Ensure no extra spaces remain after the text to keep the YAML file clean
and pass the linting checks.

note: >-
[CWE-328] Use of Weak Hash.
[REFERENCES]
- https://cryptojs.gitbook.io/docs/#hmac
ast-grep-essentials: true
utils:
MATCH_SHA1_USAGE:
kind: call_expression
all:
- has:
stopBy: neighbor
kind: member_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: "^CryptoJS$"
- has:
stopBy: neighbor
kind: property_identifier
regex: "^HmacSHA1$"
Comment on lines +23 to +27
🛠️ Refactor suggestion

Broaden the pattern to catch CryptoJS.SHA1 as well.

Only HmacSHA1 is matched; CryptoJS.SHA1(..) (hash without HMAC) slips through.

-                regex: "^HmacSHA1$"
+                any:
+                  - regex: "^HmacSHA1$"
+                  - regex: "^SHA1$"
🤖 Prompt for AI Agents
In rules/typescript/security/avoid-crypto-sha1-typescript.yml around lines 23 to
27, the pattern only matches CryptoJS.HmacSHA1 but misses CryptoJS.SHA1 usage.
Update the regex or add an additional pattern to also match CryptoJS.SHA1 to
ensure both HmacSHA1 and SHA1 calls are detected and flagged by the rule.

- has:
stopBy: neighbor
kind: arguments
rule:
kind: call_expression
any:
- matches: MATCH_SHA1_USAGE
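Review bot: flagging only `CryptoJS.HmacSHA1` while plain `CryptoJS.SHA1` slips through (raised above) inverts the actual risk order: SHA-1's known break is collision resistance, which matters for plain digests used as integrity or signature inputs, whereas HMAC-SHA1 does not depend on collision resistance and is still accepted as a MAC. Once both are matched, the message should distinguish the two cases (plain SHA-1 is a weakness, HMAC-SHA1 is a migration recommendation) and replace "SHA1 security protocol" with "SHA-1 hash function". The trailing `- has: kind: arguments` under `all` adds no constraint on the arguments themselves; if the intent is to require a parenthesised call, say so in a comment, otherwise drop it.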
42 changes: 42 additions & 0 deletions rules/typescript/security/avoid-des-typescript.yml
@@ -0,0 +1,42 @@
id: avoid-des-typescript
severity: warning
language: typescript
message: >-
Do not use DES or TripleDES, this is a weak security protocol. Use stronger
encryption algorithms like AES instead.
Comment on lines +5 to +6
⚠️ Potential issue

Trim trailing spaces to satisfy linters.

-  Do not use DES or TripleDES, this is a weak security protocol. Use stronger ␠
+  Do not use DES or TripleDES, this is a weak security protocol. Use stronger
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 5-5: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In rules/typescript/security/avoid-des-typescript.yml at lines 5 to 6, remove
any trailing spaces at the end of the lines to satisfy linter requirements.
Ensure no extra spaces remain after the last visible character on these lines.

note: >-
[CWE-328] Use of Weak Hash.
🛠️ Refactor suggestion

Incorrect CWE reference – use CWE-327 (Broken or Risky Crypto Algorithm).

DES weaknesses are covered by CWE-327, not CWE-328 (weak hash). Update for accuracy.

-  [CWE-328] Use of Weak Hash.
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
🤖 Prompt for AI Agents
In rules/typescript/security/avoid-des-typescript.yml at line 8, the CWE
reference is incorrectly set to CWE-328 for DES weaknesses. Update the CWE
identifier to CWE-327 to accurately reflect the issue as Broken or Risky Crypto
Algorithm instead of Weak Hash.

[REFERENCES]
- https://cryptojs.gitbook.io/docs/#ciphers
ast-grep-essentials: true
utils:
MATCH_DES_USAGE:
kind: call_expression
has:
stopBy: neighbor
kind: member_expression
all:
- has:
stopBy: neighbor
kind: member_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: "^CryptoJS$"
- has:
stopBy: neighbor
kind: property_identifier
any:
- regex: "^DES$"
- regex: "^TripleDES$"
- has:
stopBy: neighbor
kind: property_identifier
any:
- regex: "^encrypt$"
- regex: "^decrypt$"
rule:
kind: call_expression
any:
- matches: MATCH_DES_USAGE
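Review bot: severity is `warning` here while argon2-weak-type-typescript.yml above is `error`, yet single DES has a 56-bit key that is brute-forceable on commodity hardware and TripleDES is disallowed for encryption after 2023 by NIST SP 800-131A rev. 2, so this rule deserves at least the severity of the argon2 one. The message's "weak security protocol" should read "weak block cipher". The same `CryptoJS` namespace dependency noted on avoid-crypto-rc4-typescript.yml applies: `const TripleDES = require('crypto-js/tripledes')` followed by `TripleDES.encrypt(...)` is not matched by this util.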
35 changes: 35 additions & 0 deletions rules/typescript/security/chmod-permissions-typescript.yml
@@ -0,0 +1,35 @@
id: chmod-permissions-typescript
severity: warning
language: typescript
message: >-
Do not give 777 permissions to a file. Always make sure you restrict the
permissions of your application files. Applications should not allow write
and execution for other users.
note: >-
[CWE-732] Incorrect Permission Assignment for Critical Resource.
ast-grep-essentials: true
utils:
MATCH_CHMOD_777:
kind: call_expression
all:
- has:
stopBy: neighbor
kind: member_expression
has:
stopBy: neighbor
kind: property_identifier
any:
- regex: "^chmod$"
- regex: "^chmodSync$"
- has:
stopBy: neighbor
kind: arguments
all:
- has:
stopBy: neighbor
kind: number
regex: "^0o777$"
Comment on lines +30 to +31
🛠️ Refactor suggestion

Broaden the numeric-mode pattern
^0o777$ misses common variants such as 0o0777, string literals ("777"), or decimal 0o-less forms. Consider:

-                regex: "^0o777$"
+                # Accept 777 expressed as 0o777, 0o0777, 0o000777, or plain 777
+                regex: "^(0o0*777|777)$"

This reduces false-negatives without widening scope excessively.

🤖 Prompt for AI Agents
In rules/typescript/security/chmod-permissions-typescript.yml at lines 30-31,
the regex pattern for numeric mode is too narrow, only matching exactly "0o777".
Broaden the regex to also match common variants like "0o0777", string literals
such as "777", and decimal forms without the "0o" prefix. Update the regex to
cover these cases while avoiding overly broad matches to reduce false negatives.

rule:
kind: call_expression
any:
- matches: MATCH_CHMOD_777
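Review bot: the argument constraint is `kind: number`, so the suggestion above to also catch the string literal `"777"` cannot work by changing the regex alone: a string literal is a `string` node whose text sits in a `string_fragment` child, so it needs a second `has` branch (`kind: string` with `has: kind: string_fragment, regex: "^0?777$"`), the shape already used in rules/java/security/use-of-md5-java.yml above. The message says applications should not allow write and execution for other users, but the rule only matches exactly `0o777`; modes such as `0o776`, `0o766` and `0o666` also grant write to others, so a regex that requires the last octal digit to be one of 2, 3, 6 or 7 matches the stated intent better than an exact 777. If decimal `777` is added as suggested, the message should say that it sets mode `0o1411`, a different mistake from world-writable but still worth flagging.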