Update Semgrep, Max File Size, and Sequelize rules (#58)

* Bump Semgrep version to 0.45
* Update Max Scan file size from 25 to 5 MB.
* Added New Sequelize Rules from Semgrep, contributed by @0xdbe
```
 sequelize_tls
 sequelize_tls_cert_validation
 sequelize_weak_tls
```

njsscan/__init__.py

@@ -6,7 +6,7 @@
 __title__ = 'njsscan'
 __authors__ = 'Ajin Abraham'
 __copyright__ = f'Copyright {datetime.now().year} Ajin Abraham, OpenSecurity'
-__version__ = '0.2.3'
+__version__ = '0.2.4'
 __version_info__ = tuple(int(i) for i in __version__.split('.'))
 __all__ = [
     '__title__',

njsscan/rules/semantic_grep/database/sequelize_tls.yaml

@@ -0,0 +1,41 @@
+# Source: https://github.com/returntocorp/semgrep-rules/blob/develop/javascript/sequelize/security/audit/sequelize-enforce-tls.yaml
+rules:
+  - id: sequelize_tls
+    message: >
+      The Sequelize connection string indicates that database server does not use
+      TLS. Non TLS connections are susceptible to man in the
+      middle (MITM) attacks.
+    languages:
+      - javascript
+    severity: WARNING
+    metadata:
+      owasp: 'A6: 2017-Security Misconfiguration'
+      cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
+    patterns:
+      - pattern: |
+          {
+            host: $HOST,
+            database: $DATABASE,
+            dialect: $DIALECT
+           }
+      - pattern-not: |
+          {
+            host: $HOST,
+            database: $DATABASE,
+            dialect: "postgres",
+            dialectOptions: {
+                ssl: true
+            }
+          }
+      - pattern-not: |
+          {
+            host: $HOST,
+            database: $DATABASE,
+            dialect: $DIALECT,
+            dialectOptions: {
+              ssl: { ... }
+            }
+          }
+      - metavariable-regex:
+          metavariable: $DIALECT
+          regex: '[''"](mariadb|mysql|postgres)[''"]'

njsscan/rules/semantic_grep/database/sequelize_tls_validation.yaml

@@ -0,0 +1,31 @@
+# Source: https://github.com/returntocorp/semgrep-rules/blob/develop/javascript/sequelize/security/audit/sequelize-tls-disabled-cert-validation.yaml
+rules:
+  - id: sequelize_tls_cert_validation
+    message: >
+      The Sequelize connection string indicates that TLS certificate vailidation
+      of database server is disabled. This is equivalent to not having TLS. An
+      attacker can present any invalid certificate and Sequelize will make
+      database connection ignoring certificate errors. This setting make the
+      connection susceptible to man in the middle (MITM) attacks. Not
+      applicable to SQLite database.
+    severity: ERROR
+    languages:
+      - javascript
+    metadata:
+      owasp: 'A6: 2017-Security Misconfiguration'
+      cwe: 'CWE-295: Improper Certificate Validation'
+    patterns:
+      - pattern: |
+          {
+            host: $HOST,
+            database: $DATABASE,
+            dialect: $DIALECT,
+            dialectOptions: {
+              ssl: {
+                rejectUnauthorized: false
+              }
+            }
+           }
+      - metavariable-regex:
+          metavariable: $DIALECT
+          regex: '[''"](mariadb|mysql|postgres)[''"]'

njsscan/rules/semantic_grep/database/sequelize_weak_tls.yaml

@@ -0,0 +1,37 @@
+# Source: https://github.com/returntocorp/semgrep-rules/blob/develop/javascript/sequelize/security/audit/sequelize-weak-tls-version.yaml
+rules:
+  - id: sequelize_weak_tls
+    message: >
+      The Sequelize connection string indicates that an older version of TLS is
+      in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default,
+      Sequelize use TLSv1.2 but it's recommended to use TLS1.3. Not applicable
+      to SQLite database.
+    metadata:
+      owasp: 'A6: 2017-Security Misconfiguration'
+      cwe: >-
+        CWE-757: Selection of Less-Secure Algorithm During Negotiation
+        ('Algorithm Downgrade')
+    severity: ERROR
+    languages:
+      - javascript
+    patterns:
+      - pattern-inside: |
+          {
+            host: $HOST,
+            database: $DATABASE,
+            dialect: $DIALECT,
+            dialectOptions:
+              { ssl: ... }
+           }
+      - pattern-either:
+          - pattern: |
+              {
+                minVersion: 'TLSv1'
+              }
+          - pattern: |
+              {
+                minVersion: 'TLSv1.1'
+              }
+      - metavariable-regex:
+          metavariable: $DIALECT
+          regex: '[''"](mariadb|mysql|postgres)[''"]'

setup.py

@@ -49,7 +49,7 @@ def get_version(rel_path):
     long_description_content_type='text/markdown',
     install_requires=[
         'colorama>=0.4.3',
-        'libsast>=1.3.9',
+        'libsast>=1.4.0',
         'sarif-om>=1.0.4',
         'jschema-to-python>=1.2.3',
         'tabulate>=0.8.7',

tests/assets/node_source/true_negatives/safe_sequelize_strong_tls.js

@@ -0,0 +1,26 @@
+module.exports = {
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "postgres",
+    host: "127.0.0.1",
+    dialectOptions: {
+    // ok: sequelize_weak_tls
+    ssl: {
+        minVersion: 'TLSv1.2'
+    }
+    }
+}
+};
+// ok: sequelize_weak_tls
+module.exports = {
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "postgres",
+    host: "127.0.0.1",
+    dialectOptions: {
+        ssl: true
+    }
+}
+};

tests/assets/node_source/true_negatives/safe_sequelize_tls.js

@@ -0,0 +1,27 @@
+module.exports = {
+// ok: sequelize_tls
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "postgres",
+    host: "127.0.0.1",
+    dialectOptions: {
+    ssl: {
+        minVersion: 'TLSv1.3'
+    }
+    }
+}
+};
+
+module.exports = {
+// ok: sequelize_tls
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "postgres",
+    host: "127.0.0.1",
+    dialectOptions: {
+    ssl: true
+    }
+}
+};

tests/assets/node_source/true_negatives/safe_sequelize_tls_validation.js

@@ -0,0 +1,14 @@
+// Example for postgresql
+module.exports = {
+
+  // ok: sequelize_tls_cert_validation
+  dev: {
+    username: "0xdbe",
+    database: "app_db",
+    dialect: "postgres",
+    host: "127.0.0.1",
+    dialectOptions: {
+      ssl: true
+      }
+  }
+};

tests/assets/node_source/true_positives/sequelize_tls.js

@@ -0,0 +1,42 @@
+module.exports = {
+    // ruleid: sequelize_tls
+    local: {
+      username: "AppUser",
+      database: "AppDb",
+      dialect: "postgres",
+      host: "127.0.0.1"
+    }
+  };
+
+module.exports = {
+// ruleid: sequelize_tls
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "mariadb",
+    host: "127.0.0.1"
+}
+};
+
+module.exports = {
+// ruleid: sequelize_tls
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "mysql",
+    host: "127.0.0.1"
+}
+};
+
+module.exports = {
+// ruleid: sequelize_tls
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "postgres",
+    host: "127.0.0.1",
+    dialectOptions: {
+    ssl: false
+    }
+}
+};

tests/assets/node_source/true_positives/sequelize_tls_validation.js

@@ -0,0 +1,51 @@
+// Example for mysql
+module.exports = {
+
+// ruleid: sequelize_tls_cert_validation
+dev: {
+    username: "0xdbe",
+    database: "app_db",
+    dialect: "mariadb",
+    host: "127.0.0.1",
+    dialectOptions: {
+    ssl: {
+        rejectUnauthorized: false
+    }
+    }
+}
+};
+// Example for mysql
+module.exports = {
+
+// ruleid: sequelize_tls_cert_validation
+dev: {
+    username: "0xdbe",
+    database: "app_db",
+    dialect: "mysql",
+    host: "127.0.0.1",
+    dialectOptions: {
+    ssl: {
+        rejectUnauthorized: false
+    }
+    }
+}
+};
+
+
+// Example for postgresql
+module.exports = {
+
+// ruleid: sequelize_tls_cert_validation
+dev: {
+    username: "0xdbe",
+    database: "app_db",
+    dialect: "postgres",
+    host: "127.0.0.1",
+    dialectOptions: {
+    ssl: {
+        rejectUnauthorized: false
+    }
+    }
+}
+};
+

tests/assets/node_source/true_positives/sequelize_weak_tls.js

@@ -0,0 +1,60 @@
+module.exports = {
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "postgres",
+    host: "127.0.0.1",
+    dialectOptions: {
+    // ruleid: sequelize_weak_tls
+    ssl: {
+        minVersion: 'TLSv1'
+    }
+    }
+}
+};
+
+module.exports = {
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "postgres",
+    host: "127.0.0.1",
+    dialectOptions: {
+    // ruleid: sequelize_weak_tls
+    ssl: {
+        minVersion: 'TLSv1.1'
+    }
+    }
+}
+};
+
+module.exports = {
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "mysql",
+    host: "127.0.0.1",
+    dialectOptions: {
+    // ruleid: sequelize_weak_tls
+    ssl: {
+        minVersion: 'TLSv1.1'
+    }
+    }
+}
+};
+
+module.exports = {
+local: {
+    username: "AppUser",
+    database: "AppDb",
+    dialect: "mariadb",
+    host: "127.0.0.1",
+    dialectOptions: {
+    // ruleid: sequelize_weak_tls
+    ssl: {
+        minVersion: 'TLSv1.1'
+    }
+    }
+}
+};
+

tests/unit/test_nodejs.py

@@ -109,6 +109,9 @@
     'playwright_ssrf': 5,
     'express_lfr': 1,
     'express_lfr_warning': 1,
+    'sequelize_tls': 4,
+    'sequelize_tls_cert_validation': 3,
+    'sequelize_weak_tls': 4,
 }
 CONTROLS = {
     'anti_csrf_control': 0,