updated minor version to 1.6.0
webschik committed Oct 9, 2018
1 parent 85eb9ee commit a0cb1cb
Showing 3 changed files with 20 additions and 25 deletions.
2 changes: 1 addition & 1 deletion npm-shrinkwrap.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "tslint-config-security",
"version": "1.5.0",
"version": "1.6.0",
"description": "TSLint security rules",
"main": "./index.js",
"scripts": {
41 changes: 18 additions & 23 deletions src/rules/tsrDetectPossibleTimingAttacksRule.ts
@@ -1,18 +1,12 @@
import * as ts from 'typescript';
import * as Lint from 'tslint';

const keywordMask = new RegExp('^.*((' + [
'password',
'secret',
'api',
'apiKey',
'token',
'auth',
'pass',
'hash'
].join(')|(') + ')).*$', 'im');
const keywordMask = new RegExp(
'^.*((' + ['password', 'secret', 'api', 'apiKey', 'token', 'auth', 'pass', 'hash'].join(')|(') + ')).*$',
'im'
);

function containsKeyword (node: ts.Expression): boolean {
function containsKeyword(node: ts.Expression): boolean {
switch (node.kind) {
case ts.SyntaxKind.CallExpression:
return containsKeywordCallExpression(node as ts.CallExpression);
Expand All @@ -27,24 +21,24 @@ function containsKeyword (node: ts.Expression): boolean {
}
}

function containsKeywordCallExpression (node: ts.CallExpression) {
function containsKeywordCallExpression(node: ts.CallExpression) {
return containsKeyword(node.expression);
}

function containsKeywordElementAccessExpression (node: ts.ElementAccessExpression) {
function containsKeywordElementAccessExpression(node: ts.ElementAccessExpression) {
if (node.argumentExpression.kind === ts.SyntaxKind.StringLiteral) {
const argumentExpression = (node.argumentExpression as ts.StringLiteral);
const argumentExpression = node.argumentExpression as ts.StringLiteral;
return containsKeyword(node.expression) || Boolean(keywordMask.test(argumentExpression.text));
} else {
return containsKeyword(node.expression) || containsKeyword(node.argumentExpression);
}
}

function containsKeywordIdentifier (node: ts.Identifier) {
function containsKeywordIdentifier(node: ts.Identifier) {
return Boolean(keywordMask.test(node.text));
}

function containsKeywordPropertyAccessExpression (node: ts.PropertyAccessExpression) {
function containsKeywordPropertyAccessExpression(node: ts.PropertyAccessExpression) {
return containsKeyword(node.expression) || containsKeyword(node.name);
}

Expand All @@ -65,15 +59,15 @@ function isVulnerableType(node: ts.Expression): boolean {
}
}

function isVulnerableCallExpression (node: ts.CallExpression) {
function isVulnerableCallExpression(node: ts.CallExpression) {
return isVulnerableType(node.expression);
}

function isVulnerableElementAccessExpression (node: ts.ElementAccessExpression) {
function isVulnerableElementAccessExpression(node: ts.ElementAccessExpression) {
return isVulnerableType(node.expression) || isVulnerableType(node.argumentExpression);
}

function isVulnerablePropertyAccessExpression (node: ts.PropertyAccessExpression) {
function isVulnerablePropertyAccessExpression(node: ts.PropertyAccessExpression) {
return isVulnerableType(node.expression) || isVulnerableType(node.name);
}

Expand All @@ -84,14 +78,15 @@ export class Rule extends Lint.Rules.AbstractRule {
}

class RuleWalker extends Lint.RuleWalker {
visitBinaryExpression (node: ts.BinaryExpression) {
visitBinaryExpression(node: ts.BinaryExpression) {
const operatorTokenKind = node.operatorToken.kind;

if (operatorTokenKind === ts.SyntaxKind.EqualsEqualsToken ||
if (
operatorTokenKind === ts.SyntaxKind.EqualsEqualsToken ||
operatorTokenKind === ts.SyntaxKind.EqualsEqualsEqualsToken ||
operatorTokenKind === ts.SyntaxKind.ExclamationEqualsToken ||
operatorTokenKind === ts.SyntaxKind.ExclamationEqualsEqualsToken) {

operatorTokenKind === ts.SyntaxKind.ExclamationEqualsEqualsToken
) {
if (isVulnerableType(node.left) && isVulnerableType(node.right)) {
if (containsKeyword(node.left)) {
this.addFailureAtNode(node, 'Potential timing attack on the left side of expression');
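Review bot: The keyword list on the reformatted `keywordMask` line still carries alternatives that can never match on their own: `apiKey` is already covered by `api` and `password` by `pass`, and because the pattern is wrapped in `^.*(…).*$` with the `i` flag it is simply an unanchored, case-insensitive substring test, so the `.*` padding and the `m` flag add nothing. An equivalent, easier-to-audit form is `const keywordMask = /secret|api|token|auth|pass|hash/i;`. Because it is a substring match, identifiers such as `author`, `compass` or `hashtag` also trigger the rule; a comment above the constant such as `// Case-insensitive substring match: identifiers like "author" or "compass" are flagged as well (deliberately broad)` would make that trade-off explicit for the next maintainer. The `Boolean(keywordMask.test(...))` wrappers in `containsKeywordElementAccessExpression` and `containsKeywordIdentifier` wrap a value that `RegExp.prototype.test` already returns as a boolean and can be dropped. The `visitBinaryExpression` body continues past the end of this hunk, so whether traversal continues via `super.visitBinaryExpression(node)` cannot be checked here.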
