From f8807c9d0504fa5f429ea6f63e6dc18ffcbb2e2e Mon Sep 17 00:00:00 2001
From: Prabhu Subramanian <prabhu@shiftleft.io>
Date: Wed, 8 Jul 2020 13:35:13 +0100
Subject: [PATCH] vuejs support (#123)

---
 app-build.sh         |   2 +-
 lib/builder.py       |   6 +-
 lib/config.py        |   7 +-
 lib/convert.py       |   6 +-
 lib/utils.py         |   2 +-
 scan                 |   7 +-
 test/data/njs2.json  | 420 +++++++++++++++++++++++++++++++++++++++++++
 test/test_convert.py |  26 +++
 test/test_utils.py   |   4 +
 9 files changed, 470 insertions(+), 10 deletions(-)
 create mode 100644 test/data/njs2.json

diff --git a/app-build.sh b/app-build.sh
index 546aae7..c30bb50 100755
--- a/app-build.sh
+++ b/app-build.sh
@@ -3,7 +3,7 @@
 rm -rf AppDir appimage-builder-cache
 rm *.AppImage*
 mkdir -p appimage-builder-cache
-cp ~/Downloads/runtime-x86_64 appimage-builder-cache/
+wget https://github.com/AppImage/AppImageKit/releases/download/12/runtime-x86_64 -O appimage-builder-cache/runtime-x86_64
 UPDATE_INFO="gh-releases-zsync|ShiftLeftSecurity|sast-scan|latest|*x86_64.AppImage.zsync" appimage-builder --recipe appimage-builder.yml --skip-test
 rm -rf AppDir appimage-builder-cache
 chmod +x *.AppImage
diff --git a/lib/builder.py b/lib/builder.py
index df131bc..c6aa824 100644
--- a/lib/builder.py
+++ b/lib/builder.py
@@ -75,9 +75,9 @@ def auto_build(type_list, src, reports_dir):
                 return ret
         # Look for any _scan function in this module for execution
         try:
-            getattr(sys.modules[__name__], "%s_build" % ptype)(
-                src, reports_dir, lang_tools
-            )
+            dfn = getattr(sys.modules[__name__], "%s_build" % ptype, None)
+            if dfn:
+                dfn(src, reports_dir, lang_tools)
         except Exception:
             continue
     return ret
diff --git a/lib/config.py b/lib/config.py
index c0d6e01..4f94780 100644
--- a/lib/config.py
+++ b/lib/config.py
@@ -75,6 +75,7 @@
     "credscan",
     "depscan",
     "go",
+    "groovy",
     "java",
     "jsp",
     "kotlin",
@@ -100,7 +101,6 @@
     ".mvn",
     ".idea",
     "dist",
-    "bin",
     "obj",
     "backup",
     "docs",
@@ -114,6 +114,9 @@
     ".serverless",
     "venv",
     ".virtualenv",
+    "vendor",
+    "bower_components",
+    ".vscode",
 ]
 
 # Ignore files list
@@ -138,6 +141,8 @@
     ".d.ts",
     ".min.js",
     ".min.css",
+    ".eslintrc.js",
+    ".babelrc.js",
 ]
 
 
diff --git a/lib/convert.py b/lib/convert.py
index d2dffef..92bbed7 100644
--- a/lib/convert.py
+++ b/lib/convert.py
@@ -53,7 +53,7 @@ def tweak_severity(tool_name, issue_dict):
     :return:
     """
     issue_severity = issue_dict["issue_severity"]
-    if tool_name in ["staticcheck", "psalm", "phpstan"]:
+    if tool_name in ["staticcheck", "psalm", "phpstan", "source-js"]:
         if issue_severity in ["HIGH", "CRITICAL"]:
             return "MEDIUM"
         return "LOW"
@@ -188,7 +188,11 @@ def extract_from_file(
                         )
             elif tool_name == "source-js":
                 njs_findings = report_data.get("nodejs", {})
+                njs_findings.update(report_data.get("templates", {}))
                 for k, v in njs_findings.items():
+                    # Password detection by njsscan is full of false positives
+                    if k == "node_password":
+                        continue
                     files = v.get("files", [])
                     metadata = v.get("metadata", {})
                     if not files or not metadata:
diff --git a/lib/utils.py b/lib/utils.py
index 4908eb4..b644b42 100644
--- a/lib/utils.py
+++ b/lib/utils.py
@@ -66,7 +66,7 @@ def is_ignored_file(base_dir, file_name):
         return False
     file_name = file_name.lower()
     extn = "".join(Path(file_name).suffixes)
-    if extn in config.ignore_files:
+    if extn in config.ignore_files or file_name in config.ignore_files:
         return True
     return False
 
diff --git a/scan b/scan
index a92ad3f..0cb9eb6 100755
--- a/scan
+++ b/scan
@@ -181,9 +181,7 @@ def scan(type_list, src, reports_dir, convert, scan_mode, repo_context):
                 else:
                     # Look for any _scan function in this module for execution
                     try:
-                        dfn = getattr(
-                            sys.modules[__name__], "%s_scan" % type_str, None
-                        )
+                        dfn = getattr(sys.modules[__name__], "%s_scan" % type_str, None)
                         if dfn:
                             pool.apply_async(
                                 dfn, (src, reports_dir, convert, repo_context)
@@ -466,7 +464,10 @@ def sec_scan(src, reports_dir, convert, repo_context):
     sec_cmd = "njsscan"
     sec_args = [sec_cmd, *convert_args]
     js_files = utils.find_files(src, ".js")
+    vue_files = utils.find_files(src, ".vue")
     sec_args += js_files
+    if vue_files:
+        sec_args += vue_files
     exec_tool("source-js", sec_args, src)
     if convert:
         crep_fname = utils.get_report_file(
diff --git a/test/data/njs2.json b/test/data/njs2.json
new file mode 100644
index 0000000..09bf8b7
--- /dev/null
+++ b/test/data/njs2.json
@@ -0,0 +1,420 @@
+{
+  "errors": [
+    {
+      "data": {
+        "check_id": "LexicalError",
+        "end": {
+          "col": 26,
+          "line": 1
+        },
+        "extra": {
+          "line": "RedirectMatch 403 (?i).*\\.log$",
+          "message": "Lexical error: unrecognised symbol, in token rule:\\"
+        },
+        "path": ".htaccess",
+        "start": {
+          "col": 25,
+          "line": 1
+        }
+      },
+      "message": "SemgrepCoreRuntimeErrors"
+    },
+    {
+      "data": {
+        "check_id": "LexicalError",
+        "end": {
+          "col": 140,
+          "line": 25
+        },
+        "extra": {
+          "line": "function(a){return a.substr(1).toUpperCase()})}}(),buildStyleHtml:function(a){a=[].concat(a);for(var g,d=[],b=0;b<a.length;b++)if(g=a[b])/@import|[{}]/.test(g)?d.push(\"\\x3cstyle\\x3e\"+g+\"\\x3c/style\\x3e\"):d.push('\\x3clink type\\x3d\"text/css\" rel\\x3dstylesheet href\\x3d\"'+g+'\"\\x3e');return d.join(\"\")},htmlEncode:function(a){return void 0===a||null===a?\"\":String(a).replace(c,\"\\x26amp;\").replace(m,\"\\x26gt;\").replace(h,\"\\x26lt;\")},htmlDecode:function(a){return a.replace(d,g)},htmlEncodeAttr:function(a){return CKEDITOR.tools.htmlEncode(a).replace(l,",
+          "message": "Lexical error: unrecognised symbol, in token rule:@"
+        },
+        "path": "vendor/ckeditor/ckeditor/ckeditor.js",
+        "start": {
+          "col": 139,
+          "line": 25
+        }
+      },
+      "message": "SemgrepCoreRuntimeErrors"
+    },
+    {
+      "data": {
+        "check_id": "LexicalError",
+        "end": {
+          "col": 2,
+          "line": 1
+        },
+        "extra": {
+          "line": "\ufffdPNG\r",
+          "message": "Lexical error: unrecognised symbol, in token rule:\ufffd"
+        },
+        "path": "layouts/resources/Logo/logo",
+        "start": {
+          "col": 1,
+          "line": 1
+        }
+      },
+      "message": "SemgrepCoreRuntimeErrors"
+    },
+    {
+      "data": {
+        "check_id": "LexicalError",
+        "end": {
+          "col": 2,
+          "line": 1
+        },
+        "extra": {
+          "line": "# test directories",
+          "message": "Lexical error: unrecognised symbol, in token rule:#"
+        },
+        "path": "src/.yarnclean",
+        "start": {
+          "col": 1,
+          "line": 1
+        }
+      },
+      "message": "SemgrepCoreRuntimeErrors"
+    }
+  ],
+  "nodejs": {
+    "node_insecure_random_generator": {
+      "files": [
+        {
+          "file_path": "vendor/ckeditor/ckeditor/vendor/promise.js",
+          "match_lines": [
+            7,
+            7
+          ],
+          "match_position": [
+            481,
+            492
+          ],
+          "match_string": "I=void 0,l=function(a,b){q[k]=a;q[k+1]=b;k+=2;2===k&&(I?I(n):Q())},A=(H=\"undefined\"!==typeof window?window:void 0)||{},J=A.MutationObserver||A.WebKitMutationObserver,A=\"undefined\"===typeof self&&\"undefined\"!==typeof process&&\"[object process]\"==={}.toString.call(process),aa=\"undefined\"!==typeof Uint8ClampedArray&&\"undefined\"!==typeof importScripts&&\"undefined\"!==typeof MessageChannel,q=Array(1E3),Q=void 0,Q=A?w():J?S():aa?T():void 0===H&&\"function\"===typeof require?U():C(),z=Math.random().toString(36).substring(2),"
+        },
+        {
+          "file_path": "layouts/resources/app.js",
+          "match_lines": [
+            1087,
+            1087
+          ],
+          "match_position": [
+            35,
+            46
+          ],
+          "match_string": "\t\tWindow.lastModalId = 'modal_' + Math.random().toString(36).substr(2, 9);"
+        },
+        {
+          "file_path": "layouts/resources/Fields.js",
+          "match_lines": [
+            387,
+            387
+          ],
+          "match_position": [
+            33,
+            44
+          ],
+          "match_string": "\t\t\t\tcolor += letters[Math.floor(Math.random() * 16)];"
+        },
+        {
+          "file_path": "layouts/resources/Fields.js",
+          "match_lines": [
+            1033,
+            1033
+          ],
+          "match_position": [
+            28,
+            39
+          ],
+          "match_string": "\t\t\tconst rand = Math.floor(Math.random() * chars.length);"
+        },
+        {
+          "file_path": "layouts/resources/Fields.js",
+          "match_lines": [
+            1044,
+            1044
+          ],
+          "match_position": [
+            5,
+            16
+          ],
+          "match_string": "\t\t\t\tMath.random().toString(36).substr(2, 10) +"
+        },
+        {
+          "file_path": "layouts/resources/Fields.js",
+          "match_lines": [
+            1045,
+            1045
+          ],
+          "match_position": [
+            5,
+            16
+          ],
+          "match_string": "\t\t\t\tMath.random().toString(36).substr(2, 10) +"
+        },
+        {
+          "file_path": "layouts/resources/Fields.js",
+          "match_lines": [
+            1047,
+            1047
+          ],
+          "match_position": [
+            5,
+            16
+          ],
+          "match_string": "\t\t\t\tMath.random().toString(36).substr(2, 6);"
+        },
+        {
+          "file_path": "layouts/basic/modules/OSSPasswords/resources/Edit.js",
+          "match_lines": [
+            84,
+            84
+          ],
+          "match_position": [
+            30,
+            41
+          ],
+          "match_string": "\t\t\tvar passlength = parseInt(Math.random() * (max - min) + min);"
+        },
+        {
+          "file_path": "layouts/basic/modules/OSSPasswords/resources/Edit.js",
+          "match_lines": [
+            88,
+            88
+          ],
+          "match_position": [
+            30,
+            41
+          ],
+          "match_string": "\t\t\t\tvar charIndex = parseInt(Math.random() * chArray.length);"
+        },
+        {
+          "file_path": "vendor/ckeditor/ckeditor/plugins/image2/dialogs/image2.js",
+          "match_lines": [
+            6,
+            6
+          ],
+          "match_position": [
+            24,
+            35
+          ],
+          "match_string": "(w.baseHref||\"\")+q+\"?\"+Math.random().toString(16).substring(2))}}function F(){var a=this.getValue();t(!1);a!==x.data.src?(G(a,function(a,b,c){t(!0);if(!a)return m(!1);g.setValue(!1===f.config.image2_prefillDimensions?0:b);h.setValue(!1===f.config.image2_prefillDimensions?0:c);u=k=b;v=l=c;m(H.checkHasNaturalRatio(a))}),n=!0):n?(t(!0),g.setValue(k),h.setValue(l),n=!1):t(!0)}function I(){if(e){var a=this.getValue();if(a&&(a.match(D)||m(!1),\"0\"!==a)){var b=\"width\"==this.id,c=k||u,d=l||v,a=b?Math.round(a/"
+        }
+      ],
+      "metadata": {
+        "cwe": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
+        "description": "crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.",
+        "owasp": "A9: Using Components with Known Vulnerabilities",
+        "severity": "WARNING"
+      }
+    },
+    "node_password": {
+      "files": [
+        {
+          "file_path": "layouts/basic/modules/OSSPasswords/resources/Edit.js",
+          "match_lines": [
+            74,
+            74
+          ],
+          "match_position": [
+            4,
+            21
+          ],
+          "match_string": "\t\t\tvar password = ''; // variable holding new password"
+        }
+      ],
+      "metadata": {
+        "cwe": "CWE-798: Use of Hard-coded Credentials",
+        "description": "A hardcoded password in plain text is identified. Store it properly in an environment variable.",
+        "owasp": "A3: Sensitive Data Exposure",
+        "severity": "ERROR"
+      }
+    },
+    "node_timing_attack": {
+      "files": [
+        {
+          "file_path": "layouts/resources/fields/MultiImage.js",
+          "match_lines": [
+            155,
+            156
+          ],
+          "match_position": [
+            4,
+            16
+          ],
+          "match_string": "\t\t\tif (file.hash === hash) {\n\n\t\t\t\treturn file;"
+        },
+        {
+          "file_path": "layouts/resources/fields/MultiImage.js",
+          "match_lines": [
+            767,
+            768
+          ],
+          "match_position": [
+            4,
+            25
+          ],
+          "match_string": "\t\t\tif (file.hash === hash) {\n\n\t\t\t\ttemplate += ` active`;"
+        },
+        {
+          "file_path": "install/tpl/resources/Index.js",
+          "match_lines": [
+            177,
+            178
+          ],
+          "match_position": [
+            5,
+            22
+          ],
+          "match_string": "\t\t\t\tif (password !== element.val()) {\n\n\t\t\t\t\tsetPasswordError();"
+        },
+        {
+          "file_path": "layouts/basic/modules/OSSPasswords/resources/Edit.js",
+          "match_lines": [
+            20,
+            37
+          ],
+          "match_position": [
+            5,
+            44
+          ],
+          "match_string": "\t\t\t\tif (password === '**********') {\n\n\t\t\t\t\tparams = {};\n\n\t\t\t\t\tparams.data = {\n\n\t\t\t\t\t\tmodule: 'OSSPasswords',\n\n\t\t\t\t\t\taction: 'GetPass',\n\n\t\t\t\t\t\trecord: id\n\n\t\t\t\t\t};\n\n\t\t\t\t\tparams.async = false;\n\n\t\t\t\t\tAppConnector.request(params).done(function (data) {\n\n\t\t\t\t\t\tvar response = data['result'];\n\n\t\t\t\t\t\tif (response['success']) {\n\n\t\t\t\t\t\t\tvar el = document.getElementById('OSSPasswords_editView_fieldName_password');\n\n\t\t\t\t\t\t\tel.value = response['password'];\n\n\t\t\t\t\t\t\tel.onchange();\n\n\t\t\t\t\t\t}\n\n\t\t\t\t\t});\n\n\t\t\t\t\t// validate password\n\n\t\t\t\t\tPasswordHelper.passwordStrength('', '');"
+        },
+        {
+          "file_path": "layouts/basic/modules/OSSPasswords/resources/gen_pass.js",
+          "match_lines": [
+            11,
+            12
+          ],
+          "match_position": [
+            3,
+            88
+          ],
+          "match_string": "\t\tif (password == '')\n\n\t\t\tpassword = document.getElementById('OSSPasswords_editView_fieldName_password').value;"
+        },
+        {
+          "file_path": "layouts/basic/modules/OSSPasswords/resources/gen_pass.js",
+          "match_lines": [
+            50,
+            62
+          ],
+          "match_position": [
+            3,
+            95
+          ],
+          "match_string": "\t\tif (password == '') {\n\n\t\t\tdocument.getElementById('passwordDescription').innerHTML = app.vtranslate(\n\n\t\t\t\t'Enter the password'\n\n\t\t\t);\n\n\t\t\tdocument.getElementById('passwordStrength').className = 'input-group-text strength0';\n\n\t\t} else if (password == '**********') {\n\n\t\t\tdocument.getElementById('passwordDescription').innerHTML = app.vtranslate(\n\n\t\t\t\t'Password is hidden'\n\n\t\t\t);\n\n\t\t\tdocument.getElementById('passwordStrength').className = 'input-group-text strength0';\n\n\t\t} else {\n\n\t\t\tdocument.getElementById('passwordDescription').innerHTML = desc[score];\n\n\t\t\tdocument.getElementById('passwordStrength').className = 'input-group-text strength' + score;"
+        },
+        {
+          "file_path": "layouts/basic/modules/OSSPasswords/resources/gen_pass.js",
+          "match_lines": [
+            55,
+            62
+          ],
+          "match_position": [
+            10,
+            95
+          ],
+          "match_string": "\t\t} else if (password == '**********') {\n\n\t\t\tdocument.getElementById('passwordDescription').innerHTML = app.vtranslate(\n\n\t\t\t\t'Password is hidden'\n\n\t\t\t);\n\n\t\t\tdocument.getElementById('passwordStrength').className = 'input-group-text strength0';\n\n\t\t} else {\n\n\t\t\tdocument.getElementById('passwordDescription').innerHTML = desc[score];\n\n\t\t\tdocument.getElementById('passwordStrength').className = 'input-group-text strength' + score;"
+        },
+        {
+          "file_path": "layouts/basic/modules/OSSPasswords/resources/zClipDetailView.js",
+          "match_lines": [
+            12,
+            13
+          ],
+          "match_position": [
+            3,
+            26
+          ],
+          "match_string": "\t\tif (password === '') {\n\n\t\t\tpassword = element.val();"
+        }
+      ],
+      "metadata": {
+        "cwe": "CWE-208: Observable Timing Discrepancy",
+        "description": "String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/",
+        "owasp": "A9: Using Components with Known Vulnerabilities",
+        "severity": "WARNING"
+      }
+    }
+  },
+  "templates": {
+    "vue_template": {
+      "files": [
+        {
+          "file_path": "src/layouts/resources/views/KnowledgeBase/KnowledgeBase.vue",
+          "match_position": [
+            4242,
+            4288
+          ],
+          "match_string": "v-html=\"translate('JS_FULL_TEXT_SEARCH_INFO')\""
+        },
+        {
+          "file_path": "src/layouts/resources/views/KnowledgeBase/components/ArticlesList.vue",
+          "match_position": [
+            1948,
+            1983
+          ],
+          "match_string": "v-html=\"props.row.assigned_user_id\""
+        },
+        {
+          "file_path": "src/layouts/resources/views/KnowledgeBase/components/ArticlePreviewContent.vue",
+          "match_position": [
+            5252,
+            5282
+          ],
+          "match_string": "v-html=\"relatedRecord.comment\""
+        },
+        {
+          "file_path": "src/layouts/resources/views/KnowledgeBase/components/ArticlePreviewContent.vue",
+          "match_position": [
+            3952,
+            4032
+          ],
+          "match_string": "v-html=\"typeof record.content === 'object' ? record.content[0] : record.content\""
+        },
+        {
+          "file_path": "src/layouts/resources/views/KnowledgeBase/components/ArticlePreviewContent.vue",
+          "match_position": [
+            725,
+            749
+          ],
+          "match_string": "v-html=\"record.category\""
+        },
+        {
+          "file_path": "src/layouts/resources/views/KnowledgeBase/components/Carousel.vue",
+          "match_position": [
+            670,
+            684
+          ],
+          "match_string": "v-html=\"slide\""
+        },
+        {
+          "file_path": "src/layouts/basic/modules/Chat/components/ChatPanelRight.vue",
+          "match_position": [
+            3714,
+            3744
+          ],
+          "match_string": "v-html=\"participant.role_name\""
+        },
+        {
+          "file_path": "src/layouts/basic/modules/Chat/components/ChatPanelRight.vue",
+          "match_position": [
+            3969,
+            3997
+          ],
+          "match_string": "v-html=\"participant.message\""
+        }
+      ],
+      "metadata": {
+        "cwe": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+        "description": "The Vue.js template has an unescaped variable. Untrusted user input passed to this variable results in Cross Site Scripting (XSS).",
+        "id": "vue_template",
+        "input_case": "exact",
+        "owasp": "A1: Injection",
+        "pattern": "v-html=[\\'|\"].+[\\'|\"]",
+        "severity": "ERROR",
+        "type": "Regex"
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/test/test_convert.py b/test/test_convert.py
index b458f09..d3c41c1 100644
--- a/test/test_convert.py
+++ b/test/test_convert.py
@@ -610,6 +610,32 @@ def test_njsscan_extract_issue():
         "filename": "/Users/prabhu/work/NodeGoat/app/routes/index.js",
         "issue_confidence": "HIGH",
     }
+    issues, metrics, skips = convertLib.extract_from_file(
+        "source-js",
+        [],
+        Path(__file__).parent,
+        Path(__file__).parent / "data" / "njs2.json",
+    )
+    assert issues
+    assert len(issues) == 26
+    assert issues[0] == {
+        "rule_id": "a9-usingcomponentswithknownvulnerabilities",
+        "title": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
+        "description": "crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.",
+        "severity": "WARNING",
+        "line_number": 7,
+        "filename": "vendor/ckeditor/ckeditor/vendor/promise.js",
+        "issue_confidence": "HIGH",
+    }
+    assert issues[-1] == {
+        "rule_id": "a1-injection",
+        "title": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+        "description": "The Vue.js template has an unescaped variable. Untrusted user input passed to this variable results in Cross Site Scripting (XSS).",
+        "severity": "ERROR",
+        "line_number": 0,
+        "filename": "src/layouts/basic/modules/Chat/components/ChatPanelRight.vue",
+        "issue_confidence": "HIGH",
+    }
 
 
 def test_convert_dataflow():
diff --git a/test/test_utils.py b/test/test_utils.py
index f0fe773..73e20b1 100644
--- a/test/test_utils.py
+++ b/test/test_utils.py
@@ -62,3 +62,7 @@ def test_filter_ignored_files():
     assert d
     d = utils.is_ignored_file("", "bar.min.css")
     assert d
+    d = utils.is_ignored_file("", ".babelrc.js")
+    assert d
+    d = utils.is_ignored_file("", ".eslintrc.js")
+    assert d