-
-
Notifications
You must be signed in to change notification settings - Fork 109
/
detect-possible-timing-attacks.js
58 lines (51 loc) · 1.8 KB
/
detect-possible-timing-attacks.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
/**
* Looks for potential hotspot string comparisons
* @author Adam Baldwin / Jon Lamendola
*/
'use strict';
//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------
const keywords = `((${['password', 'secret', 'api', 'apiKey', 'token', 'auth', 'pass', 'hash'].join(')|(')}))`;
const re = new RegExp(`^${keywords}$`, 'im');
const containsKeyword = (node) => {
if (node.type === 'Identifier') {
if (re.test(node.name)) {
return true;
}
}
return;
};
module.exports = {
meta: {
type: 'error',
docs: {
description: 'Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially.',
category: 'Possible Security Vulnerability',
recommended: true,
url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-possible-timing-attacks.md',
},
},
create(context) {
return {
IfStatement: function (node) {
if (node.test && node.test.type === 'BinaryExpression') {
if (node.test.operator === '==' || node.test.operator === '===' || node.test.operator === '!=' || node.test.operator === '!==') {
if (node.test.left) {
const left = containsKeyword(node.test.left);
if (left) {
return context.report({ node: node, message: `Potential timing attack, left side: ${left}` });
}
}
if (node.test.right) {
const right = containsKeyword(node.test.right);
if (right) {
return context.report({ node: node, message: `Potential timing attack, right side: ${right}` });
}
}
}
}
},
};
},
};