ajinabraham.njsscan.database.sequelize_tls.sequelize_tls


The Sequelize connection string indicates that the database server does not use TLS. Non-TLS connections are susceptible to man-in-the-middle (MITM) attacks, since an attacker on the network path can read or alter the traffic between the application and the database.

Definition

rules:
  - id: sequelize_tls
    message: >
      The Sequelize connection string indicates that database server does not
      use TLS. Non TLS connections are susceptible to man in the middle (MITM)
      attacks.
    languages:
      - javascript
    severity: WARNING
    metadata:
      owasp-web: a6
      cwe: cwe-319
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
    patterns:
      - pattern: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: $DIALECT
          }
      - pattern-not: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: "postgres",
            dialectOptions: {
                ssl: true
            }
          }
      - pattern-not: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: $DIALECT,
            dialectOptions: {
              ssl: { ... }
            }
          }
      - metavariable-regex:
          metavariable: $DIALECT
          regex: "['\"](mariadb|mysql|postgres|oracle)['\"]"
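As an added example (not code from njsscan or the Semgrep registry), the rule's decision is approximated in plain JavaScript and applied to constructed Sequelize option objects, so the reported and accepted configurations can be compared side by side. The function name `flaggedBySequelizeTls`, the hostnames and the placeholder CA are assumptions; the `ssl` keys are the Node tls options Sequelize passes through `dialectOptions`.

```javascript
// Added example, not code from njsscan or the Semgrep registry. It approximates
// the sequelize_tls rule in plain JavaScript so the accepted and rejected
// configurations can be compared without a database or Semgrep installed.

// Mirrors the rule's metavariable-regex on $DIALECT (the quotes are dropped
// because we test the runtime string, not the source literal).
const NETWORK_DIALECTS = /^(mariadb|mysql|postgres|oracle)$/;

// Returns true when a Sequelize options object would be reported by the rule.
function flaggedBySequelizeTls(options) {
  // Pattern: an object with host, database and a network dialect.
  if (typeof options.host !== 'string' || typeof options.database !== 'string') return false;
  if (!NETWORK_DIALECTS.test(String(options.dialect))) return false; // e.g. sqlite is out of scope
  const ssl = options.dialectOptions && options.dialectOptions.ssl;
  // First pattern-not: only postgres is excused by a bare `ssl: true`.
  if (options.dialect === 'postgres' && ssl === true) return false;
  // Second pattern-not: any network dialect with an ssl options object.
  if (ssl !== null && typeof ssl === 'object') return false;
  return true;
}

// Constructed sample the rule reports: no dialectOptions.ssl at all.
const insecureConfig = {
  host: 'db.example.internal',
  database: 'orders',
  dialect: 'postgres',
};

// Constructed sample the rule accepts. The ssl keys are the Node tls options
// Sequelize hands to the driver; keeping rejectUnauthorized true and pinning
// the issuing CA is what actually defeats the MITM the rule warns about.
const hardenedConfig = {
  host: 'db.example.internal',
  database: 'orders',
  dialect: 'postgres',
  dialectOptions: {
    ssl: {
      require: true,
      rejectUnauthorized: true,
      ca: '<placeholder: PEM of the CA that issued the server certificate>',
    },
  },
};

console.log('insecure flagged:', flaggedBySequelizeTls(insecureConfig)); // true
console.log('hardened flagged:', flaggedBySequelizeTls(hardenedConfig)); // false
```

Note that a bare `ssl: true` only satisfies the first pattern-not when the dialect is `"postgres"`; the same key on a `mysql` configuration is still reported because neither exclusion matches it.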