ajinabraham.njsscan.sequelize_tls.sequelize_tls

The Sequelize connection string indicates that the database server does not use TLS. Non-TLS connections are susceptible to man-in-the-middle (MITM) attacks.
Definition
rules:
  - id: sequelize_tls
    message: >
      The Sequelize connection string indicates that database server does not
      use TLS. Non TLS connections are susceptible to man in the middle (MITM)
      attacks.
    languages:
      - javascript
    severity: WARNING
    metadata:
      owasp-web: a6
      cwe: cwe-319
      license: LGPL-3.0-or-later
    patterns:
      - pattern: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: $DIALECT
          }
      - pattern-not: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: "postgres",
            dialectOptions: {
              ssl: true
            }
          }
      - pattern-not: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: $DIALECT,
            dialectOptions: {
              ssl: { ... }
            }
          }
      - metavariable-regex:
          metavariable: $DIALECT
          regex: "['\"](mariadb|mysql|postgres|oracle)['\"]"
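As an added example that is not part of the njsscan rule page or of Sequelize itself: the two option shapes the rule distinguishes, written out as plain objects, plus a small JavaScript checker that applies the rule's matching logic to a Sequelize options object at runtime. The hostname, database name, and the checker functions are constructed for this illustration. The checker follows the rule literally: `ssl: true` is only accepted for `postgres`, any `ssl` object is accepted for the listed network dialects, and `sqlite` is out of scope because it is a local file.

```javascript
// Added example, not code from njsscan or Sequelize. It mirrors the
// sequelize_tls rule's patterns on plain objects and adds the stricter
// certificate-verification check a defender usually wants on top.

// Constructed sample: flagged by the rule (network dialect, no dialectOptions.ssl).
const insecureOptions = {
  host: "db.example.internal", // placeholder hostname
  database: "app",
  dialect: "postgres",
};

// Constructed sample: passes the rule and also verifies the server certificate.
const secureOptions = {
  host: "db.example.internal",
  database: "app",
  dialect: "postgres",
  dialectOptions: {
    ssl: {
      require: true,
      rejectUnauthorized: true, // verify the server certificate, do not merely encrypt
    },
  },
};

// Dialects named in the rule's metavariable-regex; sqlite is local and exempt.
const NETWORK_DIALECTS = new Set(["mariadb", "mysql", "postgres", "oracle"]);

// Returns null when the options satisfy the rule, otherwise a finding string.
function checkSequelizeTls(options) {
  if (!options || typeof options !== "object") {
    return "options must be an object";
  }
  const { host, database, dialect, dialectOptions } = options;
  // The base pattern needs host, database and dialect present together.
  if (host === undefined || database === undefined || dialect === undefined) {
    return null;
  }
  // metavariable-regex: only the listed network dialects are in scope.
  if (!NETWORK_DIALECTS.has(dialect)) return null;
  const ssl = dialectOptions ? dialectOptions.ssl : undefined;
  // First pattern-not: postgres with `ssl: true`.
  if (dialect === "postgres" && ssl === true) return null;
  // Second pattern-not: any in-scope dialect with an `ssl` object, whatever it contains.
  if (ssl !== null && typeof ssl === "object") return null;
  return `sequelize_tls: ${dialect} connection to ${host} does not configure TLS (CWE-319)`;
}

// Stricter check than the rule: an `ssl` object that disables certificate
// verification encrypts the link but still lets an active MITM impersonate
// the server. Node's TLS default is to verify, so only an explicit `false` fails.
function verifiesServerCert(options) {
  const ssl = options && options.dialectOptions && options.dialectOptions.ssl;
  if (!ssl || typeof ssl !== "object") return false;
  return ssl.rejectUnauthorized !== false;
}

// Stand-alone usage: report on both constructed samples.
for (const [name, opts] of [["insecure", insecureOptions], ["secure", secureOptions]]) {
  console.log(name, "rule:", checkSequelizeTls(opts) ?? "ok",
              "| verifies cert:", verifiesServerCert(opts));
}
```

The second function is the caveat worth remembering about this rule: it is a presence check, so `dialectOptions: { ssl: { rejectUnauthorized: false } }` is not reported even though the client will accept any certificate. Pair the rule with a review of the `ssl` object's contents, or with a separate pattern for `rejectUnauthorized: false`.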
Short Link: https://sg.run/dg16