javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls

profile photo of semgrepsemgrep
Author
4,562
Download Count*

If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set "ssl: true" or define settings "ssl: {...}"

Run Locally

Run in CI

Defintion

rules:
  - id: sequelize-enforce-tls
    message: 'If TLS is disabled on server side (Postgresql server), Sequelize
      establishes connection without TLS and no error will be thrown. To prevent
      MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set
      "ssl: true" or define settings "ssl: {...}"'
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      references:
        - https://node-postgres.com/features/ssl
        - https://nodejs.org/api/tls.html#tls_class_tls_tlssocket
        - https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
        - https://nodejs.org/api/tls.html#tls_tls_default_min_version
      category: security
      technology:
        - sequelize
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: $DIALECT
           }
      - pattern-not: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: "postgres",
            dialectOptions: {
                ssl: true
            }
          }
      - pattern-not: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: $DIALECT,
            dialectOptions: {
              ssl: { ... }
            }
          }
      - metavariable-regex:
          metavariable: $DIALECT
          regex: "['\"](mariadb|mysql|postgres)['\"]"

Examples

sequelize-enforce-tls.js

module.exports = {
  // ruleid: sequelize-enforce-tls
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "postgres",
    host: "127.0.0.1"
  }
};

module.exports = {
  // ruleid: sequelize-enforce-tls
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "mariadb",
    host: "127.0.0.1"
  }
};

module.exports = {
  // ruleid: sequelize-enforce-tls
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "mysql",
    host: "127.0.0.1"
  }
};

module.exports = {
  // ok: sequelize-enforce-tls
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "postgres",
    host: "127.0.0.1",
    dialectOptions: {
      ssl: {
        minVersion: 'TLSv1.3'
      }
    }
  }
};

module.exports = {
  // ok: sequelize-enforce-tls
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "postgres",
    host: "127.0.0.1",
    dialectOptions: {
      ssl: true
    }
  }
};

module.exports = {
  // ruleid: sequelize-enforce-tls
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "postgres",
    host: "127.0.0.1",
    dialectOptions: {
      ssl: false
    }
  }
};