javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls
If TLS is disabled on the server side (PostgreSQL server), Sequelize establishes the connection without TLS and no error will be thrown. To prevent MITM (man-in-the-middle) attacks, TLS must be enforced by Sequelize. Set "ssl: true" or define settings "ssl: {...}"
Definition
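rules:
  - id: sequelize-enforce-tls
    # Message fix: the acronym is MITM (man-in-the-middle), and TLS is "enforced".
    message: 'If TLS is disabled on the server side (PostgreSQL server), Sequelize
      establishes the connection without TLS and no error will be thrown. To prevent
      MITM (man-in-the-middle) attacks, TLS must be enforced by Sequelize. Set
      "ssl: true" or define settings "ssl: {...}"'
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      references:
        - https://node-postgres.com/features/ssl
        - https://nodejs.org/api/tls.html#tls_class_tls_tlssocket
        - https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
        - https://nodejs.org/api/tls.html#tls_tls_default_min_version
      category: security
      technology:
        - sequelize
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - javascript
      - typescript
    severity: WARNING
    # Reports a Sequelize connection object for one of the dialects matched below
    # unless one of the two pattern-not clauses excuses it. A config with no
    # dialectOptions.ssl at all, or with a non-object value such as ssl: false,
    # is reported.
    patterns:
      - pattern: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: $DIALECT
          }
      # A bare `ssl: true` is only excused for the "postgres" dialect as written;
      # a "mysql" or "mariadb" config with `ssl: true` is not excluded by this
      # clause and will still be reported (whether that is intended is not
      # documented by the rule).
      - pattern-not: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: "postgres",
            dialectOptions: {
              ssl: true
            }
          }
      # Any object value for `ssl` satisfies this clause; its contents are not
      # inspected, so the rule does not distinguish an ssl object that keeps
      # certificate validation on from one that weakens it (for example
      # rejectUnauthorized: false). Review such objects separately.
      - pattern-not: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: $DIALECT,
            dialectOptions: {
              ssl: { ... }
            }
          }
      # Limit $DIALECT to the quoted dialect names this rule covers.
      - metavariable-regex:
          metavariable: $DIALECT
          regex: "['\"](mariadb|mysql|postgres)['\"]"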
Examples
sequelize-enforce-tls.js
// Test fixtures for the sequelize-enforce-tls rule. Each `// ruleid:` marks an
// object the rule is expected to report; each `// ok:` marks one it must not.
// Reported: postgres dialect with no dialectOptions.ssl setting at all.
module.exports = {
// ruleid: sequelize-enforce-tls
local: {
username: "AppUser",
database: "AppDb",
dialect: "postgres",
host: "127.0.0.1"
}
};
// Reported: mariadb dialect with no dialectOptions.ssl setting at all.
module.exports = {
// ruleid: sequelize-enforce-tls
local: {
username: "AppUser",
database: "AppDb",
dialect: "mariadb",
host: "127.0.0.1"
}
};
// Reported: mysql dialect with no dialectOptions.ssl setting at all.
module.exports = {
// ruleid: sequelize-enforce-tls
local: {
username: "AppUser",
database: "AppDb",
dialect: "mysql",
host: "127.0.0.1"
}
};
// Not reported: ssl is an object (here pinning minVersion to TLS 1.3). The rule's
// `ssl: { ... }` exception matches any object value without inspecting it, so the
// contents of the object (e.g. whether certificate validation stays on) are not
// checked by this rule.
module.exports = {
// ok: sequelize-enforce-tls
local: {
username: "AppUser",
database: "AppDb",
dialect: "postgres",
host: "127.0.0.1",
dialectOptions: {
ssl: {
minVersion: 'TLSv1.3'
}
}
}
};
// Not reported: bare `ssl: true`, which the rule excuses for the postgres dialect.
module.exports = {
// ok: sequelize-enforce-tls
local: {
username: "AppUser",
database: "AppDb",
dialect: "postgres",
host: "127.0.0.1",
dialectOptions: {
ssl: true
}
}
};
// Reported: ssl is explicitly false, which matches neither `ssl: true` nor
// `ssl: { ... }`, so TLS is not enforced.
module.exports = {
// ruleid: sequelize-enforce-tls
local: {
username: "AppUser",
database: "AppDb",
dialect: "postgres",
host: "127.0.0.1",
dialectOptions: {
ssl: false
}
}
};