javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version

profile photo of semgrepsemgrep
Author
4,562
Download Count*
LGPL Commons Clause
License

TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: sequelize-weak-tls-version
    message: TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By
      default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to
      TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks
      TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not
      really concerned by TLS configuration. This rule could be extended for
      MSSQL, but the dialectOptions is specific for Tedious.
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      references:
        - https://node-postgres.com/features/ssl
        - https://nodejs.org/api/tls.html#tls_class_tls_tlssocket
        - https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
        - https://nodejs.org/api/tls.html#tls_tls_default_min_version
      category: security
      technology:
        - sequelize
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-inside: |
          {
            host: $HOST,
            database: $DATABASE,
            dialect: $DIALECT,
            dialectOptions:
              { ssl: ... }
           }
      - pattern-either:
          - pattern: |
              {
                minVersion: 'TLSv1'
              }
          - pattern: |
              {
                minVersion: 'TLSv1.1'
              }
      - metavariable-regex:
          metavariable: $DIALECT
          regex: "['\"](mariadb|mysql|postgres)['\"]"

Examples

sequelize-weak-tls-version.js

module.exports = {
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "postgres",
    host: "127.0.0.1",
    dialectOptions: {
    // ruleid: sequelize-weak-tls-version
      ssl: {
        minVersion: 'TLSv1'
      }
    }
  }
};

module.exports = {
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "postgres",
    host: "127.0.0.1",
    dialectOptions: {
    // ruleid: sequelize-weak-tls-version
      ssl: {
        minVersion: 'TLSv1.1'
      }
    }
  }
};

module.exports = {
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "mysql",
    host: "127.0.0.1",
    dialectOptions: {
    // ruleid: sequelize-weak-tls-version
      ssl: {
        minVersion: 'TLSv1.1'
      }
    }
  }
};

module.exports = {
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "mariadb",
    host: "127.0.0.1",
    dialectOptions: {
    // ruleid: sequelize-weak-tls-version
      ssl: {
        minVersion: 'TLSv1.1'
      }
    }
  }
};


module.exports = {
  local: {
    username: "AppUser",
    database: "AppDb",
    dialect: "postgres",
    host: "127.0.0.1",
    dialectOptions: {
    // ok: sequelize-weak-tls-version
      ssl: {
        minVersion: 'TLSv1.2'
      }
    }
  }
};