aws-samples · AksChaudhari · Dec 23, 2024 · Dec 24, 2024 · grl-wang · Dec 24, 2024
diff --git a/typescript/src/detectors/typescript-code-injection/typescript-code-injection_compliant.ts b/typescript/src/detectors/typescript-code-injection/typescript-code-injection_compliant.ts
@@ -0,0 +1,18 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-code-injection@v1.0 defects=0}
+import express, { Request, Response } from 'express';
+import axios from 'axios';
+
+const app = express();
+
+function compliant(): void {
+    app.get("/add", function (req: Request, res: Response): void {
+        // Compliant: Trusted user input is being passed into dynamically executable code.
+        let calculated: number = eval("2 + 3");
+        res.send("Addition has been calculated");
+    });
+}
+
+// {/fact}
diff --git a/...script/src/detectors/typescript-code-injection/typescript-code-injection_non-compliant.ts b/...script/src/detectors/typescript-code-injection/typescript-code-injection_non-compliant.ts
@@ -0,0 +1,15 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-code-injection@v1.0 defects=1}
+import express, { Request, Response } from 'express';
+const app = express();
+
+function nonCompliant(): void {
+    app.get("/add/:num1/:num2", function (req: Request, res: Response): void {
+        // Noncompliant: Untrusted user input is being passed into dynamically executable code.
+        eval(req.params.num1 + "+" + req.params.num2);
+        res.send("Evaluated the result");
+    });
+}
+// {/fact}
diff --git a/...ectors/typescript-crypto-compliant-cipher/typescript-crypto-compliant-cipher_compliant.ts b/...ectors/typescript-crypto-compliant-cipher/typescript-crypto-compliant-cipher_compliant.ts
@@ -0,0 +1,30 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-crypto-compliant-cipher@v1.0 defects=0}
+import * as crypto from 'crypto';
+
+function compliant(): void {
+    const key: Buffer = crypto.randomBytes(24);
+    const iv: Buffer = crypto.randomBytes(12);
+
+    // Compliant: Usage of `aes` with `gcm`, which is a secure cipher algorithm.
+    const cipher: crypto.CipherGCM = crypto.createCipheriv('aes-192-gcm', key, iv);
+
+    const plaintext: string = "Hello world";
+
+    const aad: Buffer = Buffer.from("additional authenticated data", "utf8");
+
+    cipher.setAAD(aad, {
+        plaintextLength: Buffer.byteLength(plaintext)
+    });
+
+    let ciphertext: string = cipher.update(plaintext, "utf8", "hex");
+    ciphertext += cipher.final("hex");
+
+    const tag: Buffer = cipher.getAuthTag();
+
+    console.log("Ciphertext:", ciphertext);
+    console.log("Auth Tag:", tag.toString("hex"));
+}
+// {/fact}
diff --git a/...rs/typescript-crypto-compliant-cipher/typescript-crypto-compliant-cipher_non-compliant.ts b/...rs/typescript-crypto-compliant-cipher/typescript-crypto-compliant-cipher_non-compliant.ts
@@ -0,0 +1,31 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-crypto-compliant-cipher@v1.0 defects=1}
+import * as crypto from 'crypto';
+
+function nonCompliant(): void {
+    const key: Buffer = crypto.randomBytes(24);
+    const iv: Buffer = crypto.randomBytes(24);
+
+    // Noncompliant: Usage of `des`, which is not a secure cipher algorithm.
+    const cipher: crypto.Cipher = crypto.createCipheriv("DES", key, iv);
+
+    const plaintext: string = "Hello world";
+
+    const aad: Buffer = Buffer.from("00112233445566778899aabbccddeeff", "hex");
+
+    cipher.setAAD(aad, {
+        plaintextLength: Buffer.byteLength(plaintext)
+    });
+
+    let ciphertext: string = cipher.update(plaintext, "utf8", "hex");
+    ciphertext += cipher.final("hex");
+
+    const tag: Buffer = cipher.getAuthTag();
+
+    console.log("Ciphertext:", ciphertext);
+    console.log("Auth Tag:", tag.toString("hex"));
+}
+
+// {/fact}
diff --git a/...trusted-user-input/typescript-do-not-avoid-escaping-for-untrusted-user-input_compliant.ts b/...trusted-user-input/typescript-do-not-avoid-escaping-for-untrusted-user-input_compliant.ts
@@ -0,0 +1,44 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-do-not-avoid-escaping-for-untrusted-user-input@v1.0 defects=0}
+import csrf from 'csurf';
+import cookieParser from 'cookie-parser';
+import Handlebars from 'handlebars';
+import express, { Request, Response } from 'express';
+import fetch from 'node-fetch';
+
+const app = express();
+
+app.use(cookieParser());
+
+const csrfProtection = csrf();
+app.use(csrfProtection);
+
+async function compliant(): Promise<string> {
+    try {
+        const response = await fetch("link");
+        const data = await response.json();
+        // Compliant: Escape the data for security.
+        return Handlebars.escapeExpression(data);
+    } catch (error) {
+        console.error("Error in compliant function:", error);
+        throw error;
+    }
+}
+
+app.get('/secure', async (req: Request, res: Response) => {
+    try {
+        const sanitizedData = await compliant();
+        res.json({ data: sanitizedData });
+    } catch (error) {
+        res.status(500).send("An error occurred while processing your request.");
+    }
+});
+
+const PORT: number = process.env.PORT ? parseInt(process.env.PORT) : 3000;
+app.listen(PORT, () => {
+    console.log(`Server running on port ${PORT}`);
+});
+
+// {/fact}
diff --git a/...ted-user-input/typescript-do-not-avoid-escaping-for-untrusted-user-input_non-compliant.ts b/...ted-user-input/typescript-do-not-avoid-escaping-for-untrusted-user-input_non-compliant.ts
@@ -0,0 +1,43 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-do-not-avoid-escaping-for-untrusted-user-input@v1.0 defects=1}
+import csrf from 'csurf';
+import cookieParser from 'cookie-parser';
+import Handlebars from 'handlebars';
+import express, { Request, Response } from 'express';
+import fetch from 'node-fetch';
+
+const app = express();
+
+app.use(cookieParser());
+
+const csrfProtection = csrf();
+app.use(csrfProtection);
+
+async function compliant(): Promise<Handlebars.SafeString> {
+    try {
+        const response = await fetch("link");
+        const data = await response.json();
+        // Noncompliant: Using `Handlebars.SafeString()` with untrusted user input without escaping can lead to XSS vulnerabilities.
+        return new Handlebars.SafeString(data);
+    } catch (error) {
+        console.error("Error in compliant function:", error);
+        throw error;
+    }
+}
+
+app.get('/secure', async (req: Request, res: Response) => {
+    try {
+        const data = await compliant();
+        res.json({ data });
+    } catch (error) {
+        res.status(500).send("An error occurred while processing your request.");
+    }
+});
+
+const PORT: number = process.env.PORT ? parseInt(process.env.PORT) : 3000;
+app.listen(PORT, () => {
+    console.log(`Server running on port ${PORT}`);
+});
+// {/fact}
diff --git a/...om-user-input/typescript-do-not-construct-regular-expression-from-user-input_compliant.ts b/...om-user-input/typescript-do-not-construct-regular-expression-from-user-input_compliant.ts
@@ -0,0 +1,18 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-do-not-construct-regular-expression-from-user-input@v1.0 defects=0}
+import escapeStringRegexp from 'escape-string-regexp';
+import fetch from 'node-fetch';
+
+function complaint()
+{
+    fetch("some link")
+        // Compliant: Creating RegExp from validated user input. 
+        .then(res => res.json())
+        .then((data:string) => RegExp(escapeStringRegexp(data)))
+        .catch((error) => {
+            console.error("Error in function:", error);
+        });
+}
+// {/fact}
diff --git a/...ser-input/typescript-do-not-construct-regular-expression-from-user-input_non-compliant.ts b/...ser-input/typescript-do-not-construct-regular-expression-from-user-input_non-compliant.ts
@@ -0,0 +1,19 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-do-not-construct-regular-expression-from-user-input@v1.0 defects=1}
+import fetch from 'node-fetch';
+
+async function nonCompliant(): Promise<void> {
+    try {
+        const response = await fetch("some link");
+        const data = await response.text();
+        // Noncompliant: Creating RegExp from unvalidated user input is unsafe.
+        const regex = RegExp(data);
+    } catch (error) {
+        console.error("Error:", error);
+        throw error;
+    }
+}
+
+// {/fact}
diff --git a/...-using-http-proxy/typescript-do-not-forward-user-ip-address-using-http-proxy_compliant.ts b/...-using-http-proxy/typescript-do-not-forward-user-ip-address-using-http-proxy_compliant.ts
@@ -0,0 +1,19 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-do-not-forward-user-ip-address-using-http-proxy@v1.0 defects=0}
+import { createProxyMiddleware } from 'http-proxy-middleware';
+import express from 'express';
+
+const app = express();
+
+app.use(
+    createProxyMiddleware("/api", {
+        // Compliant: xfwd's defaults value is false.
+        target: 'http://localhost:8081/',
+        changeOrigin: true,
+    })
+);
+app.listen(3000);
+
+// {/fact}
diff --git a/...ng-http-proxy/typescript-do-not-forward-user-ip-address-using-http-proxy_non-compliant.ts b/...ng-http-proxy/typescript-do-not-forward-user-ip-address-using-http-proxy_non-compliant.ts
@@ -0,0 +1,41 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-do-not-forward-user-ip-address-using-http-proxy@v1.0 defects=1}
+import express from 'express';
+import { createProxyMiddleware, RequestHandler } from 'http-proxy-middleware';
+import { Request, Response } from 'express';
+
+const app = express();
+
+const nonCompliant = (): void => {
+    const app = express();
+
+    const onProxyReq = (proxyRes: Request): void => {
+        console.log('req');
+    };
+
+    const onProxyRes = (proxyRes: Response): void => {
+        console.log('res');
+    };
+
+    const getProxy = (): RequestHandler => {
+        return createProxyMiddleware({
+            target: "API_SERVICE_URL",
+            changeOrigin: true,
+            onProxyReq,
+            onProxyRes,
+            // Noncompliant: Setting true for xfwd is insecure.
+            xfwd: true
+        });
+    };
+
+    const PORT: number = 5000;
+    const HOST: string = "http://127.0.0.1";
+
+    app.listen(PORT, () => {
+        console.log(`Starting Proxy at ${HOST}:${PORT}`);
+    });
+};
+
+// {/fact}
diff --git a/...rc/detectors/typescript-dynamo-db-batch-keys/typescript-dynamo-db-batch-keys_compliant.ts b/...rc/detectors/typescript-dynamo-db-batch-keys/typescript-dynamo-db-batch-keys_compliant.ts
@@ -0,0 +1,35 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-dynamo-db-batch-keys@v1.0 defects=0}
+import * as AWS from 'aws-sdk';
+
+const dynamodb = new AWS.DynamoDB();
+
+function compliant(): void {
+    const params: AWS.DynamoDB.BatchGetItemInput = {
+        RequestItems: {
+            MyTable: {
+                Keys: [
+                    { id: { S: "123" } },
+                ],
+                ProjectionExpression: "id, attributeName",
+            },
+        },
+    };
+
+    dynamodb.batchGetItem(params, (err: AWS.AWSError, data: AWS.DynamoDB.BatchGetItemOutput) => {
+        if (err) {
+            console.error("Error occurred:", err);
+            return;
+        }
+
+        // Compliant: Checks for `Unprocessed` keys.
+        if (data.UnprocessedKeys && Object.keys(data.UnprocessedKeys).length > 0) {
+            console.log("Do something, we still have unprocessed data:", data.UnprocessedKeys);
+        } else {
+            console.log("We are all done:", data.Responses);
+        }
+    });
+}
+// {/fact}
diff --git a/...etectors/typescript-dynamo-db-batch-keys/typescript-dynamo-db-batch-keys_non-compliant.ts b/...etectors/typescript-dynamo-db-batch-keys/typescript-dynamo-db-batch-keys_non-compliant.ts
@@ -0,0 +1,39 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-dynamo-db-batch-keys@v1.0 defects=1}
+import * as AWS from 'aws-sdk';
+
+const dynamodb = new AWS.DynamoDB();
+
+function compliant(): void {
+    const params: AWS.DynamoDB.BatchGetItemInput = {
+        RequestItems: {
+            MyTable: {
+                Keys: [
+                    { id: { S: "123" } },
+                ],
+                ProjectionExpression: "id, attributeName",
+            },
+        },
+    };
+
+    dynamodb.batchGetItem(params, (err: AWS.AWSError, data: AWS.DynamoDB.BatchGetItemOutput) => {
+        if (err) {
+            console.error("Error occurred:", err);
+            return;
+        }
+
+        // Noncompliant: Missing check for unprocessed keys
+        console.log("Processed query:");
+        if (data.Responses) {
+            Object.entries(data.Responses).forEach(([tableName, items]) => {
+                console.log(`Table: ${tableName}`);
+                console.log("Items:", items);
+            });
+        } else {
+            console.log("No data found in the response.");
+        }
+    });
+}
+// {/fact}
diff --git a/...pt/src/detectors/typescript-express-bodyparser/typescript-express-bodyparser_compliant.ts b/...pt/src/detectors/typescript-express-bodyparser/typescript-express-bodyparser_compliant.ts
@@ -0,0 +1,19 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-2.0
+
+// {fact rule=typescript-express-bodyparser@v1.0 defects=0}
+import express, { Application } from 'express';
+
+const app: Application = express();
+
+const configureApp = (): void => {
+    app.set("port", process.env.PORT || 3000);
+    app.set("views", __dirname + "/views");
+    app.set("view engine", "jade");
+    // Compliant: BodyParser has not been used.
+    app.use(express.json());
+    app.use(express.urlencoded({ extended: true }));
+};
+
+configureApp();
+// {/fact}