Home Explore Help
Sign In
CocoRoboLabs
/
CocoRoboDesktop
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
CocoRoboDesk...
/
pdf1.js
/
node_modules
/
eslint-plugin-security
/
rules
/
detect-possible-timing-attacks.js

detect-possible-timing-attacks.js 1.6 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. /**
    2. 

  2.  * Looks for potential hotspot string comparisons
    3. 

  3.  * @author Adam Baldwin / Jon Lamendola
    4. 

  4.  */
    5. 

  5. 

  6. //------------------------------------------------------------------------------
    7. 

  7. // Rule Definition
    8. 

  8. //------------------------------------------------------------------------------
    9. 

  9. 

  10. var keywords = '((' + [
    11. 

  11.     'password',
    12. 

  12.     'secret',
    13. 

  13.     'api',
    14. 

  14.     'apiKey',
    15. 

  15.     'token',
    16. 

  16.     'auth',
    17. 

  17.     'pass',
    18. 

  18.     'hash'
    19. 

  19. ].join(')|(') + '))';
    20. 

  20. 

  21. var re = new RegExp('^' + keywords + '$', 'im');
    22. 

  22. 

  23. function containsKeyword (node) {
    24. 

  24.     if (node.type === 'Identifier') {
    25. 

  25.         if (re.test(node.name))
    26. 

  26.             return true;
    27. 

  27.         }
    28. 

  28.         return
    29. 

  29. }
    30. 

  30. 

  31. module.exports = function(context) {
    32. 

  32. 

  33.     "use strict";
    34. 

  34. 

  35.     return {
    36. 

  36.         "IfStatement": function(node) {
    37. 

  37.             if (node.test && node.test.type === 'BinaryExpression') {
    38. 

  38.                 if (node.test.operator === '==' || node.test.operator === '===' || node.test.operator === '!=' || node.test.operator === '!==') {
    39. 

  39. 

  40.                     var token = context.getTokens(node)[0];
    41. 

  41. 

  42.                     if (node.test.left) {
    43. 

  43.                     var left = containsKeyword(node.test.left);
    44. 

  44.                         if (left) {
    45. 

  45.                             return context.report(node, "Potential timing attack, left side: " + left);
    46. 

  46.                         }
    47. 

  47.                     }
    48. 

  48. 

  49.                     if (node.test.right) {
    50. 

  50.                     var right = containsKeyword(node.test.right);
    51. 

  51.                         if (right) {
    52. 

  52.                             return context.report(node, "Potential timing attack, right side: " + right);
    53. 

  53.                         }
    54. 

  54.                     }
    55. 

  55.                 }
    56. 

  56.             }
    57. 

  57.         }
    58. 

  58.     };
    59. 

  59. 

  60. };
    61.