Expand scope of detect-possible-timing-attack #6
Conversation
There was a problem hiding this comment.
Hi @g-marconet !
Thanks for your help! I have some comments about the code style and removing of the auth keyword
| 'password', | ||
| 'secret', | ||
| 'api', | ||
| 'apiKey', | ||
| 'token', | ||
| 'auth', |
There was a problem hiding this comment.
why do you think that auth keyword shouldn't be a part of this validation?
There was a problem hiding this comment.
Admittedly it's pretty anecdotal, but in our codebase, any time the auth keyword was found was either a false positive or already covered by another keyword (mostly token). That said, not super married to that and it can definitely be left in if you think that's best!
| function isVulnerableType (node: ts.Expression): boolean { | ||
| switch (node.kind) { | ||
| case ts.SyntaxKind.CallExpression: | ||
| return isVulnCallExpression(node as ts.CallExpression); |
There was a problem hiding this comment.
I think it's better to have more readable function names: isVuln* => isVulnerable*
| this.addFailureAtNode(expression, 'Potential timing attack on the right side of expression'); | ||
|
|
||
| visitBinaryExpression (node: ts.BinaryExpression) { | ||
| if (node.operatorToken.kind === ts.SyntaxKind.EqualsEqualsToken || |
There was a problem hiding this comment.
const {kind: operatorTokenKind} = node.operatorToken;
if (
operatorTokenKind === ts.SyntaxKind.EqualsEqualsToken ||
operatorTokenKind === ts.SyntaxKind.EqualsEqualsEqualsToken ||
...
| @@ -84,6 +84,7 @@ export class Rule extends Lint.Rules.AbstractRule { | |||
|
|
|||
| class RuleWalker extends Lint.RuleWalker { | |||
| visitBinaryExpression (node: ts.BinaryExpression) { | |||
| const operatorTokenKind = node.operatorToken.kind; | |||
There was a problem hiding this comment.
Great! But below all node.operatorToken.kind expressions should be replaced with operatorTokenKind ;)
There was a problem hiding this comment.
This is embarrassing... forgot to hit ctrl+s :D
| 'password', | ||
| 'secret', | ||
| 'api', | ||
| 'apiKey', |
There was a problem hiding this comment.
By accident, I've merged your change on this line, but I think we should add auth keyword back into this list
There was a problem hiding this comment.
I'm fine with that. Added back
In my usage, I found detect-possible-timing-attack to be essentially toothless. Rarely did I find issues as simple as
password === 'mypass'. More often, it would be something like,password.toString() === expectedPassword, which the old version does not recognize.Changes
if (checkPassword(a, b)) { ... }wherecheckPassword = (password, expected) => password === expected;user.password === 'password',user['password'] === 'password', andpassword.toString() === 'password', for examplepassword === truedoes not cause an issue anymoreexpectedPassword === 'password'will now be flaggedauthas keyword. In practice, it caused many false-positives and any actual positive was already captured by another keyword.This is to tslint-config-security what eslint-community/eslint-plugin-security#37 is to eslint-plugin-security