TypeScript example #17
base: main
Conversation
Prisma Cloud has found errors in this PR ⬇️
} | ||
|
||
exports.passwordRepeatChallenge = () => (req: Request, res: Response, next: NextFunction) => { | ||
challengeUtils.solveIf(challenges.passwordRepeatChallenge, () => { return req.body && req.body.passwordRepeat !== req.body.password }) |
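Review bot: the `!==` flagged on this line compares two request fields, `req.body.passwordRepeat` and `req.body.password`, both supplied by the client in the same request; no server-held secret takes part, so the early-exit timing of `!==` reveals nothing the sender does not already know. Dismiss this as a false positive rather than rewriting it with a constant-time compare; constant-time comparison is warranted only where one operand is a stored secret (a token, an HMAC, a reset code).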
Observable timing discrepancy
File: verify.ts | Checkov ID: CKV3_SAST_161
Description
CWE: CWE-208: Observable Timing Discrepancy
This SAST policy detects string comparisons using the ===, !==, ==, or != operators against security-sensitive values. These string comparisons are not constant time, meaning that the conditional statement will immediately exit as soon as the first character that does not match is found. This can lead to observable timing discrepancies and potentially allow an adversary to calculate or observe small timing differences to brute force a string that matches the expected value.
Vulnerable code example:
if (password == userInput) {
// Do something
}
The above code is vulnerable because it compares the user's input with a security-sensitive value, password, using the == operator. This type of comparison is not constant time and allows an adversary to potentially guess the correct value by monitoring the timing differences.
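The short-circuit behaviour the finding describes, and the fix for it, as an added example in TypeScript (not code from Juice Shop and not from Prisma Cloud). `naiveEquals` is the flagged pattern, `earlyExitSteps` is a simplified model of how many character positions a left-to-right comparison examines before it can answer, and `safeEquals` is the hardened form built on Node's `crypto.timingSafeEqual`. `STORED_TOKEN` is a constructed demo value, not a real credential.

```typescript
import { createHash, timingSafeEqual } from 'crypto'

// Constructed demo secret (hypothetical value, not a real credential).
export const STORED_TOKEN = 'c0ffee-3f1a-9b7d-constructed-demo-secret'

// The pattern the rule flags: a plain string comparison against a secret.
export function naiveEquals (secret: string, userInput: string): boolean {
  return secret === userInput
}

// Simplified model of what a short-circuiting comparison examines before it
// can answer: a length mismatch is rejected immediately, otherwise characters
// are compared left to right and the loop stops at the first difference.
// The return value is the number of character positions examined, which is
// what an attacker tries to infer from the response time.
export function earlyExitSteps (secret: string, userInput: string): number {
  if (secret.length !== userInput.length) return 0
  for (let i = 0; i < secret.length; i++) {
    if (secret[i] !== userInput[i]) return i + 1
  }
  return secret.length
}

// Hardened form: hash both sides to fixed-length buffers, then compare with
// crypto.timingSafeEqual, whose running time does not depend on where (or
// whether) the inputs differ. Hashing first also means timingSafeEqual never
// throws on unequal lengths and the secret's length is not revealed.
export function safeEquals (secret: string, userInput: string): boolean {
  const a = createHash('sha256').update(secret, 'utf8').digest()
  const b = createHash('sha256').update(userInput, 'utf8').digest()
  return timingSafeEqual(a, b)
}

// A guess that has the first three characters right keeps the naive
// comparison busy for four steps; a wrong-length guess is rejected at once.
export function demo (): { correct: boolean, wrong: boolean, stepsPrefixGuess: number } {
  return {
    correct: safeEquals(STORED_TOKEN, STORED_TOKEN),
    wrong: safeEquals(STORED_TOKEN, 'c0ffee-guess'),
    stepsPrefixGuess: earlyExitSteps('secret', 'secXYZ')
  }
}
```

The hardened form is only worth applying where one operand is a server-side secret; a comparison between two values the same client sent (for instance a password and its repeat field) cannot leak anything to that client, whatever operator is used.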
const decoded = jws.decode(token) ? jwt.decode(token) : null | ||
jwt.verify(token, security.publicKey, (err: VerifyErrors | null, verified: JwtPayload) => { | ||
if (err === null) { | ||
challengeUtils.solveIf(challenge, () => { return hasAlgorithm(token, algorithm) && hasEmail(decoded, email) }) |
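Review bot: inside the `err === null` branch the callback evaluates `hasEmail(decoded, email)` against `decoded`, which was produced by `jwt.decode(token)` without a signature check, while the verified payload `verified` that `jwt.verify` hands to the callback goes unused. Pass `verified` to `hasEmail` so the challenge decision rests on the claims the signature actually covers, and drop `decoded`. The timing finding on `err === null` itself is noise: it compares an error object with null, and no secret is involved in that comparison.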
Observable timing discrepancy
File: verify.ts | Checkov ID: CKV3_SAST_161
Description
CWE: CWE-208: Observable Timing Discrepancy
|
||
function hasAlgorithm (token: string, algorithm: string) { | ||
const header = JSON.parse(Buffer.from(token.split('.')[0], 'base64').toString()) | ||
return token && header && header.alg === algorithm |
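Review bot: the `token &&` guard on the return line runs too late to protect anything, because `token.split('.')[0]` and `JSON.parse(...)` on the line above have already executed; an empty token, or one whose first segment is not base64-encoded JSON, throws out of `hasAlgorithm` before the guard is reached. Check `token` before decoding and wrap the parse in a try/catch that returns false. The `header.alg === algorithm` comparison is between a public header field and a constant algorithm name, not a secret, so the timing finding does not apply to it. The header segment is base64url-encoded; Node's 'base64' decoder accepts the URL-safe alphabet, so this works, but decoding with 'base64url' states the intent.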
Observable timing discrepancy
File: verify.ts | Checkov ID: CKV3_SAST_161
Description
CWE: CWE-208: Observable Timing Discrepancy
function jwtChallenge (challenge: Challenge, req: Request, algorithm: string, email: string | RegExp) { | ||
const token = utils.jwtFrom(req) | ||
if (token) { | ||
const decoded = jws.decode(token) ? jwt.decode(token) : null |
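Review bot: `decoded` is built from `jwt.decode(token)`, which parses the header and payload without checking the signature, so every claim read from it is whatever the token's sender chose to put there. Take the claims from the payload that `jwt.verify` returns on success instead, and drop the unverified decode. The `jws.decode(token) ?` pre-check only parses the same token a second time for no gain, since `jwt.decode` already returns null for a token it cannot parse.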
JSON Web Tokens (JWT) signature verification bypass
File: verify.ts | Checkov ID: CKV3_SAST_181
Description
CWE: CWE-347: Improper Verification of Cryptographic Signature
OWASP: A02:2021-Cryptographic Failures
This policy identifies instances in JavaScript where JSON Web Tokens (JWT) are decoded or processed without proper verification of the token's signature.
Vulnerable code example:
let jwt = require('jsonwebtoken');
let decoded = jwt.decode(token);
The above code is vulnerable to cryptographic failures as it improperly verifies the cryptographic signature of the JSON Web Token. This could potentially result in JWT signature verification bypass.
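How the decode-versus-verify distinction in this finding plays out, as an added example in TypeScript (not Juice Shop's code and not Prisma Cloud's): a minimal HS256 signer and verifier on Node's `crypto` module, so it runs without the jsonwebtoken package. `decodeUnverified` does what `jwt.decode` does (parse only), `verifyHS256` pins the algorithm, recomputes the MAC over the bytes received and compares it in constant time, and `forgePayload` and `noneToken` build the two forgeries a decode-only consumer accepts. `DEMO_KEY` and the claims are constructed for the demo.

```typescript
import { createHmac, timingSafeEqual } from 'crypto'

// Constructed demo key (hypothetical; not from any real deployment).
export const DEMO_KEY = 'constructed-demo-hmac-key'

// base64url helpers built on the standard base64 codec so they work on any
// Node version; padding is stripped as the JWS spec requires.
export function b64url (data: string | Buffer): string {
  const buf = typeof data === 'string' ? Buffer.from(data, 'utf8') : data
  return buf.toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_')
}
export function fromB64url (s: string): Buffer {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64')
}

export function signHS256 (claims: Record<string, any>, key: string): string {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
  const payload = b64url(JSON.stringify(claims))
  const sig = createHmac('sha256', key).update(`${header}.${payload}`).digest()
  return `${header}.${payload}.${b64url(sig)}`
}

// What jwt.decode() does: split and parse, no signature check at all.
// Every field returned here is controlled by whoever sent the token.
export function decodeUnverified (token: string): { header: any, payload: any } | null {
  const parts = token.split('.')
  if (parts.length !== 3) return null
  try {
    return {
      header: JSON.parse(fromB64url(parts[0]).toString('utf8')),
      payload: JSON.parse(fromB64url(parts[1]).toString('utf8'))
    }
  } catch (e) {
    return null
  }
}

// Verification: pin the algorithm (never let header.alg choose the check),
// recompute the MAC over the exact header.payload bytes received, and compare
// it in constant time. Only on success are the claims returned.
export function verifyHS256 (token: string, key: string): Record<string, any> | null {
  const parts = token.split('.')
  if (parts.length !== 3) return null
  let header: any = null
  try {
    header = JSON.parse(fromB64url(parts[0]).toString('utf8'))
  } catch (e) {
    return null
  }
  if (header === null || typeof header !== 'object' || header.alg !== 'HS256') return null
  const expected = createHmac('sha256', key).update(`${parts[0]}.${parts[1]}`).digest()
  const given = fromB64url(parts[2])
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null
  try {
    return JSON.parse(fromB64url(parts[1]).toString('utf8'))
  } catch (e) {
    return null
  }
}

// Two forgeries a decode-only consumer accepts: the payload rewritten while
// the original signature is kept, and an unsigned alg:none token.
export function forgePayload (token: string, claims: Record<string, any>): string {
  const [header, , sig] = token.split('.')
  return `${header}.${b64url(JSON.stringify(claims))}.${sig}`
}
export function noneToken (claims: Record<string, any>): string {
  return `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}.`
}
```

With a real library the same rule holds: use the payload `jwt.verify` returns, pass an explicit `algorithms` list so the token's own header cannot select the check, and treat anything obtained from `jwt.decode` as untrusted input.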
No description provided.