Eas-1673 #31

Closed
wants to merge 551 commits into from
790bae6
Merge remote-tracking branch 'refs/remotes/origin/EAS-1893' into EAS-…
Jan 8, 2024
eafbb5c
rebased EAS-1893
Jan 8, 2024
c752d7d
feat: tracking functions exposed in jira:adminPage module added. TODO…
Jan 3, 2024
3365f96
rebasing EAS-1673 to be head of EAS-1893
Jan 8, 2024
d2c6d07
chore: cleaning up and reverting iterator to og name.
Jan 5, 2024
6372e5b
clean: removed commented out functions
Jan 8, 2024
6d85f9c
Merge remote-tracking branch 'refs/remotes/origin/EAS-1673' into EAS-…
Jan 8, 2024
8ff9fac
chore: resolving more conflicts
Jan 8, 2024
8bbe702
fix: update checker spawning to use new entrypoint flags
jwong101 Jan 9, 2024
4928acc
chore: remove unused imports in forge_loader
jwong101 Jan 9, 2024
fc69b59
chore: updated main.rs file to remove vscode notes
aliner-wang Jan 11, 2024
15e814b
resolving merge conflicts for rebase
aliner-wang Jan 11, 2024
96f4917
added more todo statements and cleaned up struct definitions
aliner-wang Jan 11, 2024
ad665ab
resolving merge conflicts for rebase
aliner-wang Jan 11, 2024
b58c126
resolving merge conflicts
aliner-wang Jan 11, 2024
36bde44
resolving merge conflicts
aliner-wang Jan 11, 2024
4073a5e
resolving merge conflicts
aliner-wang Jan 11, 2024
6909475
resolving merge conflicts
aliner-wang Jan 11, 2024
3426614
added new modules for additional endpoints in user invokable modules
aliner-wang Jan 11, 2024
4dbdfc7
added methods for adding additional user invokable endpoints to vecto…
aliner-wang Jan 11, 2024
d4eb264
resolving merge conflicts
aliner-wang Jan 11, 2024
6279910
changed entrypoints to entrypoint. Working on other comments
aliner-wang Jan 11, 2024
556f10f
resolving merge conflicts
aliner-wang Jan 11, 2024
4eceabf
resolving merge conflicts
aliner-wang Jan 11, 2024
5d7be6e
finished updating methods to check functions_to_scan and update entry…
aliner-wang Jan 11, 2024
f04d418
resolving merge conflicts
aliner-wang Jan 11, 2024
cde73af
updated search_suggestion in customfield to be an optional value.
aliner-wang Jan 11, 2024
4955157
modified into_analyzable_functions with Josh and implementation in ma…
aliner-wang Jan 11, 2024
8deeb4d
added new structs for user non-invokable modules
aliner-wang Jan 11, 2024
216de88
added more todo statements and cleaned up struct definitions
aliner-wang Jan 11, 2024
3926803
created iterators of all known user non-invokable functions to be sca…
aliner-wang Jan 11, 2024
5a206c2
fixed all the red squigglies
aliner-wang Jan 11, 2024
a6b8c96
added user-invokable module with additional entry points for macros. …
aliner-wang Jan 11, 2024
8348195
added test to deserialize macros with additional entry points like co…
aliner-wang Jan 11, 2024
b52dfad
edited main to iterate over vector of functions. TODO: edit add_funcs…
aliner-wang Jan 11, 2024
86efbe2
added new modules for additional endpoints in user invokable modules
aliner-wang Jan 11, 2024
5ff8ae4
added methods for adding additional user invokable endpoints to vecto…
aliner-wang Jan 11, 2024
26011e4
removed callback mod and abstracted structs to use MacroMod to repres…
aliner-wang Jan 11, 2024
40856e1
changed entrypoints to entrypoint. Working on other comments
aliner-wang Jan 11, 2024
df2517b
updated struct serde features and rust attributes. Updated customFiel…
aliner-wang Jan 11, 2024
b819cbf
abstracted structs to use a CommonKeys struct that holds: key, functi…
aliner-wang Jan 11, 2024
0181e97
finished updating methods to check functions_to_scan and update entry…
aliner-wang Jan 11, 2024
f1c3f47
commented out consumer filter
aliner-wang Jan 11, 2024
87e953c
updated search_suggestion in customfield to be an optional value.
aliner-wang Jan 11, 2024
f3b2fcc
modified into_analyzable_functions with Josh and implementation in ma…
aliner-wang Jan 11, 2024
bdd9b49
rebased EAS-1893
aliner-wang Jan 11, 2024
9634116
chore: updated main.rs file to remove vscode notes
aliner-wang Jan 11, 2024
09c7603
Merge remote-tracking branch 'refs/remotes/origin/EAS-1893' into EAS-…
aliner-wang Jan 11, 2024
741fe07
chore: tried rebasing to change all authors on commits. Partially wo…
aliner-wang Jan 11, 2024
f2203f7
rebased EAS-1893 - changing author attempt
aliner-wang Jan 8, 2024
a75e817
NEW: Fresh branch branching off of EAS-1893 to whitelist admin module…
Jan 3, 2024
e9f8a0b
chore: resetting head on EAS-1673 to minimize commits
aliner-wang Jan 11, 2024
b45932c
Merge branch 'main' into EAS-1673
aliner-wang Jan 11, 2024
e1b6f5b
chore: resolved error. Fixed local tests that were failing
aliner-wang Jan 12, 2024
11aff52
chore: resolved linter error msg
aliner-wang Jan 12, 2024
467eb54
feat: resolving PR comments in progress
aliner-wang Jan 26, 2024
ed999b9
feat: implemented helper function append_function. And updated existin…
aliner-wang Feb 5, 2024
52ed5d8
fix: added compass and confluence modules to get deserialized. Todo: …
aliner-wang Feb 5, 2024
ac8c09a
feat: added rest of jira modules. Updated into_analyzable_functions …
aliner-wang Feb 6, 2024
44ae29f
resolve: destructured ForgeModule struct to address comment on tracki…
aliner-wang Feb 6, 2024
7aecd63
fix: addressed most comments. Updated fields to be optional or a stru…
aliner-wang Feb 6, 2024
8ae7687
resolve: added JSM modules with functions. And updated into_analyzab…
aliner-wang Feb 6, 2024
ee2e747
feat: new trait implemented to append functions. Updated into_analyza…
aliner-wang Feb 7, 2024
41c8403
resolving merge conflicts for rebase
aliner-wang Jan 11, 2024
8a8a0ae
added more todo statements and cleaned up struct definitions
aliner-wang Jan 11, 2024
172644c
resolving merge conflicts for rebase
aliner-wang Jan 11, 2024
2c4cd22
resolving merge conflicts
aliner-wang Jan 11, 2024
569c1df
resolving merge conflicts
aliner-wang Jan 11, 2024
40cdf4f
resolving merge conflicts
aliner-wang Jan 11, 2024
94acd6d
resolving merge conflicts
aliner-wang Jan 11, 2024
0cbf1a6
added new modules for additional endpoints in user invokable modules
aliner-wang Jan 11, 2024
a84775f
added methods for adding additional user invokable endpoints to vecto…
aliner-wang Jan 11, 2024
14ddd61
resolving merge conflicts
aliner-wang Jan 11, 2024
a125465
changed entrypoints to entrypoint. Working on other comments
aliner-wang Jan 11, 2024
02939ce
resolving merge conflicts
aliner-wang Jan 11, 2024
d2fe248
resolving merge conflicts
aliner-wang Jan 11, 2024
2ce0e9f
finished updating methods to check functions_to_scan and update entry…
aliner-wang Jan 11, 2024
d15caec
resolving merge conflicts
aliner-wang Jan 11, 2024
2a1ae05
updated search_suggestion in customfield to be an optional value.
aliner-wang Jan 11, 2024
e29d5fc
modified into_analyzable_functions with Josh and implementation in ma…
aliner-wang Jan 11, 2024
48b20ea
added new structs for user non-invokable modules
aliner-wang Jan 11, 2024
f88b71f
added more todo statements and cleaned up struct definitions
aliner-wang Jan 11, 2024
abf5103
created iterators of all known user non-invokable functions to be sca…
aliner-wang Jan 11, 2024
1327fcd
fixed all the red squigglies
aliner-wang Jan 11, 2024
e693381
added user-invokable module with additional entry points for macros. …
aliner-wang Jan 11, 2024
2b8ff7c
added test to deserialize macros with additional entry points like co…
aliner-wang Jan 11, 2024
02509c9
edited main to iterate over vector of functions. TODO: edit add_funcs…
aliner-wang Jan 11, 2024
2e5c288
added new modules for additional endpoints in user invokable modules
aliner-wang Jan 11, 2024
244ffe7
added methods for adding additional user invokable endpoints to vecto…
aliner-wang Jan 11, 2024
e22c912
removed callback mod and abstracted structs to use MacroMod to repres…
aliner-wang Jan 11, 2024
b21dec0
changed entrypoints to entrypoint. Working on other comments
aliner-wang Jan 11, 2024
6c770fe
updated struct serde features and rust attributes. Updated customFiel…
aliner-wang Jan 11, 2024
6f70f2d
abstracted structs to use a CommonKeys struct that holds: key, functi…
aliner-wang Jan 11, 2024
f40fa88
finished updating methods to check functions_to_scan and update entry…
aliner-wang Jan 11, 2024
0f0649f
commented out consumer filter
aliner-wang Jan 11, 2024
b0d32c6
updated search_suggestion in customfield to be an optional value.
aliner-wang Jan 11, 2024
9814698
modified into_analyzable_functions with Josh and implementation in ma…
aliner-wang Jan 11, 2024
8ec6866
rebased EAS-1893
aliner-wang Jan 11, 2024
db608ea
chore: updated main.rs file to remove vscode notes
aliner-wang Jan 11, 2024
42a2831
resolving merge conflicts for rebase
aliner-wang Jan 8, 2024
a95d2f0
added more todo statements and cleaned up struct definitions
aliner-wang Sep 11, 2023
05e1572
resolving merge conflicts for rebase
aliner-wang Jan 8, 2024
c85ca77
resolving merge conflicts
aliner-wang Jan 8, 2024
cab1b8d
resolving merge conflicts
aliner-wang Jan 8, 2024
07bea42
resolving merge conflicts
aliner-wang Jan 8, 2024
b229ad1
changed entrypoints to entrypoint. Working on other comments
aliner-wang Sep 18, 2023
0475adb
resolving merge conflicts
aliner-wang Jan 8, 2024
9fb82e8
resolving merge conflicts
aliner-wang Jan 8, 2024
7572b16
finished updating methods to check functions_to_scan and update entry…
aliner-wang Sep 20, 2023
de569cb
manually resolved some things
aliner-wang Feb 9, 2024
9bb3a76
added new structs for user non-invokable modules
aliner-wang Sep 11, 2023
4738a80
added more todo statements and cleaned up struct definitions
aliner-wang Sep 11, 2023
dad24aa
edited main to iterate over vector of functions. TODO: edit add_funcs…
aliner-wang Sep 15, 2023
c7d2a3e
resolving more conflicts T.T'
aliner-wang Feb 9, 2024
aa6893d
resolving more conflicts T.T'
aliner-wang Feb 9, 2024
fe30d12
removed callback mod and abstracted structs to use MacroMod to repres…
aliner-wang Sep 18, 2023
0eba620
updated struct serde features and rust attributes. Updated customFiel…
aliner-wang Sep 19, 2023
d13df57
abstracted structs to use a CommonKeys struct that holds: key, functi…
aliner-wang Sep 20, 2023
f9a282c
modified into_analyzable_functions with Josh and implementation in ma…
aliner-wang Oct 5, 2023
57c64cd
rebased EAS-1893 - changing author attempt
aliner-wang Jan 8, 2024
116bf18
chore: tried rebasing to change all authors on commits. Partially wo…
aliner-wang Jan 11, 2024
b6a2aef
Merge remote-tracking branch 'refs/remotes/origin/EAS-1893' into EAS-…
aliner-wang Feb 9, 2024
fa3b5d4
docs: update example help
jwong101 Nov 11, 2022
f3148ed
feat: add new resolver
jwong101 Nov 25, 2022
78d01c1
chore: bump deps
jwong101 Nov 25, 2022
e23cd6d
wip
jwong101 Nov 27, 2022
93a445f
feat: detect resolver definitions
jwong101 Nov 29, 2022
f9898e4
feat: lower to IR 2.0
jwong101 Nov 30, 2022
8e8a1e7
chore: add test case for issue #1
jwong101 Nov 30, 2022
632dc97
feat: interp v2
jwong101 Dec 8, 2022
0054b6a
chore: bump deps and add time crate
jwong101 Dec 18, 2022
54f2fba
feat: migrate to IR v2
jwong101 Dec 18, 2022
ef6a76b
feat: serialize AuthZVuln
jwong101 Dec 21, 2022
6de6957
feat: use IR 2.0 with AuthN checker
jwong33 Dec 21, 2022
e2bf1e2
refactor(analyzer): remove dead code
jwong33 Dec 21, 2022
a0d5016
refactor: clean up unused code
jwong33 Dec 21, 2022
62a276c
fix(parser): parse files with decorators
jwong101 Jan 18, 2023
c8842f9
feat: EAS-1592 mistakenly classifies resolvers exposed from consumer…
gersbach Jun 7, 2023
7b78e0b
removing changes to files
gersbach Jun 13, 2023
375b574
removing changes to files
gersbach Jun 13, 2023
4700553
adding ir for inserting symbols
gersbach Jun 14, 2023
6904df3
adding projections instead of assignment
gersbach Jun 15, 2023
0047856
reverting changes that are unneeded
gersbach Jun 15, 2023
1e851e6
basic checker
gersbach Jun 16, 2023
fe5af2e
moving inst checking to the transfer block
gersbach Jun 16, 2023
0c6ee69
wip
gersbach Jun 23, 2023
15c3704
definition analysis
gersbach Jun 23, 2023
07ab24b
wip
gersbach Jun 25, 2023
3c0b168
updates to parsing worklist arguments
gersbach Jun 25, 2023
32ba8a3
correctly resolving permissions
gersbach Jun 26, 2023
03686c3
fix bug with adding arguments
gersbach Jun 27, 2023
c87b6b1
various updates
gersbach Jul 6, 2023
9866c54
fix to the worklist
gersbach Jun 27, 2023
4810f4a
converting defid to varid
gersbach Jul 3, 2023
cc1ffd9
wip
gersbach Jul 9, 2023
24afac9
wip
gersbach Jul 10, 2023
2427175
Update crates/forge_analyzer/src/checkers.rs
gersbach Jul 10, 2023
b6162c0
wip
gersbach Jul 11, 2023
bd599d3
wip
gersbach Jul 12, 2023
cbe7ea9
fix to not reading the second argument
gersbach Jul 12, 2023
c2967ae
wip
gersbach Jul 14, 2023
77899bd
fix to unlimited looping between visit blocks
gersbach Jul 14, 2023
55549be
fix to unlimited looping between visit blocks
gersbach Jul 14, 2023
b47deca
cleaning up
gersbach Jul 16, 2023
fb56c91
wip
gersbach Jul 18, 2023
9192cdc
fix to the issue of not resolving default exports
gersbach Jul 19, 2023
3594d4d
removing unneeded comments
gersbach Jul 19, 2023
00094fa
small updates
gersbach Aug 2, 2023
526dada
removing unneeded file
gersbach Aug 4, 2023
d81602e
fixes to projections
gersbach Jun 15, 2023
2e9d5a6
lowering functions that are called with handlers
gersbach Jul 10, 2023
6bd5f3a
Update crates/forge_analyzer/src/interp.rs
gersbach Jul 11, 2023
93a7900
fixes to comments
gersbach Jul 11, 2023
c05947b
lowering then and array functions
gersbach Jul 24, 2023
1f4127f
updates to pr
gersbach Jul 27, 2023
9e2ebe3
handling lowering of useEffect functions
gersbach Jul 20, 2023
aef8184
cleaning up
gersbach Jul 20, 2023
c9e54da
feat: generate check name based on stacktrace
jwong101 Aug 2, 2023
d26f6fd
handling default and nodejs exports
gersbach Jul 20, 2023
56da839
cleaning up
gersbach Jul 20, 2023
e44a3eb
more code
gersbach Jul 20, 2023
c9c6536
formatting
gersbach Jul 20, 2023
072fc95
fixes to comments on pr
gersbach Jul 25, 2023
6aecf42
formatting
gersbach Jul 25, 2023
83c0474
fixes to pr
gersbach Jul 25, 2023
1cebba0
prevents scan if the code is transpiled
gersbach Jul 24, 2023
d7a6da2
cleaning up code
gersbach Jul 19, 2023
37cc049
wip
gersbach Aug 4, 2023
284af26
final permission resolver
gersbach Aug 3, 2023
acd64ce
cleaning up
gersbach Aug 3, 2023
d413d40
fixed to pr
gersbach Aug 4, 2023
a1cb913
errors with definition analysis -- correct intermixing of exprs and quasis
gersbach Aug 5, 2023
0f1d184
working module exports
gersbach Aug 6, 2023
c492533
formatting
gersbach Aug 6, 2023
d05751d
working body definition analysis
gersbach Aug 7, 2023
e45059e
cleaning up codebase
gersbach Aug 7, 2023
9bcc6e3
failed attempt to put the definition analysis into the interp
gersbach Aug 7, 2023
5bcaeec
working definition analysis separated analysis and permission checker
gersbach Aug 8, 2023
8cca695
finalize secret scanner
gersbach Aug 8, 2023
e14ffcf
patch to definition analysis
gersbach Aug 8, 2023
b939c1a
formatting
gersbach Aug 8, 2023
d6f1bd2
cleaning up
gersbach Aug 9, 2023
7b5d289
functioning definition export
gersbach Aug 10, 2023
b0dd29b
fix bug for exporting default classes
gersbach Aug 10, 2023
2331c0e
improvements to performance
gersbach Aug 10, 2023
e291266
working global lowerer
gersbach Aug 11, 2023
3161af1
fix to permission checker
gersbach Aug 11, 2023
da3b616
formatting
gersbach Aug 11, 2023
b9ddcc5
current
gersbach Aug 11, 2023
8b98406
chore: move test module directly below the permission_resolver module…
jwong101 Sep 7, 2023
67b79be
cleaning up codebase
gersbach Oct 16, 2023
2a700d4
refactoring to a value manager
gersbach Oct 17, 2023
5ef7c90
feat: recognize manual authorization for custom fields
jwong101 Sep 26, 2023
91f7bb9
fix: lower while loop body
jwong101 Sep 26, 2023
8917e3d
fix: remove stacker usage in interp
jwong101 Sep 26, 2023
5df5e38
chore: added additional known common package functions in forge apps …
Oct 30, 2023
91d6f46
feat: added scanning in secret scanner for packages imported using st…
Nov 6, 2023
a2b6c0d
feat: added crypto-js to secretdata.yaml scanning list. And updated D…
Nov 6, 2023
c557851
feat: updated secretdata.yaml with new flag identifier to catch objec…
Nov 8, 2023
9cc4fbd
fixed: revised fix_import to check for default and named functions. A…
Nov 20, 2023
6afd028
chore: cleaned up test cases in util.js. Added verify to secretdata.y…
Nov 27, 2023
d1cc73d
chore: bump deps
jwong101 Nov 28, 2023
e09ed8b
chore: bump swc version
jwong101 Nov 28, 2023
6836375
fix: swc compile errors
jwong101 Nov 28, 2023
9c5a14c
refactor: rebuilt as_intrinsic to be sleeker and more organized. Test…
Nov 29, 2023
54e317e
fix: resolving PR comments. Pushing fixes to see which comments are left
Nov 29, 2023
0b002fb
fix: removed the unwrap() on self.default and made add_defult return …
Nov 30, 2023
f2f4069
fix: clean up some code
jwong101 Nov 30, 2023
cc62b91
feat: add initial implementation of the prototype pollution scanner
jwong101 Dec 6, 2023
58f7cd4
feat: enable new scanners by default
jwong101 Dec 22, 2023
abc03d9
fix: use correct check name in secret scanner vulner report
jwong101 Jan 3, 2024
99eb53a
NEW: Fresh branch branching off of EAS-1893 to whitelist admin module…
Jan 3, 2024
eec1d4b
feat: tracking functions exposed in jira:adminPage module added. TODO…
Jan 3, 2024
112bd9a
rebasing EAS-1673 to be head of EAS-1893
Jan 8, 2024
c98a468
chore: cleaning up and reverting iterator to og name.
Jan 5, 2024
010388d
feat: wrote smol test to check for admin flag based on current behavior
Jan 5, 2024
d4693d2
chore: cleaning up and reverting iterator to og name.
Jan 5, 2024
f99c158
chore: resolving more conflicts
Jan 8, 2024
6b17156
fix: update checker spawning to use new entrypoint flags
jwong101 Jan 9, 2024
a8263a3
chore: remove unused imports in forge_loader
jwong101 Jan 9, 2024
13efe7e
chore: resolved error. Fixed local tests that were failing
aliner-wang Jan 12, 2024
5242436
feat: resolving PR comments in progress
aliner-wang Jan 26, 2024
1387aba
feat: implemented helper function append_function. And updated existin…
aliner-wang Feb 5, 2024
e35c34d
fix: added compass and confluence modules to get deserialized. Todo: …
aliner-wang Feb 5, 2024
1822294
feat: added rest of jira modules. Updated into_analyzable_functions …
aliner-wang Feb 6, 2024
a6cf055
resolve: destructured ForgeModule struct to address comment on tracki…
aliner-wang Feb 6, 2024
aec5b6e
fix: addressed most comments. Updated fields to be optional or a stru…
aliner-wang Feb 6, 2024
3012f13
resolve: added JSM modules with functions. And updated into_analyzab…
aliner-wang Feb 6, 2024
85ac890
feat: new trait implemented to append functions. Updated into_analyza…
aliner-wang Feb 7, 2024
b64754d
rebase: final step to merge diverging branches and resolve conflicts
aliner-wang Feb 12, 2024
Binary file added .DS_Store
Binary file not shown.
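
Review bot: `.DS_Store` at the repository root is macOS Finder metadata, not project content, and should not be added by this PR. Remove it from the branch and add `.DS_Store` to `.gitignore` so it does not come back; these files also record the names of entries in the directory they were created in, which is one more reason to keep them out of a public repository.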
95 changes: 84 additions & 11 deletions Cargo.lock


10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -4,7 +4,7 @@

A static analysis tool for finding common [Forge][1] vulnerabilities.

[1]: <https://developer.atlassian.com/platform/forge> "Forge platform"
[1]: https://developer.atlassian.com/platform/forge "Forge platform"

## Usage
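
Review bot: The `[1]:` link definition differs only in the dropped `<...>` around the URL, and both forms are valid Markdown link destinations that render the same, so this is formatting churn with no effect on the README. The same applies to the `[Rust]`, `[Rustup]` and `[Cargo]` definitions in the next hunk. Suggest leaving these lines out of this PR, or landing them as a separate formatting-only commit, so the README diff does not distract from the module and entrypoint changes the commit list describes.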

Expand All @@ -31,9 +31,9 @@ latest stable release, and adding the toolchain

[^1]: Cargo is technically not required if you want to download every dependency, invoke `rustc`, and link everything manually. However, I wouldn't recommend doing this unless you're extremely bored.

[Rust]: <https://www.rust-lang.org/>
[Rustup]: <https://github.com/rust-lang/rustup> "Rustup"
[Cargo]: <https://github.com/rust-lang/cargo>
[Rust]: https://www.rust-lang.org/
[Rustup]: https://github.com/rust-lang/rustup "Rustup"
[Cargo]: https://github.com/rust-lang/cargo

Installing from source:

Expand Down Expand Up @@ -70,7 +70,7 @@ Contributions to FSRT are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md)

## License

Copyright (c) 2022 Atlassian and others.
Copyright (c) 2022 Atlassian and others.

FSRT is dual licensed under the MIT and Apache 2.0 licenses.
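
Review bot: The removed and added `Copyright (c) 2022 Atlassian and others.` lines read identically, so the only difference can be invisible whitespace or a line ending. If this came from an editor stripping trailing spaces on save, revert it here; a whitespace-only edit to the license notice is noise in review and in `git blame`. If it is intentional, note that in the commit message.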
