feat(policies): initial Rails JWT leaks (#182)

* feat: initial Rails JWT leaks

* chore: update snapshot

integration/custom_detectors/.snapshots/TestCustomDetectors-detect_rails_jwt

@@ -0,0 +1,45 @@
+data_types:
+    - name: Email Address
+      detectors:
+        - name: detect_rails_jwt
+          locations:
+            - filename: testdata/ruby/detect_rails_jwt.rb
+              line_number: 12
+        - name: ruby
+          locations:
+            - filename: testdata/ruby/detect_rails_jwt.rb
+              line_number: 12
+    - name: Physical Address
+      detectors:
+        - name: detect_rails_jwt
+          locations:
+            - filename: testdata/ruby/detect_rails_jwt.rb
+              line_number: 10
+        - name: ruby
+          locations:
+            - filename: testdata/ruby/detect_rails_jwt.rb
+              line_number: 10
+risks:
+    - detector_id: detect_rails_jwt
+      data_types:
+        - name: Email Address
+          stored: false
+          locations:
+            - filename: testdata/ruby/detect_rails_jwt.rb
+              line_number: 12
+          parent:
+            line_number: 10
+            content: JWT.encode user.address, nil, "none"
+        - name: Physical Address
+          stored: false
+          locations:
+            - filename: testdata/ruby/detect_rails_jwt.rb
+              line_number: 10
+          parent:
+            line_number: 10
+            content: JWT.encode user.address, nil, "none"
+components: []
+
+
+--
+

integration/custom_detectors/custom_detectors_test.go

@@ -19,6 +19,7 @@ func TestCustomDetectors(t *testing.T) {
 		newScanTest("ruby", "detect_ruby_logger", "detect_ruby_logger.rb"),
 		newScanTest("ruby", "ruby_file_detection", "ruby_file_detection.rb"),
 		newScanTest("ruby", "detect_rails_session", "detect_rails_session.rb"),
+		newScanTest("ruby", "detect_rails_jwt", "detect_rails_jwt.rb"),
 	}
 
 	testhelper.RunTests(t, tests)

integration/custom_detectors/testdata/ruby/detect_rails_jwt.rb

@@ -0,0 +1,12 @@
+payload = {
+	user: {
+		first_name: "John",
+		last_name: "Doe",
+	}
+}
+
+token1 = JWT.encode payload, nil, "none"
+
+token2 = JWT.encode user.address, nil, "none"
+
+token3 = JWT.encode(user.email, nil, "none")

integration/flags/.snapshots/TestInitCommand-init

@@ -24,6 +24,20 @@ scan:
             root_lowercase: true
             metavars: {}
             stored: false
+        detect_rails_jwt:
+            disabled: false
+            type: risk
+            languages:
+                - ruby
+            patterns:
+                - |
+                  JWT.encode(<$ARGUMENT>)
+            param_parenting: false
+            processors: []
+            root_singularize: false
+            root_lowercase: false
+            metavars: {}
+            stored: false
         detect_rails_logger:
             disabled: false
             type: risk

pkg/commands/process/settings/custom_detector.yml

@@ -53,6 +53,13 @@ detect_rails_session:
       session[...] = $ANYTHING
   languages:
     - ruby
+detect_rails_jwt:
+  type: "risk"
+  patterns:
+    - |
+      JWT.encode(<$ARGUMENT>)
+  languages:
+    - ruby
 detect_encrypted_ruby_class_properties:
   type: "verifier"
   patterns:

pkg/commands/process/settings/policies.yml

@@ -18,6 +18,16 @@ session_leaks:
   modules:
     - path: policies/leakage.rego
       name: bearer.leakage
+jwt_leaks:
+  description: "JWT leaks detected"
+  name: "JWT leaking"
+  id: "detect_rails_jwt"
+  query: |
+    critical = data.bearer.leakage.critical
+    high = data.bearer.leakage.high
+  modules:
+    - path: policies/leakage.rego
+      name: bearer.leakage
 application_level_encryption_missing:
   description: "Application level encryption missing"
   name: "Application level encryption missing"