vsec 0.0.1

Detect secrets and in Rust codebases
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207

// src/models/comparison.rs

/// Represents an equality comparison in code
#[derive(Debug, Clone)]
pub struct Comparison {
    /// The left side of the comparison
    pub left: ComparisonSide,

    /// The right side of the comparison
    pub right: ComparisonSide,

    /// The comparison operator
    pub operator: ComparisonOp,

    /// The consequence (what happens if comparison succeeds)
    pub consequence: Option<Consequence>,

    /// Whether left and right are swapped from canonical form
    /// (canonical: variable == constant)
    pub is_swapped: bool,
}

impl Comparison {
    /// Get the constant side (if any)
    pub fn constant_side(&self) -> Option<&ComparisonSide> {
        if self.left.is_constant() {
            Some(&self.left)
        } else if self.right.is_constant() {
            Some(&self.right)
        } else {
            None
        }
    }

    /// Get the variable side (if any)
    pub fn variable_side(&self) -> Option<&ComparisonSide> {
        if self.left.is_variable() {
            Some(&self.left)
        } else if self.right.is_variable() {
            Some(&self.right)
        } else {
            None
        }
    }
}

/// One side of a comparison
#[derive(Debug, Clone)]
pub enum ComparisonSide {
    /// A constant reference: `SECRET_KEY`
    ConstantRef {
        name: String,
        resolved_value: Option<String>,
    },

    /// A string literal: `"secret"`
    StringLiteral(String),

    /// A variable: `input`
    Variable {
        name: String,
        source: Option<VariableSource>,
    },

    /// A field access: `request.header`
    FieldAccess { base: String, field: String },

    /// A method call: `headers.get("auth")`
    MethodCall {
        receiver: String,
        method: String,
        args: Vec<String>,
    },

    /// A function call: `env::var("TOKEN")`
    FunctionCall { path: String, args: Vec<String> },

    /// Something else
    Other(String),
}

impl ComparisonSide {
    pub fn is_constant(&self) -> bool {
        matches!(self, Self::ConstantRef { .. } | Self::StringLiteral(_))
    }

    pub fn is_variable(&self) -> bool {
        matches!(self, Self::Variable { .. } | Self::FieldAccess { .. })
    }

    /// Get the name for scoring (variable name, field name, etc.)
    pub fn name_for_scoring(&self) -> Option<&str> {
        match self {
            Self::Variable { name, .. } => Some(name),
            Self::FieldAccess { field, .. } => Some(field),
            Self::MethodCall { method, .. } => Some(method),
            _ => None,
        }
    }
}

/// Where a variable came from
#[derive(Debug, Clone)]
pub enum VariableSource {
    /// Function parameter
    Parameter,

    /// Environment variable
    Environment,

    /// HTTP header
    Header,

    /// HTTP query parameter
    QueryParam,

    /// HTTP body
    RequestBody,

    /// File contents
    FileRead,

    /// User input
    Stdin,

    /// Database query
    Database,

    /// Unknown
    Unknown,
}

/// Comparison operators
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ComparisonOp {
    /// `==`
    Eq,
    /// `!=`
    Ne,
    /// `.eq()`
    MethodEq,
    /// `matches!`
    PatternMatch,
}

/// What happens after the comparison
#[derive(Debug, Clone)]
pub struct Consequence {
    /// The block of code that executes
    pub block_summary: BlockSummary,

    /// Specific dangerous operations found
    pub dangerous_ops: Vec<DangerousOp>,

    /// Whether this seems benign
    pub is_benign: bool,
}

/// Summary of a code block's effects
#[derive(Debug, Clone, Default)]
pub struct BlockSummary {
    /// Is the block empty?
    pub is_empty: bool,

    /// Only contains logging/printing?
    pub only_logging: bool,

    /// Contains return statement?
    pub has_return: bool,

    /// Contains early exit (return, break, continue)?
    pub has_early_exit: bool,

    /// Contains state mutation?
    pub has_mutation: bool,

    /// Contains function calls?
    pub function_calls: Vec<String>,

    /// Contains field assignments?
    pub field_assignments: Vec<String>,
}

/// Dangerous operations that raise score
#[derive(Debug, Clone)]
pub enum DangerousOp {
    /// Setting admin/auth state
    AuthStateChange { field: String },

    /// Calling auth-related function
    AuthFunctionCall { function: String },

    /// Process control (exit, exec, spawn)
    ProcessControl { function: String },

    /// Database operation
    DatabaseOp { operation: String },

    /// Network operation
    NetworkOp { operation: String },

    /// File system operation
    FileSystemOp { operation: String },

    /// Cryptographic operation
    CryptoOp { operation: String },
}