Add security rules for JWT verification and RSA key length validation (#74)

* jwt-simple-noverify-javascript * node-rsa-weak-key-javascript * modification in node-rsa-weak-key-javascript --------- Co-authored-by: Sakshis <sakshil@abc.com>

Author: ESS-ENN

rules/javascript/security/jwt-simple-noverify-javascript.yml

@@ -0,0 +1,44 @@
+id: jwt-simple-noverify-javascript
+language: JavaScript
+severity: warning
+message: >-
+ "Detected the decoding of a JWT token without a verify step. JWT tokens
+ must be verified before use, otherwise the token's integrity is unknown.
+ This means a malicious actor could forge a JWT token with any claims. Set
+ 'verify' to `true` before using the token."
+note: >-
+ [CWE-287] Improper Authentication
+ [CWE-345] Insufficient Verification of Data Authenticity
+ [CWE-347] Improper Verification of Cryptographic Signature
+ [REFERENCES]
+ - https://www.npmjs.com/package/jwt-simple
+ - https://cwe.mitre.org/data/definitions/287
+ - https://cwe.mitre.org/data/definitions/345
+ - https://cwe.mitre.org/data/definitions/347
+rule:
+ kind: call_expression
+ any:
+ - pattern: $JWT.decode($TOKEN, $SECRET, true $$$)
+ - pattern: $JWT.decode($TOKEN, $SECRET, "$$$" $$$)
+ - pattern: $JWT.decode($TOKEN, $SECRET, '$$$' $$$)
+ - pattern: $JWT.decode($TOKEN, $SECRET, `$$$` $$$)
+ inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ any:
+ - kind: lexical_declaration
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ pattern: $JWT
+ - has:
+ stopBy: end
+ kind: call_expression
+ pattern: require('jwt-simple')
+ - kind: expression_statement
+ has:
+ stopBy: end
+ kind: assignment_expression
+ pattern: $JWT = require('jwt-simple')