[Query Create]: Typescript boolean logic on an unawaited promise #15
Description
Target Language
actions
Query Name (Optional)
NoMisusedPromises
Query Type
Security
Query Description
This rule forbids providing Promises to logical locations such as if statements in places where the TypeScript compiler allows them but they are not handled properly. These situations can often arise due to a missing await keyword or just a misunderstanding of the way async functions are handled/awaited.
Finds code that returns a Promise:

```ts
// Function from the report: returns a Promise<boolean>, not a boolean.
export const validatePassword = (password: string, bcryptPassword: string): Promise<boolean> =>
  bcrypt.compare(getPassword(password), bcryptPassword);
```
However, where that function was used, the Promise was never settled before being tested (e.g. by adding an await keyword in front of validatePassword):

```ts
// Caller from the report: missing await, so `valid` is a Promise object.
const valid = user.services?.password?.bcrypt && validatePassword(password, user.services.password.bcrypt);
if (!valid) {
  return false;
}
```
This led to the result of validatePassword being ANDed with a truthy bcrypt hash. Since a Promise object is always truthy in JavaScript terms, the boolean valid was subsequently always true whenever a user had a bcrypt password set, regardless of the password supplied.
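The failure mode and its fix side by side, as an added example that is not code from the project or the issue author. It assumes a constructed stand-in `compareHash` in place of `bcrypt.compare` (the bug is in the caller, so real bcrypt is not needed), a hypothetical `User` shape matching the `user.services.password.bcrypt` path in the report, and constructed sample users:

```typescript
// Constructed stand-in for bcrypt.compare: asynchronous, resolves to true only
// when the candidate matches the stored "hash". Assumption for this example.
async function compareHash(candidate: string, storedHash: string): Promise<boolean> {
  return storedHash === `stub-hash:${candidate}`;
}

// Same shape as the function in the report: returns a Promise<boolean>.
export const validatePassword = (password: string, bcryptPassword: string): Promise<boolean> =>
  compareHash(password, bcryptPassword);

// Hypothetical user shape matching the field path used in the report.
export interface User {
  services?: { password?: { bcrypt?: string } };
}

// Vulnerable caller, as in the report: no await, so `valid` is either the
// falsy bcrypt field or a Promise object. A Promise is always truthy, so the
// `!valid` check never fires for a user that has a bcrypt hash set, whatever
// password was supplied.
export function checkLoginVulnerable(user: User, password: string): boolean {
  const valid = user.services?.password?.bcrypt && validatePassword(password, user.services.password.bcrypt);
  if (!valid) {
    return false;
  }
  return true;
}

// Runtime guard useful in tests: anything with a callable `then` is a thenable
// and must not be used as a boolean. This is what the lint rule checks statically.
export function isThenable(value: unknown): boolean {
  return typeof value === "object" && value !== null &&
    typeof (value as { then?: unknown }).then === "function";
}

// Fixed caller: the Promise is awaited, so `valid` is a real boolean.
export async function checkLoginFixed(user: User, password: string): Promise<boolean> {
  const hash = user.services?.password?.bcrypt;
  if (!hash) {
    return false;
  }
  const valid = await validatePassword(password, hash);
  if (!valid) {
    return false;
  }
  return true;
}

// Constructed sample users: one whose stored hash corresponds to "correct-horse",
// one with no password set.
export const sampleUser: User = { services: { password: { bcrypt: "stub-hash:correct-horse" } } };
export const userWithoutPassword: User = { services: {} };
```

Running `checkLoginVulnerable(sampleUser, "wrong-password")` returns true, which is the authentication bypass the report describes; `checkLoginFixed` with the same arguments resolves to false. The `isThenable` guard is the runtime counterpart of the static check the requested query performs: it is true for the unawaited `validatePassword(...)` expression and false for the awaited boolean.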
Expected Severity
Critical
Code Examples
```ts
export const validatePassword = (password: string, bcryptPassword: string): Promise<boolean> =>
  bcrypt.compare(getPassword(password), bcryptPassword);

const valid = user.services?.password?.bcrypt && validatePassword(password, user.services.password.bcrypt);
if (!valid) {
  return false;
}
```
CWE/CVE Reference (Optional)
CWE-287
References (Optional)
- https://typescript-eslint.io/rules/no-misused-promises/
- https://github.blog/security/how-to-scan-for-vulnerabilities-with-github-security-labs-open-source-ai-powered-framework/#h-signing
- GHSA-w6vw-mrgv-69vf
Code of Conduct
- I agree to follow this project's Code of Conduct