ZupIT / horusec

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
https://horusec.io/
Apache License 2.0

Feature/privacy leaks #1112

Open guilhermepaulozup opened 2 years ago

guilhermepaulozup commented 2 years ago

- What I did

Developing rules related to #1107

Created two rules related to Brazil-specific law.

- How to verify it

Create a file

touch index.js

Use a log function to print the sensitive data

console.log("CPF: " + client.doc);

Run horusec on folder

horusec start

Should point out the vulnerability HS-PRIVACY-1

Create a file

touch main.py

Hard-code the sensitive data in the code:

client = {
    "cpf": "123.456.789-10"
}

Run horusec

horusec start

Should point out HS-PRIVACY-2

Note

My objective is to expand this feature, maybe by adding a flag to Horusec to control which country/region we want our applications to conform to (as discussed in #1107).

This is, in my opinion, the first step in building a larger feature.

- Description for the changelog
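To make the two checks above concrete, the following is an added example (not Horusec's rule engine and not the PR author's code) that scans source text for the same two patterns: a logging call whose arguments mention a CPF, and a CPF-shaped literal hard-coded in source. The rule IDs, the regexes and the sample inputs are this example's own assumptions. It also shows the practitioner's trade-off for a hard-coded-CPF rule: matching the bare shape `ddd.ddd.ddd-dd` catches any 11-digit value (timestamps, order numbers), while validating the two mod-11 check digits removes those false positives but also stops matching values such as the sample `123.456.789-10` above, whose check digits do not verify (`123.456.789-09` is the checksum-correct form).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one hit of a privacy rule. RuleID values are this example's own
// names (assumption), not Horusec's HS-PRIVACY-* identifiers.
type Finding struct {
	RuleID string
	Line   int
	Text   string
}

// cpfShape matches a CPF written as ddd.ddd.ddd-dd or as 11 bare digits.
var cpfShape = regexp.MustCompile(`\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b`)

// logCall matches common logging/printing calls in JavaScript, Python and Go.
var logCall = regexp.MustCompile(`(?i)\b(console\.(log|info|warn|error|debug)|print|logger\.\w+|log\.\w+|fmt\.Print\w*)\s*\(`)

// cpfKeyword matches a reference to a CPF (key, variable name, label) in the call arguments.
var cpfKeyword = regexp.MustCompile(`(?i)\bcpf\b`)

// ValidCPF reports whether s carries 11 digits with correct mod-11 check digits.
// Formatting characters are ignored; sequences of one repeated digit are rejected.
func ValidCPF(s string) bool {
	digits := make([]int, 0, 11)
	for _, r := range s {
		if r >= '0' && r <= '9' {
			digits = append(digits, int(r-'0'))
		}
	}
	if len(digits) != 11 {
		return false
	}
	allSame := true
	for _, d := range digits[1:] {
		if d != digits[0] {
			allSame = false
			break
		}
	}
	if allSame {
		return false
	}
	// First check digit uses weights 10..2 over 9 digits; second uses 11..2 over 10 digits.
	for _, n := range []int{9, 10} {
		sum := 0
		for i := 0; i < n; i++ {
			sum += digits[i] * (n + 1 - i)
		}
		want := 0
		if rem := sum % 11; rem >= 2 {
			want = 11 - rem
		}
		if digits[n] != want {
			return false
		}
	}
	return true
}

// ScanSource applies both rules line by line. When requireValidCPF is true the
// hard-coded rule only fires on values whose check digits verify.
func ScanSource(src string, requireValidCPF bool) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		// Rule 1: a log call whose argument list references a CPF.
		if loc := logCall.FindStringIndex(line); loc != nil && cpfKeyword.MatchString(line[loc[1]:]) {
			out = append(out, Finding{"PRIVACY-LOG-CPF", i + 1, strings.TrimSpace(line)})
		}
		// Rule 2: a CPF-shaped literal hard-coded in the source.
		for _, m := range cpfShape.FindAllString(line, -1) {
			if requireValidCPF && !ValidCPF(m) {
				continue
			}
			out = append(out, Finding{"PRIVACY-HARDCODED-CPF", i + 1, m})
		}
	}
	return out
}

// Constructed sample inputs (assumptions for this example).
const sampleJS = `const client = { doc: "123.456.789-09" };
console.log("CPF: " + client.doc);
console.log("order id: " + order.id);
`

const samplePy = `client = {
    "cpf": "123.456.789-10"
}
timestamp = 16999999999
print(f"cpf={client['cpf']}")
`

func main() {
	for _, strict := range []bool{false, true} {
		fmt.Printf("-- requireValidCPF=%v\n", strict)
		for _, f := range append(ScanSource(sampleJS, strict), ScanSource(samplePy, strict)...) {
			fmt.Printf("%s line %d: %s\n", f.RuleID, f.Line, f.Text)
		}
	}
}
```

Run with strict checking off, the Python sample yields three findings (the hard-coded value, the 11-digit timestamp and the print call); with it on, only the print call remains, which is the behaviour to weigh when deciding how strict a region-specific rule should be.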