@hclsoftware/secagent
IAST agent
//IASTIGNORE
/*
* ****************************************************
* Licensed Materials - Property of HCL.
* (c) Copyright HCL Technologies Ltd. 2017, 2025.
* Note to U.S. Government Users *Restricted Rights.
* ****************************************************
*/
const HookRule = require('./HookRule')
const TaintTracker = require('../../TaintTracker')
const StackInfo = require('../../StackInfo')
/**
 * Hook rule that reports a hooked Sequelize call to the taint tracker as a
 * sink, unless the inspected argument carries a `bind` field.
 */
class SequelizeSinkRule extends HookRule {
  /**
   * Runs after the hooked method. Picks the argument named by
   * `this.data.from` and passes it to `TaintTracker.sinkTrigger` together
   * with `this.data.vulnerability` and the call's stringified parameters.
   *
   * @param {object} hookValues - Values captured by the hook; this method
   *   reads `that`, `simpleThat`, `methodName`, `simpleArgs` and `simpleRet`.
   * @returns {undefined}
   */
  doHook (hookValues) {
    const sinkArg = HookRule.getActualParam(this.data.from, hookValues)

    // A truthy `bind` field on the argument suppresses the sink entirely.
    // NOTE(review): this tests only the truthiness of `bind`. It does not
    // inspect what is bound, and it does not check whether the statement
    // text itself was assembled from tainted data. An empty array or object
    // is truthy, so `bind: []` also suppresses reporting. Presumably the
    // argument is the query/options object handed to Sequelize; confirm
    // that skipping taint evaluation for every such call is the intended
    // trade-off, since it can hide a concatenated query that also uses bind.
    const hasBind = Boolean(sinkArg && sinkArg.bind)
    if (!hasBind) {
      const { that, simpleThat, methodName, simpleArgs, simpleRet } = hookValues
      const callParams = StackInfo.getParamsStringArrayPostHook(that, simpleThat, methodName, simpleArgs, simpleRet)
      TaintTracker.sinkTrigger(sinkArg, this.data.vulnerability, callParams)
    }
  }
}
// Expose the rule class as this module's only export.
module.exports = SequelizeSinkRule