@apiposture/cli 1.0.1

package/dist/rules/surface/sensitive-route-keywords.js

@@ -0,0 +1,63 @@
+import { createFinding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityClassification } from '../../core/models/security-classification.js';
+/**
+ * AP007: Sensitive route keywords
+ *
+ * Detects publicly accessible routes that contain sensitive keywords
+ * like 'admin', 'debug', 'internal', 'export', etc. These routes
+ * typically should not be publicly accessible.
+ */
+export class SensitiveRouteKeywords {
+    id = 'AP007';
+    name = 'Sensitive route keywords';
+    description = 'Public route contains sensitive keywords';
+    severity = Severity.Medium;
+    sensitiveKeywords = [
+        'admin',
+        'debug',
+        'internal',
+        'export',
+        'import',
+        'backup',
+        'config',
+        'settings',
+        'system',
+        'management',
+        'dashboard',
+        'metrics',
+        'logs',
+        'audit',
+        'secret',
+        'private',
+        'hidden',
+        'test',
+        'dev',
+        'staging',
+    ];
+    evaluate(endpoint) {
+        const findings = [];
+        const auth = endpoint.authorization;
+        // Only check public endpoints
+        if (auth.classification !== SecurityClassification.Public) {
+            return findings;
+        }
+        const routeLower = endpoint.route.toLowerCase();
+        const foundKeywords = this.sensitiveKeywords.filter((keyword) => routeLower.includes(keyword));
+        if (foundKeywords.length > 0) {
+            findings.push(createFinding({
+                ruleId: this.id,
+                ruleName: this.name,
+                severity: this.severity,
+                message: `${endpoint.method} ${endpoint.route} is public but contains sensitive keywords: ${foundKeywords.join(', ')}`,
+                endpoint,
+                location: endpoint.location,
+                recommendation: `Routes containing "${foundKeywords[0]}" typically indicate sensitive functionality ` +
+                    'that should require authentication. Add authentication middleware or guards, ' +
+                    'or rename the route if it is truly meant to be public.',
+            }));
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=sensitive-route-keywords.js.map

package/dist/rules/surface/unprotected-endpoint.d.ts

@@ -0,0 +1,20 @@
+import { Endpoint } from '../../core/models/endpoint.js';
+import { Finding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityRule } from '../rule-interface.js';
+/**
+ * AP008: Unprotected endpoint
+ *
+ * Detects endpoints with no authentication middleware chain at all.
+ * This is different from AP001 in that it specifically checks for
+ * the absence of any middleware, not just auth middleware.
+ */
+export declare class UnprotectedEndpoint implements SecurityRule {
+    readonly id = "AP008";
+    readonly name = "Unprotected endpoint";
+    readonly description = "Endpoint has no middleware chain for protection";
+    readonly severity = Severity.High;
+    evaluate(endpoint: Endpoint): Finding[];
+    private getRecommendation;
+}
+//# sourceMappingURL=unprotected-endpoint.d.ts.map

package/dist/rules/surface/unprotected-endpoint.js

@@ -0,0 +1,61 @@
+import { createFinding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityClassification } from '../../core/models/security-classification.js';
+/**
+ * AP008: Unprotected endpoint
+ *
+ * Detects endpoints with no authentication middleware chain at all.
+ * This is different from AP001 in that it specifically checks for
+ * the absence of any middleware, not just auth middleware.
+ */
+export class UnprotectedEndpoint {
+    id = 'AP008';
+    name = 'Unprotected endpoint';
+    description = 'Endpoint has no middleware chain for protection';
+    severity = Severity.High;
+    evaluate(endpoint) {
+        const findings = [];
+        const auth = endpoint.authorization;
+        // Only flag if:
+        // 1. It's public (no auth)
+        // 2. No middleware chain at all
+        // 3. No guards
+        // 4. Not explicitly marked as public
+        if (auth.classification === SecurityClassification.Public &&
+            auth.middlewareChain.length === 0 &&
+            auth.guardNames.length === 0 &&
+            !auth.isExplicitlyPublic) {
+            findings.push(createFinding({
+                ruleId: this.id,
+                ruleName: this.name,
+                severity: this.severity,
+                message: `${endpoint.method} ${endpoint.route} has no middleware chain`,
+                endpoint,
+                location: endpoint.location,
+                recommendation: this.getRecommendation(endpoint),
+            }));
+        }
+        return findings;
+    }
+    getRecommendation(endpoint) {
+        switch (endpoint.type) {
+            case 'express':
+                return ('This endpoint has no middleware. Consider adding: ' +
+                    '(1) Authentication middleware, (2) Rate limiting, (3) Input validation, ' +
+                    '(4) Request logging. Example: app.get("/path", auth, validate, handler)');
+            case 'nestjs':
+                return ('This endpoint has no guards or interceptors. Consider adding: ' +
+                    '(1) @UseGuards() for authentication, (2) @UseInterceptors() for logging, ' +
+                    '(3) @UsePipes() for validation.');
+            case 'fastify':
+                return ('This endpoint has no hooks. Consider adding preHandler hooks for ' +
+                    'authentication, validation, and logging.');
+            case 'koa':
+                return ('This endpoint has no middleware chain. Consider adding middleware for ' +
+                    'authentication, validation, and error handling.');
+            default:
+                return 'Add middleware for authentication, validation, and security.';
+        }
+    }
+}
+//# sourceMappingURL=unprotected-endpoint.js.map

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@apiposture/cli",
+  "version": "1.0.1",
+  "description": "Static source-code analysis CLI for Node.js API frameworks to identify authorization misconfigurations and security risks",
+  "main": "dist/index.js",
+  "bin": {
+    "apiposture": "dist/index.js"
+  },
+  "type": "module",
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/index.ts",
+    "start": "node dist/index.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "eslint src --ext .ts",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "security",
+    "api",
+    "authorization",
+    "express",
+    "nestjs",
+    "fastify",
+    "koa",
+    "cli",
+    "static-analysis"
+  ],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/BlagoCuljak/ApiPosture.Node.js"
+  },
+  "bugs": {
+    "url": "https://github.com/BlagoCuljak/ApiPosture.Node.js/issues"
+  },
+  "homepage": "https://github.com/BlagoCuljak/ApiPosture.Node.js#readme",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "axios": "^1.6.0",
+    "chalk": "^5.3.0",
+    "cli-table3": "^0.6.3",
+    "commander": "^12.0.0",
+    "glob": "^10.3.0",
+    "ora": "^8.0.1"
+  },
+  "devDependencies": {
+    "@types/node": "^20.10.0",
+    "@typescript-eslint/eslint-plugin": "^6.18.0",
+    "@typescript-eslint/parser": "^6.18.0",
+    "eslint": "^8.56.0",
+    "tsx": "^4.7.0",
+    "typescript": "^5.3.0",
+    "vitest": "^1.0.0"
+  }
+}