@auth0/auth0-checkmate 1.4.0

package/THIRD-PARTY-NOTICES

@@ -0,0 +1,226 @@
+Checkmate for Auth0 Third Party Licenses and Notices
+
+This document contains third party open source licenses and notices for the Checkmate for Auth0 product. Certain licenses and notices may appear in other parts of the
+product in accordance with the applicable license requirements.
+
+The Checkmate for Auth0 product that this document references does not necessarily use all the
+open source software packages referred to below and may also only use portions
+of a given package.
+
+Third Party Notices
+-------------------------------------------------------------------------------
+
+acorn (8.14.0)
+License: MIT
+Copyright (c) 2012-2022 by various contributors (see AUTHORS)
+Repository: https://github.com/acornjs/acorn
+
+axios (1.12.0)
+License: MIT
+Copyright (c) 2014-present Matt Zabriskie & Collaborators
+Repository: https://github.com/axios/axios
+
+chalk (4.1.2)
+License: MIT
+Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+Repository: https://github.com/chalk/chalk
+
+cli-table3 (0.6.5)
+License: MIT
+Copyright (c) 2014 James Talmage <james@talmage.io>
+Repository: https://github.com/cli-table/cli-table3
+
+estree-walker (2.0.2)
+License: MIT
+Copyright (c) 2015-20 [these people](https://github.com/Rich-Harris/estree-walker/graphs/contributors)
+Repository: https://github.com/Rich-Harris/estree-walker
+
+figlet (1.8.0)
+License: MIT
+Copyright (C) 2014-present Patrick Gillespie and other contributors
+Repository: https://github.com/patorjk/figlet.js
+
+glob (11.0.1)
+License: ISC
+Copyright (c) 2009-2023 Isaac Z. Schlueter and Contributors
+Repository: https://github.com/isaacs/node-glob
+
+handlebars (4.7.8)
+License: MIT
+Copyright (C) 2011-2019 by Yehuda Katz
+Repository: https://github.com/handlebars-lang/handlebars.js
+
+i18n (0.15.1)
+License: MIT
+Copyright (c) 2011-present Marcus Spiegel <marcus.spiegel@gmail.com>
+Repository: https://github.com/mashpie/i18n-node
+
+inquirer (12.3.3)
+License: MIT
+Copyright (c) 2025 Simon Boudrias
+Repository: https://github.com/SBoudrias/Inquirer.js
+
+jsonwebtoken (9.0.2)
+License: MIT
+Copyright (c) 2015 Auth0, Inc. <support@auth0.com> (http://auth0.com)
+Repository: https://github.com/auth0/node-jsonwebtoken
+
+lodash (4.17.21)
+License: MIT
+Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
+Repository: https://github.com/lodash/lodash
+
+moment (2.30.1)
+License: MIT
+Copyright (c) JS Foundation and other contributors
+Repository: https://github.com/moment/moment
+
+puppeteer (23.10.0)
+License: Apache-2.0
+Copyright 2017 Google Inc.
+Repository: https://github.com/puppeteer/puppeteer
+
+semver (7.7.1)
+License: ISC
+Copyright (c) Isaac Z. Schlueter and Contributors
+Repository: https://github.com/npm/node-semver
+
+winston (3.17.0)
+License: MIT
+Copyright (c) 2010 Charlie Robbins
+Repository: https://github.com/winstonjs/winston
+
+-------------------------------------------------------------------------------
+Development Dependencies
+-------------------------------------------------------------------------------
+
+@eslint/js (9.23.0)
+License: MIT
+Copyright OpenJS Foundation and other contributors, <www.openjsf.org>
+Repository: https://github.com/eslint/eslint
+
+chai (5.2.0)
+License: MIT
+Copyright (c) 2017 Chai.js Assertion Library
+Repository: https://github.com/chaijs/chai
+
+eslint (9.23.0)
+License: MIT
+Copyright OpenJS Foundation and other contributors, <www.openjsf.org>
+Repository: https://github.com/eslint/eslint
+
+eslint-plugin-mocha (10.5.0)
+License: MIT
+Copyright (c) 2014 Mathias Schreck <schreck.mathias@gmail.com>
+Repository: https://github.com/lo1tuma/eslint-plugin-mocha
+
+globals (16.0.0)
+License: MIT
+Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+Repository: https://github.com/sindresorhus/globals
+
+mocha (11.1.0)
+License: MIT
+Copyright (c) 2011-2022 OpenJS Foundation and contributors, https://openjsf.org
+Repository: https://github.com/mochajs/mocha
+
+nock (14.0.1)
+License: MIT
+Copyright (c) 2011-2019 Pedro Teixeira and other contributors
+Repository: https://github.com/nock/nock
+
+nyc (17.1.0)
+License: ISC
+Copyright (c) 2015, Contributors
+Repository: https://github.com/istanbuljs/nyc
+
+proxyquire (2.1.3)
+License: MIT
+Copyright 2013 Thorsten Lorenz
+Repository: https://github.com/thlorenz/proxyquire
+
+sinon (19.0.2)
+License: BSD-3-Clause
+Copyright (c) 2010-2020, Christian Johansen
+Repository: https://github.com/sinonjs/sinon
+
+-------------------------------------------------------------------------------
+License Texts
+-------------------------------------------------------------------------------
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+ISC License
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+Apache License 2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+BSD 3-Clause License
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+

package/analyzer/lib/actions/checkActionsHardCodedValues.js

@@ -0,0 +1,151 @@
+/*
+{
+  "actions": [
+    {
+      "id": "0cdb84c6-9faf-4344-b1c5-affa9db5a63f",
+      "name": "Custom Phone Provider",
+      "supported_triggers": [
+        {
+          "id": "custom-phone-provider",
+          "version": "v1"
+        }
+      ],
+      "created_at": "2024-12-05T03:14:55.811465959Z",
+      "updated_at": "2024-12-05T03:14:55.831277001Z",
+      "code": "exports.onExecuteCustomPhoneProvider = async (event, api) => {\n  // Code goes here\n  return;\n};",
+        "dependencies": [],
+        "runtime": "node18",
+        "status": "built",
+        "secrets": [],
+        "all_changes_deployed": false
+      },
+      {
+        "id": "89df9e29-d521-43f4-9b80-8a8f9623ad39",
+        "name": "Console Log",
+        "supported_triggers": [
+          {
+            "id": "post-login",
+            "version": "v3"
+          }
+        ],
+        "created_at": "2024-12-05T03:48:52.546705182Z",
+        "updated_at": "2025-02-05T04:33:20.935611754Z",
+        "code": "exports.onExecutePostLogin = async (event, api) => {\n  const PASSWORD = \"abcd1234\";\n  console.log(JSON.stringify(event.user, null, 2));\n};",
+        "dependencies": [
+          {
+            "name": "aws-sdk",
+            "version": "2.1448.0"
+          }
+        ],
+        "runtime": "node18-actions",
+        "status": "built",
+        "secrets": [],
+        "all_changes_deployed": true
+      },
+      {
+        "id": "7d24512b-aa56-4ddc-8b51-68583110c5fa",
+        "name": "action example 1",
+        "supported_triggers": [
+          {
+            "id": "post-login",
+            "version": "v3"
+          }
+        ],
+        "created_at": "2025-02-05T03:03:04.643668771Z",
+        "updated_at": "2025-02-05T03:03:04.666046787Z",
+        "code": "exports.onExecutePostLogin = async (event, api) => {\n};",
+        "dependencies": [],
+        "runtime": "node22",
+        "status": "built",
+        "secrets": [],
+        "all_changes_deployed": false
+      }
+    ],
+    "total": 3
+  }
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+const acorn = require("acorn");
+const walk = require("estree-walker").walk;
+
+function detectHardcodedValues(code, scriptName) {
+  let processedCode = code.replace(/(?!\w+#)\b#(\w+)/g, "_$1");
+  const ast = acorn.parse(processedCode, {
+    ecmaVersion: "latest",
+    locations: true,
+  });
+
+  const hardcodedValues = [];
+
+  // Walk through the AST
+  walk(ast, {
+    enter(node) {
+      // Check for variable assignments with hardcoded literals
+      if (node.type === "VariableDeclaration") {
+        node.declarations.forEach((declaration) => {
+          if (
+            declaration.init &&
+            declaration.init.type === "Literal" &&
+            typeof declaration.init.value === "string"
+          ) {
+            // Add the variable name and the type of the hardcoded literal
+            hardcodedValues.push({
+              scriptName: scriptName,
+              variableName: declaration.id.name,
+              field: "hard_coded_value_detected",
+              status: CONSTANTS.FAIL,
+              type: typeof declaration.init.value,
+              line: declaration.loc.start.line,
+              column: declaration.loc.start.column,
+            });
+          }
+        });
+      }
+    },
+  });
+
+  return hardcodedValues.filter(
+    (entry) =>
+      !isCommonException(entry.value) && !isConstantDeclaration(this.parent),
+  );
+}
+
+// Helper functions
+function isCommonException(value) {
+  const exceptions = [
+    /^[0-1]$/, // Allow 0 and 1
+    /^[a-z]$/i, // Single letters
+    /^\s*$/, // Whitespace-only
+    /^[{}()[]<>]+$/, // Common brackets
+  ];
+  return exceptions.some((regex) => regex.test(String(value)));
+}
+
+function isConstantDeclaration(node) {
+  return node?.type === "VariableDeclarator" && node.parent?.kind === "const";
+}
+
+function checkActionsHardCodedValues(options) {
+  const { actions } = options || [];
+  return executeCheck("checkActionsHardCodedValues", (callback) => {
+    const actionsList = _.isArray(actions) ? actions : actions.actions;
+    const reports = [];
+    if (_.isEmpty(actionsList)) {
+      return callback(reports);
+    }
+    actionsList.forEach((action) => {
+      var actionName = action.name.concat(
+        ` (${action.supported_triggers[0].id})`,
+      );
+      var report = detectHardcodedValues(action.code, actionName);
+      if (report.length > 0) {
+        reports.push({ name: actionName, report: report });
+      }
+    });
+    return callback(reports);
+  });
+}
+
+module.exports = checkActionsHardCodedValues;

package/analyzer/lib/actions/checkActionsRuntime.js

@@ -0,0 +1,105 @@
+/*
+{
+  "actions": [
+    {
+      "id": "0cdb84c6-9faf-4344-b1c5-affa9db5a63f",
+      "name": "Custom Phone Provider",
+      "supported_triggers": [
+        {
+          "id": "custom-phone-provider",
+          "version": "v1"
+        }
+      ],
+      "created_at": "2024-12-05T03:14:55.811465959Z",
+      "updated_at": "2024-12-05T03:14:55.831277001Z",
+      "code": "exports.onExecuteCustomPhoneProvider = async (event, api) => {\n  // Code goes here\n  return;\n};",
+        "dependencies": [],
+        "runtime": "node18",
+        "status": "built",
+        "secrets": [],
+        "all_changes_deployed": false
+      },
+      {
+        "id": "89df9e29-d521-43f4-9b80-8a8f9623ad39",
+        "name": "Console Log",
+        "supported_triggers": [
+          {
+            "id": "post-login",
+            "version": "v3"
+          }
+        ],
+        "created_at": "2024-12-05T03:48:52.546705182Z",
+        "updated_at": "2025-02-05T04:33:20.935611754Z",
+        "code": "exports.onExecutePostLogin = async (event, api) => {\n  const PASSWORD = \"abcd1234\";\n  console.log(JSON.stringify(event.user, null, 2));\n};",
+        "dependencies": [
+          {
+            "name": "aws-sdk",
+            "version": "2.1448.0"
+          }
+        ],
+        "runtime": "node18-actions",
+        "status": "built",
+        "secrets": [],
+        "all_changes_deployed": true
+      },
+      {
+        "id": "7d24512b-aa56-4ddc-8b51-68583110c5fa",
+        "name": "action example 1",
+        "supported_triggers": [
+          {
+            "id": "post-login",
+            "version": "v3"
+          }
+        ],
+        "created_at": "2025-02-05T03:03:04.643668771Z",
+        "updated_at": "2025-02-05T03:03:04.666046787Z",
+        "code": "exports.onExecutePostLogin = async (event, api) => {\n};",
+        "dependencies": [],
+        "runtime": "node22",
+        "status": "built",
+        "secrets": [],
+        "all_changes_deployed": false
+      }
+    ],
+    "total": 3
+  }
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+const getRuntimeVersion = (runtime) => {
+  const regex = /node(\d*)/;
+  const [, version] = runtime.match(regex) ?? [];
+  return Number(version);
+};
+function checkActionsRuntime(options) {
+  const { actions } = options || [];
+  return executeCheck("checkActionsRuntime", (callback) => {
+    const report = [];
+    if (_.isEmpty(actions)) {
+      return callback(report);
+    }
+    const actionsList = _.isArray(actions) ? actions : actions.actions;
+    if (_.isEmpty(actionsList)) {
+      return callback(report);
+    }
+    actionsList.forEach((action) => {
+      if (action.runtime.includes("node")) {
+        const version = getRuntimeVersion(action.runtime);
+        if (version < CONSTANTS.MINIMUM_NODE_VERSION) {
+          report.push({
+            name: action.name.concat(` (${action.supported_triggers[0].id})`),
+            field: "old_node_version",
+            status: CONSTANTS.FAIL,
+            value: version,
+          });
+          return;
+        }
+      }
+    });
+    return callback(report);
+  });
+}
+
+module.exports = checkActionsRuntime;

package/analyzer/lib/actions/checkDependencies.js

@@ -0,0 +1,111 @@
+/*
+{
+  "actions": [
+    {
+      "id": "0cdb84c6-9faf-4344-b1c5-affa9db5a63f",
+      "name": "Custom Phone Provider",
+      "supported_triggers": [
+        {
+          "id": "custom-phone-provider",
+          "version": "v1"
+        }
+      ],
+      "created_at": "2024-12-05T03:14:55.811465959Z",
+      "updated_at": "2024-12-05T03:14:55.831277001Z",
+      "code": "exports.onExecuteCustomPhoneProvider = async (event, api) => {\n  // Code goes here\n  return;\n};",
+        "dependencies": [],
+        "runtime": "node18",
+        "status": "built",
+        "secrets": [],
+        "all_changes_deployed": false
+      },
+      {
+        "id": "89df9e29-d521-43f4-9b80-8a8f9623ad39",
+        "name": "Console Log",
+        "supported_triggers": [
+          {
+            "id": "post-login",
+            "version": "v3"
+          }
+        ],
+        "created_at": "2024-12-05T03:48:52.546705182Z",
+        "updated_at": "2025-02-05T04:33:20.935611754Z",
+        "code": "exports.onExecutePostLogin = async (event, api) => {\n  const PASSWORD = \"abcd1234\";\n  console.log(JSON.stringify(event.user, null, 2));\n};",
+        "dependencies": [
+          {
+            "name": "aws-sdk",
+            "version": "2.1448.0"
+          }
+        ],
+        "runtime": "node18-actions",
+        "status": "built",
+        "secrets": [],
+        "all_changes_deployed": true
+      },
+      {
+        "id": "7d24512b-aa56-4ddc-8b51-68583110c5fa",
+        "name": "action example 1",
+        "supported_triggers": [
+          {
+            "id": "post-login",
+            "version": "v3"
+          }
+        ],
+        "created_at": "2025-02-05T03:03:04.643668771Z",
+        "updated_at": "2025-02-05T03:03:04.666046787Z",
+        "code": "exports.onExecutePostLogin = async (event, api) => {\n};",
+        "dependencies": [],
+        "runtime": "node22",
+        "status": "built",
+        "secrets": [],
+        "all_changes_deployed": false
+      }
+    ],
+    "total": 3
+  }
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const { getActionDependencies } = require("../../tools/helpers");
+const CONSTANTS = require("../constants");
+
+async function checkDependencies(options) {
+  const { actions } = options || [];
+  return executeCheck("checkDependencies", async (callback) => {
+    const report = [];
+    if (_.isEmpty(actions)) {
+      return callback(report);
+    }
+    const actionsList = _.isArray(actions) ? actions : actions.actions;
+    if (_.isEmpty(actionsList)) {
+      return callback(report);
+    }
+    var actionDependencyVulnList = await getActionDependencies(actionsList);
+    for (let i = 0; i < actionDependencyVulnList.length; i++) {
+      var actionDependencyVuln = actionDependencyVulnList[i];
+
+      if (!_.isEmpty(actionDependencyVulnList[i])) {
+        const vulnFindings = actionDependencyVuln.vulnFindings.filter(
+          (item) => item.severity === "high" || item.severity === "critical",
+        );
+        if (vulnFindings.length > 0) {
+          report.push({
+            name: actionDependencyVuln.actionName.concat(
+              ` (${actionDependencyVuln.trigger}-action)`,
+            ),
+            field: "dependency_with_vuln",
+            status: CONSTANTS.FAIL,
+            vulnFindings: vulnFindings,
+            value:
+              actionDependencyVuln.name +
+              " version " +
+              actionDependencyVuln.version,
+          });
+        }
+      }
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkDependencies;

package/analyzer/lib/attack_protection/checkBotDetectionSetting.js

@@ -0,0 +1,76 @@
+/*
+{
+    "selected": "auth0_v2",
+    "policy": "off",
+    "passwordless_policy": "always_on",
+    "password_reset_policy": "off",
+    "providers": {
+    },
+    "allowlist": []
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function validateBotDetectionSettings(config) {
+  const report = [];
+  if (_.isEmpty(config)) {
+    return report;
+  }
+  if (config.policy !== "off") {
+    report.push({
+      field: "policy_enabled",
+      status: CONSTANTS.SUCCESS,
+    });
+  } else {
+    report.push({
+      field: "policy_disabled",
+      status: CONSTANTS.FAIL,
+    });
+  }
+  if (config.passwordless_policy !== "off") {
+    report.push({
+      field: "passwordless_policy_enabled",
+      status: CONSTANTS.SUCCESS,
+    });
+  } else {
+    report.push({
+      field: "passwordless_policy_disabled",
+      status: CONSTANTS.FAIL,
+    });
+  }
+  if (config.password_reset_policy !== "off") {
+    report.push({
+      field: "password_reset_policy_enabled",
+      status: CONSTANTS.SUCCESS,
+    });
+  } else {
+    report.push({
+      field: "password_reset_policy_disabled",
+      status: CONSTANTS.FAIL,
+    });
+  }
+  // Check allowlist
+  if (config.allowlist.length > 0) {
+    report.push({
+      field: "allowlistPresent",
+      status: CONSTANTS.FAIL,
+      value: config.allowlist.join(", "),
+    });
+  } else {
+    report.push({
+      field: "allowlistEmpty",
+      status: CONSTANTS.SUCCESS,
+    });
+  }
+  // Return the validation report
+  return report;
+}
+function checkBotDetectionSetting(options) {
+  const { botDetection } = options.attackProtection || {};
+  return executeCheck("checkBotDetectionSetting", (callback) => {
+    return callback(validateBotDetectionSettings(botDetection));
+  });
+}
+module.exports = checkBotDetectionSetting;