@capgo/capgo-sec 1.0.4

package/src/rules/storage.ts

@@ -0,0 +1,241 @@
+import type { Rule, Finding } from '../types.js';
+
+export const storageRules: Rule[] = [
+  {
+    id: 'STO001',
+    name: 'Unencrypted Sensitive Data in Preferences',
+    description: 'Detects storage of sensitive data in Capacitor Preferences without encryption',
+    severity: 'high',
+    category: 'storage',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Pattern for Preferences.set with sensitive keys
+      const sensitiveKeys = /(?:password|token|secret|key|auth|session|credential|pin|ssn|credit.?card)/i;
+      const preferencesPattern = /Preferences\.set\s*\(\s*\{[^}]*key:\s*['"]([^'"]+)['"]/g;
+
+      let match;
+      while ((match = preferencesPattern.exec(content)) !== null) {
+        const keyName = match[1];
+        if (sensitiveKeys.test(keyName)) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'STO001',
+            ruleName: 'Unencrypted Sensitive Data in Preferences',
+            severity: 'high',
+            category: 'storage',
+            message: `Sensitive data "${keyName}" stored in Preferences without encryption`,
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Use @capgo/capacitor-native-biometric or iOS Keychain/Android Keystore for sensitive data storage.',
+            references: [
+              'https://capacitor-sec.dev/docs/rules/storage',
+              'https://capacitorjs.com/docs/apis/preferences'
+            ]
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use secure storage solutions like @capgo/capacitor-native-biometric for sensitive data.'
+  },
+  {
+    id: 'STO002',
+    name: 'localStorage Usage for Sensitive Data',
+    description: 'Detects usage of localStorage for storing sensitive information',
+    severity: 'high',
+    category: 'storage',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      const sensitiveKeys = /(?:password|token|secret|key|auth|session|credential|pin|ssn|credit.?card|jwt|bearer)/i;
+      const localStoragePattern = /localStorage\.setItem\s*\(\s*['"]([^'"]+)['"]/g;
+
+      let match;
+      while ((match = localStoragePattern.exec(content)) !== null) {
+        const keyName = match[1];
+        if (sensitiveKeys.test(keyName)) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'STO002',
+            ruleName: 'localStorage Usage for Sensitive Data',
+            severity: 'high',
+            category: 'storage',
+            message: `Sensitive data "${keyName}" stored in localStorage which is not secure`,
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Use Capacitor Preferences with encryption or secure native storage instead of localStorage.',
+            references: ['https://capacitor-sec.dev/docs/rules/localstorage']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Avoid localStorage for sensitive data. Use Capacitor\'s secure storage APIs.'
+  },
+  {
+    id: 'STO003',
+    name: 'SQLite Database Without Encryption',
+    description: 'Detects SQLite database usage without encryption enabled',
+    severity: 'medium',
+    category: 'storage',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for SQLite plugin without encryption
+      const sqlitePattern = /(?:CapacitorSQLite|SQLite)\.(?:createConnection|open)\s*\(/g;
+      const hasEncryption = /encrypted:\s*true|secret:\s*['"][^'"]+['"]/;
+
+      let match;
+      while ((match = sqlitePattern.exec(content)) !== null) {
+        // Look for encryption in the surrounding context (100 chars)
+        const context = content.substring(Math.max(0, match.index - 50), match.index + 200);
+        if (!hasEncryption.test(context)) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'STO003',
+            ruleName: 'SQLite Database Without Encryption',
+            severity: 'medium',
+            category: 'storage',
+            message: 'SQLite database created without encryption enabled',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Enable SQLite encryption using the encrypted option and provide a secure encryption key.',
+            references: ['https://github.com/capacitor-community/sqlite']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Enable SQLCipher encryption for SQLite databases containing sensitive data.'
+  },
+  {
+    id: 'STO004',
+    name: 'Filesystem Storage of Sensitive Data',
+    description: 'Detects writing sensitive data to the filesystem without encryption',
+    severity: 'high',
+    category: 'storage',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      const writePattern = /Filesystem\.writeFile\s*\(/g;
+      const sensitiveContent = /(?:password|token|secret|key|auth|credential|private)/i;
+
+      let match;
+      while ((match = writePattern.exec(content)) !== null) {
+        const context = content.substring(match.index, Math.min(content.length, match.index + 300));
+        if (sensitiveContent.test(context)) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'STO004',
+            ruleName: 'Filesystem Storage of Sensitive Data',
+            severity: 'high',
+            category: 'storage',
+            message: 'Potentially sensitive data written to filesystem without encryption',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Encrypt sensitive data before writing to filesystem. Consider using secure storage alternatives.',
+            references: ['https://capacitorjs.com/docs/apis/filesystem']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Encrypt data before filesystem storage or use secure storage APIs.'
+  },
+  {
+    id: 'STO005',
+    name: 'Insecure Data Caching',
+    description: 'Detects caching of sensitive data that could persist beyond session',
+    severity: 'medium',
+    category: 'storage',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for various caching patterns with sensitive data
+      const cachePatterns = [
+        /sessionStorage\.setItem\s*\(\s*['"](?:[^'"]*(?:token|auth|session|credential)[^'"]*)['"]/gi,
+        /\.cache\s*\(\s*['"](?:[^'"]*(?:token|auth|user|session)[^'"]*)['"]/gi,
+        /IndexedDB.*(?:token|auth|password|credential)/gi
+      ];
+
+      for (const pattern of cachePatterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'STO005',
+            ruleName: 'Insecure Data Caching',
+            severity: 'medium',
+            category: 'storage',
+            message: 'Sensitive data may be cached insecurely',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Avoid caching sensitive data. If necessary, use encrypted storage with proper expiration.',
+            references: ['https://capacitor-sec.dev/docs/rules/caching']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Implement secure caching with encryption and proper data expiration.'
+  },
+  {
+    id: 'STO006',
+    name: 'Keychain/Keystore Not Used for Credentials',
+    description: 'Detects credential storage that should use native secure storage',
+    severity: 'high',
+    category: 'storage',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for credential storage without using native biometric/secure storage
+      const insecureStoragePattern = /(?:Preferences|localStorage|sessionStorage).*(?:password|credential|biometric|pin)/gi;
+
+      let match;
+      while ((match = insecureStoragePattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        findings.push({
+          ruleId: 'STO006',
+          ruleName: 'Keychain/Keystore Not Used for Credentials',
+          severity: 'high',
+          category: 'storage',
+          message: 'Credentials should be stored in iOS Keychain or Android Keystore',
+          filePath,
+          line: lineNum,
+          codeSnippet: lines[lineNum - 1]?.trim(),
+          remediation: 'Use @capgo/capacitor-native-biometric or similar plugin for secure credential storage.',
+          references: [
+            'https://github.com/nickcox/capacitor-native-biometric',
+            'https://capacitor-sec.dev/docs/rules/secure-storage'
+          ]
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Use iOS Keychain and Android Keystore through appropriate Capacitor plugins.'
+  }
+];

package/src/rules/webview.ts

@@ -0,0 +1,232 @@
+import type { Rule, Finding } from '../types.js';
+
+export const webviewRules: Rule[] = [
+  {
+    id: 'WEB001',
+    name: 'WebView JavaScript Injection',
+    description: 'Detects potential JavaScript injection vulnerabilities in WebView',
+    severity: 'critical',
+    category: 'webview',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx', '**/*.html'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for innerHTML with user input
+      const dangerousPatterns = [
+        { pattern: /innerHTML\s*=\s*(?!['"`]<)/, message: 'innerHTML assignment with potential user input' },
+        { pattern: /document\.write\s*\(/, message: 'document.write can inject arbitrary content' },
+        { pattern: /outerHTML\s*=\s*(?!['"`]<)/, message: 'outerHTML assignment with potential user input' },
+        { pattern: /insertAdjacentHTML\s*\(/, message: 'insertAdjacentHTML can inject HTML/scripts' }
+      ];
+
+      for (const { pattern, message } of dangerousPatterns) {
+        let match;
+        const regex = new RegExp(pattern.source, 'gi');
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'WEB001',
+            ruleName: 'WebView JavaScript Injection',
+            severity: 'high',
+            category: 'webview',
+            message,
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Use textContent for text or create elements with DOM APIs. Sanitize any HTML input.',
+            references: [
+              'https://owasp.org/www-community/attacks/xss/',
+              'https://capacitor-sec.dev/docs/rules/xss'
+            ]
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use textContent or sanitize HTML input before insertion.'
+  },
+  {
+    id: 'WEB002',
+    name: 'Unsafe iframe Configuration',
+    description: 'Detects iframes without proper sandboxing',
+    severity: 'high',
+    category: 'webview',
+    filePatterns: ['**/*.html', '**/*.tsx', '**/*.jsx', '**/*.vue'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for iframes without sandbox
+      const iframePattern = /<iframe[^>]*>/gi;
+
+      let match;
+      while ((match = iframePattern.exec(content)) !== null) {
+        const iframeTag = match[0];
+        const hasSandbox = /sandbox\s*=/.test(iframeTag);
+        const hasAllowScripts = /allow-scripts/.test(iframeTag);
+        const hasAllowSameOrigin = /allow-same-origin/.test(iframeTag);
+
+        if (!hasSandbox) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'WEB002',
+            ruleName: 'Unsafe iframe Configuration',
+            severity: 'high',
+            category: 'webview',
+            message: 'iframe without sandbox attribute',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Add sandbox attribute to iframe with minimal required permissions.',
+            references: ['https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox']
+          });
+        } else if (hasAllowScripts && hasAllowSameOrigin) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'WEB002',
+            ruleName: 'Unsafe iframe Configuration',
+            severity: 'medium',
+            category: 'webview',
+            message: 'iframe with allow-scripts and allow-same-origin is nearly equivalent to no sandbox',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Avoid combining allow-scripts with allow-same-origin if possible.',
+            references: ['https://capacitor-sec.dev/docs/rules/iframe']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use sandbox attribute with minimal permissions on iframes.'
+  },
+  {
+    id: 'WEB003',
+    name: 'External Script Loading',
+    description: 'Detects loading of scripts from external sources without integrity',
+    severity: 'medium',
+    category: 'webview',
+    filePatterns: ['**/*.html', '**/index.html'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for external scripts without integrity
+      const scriptPattern = /<script[^>]*src\s*=\s*['"]https?:\/\/[^'"]+['"][^>]*>/gi;
+
+      let match;
+      while ((match = scriptPattern.exec(content)) !== null) {
+        const scriptTag = match[0];
+        const hasIntegrity = /integrity\s*=/.test(scriptTag);
+        const hasCrossorigin = /crossorigin/.test(scriptTag);
+
+        if (!hasIntegrity) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'WEB003',
+            ruleName: 'External Script Loading',
+            severity: 'medium',
+            category: 'webview',
+            message: 'External script loaded without Subresource Integrity (SRI)',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Add integrity and crossorigin attributes to external scripts.',
+            references: ['https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Add SRI (integrity) attribute to external script tags.'
+  },
+  {
+    id: 'WEB004',
+    name: 'Content Security Policy Missing',
+    description: 'Detects missing or weak Content Security Policy',
+    severity: 'medium',
+    category: 'webview',
+    filePatterns: ['**/index.html', '**/capacitor.config.*'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+
+      if (filePath.includes('index.html')) {
+        const hasCSP = /<meta[^>]*http-equiv\s*=\s*['"]Content-Security-Policy['"][^>]*>/i.test(content);
+        const hasUnsafeInline = /unsafe-inline|unsafe-eval/i.test(content);
+
+        if (!hasCSP) {
+          findings.push({
+            ruleId: 'WEB004',
+            ruleName: 'Content Security Policy Missing',
+            severity: 'medium',
+            category: 'webview',
+            message: 'No Content Security Policy meta tag found',
+            filePath,
+            line: 1,
+            remediation: 'Add a Content Security Policy meta tag to restrict resource loading.',
+            references: ['https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP']
+          });
+        } else if (hasUnsafeInline) {
+          findings.push({
+            ruleId: 'WEB004',
+            ruleName: 'Content Security Policy Missing',
+            severity: 'medium',
+            category: 'webview',
+            message: 'CSP contains unsafe-inline or unsafe-eval which weakens protection',
+            filePath,
+            line: 1,
+            remediation: 'Remove unsafe-inline and unsafe-eval. Use nonces or hashes for inline scripts.',
+            references: ['https://capacitor-sec.dev/docs/rules/csp']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Implement a strict Content Security Policy.'
+  },
+  {
+    id: 'WEB005',
+    name: 'Target _blank Without noopener',
+    description: 'Detects links with target="_blank" missing rel="noopener"',
+    severity: 'low',
+    category: 'webview',
+    filePatterns: ['**/*.html', '**/*.tsx', '**/*.jsx', '**/*.vue'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for target="_blank" without noopener
+      const linkPattern = /<a[^>]*target\s*=\s*['"]_blank['"][^>]*>/gi;
+
+      let match;
+      while ((match = linkPattern.exec(content)) !== null) {
+        const linkTag = match[0];
+        const hasNoopener = /rel\s*=\s*['"][^'"]*noopener[^'"]*['"]/.test(linkTag);
+
+        if (!hasNoopener) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'WEB005',
+            ruleName: 'Target _blank Without noopener',
+            severity: 'low',
+            category: 'webview',
+            message: 'Link with target="_blank" missing rel="noopener" (Tabnabbing vulnerability)',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Add rel="noopener noreferrer" to links with target="_blank".',
+            references: ['https://owasp.org/www-community/attacks/Reverse_Tabnabbing']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Add rel="noopener noreferrer" to external links.'
+  }
+];