@capgo/capgo-sec 1.0.4

package/src/rules/ios.ts

@@ -0,0 +1,326 @@
+import type { Rule, Finding } from '../types.js';
+
+export const iosRules: Rule[] = [
+  {
+    id: 'IOS001',
+    name: 'App Transport Security Disabled',
+    description: 'Detects when App Transport Security (ATS) is disabled or has exceptions',
+    severity: 'critical',
+    category: 'ios',
+    filePatterns: ['**/Info.plist'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for ATS disabled
+      const atsDisabledPatterns = [
+        { pattern: /<key>NSAllowsArbitraryLoads<\/key>\s*<true\s*\/>/, message: 'App Transport Security is completely disabled' },
+        { pattern: /<key>NSAllowsArbitraryLoadsInWebContent<\/key>\s*<true\s*\/>/, message: 'ATS disabled for WebView content' },
+        { pattern: /<key>NSAllowsLocalNetworking<\/key>\s*<true\s*\/>/, message: 'ATS allows local networking' },
+        { pattern: /<key>NSExceptionAllowsInsecureHTTPLoads<\/key>\s*<true\s*\/>/, message: 'ATS exception allows insecure HTTP' }
+      ];
+
+      for (const { pattern, message } of atsDisabledPatterns) {
+        if (pattern.test(content)) {
+          const match = content.match(pattern);
+          if (match) {
+            const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+            findings.push({
+              ruleId: 'IOS001',
+              ruleName: 'App Transport Security Disabled',
+              severity: 'critical',
+              category: 'ios',
+              message,
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Enable App Transport Security and use HTTPS. Add specific exceptions only for domains that truly require them.',
+              references: ['https://developer.apple.com/documentation/security/preventing_insecure_network_connections']
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Enable ATS and use HTTPS exclusively. Minimize domain exceptions.'
+  },
+  {
+    id: 'IOS002',
+    name: 'Insecure Keychain Access',
+    description: 'Detects insecure Keychain access configuration',
+    severity: 'high',
+    category: 'ios',
+    filePatterns: ['**/*.swift', '**/*.m', '**/*.ts', '**/*.tsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for insecure Keychain accessibility
+      const insecurePatterns = [
+        { pattern: /kSecAttrAccessibleAlways/, message: 'Keychain item accessible when device is locked' },
+        { pattern: /kSecAttrAccessibleAlwaysThisDeviceOnly/, message: 'Keychain item accessible when device is locked' },
+        { pattern: /kSecAttrAccessibleAfterFirstUnlock/, message: 'Keychain item accessible after first unlock - consider more restrictive option' }
+      ];
+
+      for (const { pattern, message } of insecurePatterns) {
+        let match;
+        const regex = new RegExp(pattern.source, 'g');
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'IOS002',
+            ruleName: 'Insecure Keychain Access',
+            severity: 'high',
+            category: 'ios',
+            message,
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Use kSecAttrAccessibleWhenUnlockedThisDeviceOnly or kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly for sensitive data.',
+            references: ['https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use the most restrictive Keychain accessibility that meets your needs.'
+  },
+  {
+    id: 'IOS003',
+    name: 'URL Scheme Without Validation',
+    description: 'Detects custom URL scheme handlers without proper validation',
+    severity: 'high',
+    category: 'ios',
+    filePatterns: ['**/Info.plist', '**/*.swift', '**/AppDelegate.swift'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      if (filePath.includes('Info.plist')) {
+        // Check for URL schemes
+        if (/<key>CFBundleURLSchemes<\/key>/.test(content)) {
+          findings.push({
+            ruleId: 'IOS003',
+            ruleName: 'URL Scheme Without Validation',
+            severity: 'info',
+            category: 'ios',
+            message: 'Custom URL scheme detected - ensure proper validation in handler',
+            filePath,
+            line: 1,
+            remediation: 'Validate all URL scheme inputs before processing. Implement Universal Links for better security.',
+            references: ['https://developer.apple.com/documentation/xcode/defining-a-custom-url-scheme-for-your-app']
+          });
+        }
+      }
+
+      if (filePath.includes('.swift') || filePath.includes('AppDelegate')) {
+        // Check for URL handler without validation
+        const urlHandlerPattern = /func\s+application.*open\s+url:\s*URL/g;
+        if (urlHandlerPattern.test(content)) {
+          const hasValidation = /url\.scheme\s*==|url\.host\s*==|validateURL|isValidURL/.test(content);
+          if (!hasValidation) {
+            findings.push({
+              ruleId: 'IOS003',
+              ruleName: 'URL Scheme Without Validation',
+              severity: 'high',
+              category: 'ios',
+              message: 'URL scheme handler without apparent validation',
+              filePath,
+              line: 1,
+              remediation: 'Validate URL scheme, host, and parameters before processing.',
+              references: ['https://capacitor-sec.dev/docs/rules/url-schemes']
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Validate all components of incoming URLs before processing.'
+  },
+  {
+    id: 'IOS004',
+    name: 'iOS Pasteboard Sensitive Data',
+    description: 'Detects potential exposure of sensitive data through pasteboard',
+    severity: 'medium',
+    category: 'ios',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for clipboard usage with sensitive data
+      const clipboardPattern = /(?:Clipboard|Pasteboard)\.(?:write|set)/gi;
+      const sensitiveData = /(?:password|token|secret|key|auth|credential|credit.?card|ssn)/i;
+
+      let match;
+      while ((match = clipboardPattern.exec(content)) !== null) {
+        const context = content.substring(Math.max(0, match.index - 100), match.index + 200);
+        if (sensitiveData.test(context)) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'IOS004',
+            ruleName: 'iOS Pasteboard Sensitive Data',
+            severity: 'medium',
+            category: 'ios',
+            message: 'Sensitive data may be written to pasteboard where other apps can access it',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Avoid writing sensitive data to clipboard. If necessary, use expiring clipboard items on iOS 16+.',
+            references: ['https://capacitor-sec.dev/docs/rules/pasteboard']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Avoid copying sensitive data to clipboard.'
+  },
+  {
+    id: 'IOS005',
+    name: 'Insecure iOS Entitlements',
+    description: 'Detects potentially dangerous iOS entitlements',
+    severity: 'high',
+    category: 'ios',
+    filePatterns: ['**/*.entitlements'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      const dangerousEntitlements = [
+        { key: 'get-task-allow', message: 'get-task-allow entitlement should be false in release builds' },
+        { key: 'com.apple.developer.associated-domains', message: 'Review associated domains for security implications' }
+      ];
+
+      for (const { key, message } of dangerousEntitlements) {
+        const pattern = new RegExp(`<key>${key}</key>\\s*<true\\s*/>`);
+        if (pattern.test(content)) {
+          const match = content.match(pattern);
+          if (match) {
+            const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+            findings.push({
+              ruleId: 'IOS005',
+              ruleName: 'Insecure iOS Entitlements',
+              severity: key === 'get-task-allow' ? 'critical' : 'info',
+              category: 'ios',
+              message,
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Review entitlements for release builds. Disable debugging entitlements.',
+              references: ['https://developer.apple.com/documentation/bundleresources/entitlements']
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Review and minimize iOS entitlements for production.'
+  },
+  {
+    id: 'IOS006',
+    name: 'Background App Refresh Data Exposure',
+    description: 'Detects background refresh that may expose sensitive operations',
+    severity: 'low',
+    category: 'ios',
+    filePatterns: ['**/Info.plist'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for background modes
+      const backgroundPattern = /<key>UIBackgroundModes<\/key>/;
+      if (backgroundPattern.test(content)) {
+        findings.push({
+          ruleId: 'IOS006',
+          ruleName: 'Background App Refresh Data Exposure',
+          severity: 'info',
+          category: 'ios',
+          message: 'App has background modes enabled - ensure sensitive operations are protected',
+          filePath,
+          line: 1,
+          remediation: 'Review background operations for sensitive data handling. Encrypt data in background tasks.',
+          references: ['https://capacitor-sec.dev/docs/rules/background']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Secure sensitive operations running in background.'
+  },
+  {
+    id: 'IOS007',
+    name: 'Missing iOS Jailbreak Detection',
+    description: 'No jailbreak detection found for sensitive iOS application',
+    severity: 'medium',
+    category: 'ios',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.swift'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+
+      // Only check main entry files
+      if (!filePath.includes('App.') && !filePath.includes('main.') && !filePath.includes('AppDelegate')) {
+        return findings;
+      }
+
+      const hasSensitiveOps = /(?:payment|banking|wallet|crypto|biometric|auth)/i.test(content);
+      const hasJailbreakDetection = /(?:isJailbroken|jailbreak|Cydia|checkra1n|unc0ver|freeRASP)/i.test(content);
+
+      if (hasSensitiveOps && !hasJailbreakDetection) {
+        findings.push({
+          ruleId: 'IOS007',
+          ruleName: 'Missing iOS Jailbreak Detection',
+          severity: 'medium',
+          category: 'ios',
+          message: 'Sensitive operations without jailbreak detection',
+          filePath,
+          line: 1,
+          remediation: 'Implement jailbreak detection for sensitive apps using @niclas-niclas/capacitor-freerasp.',
+          references: [
+            'https://github.com/niclas-niclas/capacitor-freerasp',
+            'https://capacitor-sec.dev/docs/rules/jailbreak'
+          ]
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Add jailbreak detection for sensitive applications.'
+  },
+  {
+    id: 'IOS008',
+    name: 'Screenshots Not Disabled for Sensitive Screens',
+    description: 'Detects when screenshot protection is missing for sensitive UI',
+    severity: 'low',
+    category: 'ios',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+
+      // Check for password/PIN input without screenshot protection
+      const sensitiveUI = /(?:password|pin|otp|cvv|credit.?card).*(?:input|field|form)/i.test(content);
+      const hasScreenshotProtection = /(?:preventScreenCapture|secureWindow|isSecure)/i.test(content);
+
+      if (sensitiveUI && !hasScreenshotProtection) {
+        findings.push({
+          ruleId: 'IOS008',
+          ruleName: 'Screenshots Not Disabled for Sensitive Screens',
+          severity: 'low',
+          category: 'ios',
+          message: 'Sensitive input UI without screenshot protection',
+          filePath,
+          line: 1,
+          remediation: 'Consider preventing screenshots on screens with sensitive data entry.',
+          references: ['https://capacitor-sec.dev/docs/rules/screenshots']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Implement screenshot protection for sensitive UI screens.'
+  }
+];

package/src/rules/logging.ts

@@ -0,0 +1,218 @@
+import type { Rule, Finding } from '../types.js';
+
+export const loggingRules: Rule[] = [
+  {
+    id: 'LOG001',
+    name: 'Sensitive Data in Console Logs',
+    description: 'Detects logging of sensitive data to console',
+    severity: 'high',
+    category: 'logging',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Skip test files
+      if (filePath.includes('.test.') || filePath.includes('.spec.')) {
+        return findings;
+      }
+
+      // Check for console logs with sensitive data
+      const consolePattern = /console\.(?:log|debug|info|warn|error)\s*\([^)]*(?:password|token|secret|key|auth|credential|apikey|bearer|jwt)[^)]*\)/gi;
+
+      let match;
+      while ((match = consolePattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        findings.push({
+          ruleId: 'LOG001',
+          ruleName: 'Sensitive Data in Console Logs',
+          severity: 'high',
+          category: 'logging',
+          message: 'Sensitive data may be exposed in console output',
+          filePath,
+          line: lineNum,
+          codeSnippet: lines[lineNum - 1]?.trim(),
+          remediation: 'Remove sensitive data from logs. Use structured logging with data masking.',
+          references: ['https://capacitor-sec.dev/docs/rules/logging']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Remove sensitive data from logs or implement data masking.'
+  },
+  {
+    id: 'LOG002',
+    name: 'Console Logs in Production',
+    description: 'Detects console.log statements that should be removed in production',
+    severity: 'low',
+    category: 'logging',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+
+      // Skip test files, dev files, and build scripts
+      if (filePath.includes('.test.') || filePath.includes('.spec.') ||
+          filePath.includes('.dev.') || filePath.includes('scripts/')) {
+        return findings;
+      }
+
+      // Count console.log statements
+      const consoleLogCount = (content.match(/console\.log\s*\(/g) || []).length;
+
+      if (consoleLogCount > 5) {
+        findings.push({
+          ruleId: 'LOG002',
+          ruleName: 'Console Logs in Production',
+          severity: 'low',
+          category: 'logging',
+          message: `File contains ${consoleLogCount} console.log statements that may be visible in production`,
+          filePath,
+          line: 1,
+          remediation: 'Remove or conditionally disable console.log in production builds.',
+          references: ['https://capacitor-sec.dev/docs/rules/console-logs']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Use a proper logging library that can be disabled in production.'
+  }
+];
+
+export const debugRules: Rule[] = [
+  {
+    id: 'DBG001',
+    name: 'Debugger Statement',
+    description: 'Detects debugger statements left in code',
+    severity: 'medium',
+    category: 'debug',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      const debuggerPattern = /\bdebugger\b/g;
+
+      let match;
+      while ((match = debuggerPattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        findings.push({
+          ruleId: 'DBG001',
+          ruleName: 'Debugger Statement',
+          severity: 'medium',
+          category: 'debug',
+          message: 'Debugger statement found - will pause execution in development tools',
+          filePath,
+          line: lineNum,
+          codeSnippet: lines[lineNum - 1]?.trim(),
+          remediation: 'Remove debugger statements before production deployment.',
+          references: ['https://capacitor-sec.dev/docs/rules/debugger']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Remove all debugger statements.'
+  },
+  {
+    id: 'DBG002',
+    name: 'Test Credentials in Code',
+    description: 'Detects test or demo credentials in source code',
+    severity: 'high',
+    category: 'debug',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx', '**/*.json'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Skip actual test files
+      if (filePath.includes('.test.') || filePath.includes('.spec.') || filePath.includes('__tests__')) {
+        return findings;
+      }
+
+      const testCredPatterns = [
+        /test(?:user|account|email|password)\s*[:=]\s*['"][^'"]+['"]/gi,
+        /demo(?:user|account|password)\s*[:=]\s*['"][^'"]+['"]/gi,
+        /admin(?:password|pass)\s*[:=]\s*['"][^'"]+['"]/gi,
+        /(?:password|email)\s*[:=]\s*['"](?:test|demo|admin|password|123456|qwerty)['"]/gi
+      ];
+
+      for (const pattern of testCredPatterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'DBG002',
+            ruleName: 'Test Credentials in Code',
+            severity: 'high',
+            category: 'debug',
+            message: 'Test/demo credentials found in source code',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim().replace(/['"][^'"]{5,}['"]/g, '"***"'),
+            remediation: 'Remove test credentials from source code. Use environment-based configuration.',
+            references: ['https://capacitor-sec.dev/docs/rules/test-credentials']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Remove test credentials and use environment variables.'
+  },
+  {
+    id: 'DBG003',
+    name: 'Development URL in Production',
+    description: 'Detects localhost or development URLs that may be left in code',
+    severity: 'medium',
+    category: 'debug',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx', '**/capacitor.config.*'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Skip test and config files typically used for dev
+      if (filePath.includes('.test.') || filePath.includes('.spec.') ||
+          filePath.includes('.local.') || filePath.includes('.dev.')) {
+        return findings;
+      }
+
+      // Check for dev URLs in non-conditional code
+      const devUrlPatterns = [
+        /['"]http:\/\/localhost[^'"]*['"]/g,
+        /['"]http:\/\/127\.0\.0\.1[^'"]*['"]/g,
+        /['"]http:\/\/10\.\d{1,3}\.\d{1,3}\.\d{1,3}[^'"]*['"]/g,
+        /['"]http:\/\/192\.168\.[^'"]+['"]/g
+      ];
+
+      for (const pattern of devUrlPatterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          // Check if it's in a development condition
+          const context = content.substring(Math.max(0, match.index - 100), match.index);
+          const isDevelopmentGuard = /(?:isDev|process\.env\.NODE_ENV|__DEV__|development)/i.test(context);
+
+          if (!isDevelopmentGuard) {
+            const lineNum = content.substring(0, match.index).split('\n').length;
+            findings.push({
+              ruleId: 'DBG003',
+              ruleName: 'Development URL in Production',
+              severity: 'medium',
+              category: 'debug',
+              message: 'Development URL found that may be accessible in production',
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Use environment variables for URLs. Guard development URLs with environment checks.',
+              references: ['https://capacitor-sec.dev/docs/rules/dev-urls']
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use environment-based URL configuration.'
+  }
+];