@capgo/capgo-sec 1.0.4

package/src/rules/network.ts

@@ -0,0 +1,310 @@
+import type { Rule, Finding } from '../types.js';
+
+export const networkRules: Rule[] = [
+  {
+    id: 'NET001',
+    name: 'HTTP Cleartext Traffic',
+    description: 'Detects usage of HTTP instead of HTTPS for network requests',
+    severity: 'high',
+    category: 'network',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx', '**/capacitor.config.*'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Skip test files and mocks
+      if (filePath.includes('.test.') || filePath.includes('.spec.') || filePath.includes('__mocks__')) {
+        return findings;
+      }
+
+      // Check for HTTP URLs (excluding localhost for development)
+      const httpPattern = /['"`]http:\/\/(?!localhost|127\.0\.0\.1|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)[^'"`]+['"`]/g;
+
+      let match;
+      while ((match = httpPattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        findings.push({
+          ruleId: 'NET001',
+          ruleName: 'HTTP Cleartext Traffic',
+          severity: 'high',
+          category: 'network',
+          message: `Insecure HTTP URL detected: ${match[0].substring(0, 50)}...`,
+          filePath,
+          line: lineNum,
+          codeSnippet: lines[lineNum - 1]?.trim(),
+          remediation: 'Use HTTPS for all network communications to prevent man-in-the-middle attacks.',
+          references: ['https://capacitor-sec.dev/docs/rules/https']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Always use HTTPS. Configure proper SSL/TLS certificates.'
+  },
+  {
+    id: 'NET002',
+    name: 'SSL/TLS Certificate Pinning Missing',
+    description: 'Detects network requests without certificate pinning for sensitive APIs',
+    severity: 'medium',
+    category: 'network',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for API calls to sensitive endpoints without pinning context
+      const apiCallPattern = /(?:fetch|axios|http\.(?:get|post|put|delete))\s*\(\s*['"`][^'"`]*(?:api|auth|login|payment|bank)[^'"`]*['"`]/gi;
+
+      // Check if certificate pinning is configured in the file or imports
+      const hasPinning = /(?:certificatePinning|ssl-pinning|pinned|TrustKit|cert)/i.test(content);
+
+      if (!hasPinning) {
+        let match;
+        while ((match = apiCallPattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'NET002',
+            ruleName: 'SSL/TLS Certificate Pinning Missing',
+            severity: 'medium',
+            category: 'network',
+            message: 'Sensitive API call without certificate pinning detected',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Implement SSL certificate pinning for sensitive API endpoints using capacitor-ssl-pinning or similar.',
+            references: [
+              'https://github.com/niclas-niclas/capacitor-ssl-pinning',
+              'https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning'
+            ]
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Implement certificate pinning for APIs handling sensitive data.'
+  },
+  {
+    id: 'NET003',
+    name: 'Capacitor Server Cleartext Enabled',
+    description: 'Detects cleartext traffic enabled in Capacitor configuration',
+    severity: 'critical',
+    category: 'network',
+    filePatterns: ['**/capacitor.config.ts', '**/capacitor.config.js', '**/capacitor.config.json'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for cleartext: true in server config
+      const cleartextPattern = /cleartext\s*:\s*true/i;
+
+      if (cleartextPattern.test(content)) {
+        const match = content.match(cleartextPattern);
+        if (match) {
+          const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+          findings.push({
+            ruleId: 'NET003',
+            ruleName: 'Capacitor Server Cleartext Enabled',
+            severity: 'critical',
+            category: 'network',
+            message: 'Cleartext traffic is enabled in Capacitor configuration',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Remove cleartext: true from capacitor.config. Use HTTPS for all server communications.',
+            references: ['https://capacitorjs.com/docs/config']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Remove cleartext configuration and use HTTPS exclusively.'
+  },
+  {
+    id: 'NET004',
+    name: 'Insecure WebSocket Connection',
+    description: 'Detects usage of ws:// instead of wss:// for WebSocket connections',
+    severity: 'high',
+    category: 'network',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Skip localhost connections
+      const wsPattern = /['"`]ws:\/\/(?!localhost|127\.0\.0\.1)[^'"`]+['"`]/g;
+
+      let match;
+      while ((match = wsPattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        findings.push({
+          ruleId: 'NET004',
+          ruleName: 'Insecure WebSocket Connection',
+          severity: 'high',
+          category: 'network',
+          message: 'Insecure WebSocket (ws://) connection detected',
+          filePath,
+          line: lineNum,
+          codeSnippet: lines[lineNum - 1]?.trim(),
+          remediation: 'Use secure WebSocket connections (wss://) for all production traffic.',
+          references: ['https://capacitor-sec.dev/docs/rules/websocket']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Use wss:// for all WebSocket connections.'
+  },
+  {
+    id: 'NET005',
+    name: 'CORS Wildcard Configuration',
+    description: 'Detects overly permissive CORS configuration',
+    severity: 'medium',
+    category: 'network',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx', '**/capacitor.config.*'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for wildcard in allowNavigation or CORS settings
+      const wildcardPattern = /(?:allowNavigation|Access-Control-Allow-Origin|cors).*['"]\*['"]/gi;
+
+      let match;
+      while ((match = wildcardPattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        findings.push({
+          ruleId: 'NET005',
+          ruleName: 'CORS Wildcard Configuration',
+          severity: 'medium',
+          category: 'network',
+          message: 'Wildcard (*) CORS configuration detected',
+          filePath,
+          line: lineNum,
+          codeSnippet: lines[lineNum - 1]?.trim(),
+          remediation: 'Specify explicit allowed origins instead of using wildcards.',
+          references: ['https://capacitor-sec.dev/docs/rules/cors']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Use specific domain allowlists instead of wildcard CORS.'
+  },
+  {
+    id: 'NET006',
+    name: 'Insecure Deep Link Validation',
+    description: 'Detects deep link handlers without proper validation',
+    severity: 'high',
+    category: 'network',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for App.addListener for appUrlOpen without validation
+      const deepLinkPattern = /App\.addListener\s*\(\s*['"]appUrlOpen['"]/g;
+      const hasValidation = /(?:validate|verify|check|sanitize|parse).*url/i;
+
+      let match;
+      while ((match = deepLinkPattern.exec(content)) !== null) {
+        const context = content.substring(match.index, Math.min(content.length, match.index + 500));
+        if (!hasValidation.test(context)) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'NET006',
+            ruleName: 'Insecure Deep Link Validation',
+            severity: 'high',
+            category: 'network',
+            message: 'Deep link handler without URL validation detected',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Validate and sanitize all incoming deep link URLs before processing.',
+            references: [
+              'https://capacitorjs.com/docs/apis/app#addlistenerappurlopen-',
+              'https://capacitor-sec.dev/docs/rules/deeplinks'
+            ]
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Always validate deep link URLs against an allowlist of expected schemes and hosts.'
+  },
+  {
+    id: 'NET007',
+    name: 'Capacitor HTTP Plugin Misuse',
+    description: 'Detects potential security issues with Capacitor HTTP plugin usage',
+    severity: 'medium',
+    category: 'network',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for CapacitorHttp without timeout
+      const httpPattern = /CapacitorHttp\.(?:get|post|put|delete|patch)\s*\(\s*\{/g;
+      const hasTimeout = /timeout\s*:/;
+
+      let match;
+      while ((match = httpPattern.exec(content)) !== null) {
+        const context = content.substring(match.index, Math.min(content.length, match.index + 300));
+        if (!hasTimeout.test(context)) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'NET007',
+            ruleName: 'Capacitor HTTP Plugin Misuse',
+            severity: 'low',
+            category: 'network',
+            message: 'HTTP request without timeout configuration',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Set appropriate timeout values for HTTP requests to prevent hanging connections.',
+            references: ['https://capacitorjs.com/docs/apis/http']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Configure appropriate timeouts and error handling for HTTP requests.'
+  },
+  {
+    id: 'NET008',
+    name: 'Sensitive Data in URL Parameters',
+    description: 'Detects sensitive data passed in URL query parameters',
+    severity: 'high',
+    category: 'network',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for sensitive params in URLs
+      const sensitiveParamPattern = /['"`][^'"`]*\?[^'"`]*(?:password|token|secret|key|auth|apikey|api_key)=[^'"`]*['"`]/gi;
+
+      let match;
+      while ((match = sensitiveParamPattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        findings.push({
+          ruleId: 'NET008',
+          ruleName: 'Sensitive Data in URL Parameters',
+          severity: 'high',
+          category: 'network',
+          message: 'Sensitive data found in URL query parameters',
+          filePath,
+          line: lineNum,
+          codeSnippet: lines[lineNum - 1]?.trim().substring(0, 80),
+          remediation: 'Pass sensitive data in request headers or body, not in URL parameters.',
+          references: ['https://capacitor-sec.dev/docs/rules/url-params']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Use request headers or body for sensitive data transmission.'
+  }
+];

package/src/rules/secrets.ts

@@ -0,0 +1,163 @@
+import type { Rule, Finding } from '../types.js';
+
+// API Key and Secret patterns - 30+ patterns
+const SECRET_PATTERNS: Array<{ name: string; pattern: RegExp; severity: 'critical' | 'high' }> = [
+  // AWS
+  { name: 'AWS Access Key ID', pattern: /AKIA[0-9A-Z]{16}/g, severity: 'critical' },
+  { name: 'AWS Secret Access Key', pattern: /(?:aws)?_?(?:secret)?_?(?:access)?_?key['"]?\s*[:=]\s*['"][A-Za-z0-9/+=]{40}['"]/gi, severity: 'critical' },
+
+  // Google
+  { name: 'Google API Key', pattern: /AIza[0-9A-Za-z_-]{35}/g, severity: 'high' },
+  { name: 'Google OAuth Client ID', pattern: /[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com/g, severity: 'high' },
+  { name: 'Firebase API Key', pattern: /(?:firebase|fcm).*['"][A-Za-z0-9_-]{20,}['"]/gi, severity: 'high' },
+
+  // Stripe
+  { name: 'Stripe Live Secret Key', pattern: /sk_live_[0-9a-zA-Z]{24,}/g, severity: 'critical' },
+  { name: 'Stripe Test Secret Key', pattern: /sk_test_[0-9a-zA-Z]{24,}/g, severity: 'medium' as any },
+  { name: 'Stripe Publishable Key', pattern: /pk_(?:live|test)_[0-9a-zA-Z]{24,}/g, severity: 'high' },
+
+  // GitHub/GitLab
+  { name: 'GitHub Token', pattern: /(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}/g, severity: 'critical' },
+  { name: 'GitHub OAuth', pattern: /github.*['"][0-9a-zA-Z]{35,40}['"]/gi, severity: 'critical' },
+  { name: 'GitLab Token', pattern: /glpat-[A-Za-z0-9_-]{20,}/g, severity: 'critical' },
+
+  // Slack
+  { name: 'Slack Token', pattern: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*/g, severity: 'critical' },
+  { name: 'Slack Webhook', pattern: /hooks\.slack\.com\/services\/T[A-Z0-9]{8}\/B[A-Z0-9]{8,}\/[A-Za-z0-9]{24}/g, severity: 'high' },
+
+  // Twilio
+  { name: 'Twilio API Key', pattern: /SK[0-9a-fA-F]{32}/g, severity: 'high' },
+  { name: 'Twilio Account SID', pattern: /AC[0-9a-fA-F]{32}/g, severity: 'high' },
+
+  // SendGrid
+  { name: 'SendGrid API Key', pattern: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g, severity: 'critical' },
+
+  // Mailgun
+  { name: 'Mailgun API Key', pattern: /key-[0-9a-zA-Z]{32}/g, severity: 'high' },
+
+  // DigitalOcean
+  { name: 'DigitalOcean Token', pattern: /dop_v1_[a-f0-9]{64}/g, severity: 'critical' },
+  { name: 'DigitalOcean OAuth', pattern: /doo_v1_[a-f0-9]{64}/g, severity: 'critical' },
+
+  // Heroku
+  { name: 'Heroku API Key', pattern: /heroku.*['"][0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}['"]/gi, severity: 'critical' },
+
+  // NPM
+  { name: 'NPM Token', pattern: /npm_[A-Za-z0-9]{36}/g, severity: 'critical' },
+
+  // Supabase
+  { name: 'Supabase Service Key', pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, severity: 'high' },
+
+  // Private Keys
+  { name: 'RSA Private Key', pattern: /-----BEGIN RSA PRIVATE KEY-----/g, severity: 'critical' },
+  { name: 'SSH Private Key', pattern: /-----BEGIN (?:DSA|EC|OPENSSH) PRIVATE KEY-----/g, severity: 'critical' },
+  { name: 'PGP Private Key', pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----/g, severity: 'critical' },
+
+  // Generic patterns
+  { name: 'Generic API Key', pattern: /(?:api[_-]?key|apikey|api[_-]?secret)['"]?\s*[:=]\s*['"][A-Za-z0-9_-]{20,}['"]/gi, severity: 'high' },
+  { name: 'Generic Secret', pattern: /(?:secret|password|passwd|pwd)['"]?\s*[:=]\s*['"][^'"]{8,}['"]/gi, severity: 'high' },
+  { name: 'Generic Token', pattern: /(?:access[_-]?token|auth[_-]?token|bearer)['"]?\s*[:=]\s*['"][A-Za-z0-9_.-]{20,}['"]/gi, severity: 'high' },
+
+  // Database URLs
+  { name: 'Database URL with Credentials', pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^:]+:[^@]+@[^/]+/gi, severity: 'critical' },
+];
+
+export const secretsRules: Rule[] = [
+  {
+    id: 'SEC001',
+    name: 'Hardcoded API Keys & Secrets',
+    description: 'Detects hardcoded API keys, tokens, and secrets in source code',
+    severity: 'critical',
+    category: 'secrets',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx', '**/*.json', '**/*.env*'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Skip node_modules and common false positives
+      if (filePath.includes('node_modules') || filePath.includes('.lock')) {
+        return findings;
+      }
+
+      for (const secretPattern of SECRET_PATTERNS) {
+        let match;
+        const pattern = new RegExp(secretPattern.pattern.source, secretPattern.pattern.flags);
+
+        while ((match = pattern.exec(content)) !== null) {
+          // Find line number
+          let lineNum = 1;
+          let charCount = 0;
+          for (let i = 0; i < lines.length; i++) {
+            charCount += lines[i].length + 1;
+            if (charCount > match.index) {
+              lineNum = i + 1;
+              break;
+            }
+          }
+
+          // Mask the secret for display
+          const maskedValue = match[0].substring(0, 10) + '***REDACTED***';
+
+          findings.push({
+            ruleId: 'SEC001',
+            ruleName: 'Hardcoded API Keys & Secrets',
+            severity: secretPattern.severity,
+            category: 'secrets',
+            message: `Found ${secretPattern.name}: ${maskedValue}`,
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim().substring(0, 100),
+            remediation: 'Move secrets to environment variables or a secure secrets manager. Never commit secrets to source control.',
+            references: [
+              'https://capacitor-sec.dev/docs/rules/secrets',
+              'https://owasp.org/www-project-mobile-top-10/'
+            ]
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use environment variables or a secure secrets manager. Consider using @capgo/capacitor-social-login for OAuth flows.',
+    references: ['https://owasp.org/www-project-mobile-top-10/']
+  },
+  {
+    id: 'SEC002',
+    name: 'Exposed .env File',
+    description: 'Detects .env files that may contain sensitive configuration',
+    severity: 'critical',
+    category: 'secrets',
+    filePatterns: ['**/.env', '**/.env.*', '!**/.env.example', '!**/.env.template'],
+    check: (content: string, filePath: string): Finding[] => {
+      if (filePath.includes('.example') || filePath.includes('.template')) {
+        return [];
+      }
+
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      lines.forEach((line, index) => {
+        if (line.trim() && !line.startsWith('#') && line.includes('=')) {
+          const [key] = line.split('=');
+          if (key && /(?:key|secret|password|token|auth|credential)/i.test(key)) {
+            findings.push({
+              ruleId: 'SEC002',
+              ruleName: 'Exposed .env File',
+              severity: 'critical',
+              category: 'secrets',
+              message: `Sensitive variable "${key.trim()}" found in .env file`,
+              filePath,
+              line: index + 1,
+              codeSnippet: `${key.trim()}=***REDACTED***`,
+              remediation: 'Ensure .env files are in .gitignore and never committed to version control.',
+              references: ['https://capacitor-sec.dev/docs/rules/env-files']
+            });
+          }
+        }
+      });
+
+      return findings;
+    },
+    remediation: 'Add .env files to .gitignore. Use .env.example for documentation with placeholder values.'
+  }
+];