@nahisaho/musubix-security 2.0.1 → 2.1.0

package/dist/rules/owasp/a04-insecure-design.js

@@ -0,0 +1,403 @@
+/**
+ * @fileoverview OWASP A04:2021 - Insecure Design Rule
+ * @module @nahisaho/musubix-security/rules/owasp/a04-insecure-design
+ * @trace TSK-RULE-003
+ *
+ * Detects:
+ * - Missing rate limiting
+ * - Missing input validation
+ * - Missing output encoding
+ * - Insecure defaults
+ * - Business logic flaws
+ */
+/**
+ * OWASP A04 - Insecure Design
+ */
+export const owaspA04InsecureDesign = {
+    id: 'owasp-a04-insecure-design',
+    name: 'OWASP A04:2021 - Insecure Design',
+    description: 'Detects design-level security flaws such as missing rate limiting, validation, and encoding',
+    defaultSeverity: 'high',
+    detectionMethod: 'pattern-match',
+    tags: ['owasp', 'design', 'rate-limiting', 'validation', 'security'],
+    owasp: ['A04:2021'],
+    cwe: ['73', '183', '209', '256', '501', '522', '602', '656', '799', '840'],
+    references: [
+        { title: 'OWASP A04:2021 - Insecure Design', url: 'https://owasp.org/Top10/A04_2021-Insecure_Design/' },
+        { title: 'CWE-501: Trust Boundary Violation', url: 'https://cwe.mitre.org/data/definitions/501.html' },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const sourceFile = context.sourceFile;
+        if (!sourceFile)
+            return findings;
+        // Check for missing rate limiting
+        checkMissingRateLimiting(context, findings);
+        // Check for missing input validation
+        checkMissingInputValidation(context, findings);
+        // Check for missing output encoding
+        checkMissingOutputEncoding(context, findings);
+        // Check for insecure defaults
+        checkInsecureDefaults(context, findings);
+        // Check for missing security headers
+        checkMissingSecurityHeaders(context, findings);
+        // Check for business logic issues
+        checkBusinessLogicFlaws(context, findings);
+        return findings;
+    },
+};
+/**
+ * Check for missing rate limiting on sensitive endpoints
+ */
+function checkMissingRateLimiting(context, findings) {
+    const sourceCode = context.sourceCode;
+    // Check if rate limiting is imported/used
+    const hasRateLimiting = /rateLimit|express-rate-limit|rate-limiter|throttle/i.test(sourceCode);
+    // Sensitive endpoints that should have rate limiting
+    const sensitiveEndpointPatterns = [
+        /\.(post|put)\s*\(\s*['"`]\/(?:api\/)?(?:login|signin|auth)/gi,
+        /\.(post|put)\s*\(\s*['"`]\/(?:api\/)?(?:register|signup)/gi,
+        /\.(post|put)\s*\(\s*['"`]\/(?:api\/)?(?:reset-password|forgot-password)/gi,
+        /\.(post|put)\s*\(\s*['"`]\/(?:api\/)?(?:otp|verify|code)/gi,
+    ];
+    if (!hasRateLimiting) {
+        const lines = sourceCode.split('\n');
+        for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+            const line = lines[lineNum];
+            for (const pattern of sensitiveEndpointPatterns) {
+                pattern.lastIndex = 0;
+                if (pattern.test(line)) {
+                    findings.push({
+                        id: `owasp-a04-rate-${findings.length + 1}`,
+                        ruleId: 'owasp-a04-insecure-design',
+                        severity: 'high',
+                        message: 'Sensitive endpoint without rate limiting - vulnerable to brute force attacks',
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        suggestion: {
+                            description: 'Add rate limiting to sensitive endpoints',
+                            example: `// Add rate limiting middleware:
+const rateLimit = require('express-rate-limit');
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 5,
+  message: 'Too many attempts, please try again later'
+});
+app.post('/login', authLimiter, loginHandler);`,
+                        },
+                    });
+                    break;
+                }
+            }
+        }
+    }
+}
+/**
+ * Check for missing input validation
+ */
+function checkMissingInputValidation(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    // Check for direct use of req.body/query/params without validation
+    const directUsePatterns = [
+        // Direct assignment from request
+        { pattern: /(?:const|let|var)\s+\w+\s*=\s*req\.body\s*;/gi, type: 'body' },
+        { pattern: /(?:const|let|var)\s+\w+\s*=\s*req\.query\s*;/gi, type: 'query' },
+        { pattern: /(?:const|let|var)\s+\w+\s*=\s*req\.params\s*;/gi, type: 'params' },
+        // Destructuring without validation
+        { pattern: /(?:const|let|var)\s+\{[^}]+\}\s*=\s*req\.body\s*;?\s*(?!.*validate)/gi, type: 'body destructuring' },
+    ];
+    // Check if validation library is present
+    const hasValidation = /(?:joi|yup|zod|express-validator|class-validator|ajv)/i.test(sourceCode);
+    if (!hasValidation) {
+        for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+            const line = lines[lineNum];
+            for (const { pattern, type } of directUsePatterns) {
+                pattern.lastIndex = 0;
+                if (pattern.test(line)) {
+                    // Check surrounding context for validation
+                    const surroundingCode = lines.slice(lineNum, Math.min(lines.length, lineNum + 10)).join('\n');
+                    if (!hasInputValidation(surroundingCode)) {
+                        findings.push({
+                            id: `owasp-a04-validation-${findings.length + 1}`,
+                            ruleId: 'owasp-a04-insecure-design',
+                            severity: 'medium',
+                            message: `Request ${type} used without input validation`,
+                            location: {
+                                file: context.filePath,
+                                startLine: lineNum + 1,
+                                endLine: lineNum + 1,
+                                startColumn: 0,
+                                endColumn: line.length,
+                            },
+                            suggestion: {
+                                description: 'Use a validation library',
+                                example: `// Use a validation library:
+const { z } = require('zod');
+const schema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8)
+});
+const validated = schema.parse(req.body);`,
+                            },
+                        });
+                    }
+                    break;
+                }
+            }
+        }
+    }
+}
+/**
+ * Check for missing output encoding
+ */
+function checkMissingOutputEncoding(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const outputPatterns = [
+        // res.send with user data
+        { pattern: /res\.send\s*\([^)]*(?:req\.body|req\.query|req\.params|user\.|data\.)/gi, type: 'res.send' },
+        // Setting HTML directly
+        { pattern: /\.html\s*\([^)]*(?:req\.|user\.|data\.)/gi, type: 'HTML response' },
+        // Template rendering without sanitization
+        { pattern: /res\.render\s*\([^)]*(?:req\.|user\.|data\.)/gi, type: 'template render' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type } of outputPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                // Check if there's encoding/sanitization
+                if (!hasOutputEncoding(line)) {
+                    findings.push({
+                        id: `owasp-a04-encoding-${findings.length + 1}`,
+                        ruleId: 'owasp-a04-insecure-design',
+                        severity: 'medium',
+                        message: `${type} with user data may need output encoding`,
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        suggestion: {
+                            description: 'Encode HTML entities in output',
+                            example: `// Encode HTML entities:
+const encode = require('he');
+res.send(encode.encode(userInput));
+// Or use a template engine with auto-escaping`,
+                        },
+                    });
+                }
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for insecure defaults
+ */
+function checkInsecureDefaults(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const insecureDefaultPatterns = [
+        // Debug mode enabled
+        { pattern: /debug\s*[:=]\s*true/gi, issue: 'Debug mode enabled', severity: 'medium' },
+        // Trust proxy without validation
+        { pattern: /trust\s*proxy\s*[:=]\s*true/gi, issue: 'Trust proxy enabled globally', severity: 'low' },
+        // Session without secure flag
+        { pattern: /session\s*\(\s*\{[^}]*(?!secure\s*:\s*true)/gi, issue: 'Session without secure flag', severity: 'medium' },
+        // Cookie without httpOnly
+        { pattern: /cookie\s*[:=]\s*\{[^}]*(?!httpOnly)/gi, issue: 'Cookie without httpOnly flag', severity: 'medium' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, issue, severity } of insecureDefaultPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a04-default-${findings.length + 1}`,
+                    ruleId: 'owasp-a04-insecure-design',
+                    severity,
+                    message: `Insecure default: ${issue}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    suggestion: {
+                        description: 'Use secure defaults',
+                        example: `// Use secure defaults:
+app.use(session({
+  secret: process.env.SESSION_SECRET,
+  cookie: {
+    secure: true,
+    httpOnly: true,
+    sameSite: 'strict'
+  }
+}));`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for missing security headers
+ */
+function checkMissingSecurityHeaders(context, findings) {
+    const sourceCode = context.sourceCode;
+    // Check if helmet or manual security headers are set
+    const hasSecurityHeaders = /helmet|X-Content-Type-Options|X-Frame-Options|Content-Security-Policy|Strict-Transport-Security/i.test(sourceCode);
+    // Check if it's an Express app
+    const isExpressApp = /express\(\)|createServer|app\.use|app\.get|app\.post/i.test(sourceCode);
+    if (isExpressApp && !hasSecurityHeaders) {
+        findings.push({
+            id: `owasp-a04-headers-${findings.length + 1}`,
+            ruleId: 'owasp-a04-insecure-design',
+            severity: 'medium',
+            message: 'Express app without security headers (consider using Helmet)',
+            location: {
+                file: context.filePath,
+                startLine: 1,
+                endLine: 1,
+                startColumn: 0,
+                endColumn: 0,
+            },
+            suggestion: {
+                description: 'Add security headers with Helmet',
+                example: `// Add Helmet:
+const helmet = require('helmet');
+app.use(helmet());`,
+            },
+        });
+    }
+    // Check for CSRF protection
+    const hasCsrfProtection = /csrf|csurf|csrfToken/i.test(sourceCode);
+    const hasFormPost = /\.(post|put|patch)\s*\(/gi.test(sourceCode);
+    if (isExpressApp && hasFormPost && !hasCsrfProtection) {
+        findings.push({
+            id: `owasp-a04-csrf-${findings.length + 1}`,
+            ruleId: 'owasp-a04-insecure-design',
+            severity: 'medium',
+            message: 'POST/PUT endpoints without CSRF protection',
+            location: {
+                file: context.filePath,
+                startLine: 1,
+                endLine: 1,
+                startColumn: 0,
+                endColumn: 0,
+            },
+            suggestion: {
+                description: 'Add CSRF protection',
+                example: `// Add CSRF protection:
+const csrf = require('csurf');
+app.use(csrf({ cookie: true }));`,
+            },
+        });
+    }
+}
+/**
+ * Check for business logic flaws
+ */
+function checkBusinessLogicFlaws(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const businessLogicPatterns = [
+        // Price/amount from client without validation
+        { pattern: /(?:price|amount|total|cost)\s*[:=]\s*(?:req\.body|req\.query)/gi, issue: 'Price/amount from client input', severity: 'high' },
+        // Discount without limit check
+        { pattern: /discount\s*[:=]\s*(?:req\.body|req\.query)[^;]*(?!.*(?:max|limit|check))/gi, issue: 'Discount without validation', severity: 'medium' },
+        // Quantity without bounds
+        { pattern: /quantity\s*[:=]\s*(?:req\.body|req\.query)[^;]*(?!.*(?:max|min|limit))/gi, issue: 'Quantity without bounds checking', severity: 'medium' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, issue, severity } of businessLogicPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                // Check surrounding code for validation
+                const surroundingCode = lines.slice(lineNum, Math.min(lines.length, lineNum + 5)).join('\n');
+                if (!hasBusinessValidation(surroundingCode)) {
+                    findings.push({
+                        id: `owasp-a04-logic-${findings.length + 1}`,
+                        ruleId: 'owasp-a04-insecure-design',
+                        severity,
+                        message: `Potential business logic flaw: ${issue}`,
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        suggestion: {
+                            description: 'Add bounds checking and validation',
+                            example: `// Add bounds checking:
+const quantity = Math.min(Math.max(parseInt(req.body.quantity) || 0, 1), 100);
+// Always calculate prices server-side
+const price = await getProductPrice(productId);`,
+                        },
+                    });
+                }
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check if code has input validation
+ */
+function hasInputValidation(code) {
+    const validationPatterns = [
+        /validate/i,
+        /schema/i,
+        /parse/i,
+        /sanitize/i,
+        /check/i,
+        /assert/i,
+        /joi\./i,
+        /yup\./i,
+        /zod\./i,
+    ];
+    return validationPatterns.some(p => p.test(code));
+}
+/**
+ * Check if output has encoding
+ */
+function hasOutputEncoding(code) {
+    const encodingPatterns = [
+        /encode/i,
+        /escape/i,
+        /sanitize/i,
+        /\.json\s*\(/i,
+        /DOMPurify/i,
+    ];
+    return encodingPatterns.some(p => p.test(code));
+}
+/**
+ * Check if code has business validation
+ */
+function hasBusinessValidation(code) {
+    const validationPatterns = [
+        /Math\.(?:min|max)/i,
+        /Number\.(?:isFinite|isInteger)/i,
+        />=?\s*\d/,
+        /<=?\s*\d/,
+        /validate/i,
+        /check/i,
+        /throw/i,
+    ];
+    return validationPatterns.some(p => p.test(code));
+}
+export default owaspA04InsecureDesign;
+//# sourceMappingURL=a04-insecure-design.js.map

package/dist/rules/owasp/a04-insecure-design.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"a04-insecure-design.js","sourceRoot":"","sources":["../../../src/rules/owasp/a04-insecure-design.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAiB;IAClD,EAAE,EAAE,2BAA2B;IAC/B,IAAI,EAAE,kCAAkC;IACxC,WAAW,EAAE,6FAA6F;IAC1G,eAAe,EAAE,MAAM;IACvB,eAAe,EAAE,eAAe;IAChC,IAAI,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,YAAY,EAAE,UAAU,CAAC;IACpE,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,GAAG,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;IAC1E,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,kCAAkC,EAAE,GAAG,EAAE,mDAAmD,EAAE;QACvG,EAAE,KAAK,EAAE,mCAAmC,EAAE,GAAG,EAAE,iDAAiD,EAAE;KACvG;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACtC,IAAI,CAAC,UAAU;YAAE,OAAO,QAAQ,CAAC;QAEjC,kCAAkC;QAClC,wBAAwB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE5C,qCAAqC;QACrC,2BAA2B,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE/C,oCAAoC;QACpC,0BAA0B,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE9C,8BAA8B;QAC9B,qBAAqB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAEzC,qCAAqC;QACrC,2BAA2B,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE/C,kCAAkC;QAClC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE3C,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,wBAAwB,CAAC,OAAoB,EAAE,QAAuB;IAC7E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAEtC,0CAA0C;IAC1C,MAAM,eAAe,GAAG,qDAAqD,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAE/F,qDAAqD;IACrD,MAAM,yBAAyB,GAAG;QAChC,8DAA8D;QAC9D,4DAA4D;QAC5D,2EAA2E;QAC3E,4DAA4D;KAC7D,CAAC;IAEF,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAErC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;YACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;YAE5B,KAAK,MAAM,OAAO,IAAI,yBAAyB,EAAE,CAAC;gBAChD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,kBAAkB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAC3C,MAAM,EAAE,2BAA2B;wBACnC,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,8EAA8E;wBACvF,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,OAAO,GAAG,CAAC;4BACtB,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,UAAU,EAAE;4BACV,WAAW,EAAE,0CAA0C;4BACvD,OAAO,EAAE;;;;;;;+CAOwB;yBAClC;qBACF,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,2BAA2B,CAAC,OAAoB,EAAE,QAAuB;IAChF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,mEAAmE;IACnE,MAAM,iBAAiB,GAAG;QACxB,iCAAiC;QACjC,EAAE,OAAO,EAAE,+CAA+C,EAAE,IAAI,EAAE,MAAM,EAAE;QAC1E,EAAE,OAAO,EAAE,gDAAgD,EAAE,IAAI,EAAE,OAAO,EAAE;QAC5E,EAAE,OAAO,EAAE,iDAAiD,EAAE,IAAI,EAAE,QAAQ,EAAE;QAC9E,mCAAmC;QACnC,EAAE,OAAO,EAAE,uEAAuE,EAAE,IAAI,EAAE,oBAAoB,EAAE;KACjH,CAAC;IAEF,yCAAyC;IACzC,MAAM,aAAa,GAAG,wDAAwD,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEhG,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;YACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;YAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,iBAAiB,EAAE,CAAC;gBAClD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,2CAA2C;oBAC3C,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAE9F,IAAI,CAAC,kBAAkB,CAAC,eAAe,CAAC,EAAE,CAAC;wBACzC,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,wBAAwB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;4BACjD,MAAM,EAAE,2BAA2B;4BACnC,QAAQ,EAAE,QAAQ;4BAClB,OAAO,EAAE,WAAW,IAAI,gCAAgC;4BACxD,QAAQ,EAAE;gCACR,IAAI,EAAE,OAAO,CAAC,QAAQ;gCACtB,SAAS,EAAE,OAAO,GAAG,CAAC;gCACtB,OAAO,EAAE,OAAO,GAAG,CAAC;gCACpB,WAAW,EAAE,CAAC;gCACd,SAAS,EAAE,IAAI,CAAC,MAAM;6BACvB;4BACD,UAAU,EAAE;gCACV,WAAW,EAAE,0BAA0B;gCACvC,OAAO,EAAE;;;;;;0CAMiB;6BAC3B;yBACF,CAAC,CAAC;oBACL,CAAC;oBACD,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,0BAA0B,CAAC,OAAoB,EAAE,QAAuB;IAC/E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,cAAc,GAAG;QACrB,0BAA0B;QAC1B,EAAE,OAAO,EAAE,yEAAyE,EAAE,IAAI,EAAE,UAAU,EAAE;QACxG,wBAAwB;QACxB,EAAE,OAAO,EAAE,2CAA2C,EAAE,IAAI,EAAE,eAAe,EAAE;QAC/E,0CAA0C;QAC1C,EAAE,OAAO,EAAE,gDAAgD,EAAE,IAAI,EAAE,iBAAiB,EAAE;KACvF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,cAAc,EAAE,CAAC;YAC/C,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,yCAAyC;gBACzC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,sBAAsB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAC/C,MAAM,EAAE,2BAA2B;wBACnC,QAAQ,EAAE,QAAQ;wBAClB,OAAO,EAAE,GAAG,IAAI,0CAA0C;wBAC1D,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,OAAO,GAAG,CAAC;4BACtB,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,UAAU,EAAE;4BACV,WAAW,EAAE,gCAAgC;4BAC7C,OAAO,EAAE;;;+CAGwB;yBAClC;qBACF,CAAC,CAAC;gBACL,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,OAAoB,EAAE,QAAuB;IAC1E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,uBAAuB,GAAG;QAC9B,qBAAqB;QACrB,EAAE,OAAO,EAAE,uBAAuB,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,QAAiB,EAAE;QAC9F,iCAAiC;QACjC,EAAE,OAAO,EAAE,+BAA+B,EAAE,KAAK,EAAE,8BAA8B,EAAE,QAAQ,EAAE,KAAc,EAAE;QAC7G,8BAA8B;QAC9B,EAAE,OAAO,EAAE,+CAA+C,EAAE,KAAK,EAAE,6BAA6B,EAAE,QAAQ,EAAE,QAAiB,EAAE;QAC/H,0BAA0B;QAC1B,EAAE,OAAO,EAAE,uCAAuC,EAAE,KAAK,EAAE,8BAA8B,EAAE,QAAQ,EAAE,QAAiB,EAAE;KACzH,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,uBAAuB,EAAE,CAAC;YACnE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,qBAAqB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC9C,MAAM,EAAE,2BAA2B;oBACnC,QAAQ;oBACR,OAAO,EAAE,qBAAqB,KAAK,EAAE;oBACrC,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,UAAU,EAAE;wBACV,WAAW,EAAE,qBAAqB;wBAClC,OAAO,EAAE;;;;;;;;KAQhB;qBACM;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,2BAA2B,CAAC,OAAoB,EAAE,QAAuB;IAChF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAEtC,qDAAqD;IACrD,MAAM,kBAAkB,GAAG,kGAAkG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAE/I,+BAA+B;IAC/B,MAAM,YAAY,GAAG,uDAAuD,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAE9F,IAAI,YAAY,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxC,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,qBAAqB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;YAC9C,MAAM,EAAE,2BAA2B;YACnC,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,8DAA8D;YACvE,QAAQ,EAAE;gBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;gBACtB,SAAS,EAAE,CAAC;gBACZ,OAAO,EAAE,CAAC;gBACV,WAAW,EAAE,CAAC;gBACd,SAAS,EAAE,CAAC;aACb;YACD,UAAU,EAAE;gBACV,WAAW,EAAE,kCAAkC;gBAC/C,OAAO,EAAE;;mBAEE;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,4BAA4B;IAC5B,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACnE,MAAM,WAAW,GAAG,2BAA2B,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEjE,IAAI,YAAY,IAAI,WAAW,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACtD,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,kBAAkB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;YAC3C,MAAM,EAAE,2BAA2B;YACnC,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,4CAA4C;YACrD,QAAQ,EAAE;gBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;gBACtB,SAAS,EAAE,CAAC;gBACZ,OAAO,EAAE,CAAC;gBACV,WAAW,EAAE,CAAC;gBACd,SAAS,EAAE,CAAC;aACb;YACD,UAAU,EAAE;gBACV,WAAW,EAAE,qBAAqB;gBAClC,OAAO,EAAE;;iCAEgB;aAC1B;SACF,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,OAAoB,EAAE,QAAuB;IAC5E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,qBAAqB,GAAG;QAC5B,8CAA8C;QAC9C,EAAE,OAAO,EAAE,iEAAiE,EAAE,KAAK,EAAE,gCAAgC,EAAE,QAAQ,EAAE,MAAe,EAAE;QAClJ,+BAA+B;QAC/B,EAAE,OAAO,EAAE,4EAA4E,EAAE,KAAK,EAAE,6BAA6B,EAAE,QAAQ,EAAE,QAAiB,EAAE;QAC5J,0BAA0B;QAC1B,EAAE,OAAO,EAAE,0EAA0E,EAAE,KAAK,EAAE,kCAAkC,EAAE,QAAQ,EAAE,QAAiB,EAAE;KAChK,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,qBAAqB,EAAE,CAAC;YACjE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,wCAAwC;gBACxC,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAE7F,IAAI,CAAC,qBAAqB,CAAC,eAAe,CAAC,EAAE,CAAC;oBAC5C,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,mBAAmB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAC5C,MAAM,EAAE,2BAA2B;wBACnC,QAAQ;wBACR,OAAO,EAAE,kCAAkC,KAAK,EAAE;wBAClD,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,OAAO,GAAG,CAAC;4BACtB,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,UAAU,EAAE;4BACV,WAAW,EAAE,oCAAoC;4BACjD,OAAO,EAAE;;;gDAGyB;yBACnC;qBACF,CAAC,CAAC;gBACL,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,IAAY;IACtC,MAAM,kBAAkB,GAAG;QACzB,WAAW;QACX,SAAS;QACT,QAAQ;QACR,WAAW;QACX,QAAQ;QACR,SAAS;QACT,QAAQ;QACR,QAAQ;QACR,QAAQ;KACT,CAAC;IAEF,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAY;IACrC,MAAM,gBAAgB,GAAG;QACvB,SAAS;QACT,SAAS;QACT,WAAW;QACX,cAAc;QACd,YAAY;KACb,CAAC;IAEF,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,IAAY;IACzC,MAAM,kBAAkB,GAAG;QACzB,oBAAoB;QACpB,iCAAiC;QACjC,UAAU;QACV,UAAU;QACV,WAAW;QACX,QAAQ;QACR,QAAQ;KACT,CAAC;IAEF,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,eAAe,sBAAsB,CAAC"}

package/dist/rules/owasp/a05-security-misconfiguration.d.ts

@@ -0,0 +1,19 @@
+/**
+ * @fileoverview OWASP A05:2021 - Security Misconfiguration Rule
+ * @module @nahisaho/musubix-security/rules/owasp/a05-security-misconfiguration
+ * @trace TSK-RULE-003
+ *
+ * Detects:
+ * - Default credentials
+ * - Verbose error messages
+ * - Unnecessary features enabled
+ * - Missing security headers
+ * - Development settings in production
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * OWASP A05 - Security Misconfiguration
+ */
+export declare const owaspA05SecurityMisconfiguration: SecurityRule;
+export default owaspA05SecurityMisconfiguration;
+//# sourceMappingURL=a05-security-misconfiguration.d.ts.map

package/dist/rules/owasp/a05-security-misconfiguration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"a05-security-misconfiguration.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp/a05-security-misconfiguration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,gCAAgC,EAAE,YAuC9C,CAAC;AAoWF,eAAe,gCAAgC,CAAC"}