@nahisaho/musubix-security 2.0.1 → 2.1.0

package/dist/rules/owasp/a10-ssrf.js

@@ -0,0 +1,349 @@
+/**
+ * @fileoverview OWASP A10:2021 - Server-Side Request Forgery (SSRF)
+ * @module @nahisaho/musubix-security/rules/owasp/a10
+ * @trace REQ-SEC-OWASP-010
+ */
+/**
+ * OWASP A10:2021 - Server-Side Request Forgery (SSRF)
+ *
+ * Detects:
+ * - URL fetching with user input
+ * - Missing URL validation
+ * - Internal network access risks
+ * - Metadata endpoint access
+ */
+export const owaspA10SSRF = {
+    id: 'owasp-a10-ssrf',
+    name: 'OWASP A10:2021 - Server-Side Request Forgery (SSRF)',
+    description: 'Detects potential SSRF vulnerabilities where user input controls server-side requests',
+    defaultSeverity: 'critical',
+    category: 'ssrf',
+    owasp: ['A10:2021'],
+    cwe: ['918', '441', '611'],
+    references: [
+        {
+            title: 'OWASP A10:2021',
+            url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/',
+        },
+        {
+            title: 'CWE-918: Server-Side Request Forgery (SSRF)',
+            url: 'https://cwe.mitre.org/data/definitions/918.html',
+        },
+    ],
+    async analyze(context) {
+        const findings = [];
+        checkUserControlledURLs(context, findings);
+        checkMetadataEndpoints(context, findings);
+        checkInternalNetworkAccess(context, findings);
+        checkRedirectFollowing(context, findings);
+        checkXMLExternalEntities(context, findings);
+        return findings;
+    },
+};
+/**
+ * Check for user-controlled URLs in fetch/request operations
+ */
+function checkUserControlledURLs(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const ssrfPatterns = [
+        // fetch with user input
+        { pattern: /fetch\s*\(\s*(?:req\.(?:body|query|params)\.\w+|url|targetUrl|endpoint)/i, type: 'fetch' },
+        { pattern: /fetch\s*\(\s*`[^`]*\$\{req\./i, type: 'fetch with template' },
+        // axios with user input
+        { pattern: /axios\.(?:get|post|put|delete|patch)\s*\(\s*(?:req\.(?:body|query|params)|url|targetUrl)/i, type: 'axios' },
+        { pattern: /axios\s*\(\s*\{[^}]*url\s*:\s*(?:req\.|url|targetUrl)/i, type: 'axios config' },
+        // request library
+        { pattern: /request\s*\(\s*(?:req\.(?:body|query|params)|url|targetUrl)/i, type: 'request' },
+        // got library
+        { pattern: /got\s*\(\s*(?:req\.(?:body|query|params)|url|targetUrl)/i, type: 'got' },
+        // http/https module
+        { pattern: /https?\.(?:get|request)\s*\(\s*(?:req\.(?:body|query|params)|url|targetUrl)/i, type: 'http(s) module' },
+        // URL constructor with user input
+        { pattern: /new\s+URL\s*\(\s*req\.(?:body|query|params)/i, type: 'URL constructor' },
+        // Image loading from user URL
+        { pattern: /(?:img|image)\.src\s*=\s*(?:req\.|url|userUrl)/i, type: 'image source' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type } of ssrfPatterns) {
+            if (pattern.test(line)) {
+                // Check for URL validation
+                const surroundingCode = lines.slice(Math.max(0, lineNum - 5), lineNum + 1).join('\n');
+                const hasValidation = /(?:validate.*url|allowlist|whitelist|isValidUrl|URL\.parse|new URL)/i.test(surroundingCode);
+                const hasAllowlist = /(?:allowedHosts|allowedDomains|whitelist)/i.test(surroundingCode);
+                if (!hasValidation && !hasAllowlist) {
+                    findings.push({
+                        id: `owasp-a10-url-${findings.length + 1}`,
+                        ruleId: 'owasp-a10-ssrf',
+                        severity: 'critical',
+                        message: `Potential SSRF vulnerability: ${type} with user-controlled URL`,
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        cwe: ['918'],
+                        suggestion: {
+                            description: 'Validate and restrict URLs to allowed domains',
+                            example: `// Validate URLs with allowlist:
+const ALLOWED_HOSTS = ['api.trusted.com', 'cdn.trusted.com'];
+
+function isAllowedUrl(urlString) {
+  try {
+    const url = new URL(urlString);
+    return ALLOWED_HOSTS.includes(url.hostname) && 
+           url.protocol === 'https:';
+  } catch {
+    return false;
+  }
+}
+
+if (!isAllowedUrl(req.body.url)) {
+  return res.status(400).json({ error: 'Invalid URL' });
+}`,
+                        },
+                    });
+                }
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for access to cloud metadata endpoints
+ */
+function checkMetadataEndpoints(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const metadataPatterns = [
+        // AWS metadata
+        { pattern: /169\.254\.169\.254/i, cloud: 'AWS', endpoint: 'EC2 metadata' },
+        // GCP metadata
+        { pattern: /metadata\.google\.internal/i, cloud: 'GCP', endpoint: 'metadata service' },
+        { pattern: /169\.254\.169\.254.*computeMetadata/i, cloud: 'GCP', endpoint: 'compute metadata' },
+        // Azure metadata
+        { pattern: /169\.254\.169\.254.*metadata\/instance/i, cloud: 'Azure', endpoint: 'instance metadata' },
+        // Generic internal IPs that might be targeted
+        { pattern: /(?:10\.\d+\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+)/i, cloud: 'Private', endpoint: 'internal network' },
+        // localhost variants
+        { pattern: /(?:localhost|127\.0\.0\.1|0\.0\.0\.0|::1)(?::\d+)?/i, cloud: 'Local', endpoint: 'localhost' },
+    ];
+    // Check if user input can control these
+    const hasUserInput = /(?:req\.(?:body|query|params)|url\s*=|targetUrl|endpoint)/i.test(sourceCode);
+    if (!hasUserInput)
+        return;
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, cloud, endpoint } of metadataPatterns) {
+            if (pattern.test(line)) {
+                // This is more of an informational finding - the real risk is if user input can reach these
+                findings.push({
+                    id: `owasp-a10-metadata-${findings.length + 1}`,
+                    ruleId: 'owasp-a10-ssrf',
+                    severity: cloud === 'Private' ? 'high' : 'critical',
+                    message: `${cloud} ${endpoint} detected - ensure user input cannot access this`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['918'],
+                    suggestion: {
+                        description: 'Block access to metadata endpoints and internal networks',
+                        example: `// Block internal/metadata URLs:
+const BLOCKED_HOSTS = [
+  /^169\\.254\\.169\\.254$/,
+  /^metadata\\.google\\.internal$/,
+  /^10\\./,
+  /^172\\.(1[6-9]|2\\d|3[01])\\./,
+  /^192\\.168\\./,
+  /^localhost$/,
+  /^127\\./
+];
+
+function isBlockedUrl(urlString) {
+  const url = new URL(urlString);
+  return BLOCKED_HOSTS.some(pattern => pattern.test(url.hostname));
+}`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for internal network access patterns
+ */
+function checkInternalNetworkAccess(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const internalPatterns = [
+        // File protocol
+        { pattern: /['"`]file:\/\//i, protocol: 'file://', issue: 'Local file access' },
+        // gopher protocol
+        { pattern: /['"`]gopher:\/\//i, protocol: 'gopher://', issue: 'Gopher protocol (can be used for SSRF attacks)' },
+        // dict protocol
+        { pattern: /['"`]dict:\/\//i, protocol: 'dict://', issue: 'Dict protocol' },
+        // ftp with credentials
+        { pattern: /['"`]ftp:\/\/[^@]*@/i, protocol: 'ftp://', issue: 'FTP with credentials in URL' },
+        // Internal hostnames
+        { pattern: /['"`]https?:\/\/(?:internal|intranet|corp|private|admin)\./i, protocol: 'http(s)', issue: 'Internal hostname pattern' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, protocol, issue } of internalPatterns) {
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a10-internal-${findings.length + 1}`,
+                    ruleId: 'owasp-a10-ssrf',
+                    severity: 'high',
+                    message: `Potential internal access via ${protocol}: ${issue}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['918'],
+                    suggestion: {
+                        description: 'Restrict allowed protocols and validate URLs',
+                        example: `// Only allow safe protocols:
+const ALLOWED_PROTOCOLS = ['https:'];
+
+function validateUrl(urlString) {
+  const url = new URL(urlString);
+  if (!ALLOWED_PROTOCOLS.includes(url.protocol)) {
+    throw new Error('Protocol not allowed');
+  }
+  return url;
+}`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for unsafe redirect following
+ */
+function checkRedirectFollowing(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const redirectPatterns = [
+        // Follow redirects without limit
+        { pattern: /follow.*redirect.*(?:true|unlimited)/i, issue: 'Unlimited redirect following' },
+        { pattern: /maxRedirects\s*:\s*(?:-1|Infinity|100|50)/i, issue: 'High redirect limit' },
+        // Location header following
+        { pattern: /res\.headers\.location/i, issue: 'Manual redirect following' },
+        // Open redirect potential
+        { pattern: /res\.redirect\s*\(\s*(?:req\.(?:body|query|params)|url|next|returnUrl)/i, issue: 'Open redirect vulnerability' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, issue } of redirectPatterns) {
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a10-redirect-${findings.length + 1}`,
+                    ruleId: 'owasp-a10-ssrf',
+                    severity: issue.includes('Open redirect') ? 'high' : 'medium',
+                    message: `Unsafe redirect handling: ${issue}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['918', '601'],
+                    suggestion: {
+                        description: 'Limit redirects and validate redirect targets',
+                        example: `// Limit redirects and validate targets:
+const response = await fetch(url, {
+  redirect: 'manual', // Handle redirects manually
+  follow: 0
+});
+
+// For user-controlled redirects:
+const ALLOWED_REDIRECT_HOSTS = ['mysite.com', 'auth.mysite.com'];
+
+function safeRedirect(url, allowedHosts) {
+  const parsed = new URL(url, 'https://mysite.com');
+  if (!allowedHosts.includes(parsed.hostname)) {
+    return '/';
+  }
+  return parsed.pathname + parsed.search;
+}`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for XML External Entity (XXE) vulnerabilities related to SSRF
+ */
+function checkXMLExternalEntities(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const xxePatterns = [
+        // XML parsing without disabling external entities
+        { pattern: /xml2js.*parseString|DOMParser\(\)|XMLParser/i, parser: 'XML parser', issue: 'XML parsing - ensure external entities disabled' },
+        // libxmljs
+        { pattern: /libxmljs.*parseXml/i, parser: 'libxmljs', issue: 'Ensure noent: false, nonet: true' },
+        // External entity reference
+        { pattern: /<!ENTITY/i, parser: 'XML', issue: 'XML entity declaration detected' },
+        // SVG processing (can contain XXE)
+        { pattern: /(?:svg|image\/svg\+xml)/i, parser: 'SVG', issue: 'SVG processing may contain XXE risks' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, parser, issue } of xxePatterns) {
+            if (pattern.test(line)) {
+                // Check for safe configuration
+                const surroundingCode = lines.slice(Math.max(0, lineNum - 3), Math.min(lines.length, lineNum + 4)).join('\n');
+                const hasDisabledExternal = /(?:noent|external.*false|disableEntity|NOENT)/i.test(surroundingCode);
+                if (!hasDisabledExternal) {
+                    findings.push({
+                        id: `owasp-a10-xxe-${findings.length + 1}`,
+                        ruleId: 'owasp-a10-ssrf',
+                        severity: 'high',
+                        message: `XXE/SSRF risk via ${parser}: ${issue}`,
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        cwe: ['611', '918'],
+                        suggestion: {
+                            description: 'Disable external entity processing in XML parsers',
+                            example: `// Disable external entities in XML parsing:
+const parser = new xml2js.Parser({
+  explicitRoot: false,
+  // xml2js is safe by default, but verify configuration
+});
+
+// For DOMParser in Node:
+const doc = new DOMParser().parseFromString(xml, 'text/xml');
+
+// Validate/sanitize SVG before processing`,
+                        },
+                    });
+                }
+                break;
+            }
+        }
+    }
+}
+export default owaspA10SSRF;
+//# sourceMappingURL=a10-ssrf.js.map

package/dist/rules/owasp/a10-ssrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"a10-ssrf.js","sourceRoot":"","sources":["../../../src/rules/owasp/a10-ssrf.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,YAAY,GAAiB;IACxC,EAAE,EAAE,gBAAgB;IACpB,IAAI,EAAE,qDAAqD;IAC3D,WAAW,EAAE,uFAAuF;IACpG,eAAe,EAAE,UAAU;IAC3B,QAAQ,EAAE,MAAM;IAChB,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;IAC1B,UAAU,EAAE;QACV;YACE,KAAK,EAAE,gBAAgB;YACvB,GAAG,EAAE,0EAA0E;SAChF;QACD;YACE,KAAK,EAAE,6CAA6C;YACpD,GAAG,EAAE,iDAAiD;SACvD;KACiB;IAEpB,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QAEnC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC3C,sBAAsB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC1C,0BAA0B,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,sBAAsB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC1C,wBAAwB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE5C,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,uBAAuB,CAAC,OAAoB,EAAE,QAAuB;IAC5E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,YAAY,GAAG;QACnB,wBAAwB;QACxB,EAAE,OAAO,EAAE,0EAA0E,EAAE,IAAI,EAAE,OAAO,EAAE;QACtG,EAAE,OAAO,EAAE,+BAA+B,EAAE,IAAI,EAAE,qBAAqB,EAAE;QACzE,wBAAwB;QACxB,EAAE,OAAO,EAAE,2FAA2F,EAAE,IAAI,EAAE,OAAO,EAAE;QACvH,EAAE,OAAO,EAAE,wDAAwD,EAAE,IAAI,EAAE,cAAc,EAAE;QAC3F,kBAAkB;QAClB,EAAE,OAAO,EAAE,8DAA8D,EAAE,IAAI,EAAE,SAAS,EAAE;QAC5F,cAAc;QACd,EAAE,OAAO,EAAE,0DAA0D,EAAE,IAAI,EAAE,KAAK,EAAE;QACpF,oBAAoB;QACpB,EAAE,OAAO,EAAE,8EAA8E,EAAE,IAAI,EAAE,gBAAgB,EAAE;QACnH,kCAAkC;QAClC,EAAE,OAAO,EAAE,8CAA8C,EAAE,IAAI,EAAE,iBAAiB,EAAE;QACpF,8BAA8B;QAC9B,EAAE,OAAO,EAAE,iDAAiD,EAAE,IAAI,EAAE,cAAc,EAAE;KACrF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,YAAY,EAAE,CAAC;YAC7C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,2BAA2B;gBAC3B,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtF,MAAM,aAAa,GAAG,sEAAsE,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;gBACnH,MAAM,YAAY,GAAG,4CAA4C,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;gBAExF,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY,EAAE,CAAC;oBACpC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAC1C,MAAM,EAAE,gBAAgB;wBACxB,QAAQ,EAAE,UAAU;wBACpB,OAAO,EAAE,iCAAiC,IAAI,2BAA2B;wBACzE,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,OAAO,GAAG,CAAC;4BACtB,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,+CAA+C;4BAC5D,OAAO,EAAE;;;;;;;;;;;;;;;EAerB;yBACW;qBACF,CAAC,CAAC;gBACL,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,OAAoB,EAAE,QAAuB;IAC3E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,gBAAgB,GAAG;QACvB,eAAe;QACf,EAAE,OAAO,EAAE,qBAAqB,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,cAAc,EAAE;QAC1E,eAAe;QACf,EAAE,OAAO,EAAE,6BAA6B,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QACtF,EAAE,OAAO,EAAE,sCAAsC,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC/F,iBAAiB;QACjB,EAAE,OAAO,EAAE,yCAAyC,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE;QACrG,8CAA8C;QAC9C,EAAE,OAAO,EAAE,+EAA+E,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC5I,qBAAqB;QACrB,EAAE,OAAO,EAAE,qDAAqD,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE;KAC1G,CAAC;IAEF,wCAAwC;IACxC,MAAM,YAAY,GAAG,4DAA4D,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEnG,IAAI,CAAC,YAAY;QAAE,OAAO;IAE1B,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,gBAAgB,EAAE,CAAC;YAC5D,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,4FAA4F;gBAC5F,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,sBAAsB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC/C,MAAM,EAAE,gBAAgB;oBACxB,QAAQ,EAAE,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU;oBACnD,OAAO,EAAE,GAAG,KAAK,IAAI,QAAQ,kDAAkD;oBAC/E,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,CAAC;oBACZ,UAAU,EAAE;wBACV,WAAW,EAAE,0DAA0D;wBACvE,OAAO,EAAE;;;;;;;;;;;;;;EAcnB;qBACS;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,0BAA0B,CAAC,OAAoB,EAAE,QAAuB;IAC/E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,gBAAgB,GAAG;QACvB,gBAAgB;QAChB,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,mBAAmB,EAAE;QAC/E,kBAAkB;QAClB,EAAE,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,EAAE,gDAAgD,EAAE;QAChH,gBAAgB;QAChB,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,eAAe,EAAE;QAC3E,uBAAuB;QACvB,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,6BAA6B,EAAE;QAC7F,qBAAqB;QACrB,EAAE,OAAO,EAAE,6DAA6D,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,2BAA2B,EAAE;KACpI,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,gBAAgB,EAAE,CAAC;YAC5D,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,sBAAsB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC/C,MAAM,EAAE,gBAAgB;oBACxB,QAAQ,EAAE,MAAM;oBAChB,OAAO,EAAE,iCAAiC,QAAQ,KAAK,KAAK,EAAE;oBAC9D,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,CAAC;oBACZ,UAAU,EAAE;wBACV,WAAW,EAAE,8CAA8C;wBAC3D,OAAO,EAAE;;;;;;;;;EASnB;qBACS;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,OAAoB,EAAE,QAAuB;IAC3E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,gBAAgB,GAAG;QACvB,iCAAiC;QACjC,EAAE,OAAO,EAAE,uCAAuC,EAAE,KAAK,EAAE,8BAA8B,EAAE;QAC3F,EAAE,OAAO,EAAE,4CAA4C,EAAE,KAAK,EAAE,qBAAqB,EAAE;QACvF,4BAA4B;QAC5B,EAAE,OAAO,EAAE,yBAAyB,EAAE,KAAK,EAAE,2BAA2B,EAAE;QAC1E,0BAA0B;QAC1B,EAAE,OAAO,EAAE,yEAAyE,EAAE,KAAK,EAAE,6BAA6B,EAAE;KAC7H,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,gBAAgB,EAAE,CAAC;YAClD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,sBAAsB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC/C,MAAM,EAAE,gBAAgB;oBACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;oBAC7D,OAAO,EAAE,6BAA6B,KAAK,EAAE;oBAC7C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,+CAA+C;wBAC5D,OAAO,EAAE;;;;;;;;;;;;;;;EAenB;qBACS;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,OAAoB,EAAE,QAAuB;IAC7E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,WAAW,GAAG;QAClB,kDAAkD;QAClD,EAAE,OAAO,EAAE,8CAA8C,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE,iDAAiD,EAAE;QAC3I,WAAW;QACX,EAAE,OAAO,EAAE,qBAAqB,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,kCAAkC,EAAE;QACjG,4BAA4B;QAC5B,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,iCAAiC,EAAE;QACjF,mCAAmC;QACnC,EAAE,OAAO,EAAE,0BAA0B,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,sCAAsC,EAAE;KACtG,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,WAAW,EAAE,CAAC;YACrD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,+BAA+B;gBAC/B,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC9G,MAAM,mBAAmB,GAAG,gDAAgD,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;gBAEnG,IAAI,CAAC,mBAAmB,EAAE,CAAC;oBACzB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAC1C,MAAM,EAAE,gBAAgB;wBACxB,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,qBAAqB,MAAM,KAAK,KAAK,EAAE;wBAChD,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,OAAO,GAAG,CAAC;4BACtB,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;wBACnB,UAAU,EAAE;4BACV,WAAW,EAAE,mDAAmD;4BAChE,OAAO,EAAE;;;;;;;;;2CASoB;yBAC9B;qBACF,CAAC,CAAC;gBACL,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,eAAe,YAAY,CAAC"}

package/dist/rules/owasp/index.d.ts

@@ -0,0 +1,20 @@
+/**
+ * @fileoverview OWASP Top 10 Rules Module
+ * @module @nahisaho/musubix-security/rules/owasp
+ * @trace TSK-RULE-003, TSK-RULE-004
+ */
+export { owaspA01BrokenAccessControl } from './a01-broken-access-control.js';
+export { owaspA02CryptographicFailures } from './a02-cryptographic-failures.js';
+export { owaspA03Injection } from './a03-injection.js';
+export { owaspA04InsecureDesign } from './a04-insecure-design.js';
+export { owaspA05SecurityMisconfiguration } from './a05-security-misconfiguration.js';
+export { owaspA06VulnerableComponents } from './a06-vulnerable-components.js';
+export { owaspA07AuthFailures } from './a07-auth-failures.js';
+export { owaspA08IntegrityFailures } from './a08-integrity-failures.js';
+export { owaspA09LoggingFailures } from './a09-logging-failures.js';
+export { owaspA10SSRF } from './a10-ssrf.js';
+export declare const owaspRulesA01A05: import("../types.js").SecurityRule[];
+export declare const owaspRulesA06A10: import("../types.js").SecurityRule[];
+export declare const owaspTop10Rules: import("../types.js").SecurityRule[];
+export { owaspA01BrokenAccessControl as default } from './a01-broken-access-control.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/rules/owasp/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAiBH,OAAO,EAAE,2BAA2B,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,EAAE,6BAA6B,EAAE,MAAM,iCAAiC,CAAC;AAChF,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,gCAAgC,EAAE,MAAM,oCAAoC,CAAC;AAGtF,OAAO,EAAE,4BAA4B,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAC;AACxE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,eAAO,MAAM,gBAAgB,sCAM5B,CAAC;AAGF,eAAO,MAAM,gBAAgB,sCAM5B,CAAC;AAGF,eAAO,MAAM,eAAe,sCAG3B,CAAC;AAGF,OAAO,EAAE,2BAA2B,IAAI,OAAO,EAAE,MAAM,gCAAgC,CAAC"}

package/dist/rules/owasp/index.js

@@ -0,0 +1,53 @@
+/**
+ * @fileoverview OWASP Top 10 Rules Module
+ * @module @nahisaho/musubix-security/rules/owasp
+ * @trace TSK-RULE-003, TSK-RULE-004
+ */
+// Import A01-A05 rules
+import { owaspA01BrokenAccessControl } from './a01-broken-access-control.js';
+import { owaspA02CryptographicFailures } from './a02-cryptographic-failures.js';
+import { owaspA03Injection } from './a03-injection.js';
+import { owaspA04InsecureDesign } from './a04-insecure-design.js';
+import { owaspA05SecurityMisconfiguration } from './a05-security-misconfiguration.js';
+// Import A06-A10 rules
+import { owaspA06VulnerableComponents } from './a06-vulnerable-components.js';
+import { owaspA07AuthFailures } from './a07-auth-failures.js';
+import { owaspA08IntegrityFailures } from './a08-integrity-failures.js';
+import { owaspA09LoggingFailures } from './a09-logging-failures.js';
+import { owaspA10SSRF } from './a10-ssrf.js';
+// Re-export individual rules (A01-A05)
+export { owaspA01BrokenAccessControl } from './a01-broken-access-control.js';
+export { owaspA02CryptographicFailures } from './a02-cryptographic-failures.js';
+export { owaspA03Injection } from './a03-injection.js';
+export { owaspA04InsecureDesign } from './a04-insecure-design.js';
+export { owaspA05SecurityMisconfiguration } from './a05-security-misconfiguration.js';
+// Re-export individual rules (A06-A10)
+export { owaspA06VulnerableComponents } from './a06-vulnerable-components.js';
+export { owaspA07AuthFailures } from './a07-auth-failures.js';
+export { owaspA08IntegrityFailures } from './a08-integrity-failures.js';
+export { owaspA09LoggingFailures } from './a09-logging-failures.js';
+export { owaspA10SSRF } from './a10-ssrf.js';
+// All OWASP A01-A05 rules
+export const owaspRulesA01A05 = [
+    owaspA01BrokenAccessControl,
+    owaspA02CryptographicFailures,
+    owaspA03Injection,
+    owaspA04InsecureDesign,
+    owaspA05SecurityMisconfiguration,
+];
+// All OWASP A06-A10 rules
+export const owaspRulesA06A10 = [
+    owaspA06VulnerableComponents,
+    owaspA07AuthFailures,
+    owaspA08IntegrityFailures,
+    owaspA09LoggingFailures,
+    owaspA10SSRF,
+];
+// All OWASP Top 10 rules
+export const owaspTop10Rules = [
+    ...owaspRulesA01A05,
+    ...owaspRulesA06A10,
+];
+// Re-export default for convenience
+export { owaspA01BrokenAccessControl as default } from './a01-broken-access-control.js';
+//# sourceMappingURL=index.js.map

package/dist/rules/owasp/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/rules/owasp/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,uBAAuB;AACvB,OAAO,EAAE,2BAA2B,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,EAAE,6BAA6B,EAAE,MAAM,iCAAiC,CAAC;AAChF,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,gCAAgC,EAAE,MAAM,oCAAoC,CAAC;AAEtF,uBAAuB;AACvB,OAAO,EAAE,4BAA4B,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAC;AACxE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,uCAAuC;AACvC,OAAO,EAAE,2BAA2B,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,EAAE,6BAA6B,EAAE,MAAM,iCAAiC,CAAC;AAChF,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,gCAAgC,EAAE,MAAM,oCAAoC,CAAC;AAEtF,uCAAuC;AACvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAC;AACxE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,0BAA0B;AAC1B,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,2BAA2B;IAC3B,6BAA6B;IAC7B,iBAAiB;IACjB,sBAAsB;IACtB,gCAAgC;CACjC,CAAC;AAEF,0BAA0B;AAC1B,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,4BAA4B;IAC5B,oBAAoB;IACpB,yBAAyB;IACzB,uBAAuB;IACvB,YAAY;CACb,CAAC;AAEF,yBAAyB;AACzB,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,GAAG,gBAAgB;IACnB,GAAG,gBAAgB;CACpB,CAAC;AAEF,oCAAoC;AACpC,OAAO,EAAE,2BAA2B,IAAI,OAAO,EAAE,MAAM,gCAAgC,CAAC"}