@nahisaho/musubix-security 2.0.1 → 2.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/enhanced-taint-analyzer.d.ts +120 -0
- package/dist/analysis/enhanced-taint-analyzer.d.ts.map +1 -0
- package/dist/analysis/enhanced-taint-analyzer.js +450 -0
- package/dist/analysis/enhanced-taint-analyzer.js.map +1 -0
- package/dist/analysis/index.d.ts +1 -0
- package/dist/analysis/index.d.ts.map +1 -1
- package/dist/analysis/index.js +1 -0
- package/dist/analysis/index.js.map +1 -1
- package/dist/analysis/interprocedural/call-graph-builder.d.ts +192 -0
- package/dist/analysis/interprocedural/call-graph-builder.d.ts.map +1 -0
- package/dist/analysis/interprocedural/call-graph-builder.js +510 -0
- package/dist/analysis/interprocedural/call-graph-builder.js.map +1 -0
- package/dist/analysis/interprocedural/dfg-adapter.d.ts +166 -0
- package/dist/analysis/interprocedural/dfg-adapter.d.ts.map +1 -0
- package/dist/analysis/interprocedural/dfg-adapter.js +455 -0
- package/dist/analysis/interprocedural/dfg-adapter.js.map +1 -0
- package/dist/analysis/interprocedural/index.d.ts +9 -0
- package/dist/analysis/interprocedural/index.d.ts.map +1 -0
- package/dist/analysis/interprocedural/index.js +9 -0
- package/dist/analysis/interprocedural/index.js.map +1 -0
- package/dist/analysis/interprocedural/taint-propagator.d.ts +250 -0
- package/dist/analysis/interprocedural/taint-propagator.d.ts.map +1 -0
- package/dist/analysis/interprocedural/taint-propagator.js +435 -0
- package/dist/analysis/interprocedural/taint-propagator.js.map +1 -0
- package/dist/analysis/sanitizers/command-sanitizers.d.ts +12 -0
- package/dist/analysis/sanitizers/command-sanitizers.d.ts.map +1 -0
- package/dist/analysis/sanitizers/command-sanitizers.js +123 -0
- package/dist/analysis/sanitizers/command-sanitizers.js.map +1 -0
- package/dist/analysis/sanitizers/html-sanitizers.d.ts +12 -0
- package/dist/analysis/sanitizers/html-sanitizers.d.ts.map +1 -0
- package/dist/analysis/sanitizers/html-sanitizers.js +213 -0
- package/dist/analysis/sanitizers/html-sanitizers.js.map +1 -0
- package/dist/analysis/sanitizers/index.d.ts +35 -0
- package/dist/analysis/sanitizers/index.d.ts.map +1 -0
- package/dist/analysis/sanitizers/index.js +59 -0
- package/dist/analysis/sanitizers/index.js.map +1 -0
- package/dist/analysis/sanitizers/path-sanitizers.d.ts +12 -0
- package/dist/analysis/sanitizers/path-sanitizers.d.ts.map +1 -0
- package/dist/analysis/sanitizers/path-sanitizers.js +163 -0
- package/dist/analysis/sanitizers/path-sanitizers.js.map +1 -0
- package/dist/analysis/sanitizers/sql-sanitizers.d.ts +12 -0
- package/dist/analysis/sanitizers/sql-sanitizers.d.ts.map +1 -0
- package/dist/analysis/sanitizers/sql-sanitizers.js +216 -0
- package/dist/analysis/sanitizers/sql-sanitizers.js.map +1 -0
- package/dist/analysis/sanitizers/types.d.ts +78 -0
- package/dist/analysis/sanitizers/types.d.ts.map +1 -0
- package/dist/analysis/sanitizers/types.js +7 -0
- package/dist/analysis/sanitizers/types.js.map +1 -0
- package/dist/analysis/sanitizers/validation-sanitizers.d.ts +12 -0
- package/dist/analysis/sanitizers/validation-sanitizers.d.ts.map +1 -0
- package/dist/analysis/sanitizers/validation-sanitizers.js +268 -0
- package/dist/analysis/sanitizers/validation-sanitizers.js.map +1 -0
- package/dist/analysis/sinks/code-eval.d.ts +12 -0
- package/dist/analysis/sinks/code-eval.d.ts.map +1 -0
- package/dist/analysis/sinks/code-eval.js +231 -0
- package/dist/analysis/sinks/code-eval.js.map +1 -0
- package/dist/analysis/sinks/command-exec.d.ts +12 -0
- package/dist/analysis/sinks/command-exec.d.ts.map +1 -0
- package/dist/analysis/sinks/command-exec.js +187 -0
- package/dist/analysis/sinks/command-exec.js.map +1 -0
- package/dist/analysis/sinks/file-operations.d.ts +12 -0
- package/dist/analysis/sinks/file-operations.d.ts.map +1 -0
- package/dist/analysis/sinks/file-operations.js +239 -0
- package/dist/analysis/sinks/file-operations.js.map +1 -0
- package/dist/analysis/sinks/html-output.d.ts +12 -0
- package/dist/analysis/sinks/html-output.d.ts.map +1 -0
- package/dist/analysis/sinks/html-output.js +256 -0
- package/dist/analysis/sinks/html-output.js.map +1 -0
- package/dist/analysis/sinks/index.d.ts +30 -0
- package/dist/analysis/sinks/index.d.ts.map +1 -0
- package/dist/analysis/sinks/index.js +46 -0
- package/dist/analysis/sinks/index.js.map +1 -0
- package/dist/analysis/sinks/sql-query.d.ts +12 -0
- package/dist/analysis/sinks/sql-query.d.ts.map +1 -0
- package/dist/analysis/sinks/sql-query.js +209 -0
- package/dist/analysis/sinks/sql-query.js.map +1 -0
- package/dist/analysis/sinks/types.d.ts +97 -0
- package/dist/analysis/sinks/types.d.ts.map +1 -0
- package/dist/analysis/sinks/types.js +7 -0
- package/dist/analysis/sinks/types.js.map +1 -0
- package/dist/analysis/sources/database.d.ts +12 -0
- package/dist/analysis/sources/database.d.ts.map +1 -0
- package/dist/analysis/sources/database.js +211 -0
- package/dist/analysis/sources/database.js.map +1 -0
- package/dist/analysis/sources/environment.d.ts +12 -0
- package/dist/analysis/sources/environment.d.ts.map +1 -0
- package/dist/analysis/sources/environment.js +158 -0
- package/dist/analysis/sources/environment.js.map +1 -0
- package/dist/analysis/sources/file-system.d.ts +12 -0
- package/dist/analysis/sources/file-system.d.ts.map +1 -0
- package/dist/analysis/sources/file-system.js +180 -0
- package/dist/analysis/sources/file-system.js.map +1 -0
- package/dist/analysis/sources/http-request.d.ts +12 -0
- package/dist/analysis/sources/http-request.d.ts.map +1 -0
- package/dist/analysis/sources/http-request.js +179 -0
- package/dist/analysis/sources/http-request.js.map +1 -0
- package/dist/analysis/sources/index.d.ts +26 -0
- package/dist/analysis/sources/index.d.ts.map +1 -0
- package/dist/analysis/sources/index.js +40 -0
- package/dist/analysis/sources/index.js.map +1 -0
- package/dist/analysis/sources/types.d.ts +93 -0
- package/dist/analysis/sources/types.d.ts.map +1 -0
- package/dist/analysis/sources/types.js +7 -0
- package/dist/analysis/sources/types.js.map +1 -0
- package/dist/analysis/sources/user-input.d.ts +12 -0
- package/dist/analysis/sources/user-input.d.ts.map +1 -0
- package/dist/analysis/sources/user-input.js +261 -0
- package/dist/analysis/sources/user-input.js.map +1 -0
- package/dist/cve/cpe-matcher.d.ts +183 -0
- package/dist/cve/cpe-matcher.d.ts.map +1 -0
- package/dist/cve/cpe-matcher.js +396 -0
- package/dist/cve/cpe-matcher.js.map +1 -0
- package/dist/cve/cve-cache.d.ts +225 -0
- package/dist/cve/cve-cache.d.ts.map +1 -0
- package/dist/cve/cve-cache.js +452 -0
- package/dist/cve/cve-cache.js.map +1 -0
- package/dist/cve/cve-cache.test.d.ts +6 -0
- package/dist/cve/cve-cache.test.d.ts.map +1 -0
- package/dist/cve/cve-cache.test.js +363 -0
- package/dist/cve/cve-cache.test.js.map +1 -0
- package/dist/cve/dependency-parser.d.ts +204 -0
- package/dist/cve/dependency-parser.d.ts.map +1 -0
- package/dist/cve/dependency-parser.js +338 -0
- package/dist/cve/dependency-parser.js.map +1 -0
- package/dist/cve/index.d.ts +20 -0
- package/dist/cve/index.d.ts.map +1 -0
- package/dist/cve/index.js +13 -0
- package/dist/cve/index.js.map +1 -0
- package/dist/cve/nvd-client.d.ts +137 -0
- package/dist/cve/nvd-client.d.ts.map +1 -0
- package/dist/cve/nvd-client.js +333 -0
- package/dist/cve/nvd-client.js.map +1 -0
- package/dist/cve/rate-limiter.d.ts +194 -0
- package/dist/cve/rate-limiter.d.ts.map +1 -0
- package/dist/cve/rate-limiter.js +276 -0
- package/dist/cve/rate-limiter.js.map +1 -0
- package/dist/cve/report-generator.d.ts +145 -0
- package/dist/cve/report-generator.d.ts.map +1 -0
- package/dist/cve/report-generator.js +377 -0
- package/dist/cve/report-generator.js.map +1 -0
- package/dist/cve/report-generator.test.d.ts +6 -0
- package/dist/cve/report-generator.test.d.ts.map +1 -0
- package/dist/cve/report-generator.test.js +275 -0
- package/dist/cve/report-generator.test.js.map +1 -0
- package/dist/cve/vulnerability-scanner.d.ts +198 -0
- package/dist/cve/vulnerability-scanner.d.ts.map +1 -0
- package/dist/cve/vulnerability-scanner.js +311 -0
- package/dist/cve/vulnerability-scanner.js.map +1 -0
- package/dist/cve/vulnerability-scanner.test.d.ts +6 -0
- package/dist/cve/vulnerability-scanner.test.d.ts.map +1 -0
- package/dist/cve/vulnerability-scanner.test.js +329 -0
- package/dist/cve/vulnerability-scanner.test.js.map +1 -0
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +4 -0
- package/dist/index.js.map +1 -1
- package/dist/rules/config/config-parser.d.ts +119 -0
- package/dist/rules/config/config-parser.d.ts.map +1 -0
- package/dist/rules/config/config-parser.js +376 -0
- package/dist/rules/config/config-parser.js.map +1 -0
- package/dist/rules/config/index.d.ts +8 -0
- package/dist/rules/config/index.d.ts.map +1 -0
- package/dist/rules/config/index.js +8 -0
- package/dist/rules/config/index.js.map +1 -0
- package/dist/rules/config/profiles.d.ts +85 -0
- package/dist/rules/config/profiles.d.ts.map +1 -0
- package/dist/rules/config/profiles.js +226 -0
- package/dist/rules/config/profiles.js.map +1 -0
- package/dist/rules/cwe/cwe-119-buffer-overflow.d.ts +9 -0
- package/dist/rules/cwe/cwe-119-buffer-overflow.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-119-buffer-overflow.js +54 -0
- package/dist/rules/cwe/cwe-119-buffer-overflow.js.map +1 -0
- package/dist/rules/cwe/cwe-125-oob-read.d.ts +20 -0
- package/dist/rules/cwe/cwe-125-oob-read.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-125-oob-read.js +247 -0
- package/dist/rules/cwe/cwe-125-oob-read.js.map +1 -0
- package/dist/rules/cwe/cwe-190-integer-overflow.d.ts +9 -0
- package/dist/rules/cwe/cwe-190-integer-overflow.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-190-integer-overflow.js +55 -0
- package/dist/rules/cwe/cwe-190-integer-overflow.js.map +1 -0
- package/dist/rules/cwe/cwe-20-input-validation.d.ts +21 -0
- package/dist/rules/cwe/cwe-20-input-validation.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-20-input-validation.js +342 -0
- package/dist/rules/cwe/cwe-20-input-validation.js.map +1 -0
- package/dist/rules/cwe/cwe-22-path-traversal.d.ts +20 -0
- package/dist/rules/cwe/cwe-22-path-traversal.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-22-path-traversal.js +306 -0
- package/dist/rules/cwe/cwe-22-path-traversal.js.map +1 -0
- package/dist/rules/cwe/cwe-269-improper-privilege.d.ts +9 -0
- package/dist/rules/cwe/cwe-269-improper-privilege.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-269-improper-privilege.js +58 -0
- package/dist/rules/cwe/cwe-269-improper-privilege.js.map +1 -0
- package/dist/rules/cwe/cwe-276-default-permissions.d.ts +9 -0
- package/dist/rules/cwe/cwe-276-default-permissions.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-276-default-permissions.js +54 -0
- package/dist/rules/cwe/cwe-276-default-permissions.js.map +1 -0
- package/dist/rules/cwe/cwe-287-improper-auth.d.ts +9 -0
- package/dist/rules/cwe/cwe-287-improper-auth.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-287-improper-auth.js +57 -0
- package/dist/rules/cwe/cwe-287-improper-auth.js.map +1 -0
- package/dist/rules/cwe/cwe-306-missing-auth-critical.d.ts +9 -0
- package/dist/rules/cwe/cwe-306-missing-auth-critical.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-306-missing-auth-critical.js +53 -0
- package/dist/rules/cwe/cwe-306-missing-auth-critical.js.map +1 -0
- package/dist/rules/cwe/cwe-352-csrf.d.ts +9 -0
- package/dist/rules/cwe/cwe-352-csrf.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-352-csrf.js +51 -0
- package/dist/rules/cwe/cwe-352-csrf.js.map +1 -0
- package/dist/rules/cwe/cwe-362-race-condition.d.ts +9 -0
- package/dist/rules/cwe/cwe-362-race-condition.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-362-race-condition.js +55 -0
- package/dist/rules/cwe/cwe-362-race-condition.js.map +1 -0
- package/dist/rules/cwe/cwe-416-use-after-free.d.ts +23 -0
- package/dist/rules/cwe/cwe-416-use-after-free.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-416-use-after-free.js +402 -0
- package/dist/rules/cwe/cwe-416-use-after-free.js.map +1 -0
- package/dist/rules/cwe/cwe-434-file-upload.d.ts +9 -0
- package/dist/rules/cwe/cwe-434-file-upload.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-434-file-upload.js +55 -0
- package/dist/rules/cwe/cwe-434-file-upload.js.map +1 -0
- package/dist/rules/cwe/cwe-476-null-deref.d.ts +9 -0
- package/dist/rules/cwe/cwe-476-null-deref.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-476-null-deref.js +55 -0
- package/dist/rules/cwe/cwe-476-null-deref.js.map +1 -0
- package/dist/rules/cwe/cwe-502-deserialization.d.ts +9 -0
- package/dist/rules/cwe/cwe-502-deserialization.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-502-deserialization.js +57 -0
- package/dist/rules/cwe/cwe-502-deserialization.js.map +1 -0
- package/dist/rules/cwe/cwe-77-command-injection.d.ts +9 -0
- package/dist/rules/cwe/cwe-77-command-injection.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-77-command-injection.js +55 -0
- package/dist/rules/cwe/cwe-77-command-injection.js.map +1 -0
- package/dist/rules/cwe/cwe-78-command-injection.d.ts +20 -0
- package/dist/rules/cwe/cwe-78-command-injection.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-78-command-injection.js +259 -0
- package/dist/rules/cwe/cwe-78-command-injection.js.map +1 -0
- package/dist/rules/cwe/cwe-787-oob-write.d.ts +21 -0
- package/dist/rules/cwe/cwe-787-oob-write.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-787-oob-write.js +321 -0
- package/dist/rules/cwe/cwe-787-oob-write.js.map +1 -0
- package/dist/rules/cwe/cwe-79-xss.d.ts +22 -0
- package/dist/rules/cwe/cwe-79-xss.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-79-xss.js +386 -0
- package/dist/rules/cwe/cwe-79-xss.js.map +1 -0
- package/dist/rules/cwe/cwe-798-hardcoded-credentials.d.ts +9 -0
- package/dist/rules/cwe/cwe-798-hardcoded-credentials.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-798-hardcoded-credentials.js +58 -0
- package/dist/rules/cwe/cwe-798-hardcoded-credentials.js.map +1 -0
- package/dist/rules/cwe/cwe-862-missing-auth.d.ts +9 -0
- package/dist/rules/cwe/cwe-862-missing-auth.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-862-missing-auth.js +55 -0
- package/dist/rules/cwe/cwe-862-missing-auth.js.map +1 -0
- package/dist/rules/cwe/cwe-863-incorrect-auth.d.ts +9 -0
- package/dist/rules/cwe/cwe-863-incorrect-auth.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-863-incorrect-auth.js +58 -0
- package/dist/rules/cwe/cwe-863-incorrect-auth.js.map +1 -0
- package/dist/rules/cwe/cwe-89-sql-injection.d.ts +21 -0
- package/dist/rules/cwe/cwe-89-sql-injection.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-89-sql-injection.js +456 -0
- package/dist/rules/cwe/cwe-89-sql-injection.js.map +1 -0
- package/dist/rules/cwe/cwe-918-ssrf.d.ts +9 -0
- package/dist/rules/cwe/cwe-918-ssrf.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-918-ssrf.js +59 -0
- package/dist/rules/cwe/cwe-918-ssrf.js.map +1 -0
- package/dist/rules/cwe/cwe-94-code-injection.d.ts +9 -0
- package/dist/rules/cwe/cwe-94-code-injection.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-94-code-injection.js +59 -0
- package/dist/rules/cwe/cwe-94-code-injection.js.map +1 -0
- package/dist/rules/cwe/index.d.ts +43 -0
- package/dist/rules/cwe/index.d.ts.map +1 -0
- package/dist/rules/cwe/index.js +99 -0
- package/dist/rules/cwe/index.js.map +1 -0
- package/dist/rules/engine/index.d.ts +10 -0
- package/dist/rules/engine/index.d.ts.map +1 -0
- package/dist/rules/engine/index.js +9 -0
- package/dist/rules/engine/index.js.map +1 -0
- package/dist/rules/engine/rule-context.d.ts +99 -0
- package/dist/rules/engine/rule-context.d.ts.map +1 -0
- package/dist/rules/engine/rule-context.js +175 -0
- package/dist/rules/engine/rule-context.js.map +1 -0
- package/dist/rules/engine/rule-engine.d.ts +132 -0
- package/dist/rules/engine/rule-engine.d.ts.map +1 -0
- package/dist/rules/engine/rule-engine.js +379 -0
- package/dist/rules/engine/rule-engine.js.map +1 -0
- package/dist/rules/engine/rule-registry.d.ts +133 -0
- package/dist/rules/engine/rule-registry.d.ts.map +1 -0
- package/dist/rules/engine/rule-registry.js +281 -0
- package/dist/rules/engine/rule-registry.js.map +1 -0
- package/dist/rules/index.d.ts +14 -0
- package/dist/rules/index.d.ts.map +1 -0
- package/dist/rules/index.js +16 -0
- package/dist/rules/index.js.map +1 -0
- package/dist/rules/owasp/a01-broken-access-control.d.ts +19 -0
- package/dist/rules/owasp/a01-broken-access-control.d.ts.map +1 -0
- package/dist/rules/owasp/a01-broken-access-control.js +295 -0
- package/dist/rules/owasp/a01-broken-access-control.js.map +1 -0
- package/dist/rules/owasp/a02-cryptographic-failures.d.ts +19 -0
- package/dist/rules/owasp/a02-cryptographic-failures.d.ts.map +1 -0
- package/dist/rules/owasp/a02-cryptographic-failures.js +327 -0
- package/dist/rules/owasp/a02-cryptographic-failures.js.map +1 -0
- package/dist/rules/owasp/a03-injection.d.ts +21 -0
- package/dist/rules/owasp/a03-injection.d.ts.map +1 -0
- package/dist/rules/owasp/a03-injection.js +342 -0
- package/dist/rules/owasp/a03-injection.js.map +1 -0
- package/dist/rules/owasp/a04-insecure-design.d.ts +19 -0
- package/dist/rules/owasp/a04-insecure-design.d.ts.map +1 -0
- package/dist/rules/owasp/a04-insecure-design.js +403 -0
- package/dist/rules/owasp/a04-insecure-design.js.map +1 -0
- package/dist/rules/owasp/a05-security-misconfiguration.d.ts +19 -0
- package/dist/rules/owasp/a05-security-misconfiguration.d.ts.map +1 -0
- package/dist/rules/owasp/a05-security-misconfiguration.js +371 -0
- package/dist/rules/owasp/a05-security-misconfiguration.js.map +1 -0
- package/dist/rules/owasp/a06-vulnerable-components.d.ts +18 -0
- package/dist/rules/owasp/a06-vulnerable-components.d.ts.map +1 -0
- package/dist/rules/owasp/a06-vulnerable-components.js +243 -0
- package/dist/rules/owasp/a06-vulnerable-components.js.map +1 -0
- package/dist/rules/owasp/a07-auth-failures.d.ts +19 -0
- package/dist/rules/owasp/a07-auth-failures.d.ts.map +1 -0
- package/dist/rules/owasp/a07-auth-failures.js +300 -0
- package/dist/rules/owasp/a07-auth-failures.js.map +1 -0
- package/dist/rules/owasp/a08-integrity-failures.d.ts +18 -0
- package/dist/rules/owasp/a08-integrity-failures.d.ts.map +1 -0
- package/dist/rules/owasp/a08-integrity-failures.js +306 -0
- package/dist/rules/owasp/a08-integrity-failures.js.map +1 -0
- package/dist/rules/owasp/a09-logging-failures.d.ts +18 -0
- package/dist/rules/owasp/a09-logging-failures.d.ts.map +1 -0
- package/dist/rules/owasp/a09-logging-failures.js +339 -0
- package/dist/rules/owasp/a09-logging-failures.js.map +1 -0
- package/dist/rules/owasp/a10-ssrf.d.ts +18 -0
- package/dist/rules/owasp/a10-ssrf.d.ts.map +1 -0
- package/dist/rules/owasp/a10-ssrf.js +349 -0
- package/dist/rules/owasp/a10-ssrf.js.map +1 -0
- package/dist/rules/owasp/index.d.ts +20 -0
- package/dist/rules/owasp/index.d.ts.map +1 -0
- package/dist/rules/owasp/index.js +53 -0
- package/dist/rules/owasp/index.js.map +1 -0
- package/dist/rules/types.d.ts +277 -0
- package/dist/rules/types.d.ts.map +1 -0
- package/dist/rules/types.js +34 -0
- package/dist/rules/types.js.map +1 -0
- package/dist/tests/integration/epic-integration.test.d.ts +7 -0
- package/dist/tests/integration/epic-integration.test.d.ts.map +1 -0
- package/dist/tests/integration/epic-integration.test.js +390 -0
- package/dist/tests/integration/epic-integration.test.js.map +1 -0
- package/dist/tests/rules/cwe/cwe-top25-1-13.test.d.ts +2 -0
- package/dist/tests/rules/cwe/cwe-top25-1-13.test.d.ts.map +1 -0
- package/dist/tests/rules/cwe/cwe-top25-1-13.test.js +154 -0
- package/dist/tests/rules/cwe/cwe-top25-1-13.test.js.map +1 -0
- package/dist/tests/rules/cwe/cwe-top25-14-25.test.d.ts +2 -0
- package/dist/tests/rules/cwe/cwe-top25-14-25.test.d.ts.map +1 -0
- package/dist/tests/rules/cwe/cwe-top25-14-25.test.js +121 -0
- package/dist/tests/rules/cwe/cwe-top25-14-25.test.js.map +1 -0
- package/dist/types/cve.d.ts +278 -0
- package/dist/types/cve.d.ts.map +1 -0
- package/dist/types/cve.js +7 -0
- package/dist/types/cve.js.map +1 -0
- package/dist/types/index.d.ts +2 -0
- package/dist/types/index.d.ts.map +1 -1
- package/dist/types/rule.d.ts +245 -0
- package/dist/types/rule.d.ts.map +1 -0
- package/dist/types/rule.js +7 -0
- package/dist/types/rule.js.map +1 -0
- package/package.json +1 -1
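--- a/package/dist/rules/cwe/cwe-22-path-traversal.js
+++ b/package/dist/rules/cwe/cwe-22-path-traversal.js
@@ -0,0 +1,306 @@
+/**
+* @fileoverview CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
+* @module @nahisaho/musubix-security/rules/cwe/cwe-22-path-traversal
+* @trace TSK-RULE-005
+*
+* Detects:
+* - Path concatenation with user input
+* - Missing path normalization
+* - Directory escape attempts
+* - Symlink attacks
+*
+* CWE-22 is #8 in CWE Top 25 2023.
+*/
+/**
+* CWE-22 - Path Traversal
+*/
+export const cwe22PathTraversal = {
+id: 'cwe-22-path-traversal',
+name: 'CWE-22: Path Traversal',
+description: 'Detects path traversal vulnerabilities from unsafe path construction',
+defaultSeverity: 'high',
+category: 'file-system',
+tags: ['cwe', 'path', 'traversal', 'lfi', 'security'],
+cwe: ['22'],
+references: [
+{
+title: 'CWE-22: Path Traversal',
+url: 'https://cwe.mitre.org/data/definitions/22.html',
+},
+{
+title: 'OWASP Path Traversal',
+url: 'https://owasp.org/www-community/attacks/Path_Traversal',
+},
+],
+async analyze(context) {
+const findings = [];
+const sourceCode = context.sourceCode;
+checkPathConcatenation(context, sourceCode, findings);
+checkFileOperations(context, sourceCode, findings);
+checkPathNormalization(context, sourceCode, findings);
+return findings;
+},
+};
+/**
+* Check for path concatenation with user input
+*/
+function checkPathConcatenation(context, sourceCode, findings) {
+const lines = sourceCode.split('\n');
+const pathPatterns = [
+{
+pattern: /path\.join\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'path.join with user input',
+message: 'path.join with user input allows path traversal',
+severity: 'high',
+},
+{
+pattern: /path\.resolve\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'path.resolve with user input',
+message: 'path.resolve with user input allows path traversal',
+severity: 'high',
+},
+{
+pattern: /['"`]\/.*['"`]\s*\+\s*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'String path concatenation',
+message: 'Path string concatenation with user input is vulnerable',
+severity: 'critical',
+},
+{
+pattern: /`[^`]*\/[^`]*\$\{(?:req\.|params\.|query\.|body\.)/gi,
+type: 'Template path with user input',
+message: 'Template literal path with user input is vulnerable',
+severity: 'critical',
+},
+{
+pattern: /__dirname\s*\+\s*(?:req\.|params\.|query\.|body\.)/gi,
+type: '__dirname concatenation',
+message: '__dirname + user input allows path traversal',
+severity: 'high',
+},
+{
+pattern: /process\.cwd\(\)\s*\+\s*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'process.cwd concatenation',
+message: 'process.cwd() + user input allows path traversal',
+severity: 'high',
+},
+];
+for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+const line = lines[lineNum];
+for (const { pattern, type, message, severity } of pathPatterns) {
+pattern.lastIndex = 0;
+if (pattern.test(line)) {
+findings.push({
+id: `cwe-22-concat-${findings.length + 1}`,
+ruleId: 'cwe-22-path-traversal',
+severity,
+message: `Path Traversal - ${type}: ${message}`,
+location: {
+file: context.filePath,
+startLine: lineNum + 1,
+endLine: lineNum + 1,
+startColumn: 0,
+endColumn: line.length,
+},
+cwe: ['22'],
+suggestion: {
+description: 'Validate and normalize path, check it stays within allowed directory',
+example: `const path = require('path');
+const allowedDir = '/safe/uploads';
+
+function getSafePath(userPath) {
+// Normalize and resolve
+const resolved = path.resolve(allowedDir, userPath);
+
+// Verify it's still within allowed directory
+if (!resolved.startsWith(allowedDir + path.sep)) {
+throw new Error('Path traversal detected');
+}
+
+return resolved;
+}`,
+},
+});
+}
+}
+}
+}
+/**
+* Check for unsafe file operations
+*/
+function checkFileOperations(context, sourceCode, findings) {
+const lines = sourceCode.split('\n');
+const filePatterns = [
+{
+pattern: /fs\.(?:readFile|readFileSync)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'readFile with user input',
+message: 'Reading file with user-controlled path allows LFI',
+severity: 'critical',
+},
+{
+pattern: /fs\.(?:writeFile|writeFileSync)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'writeFile with user input',
+message: 'Writing file with user-controlled path is dangerous',
+severity: 'critical',
+},
+{
+pattern: /fs\.(?:unlink|unlinkSync|rm|rmSync)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'unlink with user input',
+message: 'Deleting file with user-controlled path is very dangerous',
+severity: 'critical',
+},
+{
+pattern: /fs\.(?:createReadStream|createWriteStream)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'createStream with user input',
+message: 'Stream creation with user path allows traversal',
+severity: 'high',
+},
+{
+pattern: /fs\.(?:access|stat|lstat)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'stat with user input',
+message: 'File stat with user path leaks file existence',
+severity: 'medium',
+},
+{
+pattern: /fs\.(?:mkdir|mkdirSync)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'mkdir with user input',
+message: 'Creating directories with user input path',
+severity: 'medium',
+},
+{
+pattern: /require\s*\(\s*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'require with user input',
+message: 'Dynamic require with user input allows code execution',
+severity: 'critical',
+},
+{
+pattern: /import\s*\(\s*(?:req\.|params\.|query\.|body\.)/gi,
+type: 'dynamic import with user input',
+message: 'Dynamic import with user input allows code execution',
+severity: 'critical',
+},
+];
+for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+const line = lines[lineNum];
+for (const { pattern, type, message, severity } of filePatterns) {
+pattern.lastIndex = 0;
+if (pattern.test(line)) {
+findings.push({
+id: `cwe-22-file-${findings.length + 1}`,
+ruleId: 'cwe-22-path-traversal',
+severity,
+message: `Path Traversal - ${type}: ${message}`,
+location: {
+file: context.filePath,
+startLine: lineNum + 1,
+endLine: lineNum + 1,
+startColumn: 0,
+endColumn: line.length,
+},
+cwe: ['22'],
+suggestion: {
+description: 'Validate path before file operations',
+example: `const path = require('path');
+const fs = require('fs').promises;
+
+async function safeReadFile(baseDir, userFilename) {
+// Remove any path components
+const basename = path.basename(userFilename);
+
+// Construct safe path
+const safePath = path.join(baseDir, basename);
+
+// Verify within allowed directory
+const realPath = await fs.realpath(safePath);
+if (!realPath.startsWith(await fs.realpath(baseDir))) {
+throw new Error('Access denied');
+}
+
+return fs.readFile(safePath);
+}`,
+},
+});
+}
+}
+}
+}
+/**
+* Check for path normalization issues
+*/
+function checkPathNormalization(context, sourceCode, findings) {
+const lines = sourceCode.split('\n');
+const normPatterns = [
+{
+pattern: /\.\.\/|\.\.\\|\.\.\%2f|\.\.\%5c/gi,
+type: 'Path traversal sequence',
+message: 'Literal path traversal sequence detected',
+severity: 'info',
+},
+{
+pattern: /decodeURIComponent\s*\([^)]*\)[^;]*(?:fs\.|path\.)/gi,
+type: 'URL decode before path operation',
+message: 'URL decoding before path operation may bypass filters',
+severity: 'medium',
+},
+{
+pattern: /\.replace\s*\(\s*['"`]\.\.['"`]\s*,/gi,
+type: 'Simple .. replacement',
+message: 'Simple string replacement for .. can be bypassed',
+severity: 'medium',
+},
+{
+pattern: /\.includes\s*\(\s*['"`]\.\.['"`]\s*\)/gi,
+type: 'Simple .. check',
+message: 'Simple includes check for .. can be bypassed',
+severity: 'medium',
+},
+];
+for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+const line = lines[lineNum];
+for (const { pattern, type, message, severity } of normPatterns) {
+pattern.lastIndex = 0;
+if (pattern.test(line)) {
+findings.push({
+id: `cwe-22-norm-${findings.length + 1}`,
+ruleId: 'cwe-22-path-traversal',
+severity,
+message: `Path Normalization - ${type}: ${message}`,
+location: {
+file: context.filePath,
+startLine: lineNum + 1,
+endLine: lineNum + 1,
+startColumn: 0,
+endColumn: line.length,
+},
+cwe: ['22'],
+suggestion: {
+description: 'Use path.normalize and realpath for proper validation',
+example: `const path = require('path');
+const fs = require('fs').promises;
+
+async function validatePath(baseDir, userPath) {
+// Normalize path
+const normalized = path.normalize(userPath);
+const fullPath = path.join(baseDir, normalized);
+
+// Resolve symlinks and get real path
+try {
+const realPath = await fs.realpath(fullPath);
+const realBase = await fs.realpath(baseDir);
+
+// Ensure resolved path is within base
+if (!realPath.startsWith(realBase + path.sep)) {
+throw new Error('Path traversal attempt');
+}
+return realPath;
+} catch (err) {
+throw new Error('Invalid path');
+}
+}`,
+},
+});
+}
+}
+}
+}
+export default cwe22PathTraversal;
+//# sourceMappingURL=cwe-22-path-traversal.js.map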
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-22-path-traversal.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-22-path-traversal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAiB;IAC9C,EAAE,EAAE,uBAAuB;IAC3B,IAAI,EAAE,wBAAwB;IAC9B,WAAW,EACT,sEAAsE;IACxE,eAAe,EAAE,MAAM;IACvB,QAAQ,EAAE,aAAa;IACvB,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,CAAC;IACrD,GAAG,EAAE,CAAC,IAAI,CAAC;IACX,UAAU,EAAE;QACV;YACE,KAAK,EAAE,wBAAwB;YAC/B,GAAG,EAAE,gDAAgD;SACtD;QACD;YACE,KAAK,EAAE,sBAAsB;YAC7B,GAAG,EAAE,wDAAwD;SAC9D;KACF;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QAEtC,sBAAsB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACtD,mBAAmB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACnD,sBAAsB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QAEtD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,sBAAsB,CAC7B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,YAAY,GAAG;QACnB;YACE,OAAO,EAAE,yDAAyD;YAClE,IAAI,EAAE,2BAA2B;YACjC,OAAO,EAAE,iDAAiD;YAC1D,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,4DAA4D;YACrE,IAAI,EAAE,8BAA8B;YACpC,OAAO,EAAE,oDAAoD;YAC7D,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,2DAA2D;YACpE,IAAI,EAAE,2BAA2B;YACjC,OAAO,EAAE,yDAAyD;YAClE,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,sDAAsD;YAC/D,IAAI,EAAE,+BAA+B;YACrC,OAAO,EAAE,qDAAqD;YAC9D,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,sDAAsD;YAC/D,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EAAE,8CAA8C;YACvD,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,6DAA6D;YACtE,IAAI,EAAE,2BAA2B;YACjC,OAAO,EAAE,kDAAkD;YAC3D,QAAQ,EAAE,MAAe;SAC1B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;YAChE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC
1C,MAAM,EAAE,uBAAuB;oBAC/B,QAAQ;oBACR,OAAO,EAAE,oBAAoB,IAAI,KAAK,OAAO,EAAE;oBAC/C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE;wBACV,WAAW,EAAE,sEAAsE;wBACnF,OAAO,EAAE;;;;;;;;;;;;;EAanB;qBACS;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAC1B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,YAAY,GAAG;QACnB;YACE,OAAO,EAAE,4EAA4E;YACrF,IAAI,EAAE,0BAA0B;YAChC,OAAO,EAAE,mDAAmD;YAC5D,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,8EAA8E;YACvF,IAAI,EAAE,2BAA2B;YACjC,OAAO,EAAE,qDAAqD;YAC9D,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,kFAAkF;YAC3F,IAAI,EAAE,wBAAwB;YAC9B,OAAO,EAAE,2DAA2D;YACpE,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,yFAAyF;YAClG,IAAI,EAAE,8BAA8B;YACpC,OAAO,EAAE,iDAAiD;YAC1D,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,wEAAwE;YACjF,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EAAE,+CAA+C;YACxD,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,sEAAsE;YAC/E,IAAI,EAAE,uBAAuB;YAC7B,OAAO,EAAE,2CAA2C;YACpD,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,oDAAoD;YAC7D,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EAAE,uDAAuD;YAChE,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,mDAAmD;YAC5D,IAAI,EAAE,gCAAgC;YACtC,OAAO,EAAE,sDAAsD;YAC/D,QAAQ,EAAE,UAAmB;SAC9B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;YAChE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,eAAe,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBACxC,MAAM,EAAE,uBAAuB;oBAC/B,QAAQ;oBACR,OAAO,EAAE,oBAAoB,IAAI,KAAK,OAAO,EAAE;oBAC/C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB
;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE;wBACV,WAAW,EAAE,sCAAsC;wBACnD,OAAO,EAAE;;;;;;;;;;;;;;;;;EAiBnB;qBACS;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,YAAY,GAAG;QACnB;YACE,OAAO,EAAE,mCAAmC;YAC5C,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EAAE,0CAA0C;YACnD,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,sDAAsD;YAC/D,IAAI,EAAE,kCAAkC;YACxC,OAAO,EAAE,uDAAuD;YAChE,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,uCAAuC;YAChD,IAAI,EAAE,uBAAuB;YAC7B,OAAO,EAAE,kDAAkD;YAC3D,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,yCAAyC;YAClD,IAAI,EAAE,iBAAiB;YACvB,OAAO,EAAE,8CAA8C;YACvD,QAAQ,EAAE,QAAiB;SAC5B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;YAChE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,eAAe,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBACxC,MAAM,EAAE,uBAAuB;oBAC/B,QAAQ;oBACR,OAAO,EAAE,wBAAwB,IAAI,KAAK,OAAO,EAAE;oBACnD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE;wBACV,WAAW,EAAE,uDAAuD;wBACpE,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;EAqBnB;qBACS;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,eAAe,kBAAkB,CAAC"}
|
|
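--- /dev/null
+++ b/cwe-269-improper-privilege.d.ts
@@ -0,0 +1,9 @@
+/**
+* @fileoverview CWE-269: Improper Privilege Management
+* @module @nahisaho/musubix-security/rules/cwe/cwe-269-improper-privilege
+* @trace TSK-RULE-006
+*/
+import type { SecurityRule } from '../types.js';
+export declare const cwe269ImproperPrivilege: SecurityRule;
+export default cwe269ImproperPrivilege;
+//# sourceMappingURL=cwe-269-improper-privilege.d.ts.map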
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-269-improper-privilege.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-269-improper-privilege.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,uBAAuB,EAAE,YAqDrC,CAAC;AAEF,eAAe,uBAAuB,CAAC"}
|
|
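--- /dev/null
+++ b/cwe-269-improper-privilege.js
@@ -0,0 +1,58 @@
+/**
+* @fileoverview CWE-269: Improper Privilege Management
+* @module @nahisaho/musubix-security/rules/cwe/cwe-269-improper-privilege
+* @trace TSK-RULE-006
+*/
+export const cwe269ImproperPrivilege = {
+id: 'cwe-269-improper-privilege',
+name: 'CWE-269: Improper Privilege Management',
+description: 'Detects improper privilege assignment and escalation risks',
+defaultSeverity: 'high',
+category: 'authorization',
+tags: ['cwe', 'privilege', 'escalation', 'security'],
+cwe: ['269'],
+owasp: ['A01:2021'],
+references: [
+{ title: 'CWE-269', url: 'https://cwe.mitre.org/data/definitions/269.html' },
+],
+async analyze(context) {
+const findings = [];
+const lines = context.sourceCode.split('\n');
+const patterns = [
+{ pattern: /role\s*[:=]\s*['"`]admin['"`]/gi, type: 'Direct admin role assignment', severity: 'high' },
+{ pattern: /isAdmin\s*[:=]\s*true/gi, type: 'Direct admin flag set', severity: 'high' },
+{ pattern: /setuid|setgid|seteuid/gi, type: 'Privilege elevation function', severity: 'critical' },
+{ pattern: /sudo|runas/gi, type: 'Privilege escalation command', severity: 'critical' },
+{ pattern: /chmod\s*\(\s*['"`]?0?7/gi, type: 'Overly permissive chmod', severity: 'high' },
+{ pattern: /user\.role\s*=\s*req\./gi, type: 'Role from user input', severity: 'critical' },
+{ pattern: /\.grant\s*\(\s*['"`]\*/gi, type: 'Wildcard permission grant', severity: 'high' },
+];
+for (let i = 0; i < lines.length; i++) {
+for (const { pattern, type, severity } of patterns) {
+pattern.lastIndex = 0;
+if (pattern.test(lines[i])) {
+findings.push({
+id: `cwe-269-${findings.length + 1}`,
+ruleId: 'cwe-269-improper-privilege',
+severity,
+message: `Privilege Management - ${type}: Follow least privilege principle`,
+location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
+cwe: ['269'],
+owasp: ['A01:2021'],
+suggestion: {
+description: 'Apply least privilege principle',
+example: `// Use role-based access control
+const permissions = rbac.getPermissions(user.role);
+if (!permissions.includes('admin:write')) {
+throw new ForbiddenError();
+}`,
+},
+});
+}
+}
+}
+return findings;
+},
+};
+export default cwe269ImproperPrivilege;
+//# sourceMappingURL=cwe-269-improper-privilege.js.map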
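Review bot: The `/sudo|runas/gi` and `/setuid|setgid|seteuid/gi` patterns on lines 24–25 carry no word boundaries, so ordinary identifiers such as `runAsync` or `setUidHeader` are reported as critical privilege escalation; `{ pattern: /\b(?:sudo|runas)\b/gi, ... }` and `{ pattern: /\b(?:setuid|setgid|seteuid)\b/gi, ... }` keep the intended hits (`process.setuid(`, a `sudo` token in a string) and drop those. Every pattern here is also run against raw lines, so a `sudo` in a comment yields the same critical finding as one in an `exec` string; worth a comment above the `patterns` array such as `// Line-level heuristics: comments and string literals are scanned too, expect false positives.` The finding's `location` on line 39 omits the `startColumn`/`endColumn` that the cwe-22 rule earlier in this diff populates, so consumers of the report see two shapes; the cwe-276, cwe-287 and cwe-306 rules below have the same inconsistency.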
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-269-improper-privilege.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-269-improper-privilege.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,uBAAuB,GAAiB;IACnD,EAAE,EAAE,4BAA4B;IAChC,IAAI,EAAE,wCAAwC;IAC9C,WAAW,EAAE,4DAA4D;IACzE,eAAe,EAAE,MAAM;IACvB,QAAQ,EAAE,eAAe;IACzB,IAAI,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,CAAC;IACpD,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,iCAAiC,EAAE,IAAI,EAAE,8BAA8B,EAAE,QAAQ,EAAE,MAAe,EAAE;YAC/G,EAAE,OAAO,EAAE,yBAAyB,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,MAAe,EAAE;YAChG,EAAE,OAAO,EAAE,yBAAyB,EAAE,IAAI,EAAE,8BAA8B,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAC3G,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,8BAA8B,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAChG,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,MAAe,EAAE;YACnG,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YACpG,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,2BAA2B,EAAE,QAAQ,EAAE,MAAe,EAAE;SACtG,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,4BAA4B;wBACpC,QAAQ;wBACR,OAAO,EAAE,0BAA0B,IAAI,oCAAoC;wBAC3E,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,KAAK,EAAE,CAAC,UAAU,CAAC;wBACnB,UAAU,EAAE;4BACV,WAAW,EAAE,iCAAiC;4BAC9C,OAAO,EAAE;;;;EAIrB;yBACW;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,uBAAuB,CAAC"}
|
|
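--- /dev/null
+++ b/cwe-276-default-permissions.d.ts
@@ -0,0 +1,9 @@
+/**
+* @fileoverview CWE-276: Incorrect Default Permissions
+* @module @nahisaho/musubix-security/rules/cwe/cwe-276-default-permissions
+* @trace TSK-RULE-006
+*/
+import type { SecurityRule } from '../types.js';
+export declare const cwe276DefaultPermissions: SecurityRule;
+export default cwe276DefaultPermissions;
+//# sourceMappingURL=cwe-276-default-permissions.d.ts.map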
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-276-default-permissions.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-276-default-permissions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,wBAAwB,EAAE,YAiDtC,CAAC;AAEF,eAAe,wBAAwB,CAAC"}
|
|
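--- /dev/null
+++ b/cwe-276-default-permissions.js
@@ -0,0 +1,54 @@
+/**
+* @fileoverview CWE-276: Incorrect Default Permissions
+* @module @nahisaho/musubix-security/rules/cwe/cwe-276-default-permissions
+* @trace TSK-RULE-006
+*/
+export const cwe276DefaultPermissions = {
+id: 'cwe-276-default-permissions',
+name: 'CWE-276: Incorrect Default Permissions',
+description: 'Detects overly permissive default file/resource permissions',
+defaultSeverity: 'medium',
+category: 'configuration',
+tags: ['cwe', 'permissions', 'configuration', 'security'],
+cwe: ['276'],
+references: [
+{ title: 'CWE-276', url: 'https://cwe.mitre.org/data/definitions/276.html' },
+],
+async analyze(context) {
+const findings = [];
+const lines = context.sourceCode.split('\n');
+const patterns = [
+{ pattern: /chmod\s*\(\s*['"`]?0?777/gi, type: 'World-writable permissions', severity: 'critical' },
+{ pattern: /chmod\s*\(\s*['"`]?0?666/gi, type: 'World-readable/writable file', severity: 'high' },
+{ pattern: /umask\s*\(\s*0*0*0\s*\)/gi, type: 'No umask restriction', severity: 'high' },
+{ pattern: /mode\s*:\s*0o?777/gi, type: 'Mode 777 in options', severity: 'critical' },
+{ pattern: /fs\.chmod.*0o?7[0-7][0-7]/gi, type: 'fs.chmod with execute for all', severity: 'high' },
+{ pattern: /writeFile.*\{\s*mode\s*:\s*0o?[67]/gi, type: 'writeFile with permissive mode', severity: 'medium' },
+{ pattern: /mkdir.*\{\s*mode\s*:\s*0o?777/gi, type: 'mkdir with 777', severity: 'critical' },
+];
+for (let i = 0; i < lines.length; i++) {
+for (const { pattern, type, severity } of patterns) {
+pattern.lastIndex = 0;
+if (pattern.test(lines[i])) {
+findings.push({
+id: `cwe-276-${findings.length + 1}`,
+ruleId: 'cwe-276-default-permissions',
+severity,
+message: `Default Permissions - ${type}: Use restrictive permissions`,
+location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
+cwe: ['276'],
+suggestion: {
+description: 'Use least privilege permissions',
+example: `// Use restrictive permissions
+fs.writeFileSync(path, data, { mode: 0o600 }); // Owner only
+fs.mkdirSync(dir, { mode: 0o700 }); // Owner only`,
+},
+});
+}
+}
+}
+return findings;
+},
+};
+export default cwe276DefaultPermissions;
+//# sourceMappingURL=cwe-276-default-permissions.js.map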
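Review bot: The writeFile pattern on line 26 matches any mode whose owner digit is 6 or 7, so the rule's own recommended fix on line 43, `fs.writeFileSync(path, data, { mode: 0o600 })`, is itself reported as 'writeFile with permissive mode'; checking the others digit instead, `{ pattern: /writeFile.*\{\s*mode\s*:\s*0o?[0-7][0-7][1-7]/gi, ... }`, flags 0o644/0o666 and leaves owner-only modes alone. The `fs.chmod` pattern on line 25 has the same flaw: its label says 'execute for all' but the regex only requires the owner digit to be 7, so `fs.chmodSync(p, 0o700)` is a high finding while the label would be satisfied by `/fs\.chmod.*0o?[1357][1357][1357]/gi`. The 'World-writable' and 'World-readable/writable' patterns on lines 21–22 expect the mode immediately after the opening paren, which the Node `fs.chmod(path, mode)` signature never produces, so `fs.chmodSync(p, 0o777)` only ever lands in the weaker line-25 bucket; allowing a leading path argument before the mode literal would route it to the intended critical finding. Minor style point: `0*0*0` in the umask pattern on line 23 is just `0+`.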
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-276-default-permissions.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-276-default-permissions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,wBAAwB,GAAiB;IACpD,EAAE,EAAE,6BAA6B;IACjC,IAAI,EAAE,wCAAwC;IAC9C,WAAW,EAAE,6DAA6D;IAC1E,eAAe,EAAE,QAAQ;IACzB,QAAQ,EAAE,eAAe;IACzB,IAAI,EAAE,CAAC,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,UAAU,CAAC;IACzD,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,4BAA4B,EAAE,IAAI,EAAE,4BAA4B,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAC5G,EAAE,OAAO,EAAE,4BAA4B,EAAE,IAAI,EAAE,8BAA8B,EAAE,QAAQ,EAAE,MAAe,EAAE;YAC1G,EAAE,OAAO,EAAE,2BAA2B,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,MAAe,EAAE;YACjG,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAC9F,EAAE,OAAO,EAAE,6BAA6B,EAAE,IAAI,EAAE,+BAA+B,EAAE,QAAQ,EAAE,MAAe,EAAE;YAC5G,EAAE,OAAO,EAAE,sCAAsC,EAAE,IAAI,EAAE,gCAAgC,EAAE,QAAQ,EAAE,QAAiB,EAAE;YACxH,EAAE,OAAO,EAAE,iCAAiC,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAmB,EAAE;SACtG,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,6BAA6B;wBACrC,QAAQ;wBACR,OAAO,EAAE,yBAAyB,IAAI,+BAA+B;wBACrE,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,iCAAiC;4BAC9C,OAAO,EAAE;;kDAE2B;yBACrC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,wBAAwB,CAAC"}
|
|
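--- /dev/null
+++ b/cwe-287-improper-auth.d.ts
@@ -0,0 +1,9 @@
+/**
+* @fileoverview CWE-287: Improper Authentication
+* @module @nahisaho/musubix-security/rules/cwe/cwe-287-improper-auth
+* @trace TSK-RULE-005
+*/
+import type { SecurityRule } from '../types.js';
+export declare const cwe287ImproperAuth: SecurityRule;
+export default cwe287ImproperAuth;
+//# sourceMappingURL=cwe-287-improper-auth.d.ts.map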
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-287-improper-auth.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-287-improper-auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,kBAAkB,EAAE,YAoDhC,CAAC;AAEF,eAAe,kBAAkB,CAAC"}
|
|
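--- /dev/null
+++ b/cwe-287-improper-auth.js
@@ -0,0 +1,57 @@
+/**
+* @fileoverview CWE-287: Improper Authentication
+* @module @nahisaho/musubix-security/rules/cwe/cwe-287-improper-auth
+* @trace TSK-RULE-005
+*/
+export const cwe287ImproperAuth = {
+id: 'cwe-287-improper-auth',
+name: 'CWE-287: Improper Authentication',
+description: 'Detects weak or improper authentication patterns',
+defaultSeverity: 'high',
+category: 'authentication',
+tags: ['cwe', 'authentication', 'security'],
+owasp: ['A07:2021'],
+cwe: ['287'],
+references: [
+{ title: 'CWE-287', url: 'https://cwe.mitre.org/data/definitions/287.html' },
+],
+async analyze(context) {
+const findings = [];
+const lines = context.sourceCode.split('\n');
+const patterns = [
+{ pattern: /password\s*===?\s*['"`]\w+['"`]/gi, type: 'Hardcoded password check', severity: 'critical' },
+{ pattern: /if\s*\(\s*req\.headers\.authorization\s*\)/gi, type: 'Simple auth header check', severity: 'medium' },
+{ pattern: /\.compare\s*\(\s*password\s*,\s*password/gi, type: 'Password compared to itself', severity: 'high' },
+{ pattern: /jwt\.verify\s*\([^)]*\{\s*\}\s*\)/gi, type: 'JWT verify without options', severity: 'high' },
+{ pattern: /algorithms\s*:\s*\[\s*['"`]none['"`]/gi, type: 'JWT none algorithm', severity: 'critical' },
+{ pattern: /session\.cookie\.secure\s*=\s*false/gi, type: 'Insecure session cookie', severity: 'high' },
+];
+for (let i = 0; i < lines.length; i++) {
+for (const { pattern, type, severity } of patterns) {
+pattern.lastIndex = 0;
+if (pattern.test(lines[i])) {
+findings.push({
+id: `cwe-287-${findings.length + 1}`,
+ruleId: 'cwe-287-improper-auth',
+severity,
+message: `Authentication - ${type}: Use secure authentication`,
+location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
+cwe: ['287'],
+owasp: ['A07:2021'],
+suggestion: {
+description: 'Use proper authentication libraries',
+example: `// Use bcrypt for password comparison
+const isValid = await bcrypt.compare(inputPassword, hashedPassword);
+
+// JWT with proper options
+jwt.verify(token, secret, { algorithms: ['HS256'] });`,
+},
+});
+}
+}
+}
+return findings;
+},
+};
+export default cwe287ImproperAuth;
+//# sourceMappingURL=cwe-287-improper-auth.js.map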
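Review bot: The 'Password compared to itself' pattern on line 24 ends after the second `password` with no terminator, so the very common correct call `bcrypt.compare(password, passwordHash)` is reported as a high-severity self-comparison. Requiring the closing paren and using a backreference catches the real case for any variable name while dropping that false positive: `{ pattern: /\.compare\s*\(\s*(\w+)\s*,\s*\1\s*\)/gi, type: 'Value compared to itself', severity: 'high' },`. The cookie pattern on line 27 only recognises the `session.cookie.secure = false` assignment form; the options-object form `cookie: { secure: false }` that express-session style configuration uses is not matched, which is worth a comment on the pattern if it is intentional (`// Only the assignment form is detected; options-object form is not covered.`).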
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-287-improper-auth.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-287-improper-auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,kBAAkB,GAAiB;IAC9C,EAAE,EAAE,uBAAuB;IAC3B,IAAI,EAAE,kCAAkC;IACxC,WAAW,EAAE,kDAAkD;IAC/D,eAAe,EAAE,MAAM;IACvB,QAAQ,EAAE,gBAAgB;IAC1B,IAAI,EAAE,CAAC,KAAK,EAAE,gBAAgB,EAAE,UAAU,CAAC;IAC3C,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,mCAAmC,EAAE,IAAI,EAAE,0BAA0B,EAAE,QAAQ,EAAE,UAAmB,EAAE;YACjH,EAAE,OAAO,EAAE,8CAA8C,EAAE,IAAI,EAAE,0BAA0B,EAAE,QAAQ,EAAE,QAAiB,EAAE;YAC1H,EAAE,OAAO,EAAE,4CAA4C,EAAE,IAAI,EAAE,6BAA6B,EAAE,QAAQ,EAAE,MAAe,EAAE;YACzH,EAAE,OAAO,EAAE,qCAAqC,EAAE,IAAI,EAAE,4BAA4B,EAAE,QAAQ,EAAE,MAAe,EAAE;YACjH,EAAE,OAAO,EAAE,wCAAwC,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAChH,EAAE,OAAO,EAAE,uCAAuC,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,MAAe,EAAE;SACjH,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,uBAAuB;wBAC/B,QAAQ;wBACR,OAAO,EAAE,oBAAoB,IAAI,6BAA6B;wBAC9D,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,KAAK,EAAE,CAAC,UAAU,CAAC;wBACnB,UAAU,EAAE;4BACV,WAAW,EAAE,qCAAqC;4BAClD,OAAO,EAAE;;;;sDAI+B;yBACzC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,kBAAkB,CAAC"}
|
|
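--- /dev/null
+++ b/cwe-306-missing-auth-critical.d.ts
@@ -0,0 +1,9 @@
+/**
+* @fileoverview CWE-306: Missing Authentication for Critical Function
+* @module @nahisaho/musubix-security/rules/cwe/cwe-306-missing-auth-critical
+* @trace TSK-RULE-006
+*/
+import type { SecurityRule } from '../types.js';
+export declare const cwe306MissingAuthCritical: SecurityRule;
+export default cwe306MissingAuthCritical;
+//# sourceMappingURL=cwe-306-missing-auth-critical.d.ts.map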
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-306-missing-auth-critical.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-306-missing-auth-critical.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,yBAAyB,EAAE,YAgDvC,CAAC;AAEF,eAAe,yBAAyB,CAAC"}
|
|
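--- /dev/null
+++ b/cwe-306-missing-auth-critical.js
@@ -0,0 +1,53 @@
+/**
+* @fileoverview CWE-306: Missing Authentication for Critical Function
+* @module @nahisaho/musubix-security/rules/cwe/cwe-306-missing-auth-critical
+* @trace TSK-RULE-006
+*/
+export const cwe306MissingAuthCritical = {
+id: 'cwe-306-missing-auth-critical',
+name: 'CWE-306: Missing Authentication for Critical Function',
+description: 'Detects critical functions without authentication',
+defaultSeverity: 'critical',
+category: 'authentication',
+tags: ['cwe', 'authentication', 'critical', 'security'],
+cwe: ['306'],
+owasp: ['A07:2021'],
+references: [
+{ title: 'CWE-306', url: 'https://cwe.mitre.org/data/definitions/306.html' },
+],
+async analyze(context) {
+const findings = [];
+const lines = context.sourceCode.split('\n');
+const patterns = [
+{ pattern: /app\.(post|put|delete)\s*\(\s*['"`]\/admin/gi, type: 'Admin route without auth middleware', severity: 'critical' },
+{ pattern: /app\.(post|put|delete)\s*\(\s*['"`]\/api\/.*(?:delete|update|create)/gi, type: 'Critical API without auth', severity: 'high' },
+{ pattern: /router\.(post|put|delete)\s*\(\s*['"`]\//gi, type: 'State-changing route', severity: 'medium' },
+{ pattern: /\.destroy\s*\(\s*\)|\bdelete\s*\(/gi, type: 'Destructive operation', severity: 'medium' },
+{ pattern: /password.*reset|reset.*password/gi, type: 'Password reset function', severity: 'high' },
+];
+for (let i = 0; i < lines.length; i++) {
+for (const { pattern, type, severity } of patterns) {
+pattern.lastIndex = 0;
+if (pattern.test(lines[i])) {
+findings.push({
+id: `cwe-306-${findings.length + 1}`,
+ruleId: 'cwe-306-missing-auth-critical',
+severity,
+message: `Missing Auth - ${type}: Add authentication middleware`,
+location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
+cwe: ['306'],
+owasp: ['A07:2021'],
+suggestion: {
+description: 'Add authentication middleware',
+example: `// Add auth middleware
+app.delete('/admin/user/:id', authMiddleware, adminOnly, handler);`,
+},
+});
+}
+}
+}
+return findings;
+},
+};
+export default cwe306MissingAuthCritical;
+//# sourceMappingURL=cwe-306-missing-auth-critical.js.map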
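Review bot: The 'Admin route without auth middleware' pattern on line 22 never looks at the call's arguments, so the rule's own recommended fix on line 43, `app.delete('/admin/user/:id', authMiddleware, adminOnly, handler)`, is itself reported as a critical missing-authentication finding. A same-line negative lookahead after the path literal, e.g. `(?![^)]*(?:auth|passport))`, would suppress routes that visibly pass an auth-like middleware, though only an AST or call-graph check can truly establish absence, and the label should say so. The `\bdelete\s*\(` alternative on line 25 also matches every `Map`/`Set`/`Headers` `.delete(` call and HTTP-client calls such as `axios.delete(`, each surfacing as "Add authentication middleware"; HTTP delete routes are already covered by lines 22–24, so `{ pattern: /\.destroy\s*\(\s*\)/gi, type: 'Destructive operation', severity: 'medium' },` is the safer form. The 'Password reset function' pattern on line 26 fires on any line containing both words, including comments and UI strings, which deserves an inline comment naming it as a deliberately broad heuristic.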
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-306-missing-auth-critical.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-306-missing-auth-critical.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,yBAAyB,GAAiB;IACrD,EAAE,EAAE,+BAA+B;IACnC,IAAI,EAAE,uDAAuD;IAC7D,WAAW,EAAE,mDAAmD;IAChE,eAAe,EAAE,UAAU;IAC3B,QAAQ,EAAE,gBAAgB;IAC1B,IAAI,EAAE,CAAC,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,UAAU,CAAC;IACvD,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,8CAA8C,EAAE,IAAI,EAAE,qCAAqC,EAAE,QAAQ,EAAE,UAAmB,EAAE;YACvI,EAAE,OAAO,EAAE,wEAAwE,EAAE,IAAI,EAAE,2BAA2B,EAAE,QAAQ,EAAE,MAAe,EAAE;YACnJ,EAAE,OAAO,EAAE,4CAA4C,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,QAAiB,EAAE;YACpH,EAAE,OAAO,EAAE,qCAAqC,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,QAAiB,EAAE;YAC9G,EAAE,OAAO,EAAE,mCAAmC,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,MAAe,EAAE;SAC7G,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,+BAA+B;wBACvC,QAAQ;wBACR,OAAO,EAAE,kBAAkB,IAAI,iCAAiC;wBAChE,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,KAAK,EAAE,CAAC,UAAU,CAAC;wBACnB,UAAU,EAAE;4BACV,WAAW,EAAE,+BAA+B;4BAC5C,OAAO,EAAE;mEAC4C;yBACtD;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,yBAAyB,CAAC"}
|
|
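--- /dev/null
+++ b/cwe-352-csrf.d.ts
@@ -0,0 +1,9 @@
+/**
+* @fileoverview CWE-352: Cross-Site Request Forgery (CSRF)
+* @module @nahisaho/musubix-security/rules/cwe/cwe-352-csrf
+* @trace TSK-RULE-005
+*/
+import type { SecurityRule } from '../types.js';
+export declare const cwe352CSRF: SecurityRule;
+export default cwe352CSRF;
+//# sourceMappingURL=cwe-352-csrf.d.ts.map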
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-352-csrf.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-352-csrf.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,UAAU,EAAE,YA8CxB,CAAC;AAEF,eAAe,UAAU,CAAC"}
|