@nahisaho/musubix-security 2.0.1 → 2.1.1

package/dist/rules/owasp/a09-logging-failures.js

@@ -0,0 +1,339 @@
+/**
+ * @fileoverview OWASP A09:2021 - Security Logging and Monitoring Failures
+ * @module @nahisaho/musubix-security/rules/owasp/a09
+ * @trace REQ-SEC-OWASP-009
+ */
+/**
+ * OWASP A09:2021 - Security Logging and Monitoring Failures
+ *
+ * Detects:
+ * - Missing security event logging
+ * - Sensitive data in logs
+ * - Insufficient log detail
+ * - Missing log integrity protection
+ */
+export const owaspA09LoggingFailures = {
+    id: 'owasp-a09-logging-failures',
+    name: 'OWASP A09:2021 - Security Logging and Monitoring Failures',
+    description: 'Detects insufficient logging and monitoring for security events',
+    defaultSeverity: 'medium',
+    category: 'logging',
+    owasp: ['A09:2021'],
+    cwe: ['117', '223', '532', '778'],
+    references: [
+        {
+            title: 'OWASP A09:2021',
+            url: 'https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/',
+        },
+        {
+            title: 'CWE-778: Insufficient Logging',
+            url: 'https://cwe.mitre.org/data/definitions/778.html',
+        },
+    ],
+    async analyze(context) {
+        const findings = [];
+        checkMissingSecurityLogging(context, findings);
+        checkSensitiveDataInLogs(context, findings);
+        checkLogInjection(context, findings);
+        checkInsufficientLogContext(context, findings);
+        checkMissingErrorLogging(context, findings);
+        return findings;
+    },
+};
+/**
+ * Check for missing security event logging
+ */
+function checkMissingSecurityLogging(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    // Security events that should be logged
+    const securityEvents = [
+        { pattern: /(?:login|signin|authenticate)\s*(?:async\s*)?\(/i, event: 'authentication', needsLog: true },
+        { pattern: /(?:logout|signout)\s*(?:async\s*)?\(/i, event: 'logout', needsLog: true },
+        { pattern: /(?:password|credential).*(?:change|update|reset)/i, event: 'credential change', needsLog: true },
+        { pattern: /(?:permission|role|access).*(?:grant|revoke|change)/i, event: 'authorization change', needsLog: true },
+        { pattern: /(?:admin|administrative).*(?:action|operation)/i, event: 'admin action', needsLog: true },
+        { pattern: /(?:delete|remove).*(?:user|account)/i, event: 'account deletion', needsLog: true },
+    ];
+    // Function to check if logging exists nearby
+    const hasLoggingNearby = (startLine) => {
+        const searchRange = 15; // lines to search
+        const surroundingCode = lines.slice(Math.max(0, startLine - 2), Math.min(lines.length, startLine + searchRange)).join('\n');
+        return /(?:logger|log|audit|winston|pino|bunyan)\.(?:info|warn|error|log|audit)/i.test(surroundingCode);
+    };
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, event, needsLog } of securityEvents) {
+            if (pattern.test(line) && needsLog) {
+                if (!hasLoggingNearby(lineNum)) {
+                    findings.push({
+                        id: `owasp-a09-missing-${findings.length + 1}`,
+                        ruleId: 'owasp-a09-logging-failures',
+                        severity: 'medium',
+                        message: `Missing security logging for ${event} event`,
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        cwe: ['778'],
+                        suggestion: {
+                            description: `Add audit logging for ${event} events`,
+                            example: `// Add security audit logging:
+logger.info('security.${event.replace(/\s+/g, '_')}', {
+  userId: user.id,
+  action: '${event}',
+  timestamp: new Date().toISOString(),
+  ipAddress: req.ip,
+  userAgent: req.headers['user-agent']
+});`,
+                        },
+                    });
+                }
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for sensitive data in logs
+ */
+function checkSensitiveDataInLogs(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const sensitiveLogPatterns = [
+        // Password in log
+        { pattern: /(?:console|logger|log|winston|pino)\.(?:log|info|debug|warn|error)\s*\([^)]*password/i, data: 'password' },
+        // Token in log
+        { pattern: /(?:console|logger|log)\.(?:log|info|debug|warn|error)\s*\([^)]*(?:token|jwt|bearer)/i, data: 'authentication token' },
+        // Credit card
+        { pattern: /(?:console|logger|log)\.(?:log|info|debug|warn|error)\s*\([^)]*(?:credit.*card|card.*number|cvv)/i, data: 'credit card information' },
+        // SSN
+        { pattern: /(?:console|logger|log)\.(?:log|info|debug|warn|error)\s*\([^)]*(?:ssn|social.*security)/i, data: 'SSN' },
+        // API key
+        { pattern: /(?:console|logger|log)\.(?:log|info|debug|warn|error)\s*\([^)]*(?:api.*key|secret.*key|private.*key)/i, data: 'API key' },
+        // Full request body (might contain sensitive data)
+        { pattern: /(?:console|logger|log)\.(?:log|info|debug)\s*\([^)]*req\.body\s*\)/i, data: 'full request body' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, data } of sensitiveLogPatterns) {
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a09-sensitive-${findings.length + 1}`,
+                    ruleId: 'owasp-a09-logging-failures',
+                    severity: 'high',
+                    message: `Sensitive data in logs: ${data}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['532'],
+                    suggestion: {
+                        description: 'Redact sensitive data before logging',
+                        example: `// Redact sensitive data:
+const redact = (obj) => {
+  const sensitive = ['password', 'token', 'ssn', 'creditCard'];
+  const redacted = { ...obj };
+  for (const key of sensitive) {
+    if (redacted[key]) redacted[key] = '[REDACTED]';
+  }
+  return redacted;
+};
+
+logger.info('Request:', redact(req.body));`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for log injection vulnerabilities
+ */
+function checkLogInjection(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const logInjectionPatterns = [
+        // Direct user input in log message
+        { pattern: /(?:console|logger|log)\.(?:log|info|debug|warn|error)\s*\(\s*req\.(?:body|query|params)\./i, issue: 'User input directly in log message' },
+        // Template literal with user input
+        { pattern: /(?:console|logger|log)\.(?:log|info|debug|warn|error)\s*\(\s*`[^`]*\$\{req\./i, issue: 'User input in log template literal' },
+        // String concatenation with user input
+        { pattern: /(?:console|logger|log)\.(?:log|info|debug|warn|error)\s*\([^)]*\+\s*req\./i, issue: 'User input concatenated in log' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, issue } of logInjectionPatterns) {
+            if (pattern.test(line)) {
+                // Check if input is sanitized
+                const surroundingCode = lines.slice(Math.max(0, lineNum - 3), lineNum + 1).join('\n');
+                const hasSanitization = /(?:sanitize|escape|encode|clean|filter)/i.test(surroundingCode);
+                if (!hasSanitization) {
+                    findings.push({
+                        id: `owasp-a09-injection-${findings.length + 1}`,
+                        ruleId: 'owasp-a09-logging-failures',
+                        severity: 'medium',
+                        message: `Log injection vulnerability: ${issue}`,
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        cwe: ['117'],
+                        suggestion: {
+                            description: 'Sanitize user input before logging',
+                            example: `// Sanitize user input for logging:
+const sanitizeForLog = (input) => {
+  if (typeof input !== 'string') return String(input);
+  return input
+    .replace(/\\n/g, '\\\\n')
+    .replace(/\\r/g, '\\\\r')
+    .substring(0, 1000); // Limit length
+};
+
+logger.info('User action', { input: sanitizeForLog(req.body.input) });`,
+                        },
+                    });
+                }
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for insufficient log context
+ */
+function checkInsufficientLogContext(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    // Look for security-related functions without proper context logging
+    const securityFunctions = [
+        /async function.*(?:auth|login|verify)/i,
+        /const\s+\w+\s*=\s*async\s*\([^)]*\)\s*=>\s*\{.*(?:auth|login|verify)/i,
+    ];
+    let inSecurityFunction = false;
+    let functionStartLine = 0;
+    let braceCount = 0;
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        // Track function boundaries
+        for (const pattern of securityFunctions) {
+            if (pattern.test(line)) {
+                inSecurityFunction = true;
+                functionStartLine = lineNum;
+                braceCount = 0;
+                break;
+            }
+        }
+        if (inSecurityFunction) {
+            braceCount += (line.match(/\{/g) || []).length;
+            braceCount -= (line.match(/\}/g) || []).length;
+            if (braceCount <= 0 && lineNum > functionStartLine) {
+                // End of function - check for proper logging
+                const functionCode = lines.slice(functionStartLine, lineNum + 1).join('\n');
+                const hasContextLogging = /logger\.(?:info|warn|error)\s*\([^)]*(?:userId|user\.id|ipAddress|req\.ip)/i.test(functionCode);
+                if (!hasContextLogging) {
+                    findings.push({
+                        id: `owasp-a09-context-${findings.length + 1}`,
+                        ruleId: 'owasp-a09-logging-failures',
+                        severity: 'low',
+                        message: 'Security function lacks contextual logging (userId, IP, etc.)',
+                        location: {
+                            file: context.filePath,
+                            startLine: functionStartLine + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        cwe: ['223'],
+                        suggestion: {
+                            description: 'Add contextual information to security logs',
+                            example: `// Include relevant context in security logs:
+logger.info('Authentication attempt', {
+  userId: user?.id,
+  email: user?.email,
+  ipAddress: req.ip,
+  userAgent: req.headers['user-agent'],
+  timestamp: new Date().toISOString(),
+  success: true
+});`,
+                        },
+                    });
+                }
+                inSecurityFunction = false;
+            }
+        }
+    }
+}
+/**
+ * Check for missing error logging
+ */
+function checkMissingErrorLogging(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    // Check catch blocks without logging
+    let inCatchBlock = false;
+    let catchStartLine = 0;
+    let catchBraceCount = 0;
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        if (/catch\s*\(/i.test(line)) {
+            inCatchBlock = true;
+            catchStartLine = lineNum;
+            catchBraceCount = 0;
+        }
+        if (inCatchBlock) {
+            catchBraceCount += (line.match(/\{/g) || []).length;
+            catchBraceCount -= (line.match(/\}/g) || []).length;
+            if (catchBraceCount <= 0 && lineNum > catchStartLine) {
+                const catchCode = lines.slice(catchStartLine, lineNum + 1).join('\n');
+                // Check if error is logged
+                const hasErrorLogging = /(?:console|logger|log)\.(?:error|warn)\s*\(/i.test(catchCode);
+                const isEmptyCatch = catchCode.replace(/[{}]/g, '').trim().length < 20;
+                const hasRethrow = /throw\s+/i.test(catchCode);
+                if (!hasErrorLogging && !isEmptyCatch && !hasRethrow) {
+                    findings.push({
+                        id: `owasp-a09-error-${findings.length + 1}`,
+                        ruleId: 'owasp-a09-logging-failures',
+                        severity: 'low',
+                        message: 'Error caught without logging',
+                        location: {
+                            file: context.filePath,
+                            startLine: catchStartLine + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        cwe: ['223'],
+                        suggestion: {
+                            description: 'Log errors for debugging and monitoring',
+                            example: `// Log errors with context:
+try {
+  // ... operation
+} catch (error) {
+  logger.error('Operation failed', {
+    error: error.message,
+    stack: error.stack,
+    context: { /* relevant data */ }
+  });
+  throw error; // or handle appropriately
+}`,
+                        },
+                    });
+                }
+                inCatchBlock = false;
+            }
+        }
+    }
+}
+export default owaspA09LoggingFailures;
+//# sourceMappingURL=a09-logging-failures.js.map

package/dist/rules/owasp/a09-logging-failures.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"a09-logging-failures.js","sourceRoot":"","sources":["../../../src/rules/owasp/a09-logging-failures.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAiB;IACnD,EAAE,EAAE,4BAA4B;IAChC,IAAI,EAAE,2DAA2D;IACjE,WAAW,EAAE,iEAAiE;IAC9E,eAAe,EAAE,QAAQ;IACzB,QAAQ,EAAE,SAAS;IACnB,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;IACjC,UAAU,EAAE;QACV;YACE,KAAK,EAAE,gBAAgB;YACvB,GAAG,EAAE,4EAA4E;SAClF;QACD;YACE,KAAK,EAAE,+BAA+B;YACtC,GAAG,EAAE,iDAAiD;SACvD;KACiB;IAEpB,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QAEnC,2BAA2B,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC/C,wBAAwB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC5C,iBAAiB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrC,2BAA2B,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC/C,wBAAwB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE5C,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,2BAA2B,CAAC,OAAoB,EAAE,QAAuB;IAChF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,wCAAwC;IACxC,MAAM,cAAc,GAAG;QACrB,EAAE,OAAO,EAAE,kDAAkD,EAAE,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,IAAI,EAAE;QACxG,EAAE,OAAO,EAAE,uCAAuC,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;QACrF,EAAE,OAAO,EAAE,mDAAmD,EAAE,KAAK,EAAE,mBAAmB,EAAE,QAAQ,EAAE,IAAI,EAAE;QAC5G,EAAE,OAAO,EAAE,sDAAsD,EAAE,KAAK,EAAE,sBAAsB,EAAE,QAAQ,EAAE,IAAI,EAAE;QAClH,EAAE,OAAO,EAAE,iDAAiD,EAAE,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE;QACrG,EAAE,OAAO,EAAE,sCAAsC,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,IAAI,EAAE;KAC/F,CAAC;IAEF,6CAA6C;IAC7C,MAAM,gBAAgB,GAAG,CAAC,SAAiB,EAAW,EAAE;QACtD,MAAM,WAAW,GAAG,EAAE,CAAC,CAAC,kBAAkB;QAC1C,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CACjC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,EAC1B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,WAAW,CAAC,CAChD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEb,OAAO,0EAA0E,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC1G,CAAC,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,cAAc,EAAE,CAAC;YAC1D,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACnC,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC/B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,qBAAqB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAC9C,MAAM,EAAE,4BAA4B;wBACpC,QAAQ,EAAE,QAAQ;wBAClB,OAAO,EAAE,gCAAgC,KAAK,QAAQ;wBACtD,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,OAAO,GAAG,CAAC;4BACtB,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,yBAAyB,KAAK,SAAS;4BACpD,OAAO,EAAE;wBACC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;;aAErC,KAAK;;;;IAId;yBACS;qBACF,CAAC,CAAC;gBACL,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,OAAoB,EAAE,QAAuB;IAC7E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,oBAAoB,GAAG;QAC3B,kBAAkB;QAClB,EAAE,OAAO,EAAE,uFAAuF,EAAE,IAAI,EAAE,UAAU,EAAE;QACtH,eAAe;QACf,EAAE,OAAO,EAAE,sFAAsF,EAAE,IAAI,EAAE,sBAAsB,EAAE;QACjI,cAAc;QACd,EAAE,OAAO,EAAE,mGAAmG,EAAE,IAAI,EAAE,yBAAyB,EAAE;QACjJ,MAAM;QACN,EAAE,OAAO,EAAE,0FAA0F,EAAE,IAAI,EAAE,KAAK,EAAE;QACpH,UAAU;QACV,EAAE,OAAO,EAAE,uGAAuG,EAAE,IAAI,EAAE,SAAS,EAAE;QACrI,mDAAmD;QACnD,EAAE,OAAO,EAAE,qEAAqE,EAAE,IAAI,EAAE,mBAAmB,EAAE;KAC9G,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,oBAAoB,EAAE,CAAC;YACrD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,uBAAuB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAChD,MAAM,EAAE,4BAA4B;oBACpC,QAAQ,EAAE,MAAM;oBAChB,OAAO,EAAE,2BAA2B,IAAI,EAAE;oBAC1C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,CAAC;oBACZ,UAAU,EAAE;wBACV,WAAW,EAAE,sCAAsC;wBACnD,OAAO,EAAE;;;;;;;;;;2CAUsB;qBAChC;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,OAAoB,EAAE,QAAuB;IACtE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,oBAAoB,GAAG;QAC3B,mCAAmC;QACnC,EAAE,OAAO,EAAE,4FAA4F,EAAE,KAAK,EAAE,oCAAoC,EAAE;QACtJ,mCAAmC;QACnC,EAAE,OAAO,EAAE,+EAA+E,EAAE,KAAK,EAAE,oCAAoC,EAAE;QACzI,uCAAuC;QACvC,EAAE,OAAO,EAAE,4EAA4E,EAAE,KAAK,EAAE,gCAAgC,EAAE;KACnI,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,oBAAoB,EAAE,CAAC;YACtD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,8BAA8B;gBAC9B,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtF,MAAM,eAAe,GAAG,0CAA0C,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;gBAEzF,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,uBAAuB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAChD,MAAM,EAAE,4BAA4B;wBACpC,QAAQ,EAAE,QAAQ;wBAClB,OAAO,EAAE,gCAAgC,KAAK,EAAE;wBAChD,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,OAAO,GAAG,CAAC;4BACtB,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,oCAAoC;4BACjD,OAAO,EAAE;;;;;;;;;uEASgD;yBAC1D;qBACF,CAAC,CAAC;gBACL,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,2BAA2B,CAAC,OAAoB,EAAE,QAAuB;IAChF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,qEAAqE;IACrE,MAAM,iBAAiB,GAAG;QACxB,wCAAwC;QACxC,uEAAuE;KACxE,CAAC;IAEF,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAC/B,IAAI,iBAAiB,GAAG,CAAC,CAAC;IAC1B,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,4BAA4B;QAC5B,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,iBAAiB,GAAG,OAAO,CAAC;gBAC5B,UAAU,GAAG,CAAC,CAAC;gBACf,MAAM;YACR,CAAC;QACH,CAAC;QAED,IAAI,kBAAkB,EAAE,CAAC;YACvB,UAAU,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YAC/C,UAAU,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YAE/C,IAAI,UAAU,IAAI,CAAC,IAAI,OAAO,GAAG,iBAAiB,EAAE,CAAC;gBACnD,6CAA6C;gBAC7C,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,iBAAiB,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAE5E,MAAM,iBAAiB,GAAG,6EAA6E,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;gBAE3H,IAAI,CAAC,iBAAiB,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,qBAAqB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAC9C,MAAM,EAAE,4BAA4B;wBACpC,QAAQ,EAAE,KAAK;wBACf,OAAO,EAAE,+DAA+D;wBACxE,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,iBAAiB,GAAG,CAAC;4BAChC,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,6CAA6C;4BAC1D,OAAO,EAAE;;;;;;;;IAQnB;yBACS;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,kBAAkB,GAAG,KAAK,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,OAAoB,EAAE,QAAuB;IAC7E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,qCAAqC;IACrC,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,eAAe,GAAG,CAAC,CAAC;IAExB,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,YAAY,GAAG,IAAI,CAAC;YACpB,cAAc,GAAG,OAAO,CAAC;YACzB,eAAe,GAAG,CAAC,CAAC;QACtB,CAAC;QAED,IAAI,YAAY,EAAE,CAAC;YACjB,eAAe,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YACpD,eAAe,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YAEpD,IAAI,eAAe,IAAI,CAAC,IAAI,OAAO,GAAG,cAAc,EAAE,CAAC;gBACrD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,cAAc,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEtE,2BAA2B;gBAC3B,MAAM,eAAe,GAAG,8CAA8C,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACvF,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC;gBACvE,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAE/C,IAAI,CAAC,eAAe,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,EAAE,CAAC;oBACrD,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,mBAAmB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAC5C,MAAM,EAAE,4BAA4B;wBACpC,QAAQ,EAAE,KAAK;wBACf,OAAO,EAAE,8BAA8B;wBACvC,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,cAAc,GAAG,CAAC;4BAC7B,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,yCAAyC;4BACtD,OAAO,EAAE;;;;;;;;;;EAUrB;yBACW;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,YAAY,GAAG,KAAK,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,eAAe,uBAAuB,CAAC"}

package/dist/rules/owasp/a10-ssrf.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @fileoverview OWASP A10:2021 - Server-Side Request Forgery (SSRF)
+ * @module @nahisaho/musubix-security/rules/owasp/a10
+ * @trace REQ-SEC-OWASP-010
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * OWASP A10:2021 - Server-Side Request Forgery (SSRF)
+ *
+ * Detects:
+ * - URL fetching with user input
+ * - Missing URL validation
+ * - Internal network access risks
+ * - Metadata endpoint access
+ */
+export declare const owaspA10SSRF: SecurityRule;
+export default owaspA10SSRF;
+//# sourceMappingURL=a10-ssrf.d.ts.map

package/dist/rules/owasp/a10-ssrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"a10-ssrf.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp/a10-ssrf.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA2C,MAAM,aAAa,CAAC;AAEzF;;;;;;;;GAQG;AACH,eAAO,MAAM,YAAY,EAAE,YA8B1B,CAAC;AA0UF,eAAe,YAAY,CAAC"}