@oculum/scanner 1.0.0

package/src/layer2/auth-antipatterns.ts

@@ -0,0 +1,394 @@
+/**
+ * Layer 2: Authentication Anti-Pattern Detection
+ * Identifies weak or missing authentication/authorization patterns
+ * 
+ * Key improvements:
+ * - Respects global middleware protection (caps severity at info)
+ * - Detects throwing auth helpers and suppresses redundant null checks
+ * - Properly classifies public endpoints
+ */
+
+import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
+import { isRouteProtectedByMiddleware, getRoutePathFromFile } from '../utils/middleware-detector'
+import type { AuthHelper, AuthHelperContext } from '../utils/auth-helper-detector'
+import { hasAuthHelperCallBefore, isUserIdAlreadyValidated } from '../utils/auth-helper-detector'
+import type { FileAuthImports } from '../utils/imported-auth-detector'
+
+interface AuthAntiPattern {
+  name: string
+  pattern: RegExp
+  severity: VulnerabilitySeverity
+  description: string
+  suggestedFix: string
+}
+
+const AUTH_ANTIPATTERNS: AuthAntiPattern[] = [
+  // Missing auth checks
+  {
+    name: 'Unprotected API route',
+    pattern: /export\s+(async\s+)?function\s+(GET|POST|PUT|DELETE|PATCH)\s*\(/gi,
+    severity: 'medium',
+    description: 'API route handler may lack authentication - verify auth is checked',
+    suggestedFix: 'Add authentication middleware or check session at the start of the handler',
+  },
+  {
+    name: 'Express route without auth middleware',
+    pattern: /\.(get|post|put|delete|patch)\s*\(\s*['"][^'"]+['"]\s*,\s*(async\s*)?\(\s*(req|request)/gi,
+    severity: 'medium',
+    description: 'Express route may lack authentication middleware',
+    suggestedFix: 'Add authentication middleware before the route handler',
+  },
+  
+  // Weak authentication patterns
+  {
+    name: 'Hardcoded credentials check',
+    pattern: /if\s*\(\s*(username|user|email)\s*===?\s*['"][^'"]+['"]\s*&&\s*(password|pass|pwd)\s*===?\s*['"][^'"]+['"]/gi,
+    severity: 'critical',
+    description: 'Hardcoded credentials in authentication logic',
+    suggestedFix: 'Use a proper user database with hashed passwords',
+  },
+  {
+    name: 'Password in plain text comparison',
+    pattern: /password\s*===?\s*user\.password|user\.password\s*===?\s*password/gi,
+    severity: 'high',
+    description: 'Plain text password comparison detected',
+    suggestedFix: 'Use bcrypt.compare() or similar for password verification',
+  },
+  {
+    name: 'JWT without verification',
+    pattern: /jwt\.decode\s*\([^)]+\)(?!.*verify)/gi,
+    severity: 'high',
+    description: 'JWT decoded without signature verification',
+    suggestedFix: 'Use jwt.verify() instead of jwt.decode() for authentication',
+  },
+  {
+    name: 'Weak JWT secret',
+    pattern: /jwt\.sign\s*\([^)]+,\s*['"][^'"]{1,20}['"]/gi,
+    severity: 'high',
+    description: 'JWT signed with a short/weak secret',
+    suggestedFix: 'Use a strong, random secret of at least 256 bits from environment variables',
+  },
+  
+  // Session issues
+  {
+    name: 'Session without secure flag',
+    pattern: /session\s*\(\s*\{[^}]*(?!secure\s*:\s*true)[^}]*\}/gi,
+    severity: 'medium',
+    description: 'Session configuration may lack secure flag',
+    suggestedFix: 'Set secure: true for cookies in production',
+  },
+  {
+    name: 'Cookie without httpOnly',
+    pattern: /cookie\s*\(\s*['"][^'"]+['"]\s*,[^)]*(?!httpOnly)[^)]*\)|setCookie\s*\([^)]*(?!httpOnly)/gi,
+    severity: 'medium',
+    description: 'Cookie set without httpOnly flag',
+    suggestedFix: 'Add httpOnly: true to prevent XSS access to cookies',
+  },
+  
+  // Authorization issues
+  // NOTE: We intentionally do NOT flag "if (!user)" or "if (!userId)" patterns as issues
+  // when throwing auth helpers are in use. Those helpers guarantee the user exists.
+  // This pattern is now much more targeted.
+  {
+    name: 'Missing role check for admin operation',
+    pattern: /\b(admin|superuser|moderator|owner)\b.*(?:delete|remove|update|modify|grant|revoke)/gi,
+    severity: 'low',
+    description: 'Potentially privileged operation - verify role/permission checks are in place',
+    suggestedFix: 'Add role-based access control for sensitive operations',
+  },
+  {
+    name: 'Client-side only auth check',
+    pattern: /if\s*\(\s*!?\s*(isAuthenticated|isLoggedIn|user)\s*\)\s*\{?\s*(router\.push|navigate|redirect|window\.location)/gi,
+    severity: 'medium',
+    description: 'Client-side only authentication redirect detected',
+    suggestedFix: 'Implement server-side authentication checks as well',
+  },
+  
+  // Insecure token handling
+  {
+    name: 'Token in URL',
+    pattern: /\?.*token=|&token=|\?.*api_key=|&api_key=/gi,
+    severity: 'high',
+    description: 'Sensitive token passed in URL query parameter',
+    suggestedFix: 'Pass tokens in Authorization header or request body',
+  },
+  {
+    name: 'Token in localStorage',
+    pattern: /localStorage\.(setItem|getItem)\s*\(\s*['"](token|jwt|auth|session|apiKey)/gi,
+    severity: 'medium',
+    description: 'Sensitive token stored in localStorage (XSS vulnerable)',
+    suggestedFix: 'Use httpOnly cookies for token storage',
+  },
+  
+  // OAuth/Social auth issues
+  {
+    name: 'OAuth state parameter missing',
+    pattern: /oauth|authorize\?.*(?!state=)/gi,
+    severity: 'medium',
+    description: 'OAuth flow may lack state parameter for CSRF protection',
+    suggestedFix: 'Include a random state parameter in OAuth requests',
+  },
+  
+  // Password handling issues
+  {
+    name: 'Password logged',
+    pattern: /console\.(log|info|debug|warn|error)\s*\([^)]*password/gi,
+    severity: 'critical',
+    description: 'Password may be logged to console',
+    suggestedFix: 'Never log passwords or sensitive credentials',
+  },
+  {
+    name: 'Password in error message',
+    pattern: /throw\s+new\s+Error\s*\([^)]*password|Error\s*\([^)]*password/gi,
+    severity: 'high',
+    description: 'Password may be included in error message',
+    suggestedFix: 'Never include passwords in error messages',
+  },
+  
+  // Rate limiting
+  {
+    name: 'Login without rate limiting',
+    pattern: /\/(login|signin|auth|authenticate)\s*['"],\s*(async\s*)?\(/gi,
+    severity: 'medium',
+    description: 'Login endpoint may lack rate limiting',
+    suggestedFix: 'Add rate limiting to prevent brute force attacks',
+  },
+  
+  // 2FA bypass
+  {
+    name: 'Potential 2FA bypass',
+    pattern: /skip2fa|bypass2fa|disable2fa|twoFactor\s*[=:]\s*false/gi,
+    severity: 'high',
+    description: 'Two-factor authentication bypass detected',
+    suggestedFix: 'Remove 2FA bypass options in production',
+  },
+]
+
+// Check if line is a comment
+function isComment(line: string): boolean {
+  const trimmed = line.trim()
+  return (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('*') ||
+    trimmed.startsWith('/*')
+  )
+}
+
+// Check if file is likely an auth-related file
+function isAuthRelatedFile(filePath: string): boolean {
+  const authKeywords = ['auth', 'login', 'session', 'user', 'account', 'credential', 'password', 'token', 'jwt', 'oauth']
+  const lowerPath = filePath.toLowerCase()
+  return authKeywords.some(keyword => lowerPath.includes(keyword))
+}
+
+// Check if endpoint is a known public endpoint (health checks, webhooks, cron)
+function isKnownPublicEndpoint(lineContent: string, filePath: string): boolean {
+  const PUBLIC_ENDPOINTS = [
+    // Health checks
+    /\/health\b/i,
+    /\/healthz\b/i,
+    /\/ready\b/i,
+    /\/live\b/i,
+    /\/ping\b/i,
+    /\/status\b/i,
+
+    // Webhooks (receive external calls)
+    /\/webhook\b/i,
+    /\/webhooks\//i,
+    /\/callback\b/i,
+
+    // Cron/scheduled tasks
+    /\/cron\//i,
+    /\/scheduled\//i,
+    /\/tasks\//i,
+
+    // Public APIs
+    /\/public\//i,
+    /\bGET\b.*\/api\/\w+\/\[id\]/i,  // Public resource reads with ID param
+  ]
+
+  return PUBLIC_ENDPOINTS.some(pattern =>
+    pattern.test(lineContent) || pattern.test(filePath)
+  )
+}
+
+// Check if there are auth indicators in nearby lines (within 15 lines)
+function hasAuthCheckNearby(lines: string[], lineIndex: number): boolean {
+  const startLine = Math.max(0, lineIndex)
+  const endLine = Math.min(lines.length, lineIndex + 15)
+  const searchWindow = lines.slice(startLine, endLine)
+
+  const authIndicators = [
+    /authorization/i,
+    /bearer\s+token/i,
+    /req\.user/,
+    /request\.user/,
+    /isAuthenticated/,
+    /requireAuth/,
+    /verifyToken/,
+    /checkPermission/,
+    /getServerSession/,
+    /auth\(\)/,
+    /middleware.*auth/i,
+    /session\s*\.\s*user/,
+    // Internal secret checks (network-level auth)
+    /internal.?secret/i,
+    /INTERNAL_SECRET/,
+    /x-internal-secret/i,
+    /admin.?secret/i,
+    /service.?token/i,
+    // BYOK patterns - user provides their own API key (implicit auth)
+    /userApiKey|user_api_key|clientApiKey/i,
+    /req\.body\.(?:apiKey|api_key|openaiKey|anthropicKey)/i,
+    /headers\[['"`]x-(?:openai|api|anthropic)-key['"`]\]/i,
+  ]
+
+  return searchWindow.some(line =>
+    authIndicators.some(pattern => pattern.test(line))
+  )
+}
+
+export interface AuthAntipatternOptions {
+  middlewareConfig?: MiddlewareAuthConfig
+  authHelpers?: AuthHelperContext
+  fileAuthImports?: Map<string, FileAuthImports>
+}
+
+export function detectAuthAntipatterns(
+  content: string,
+  filePath: string,
+  options: AuthAntipatternOptions = {}
+): Vulnerability[] {
+  const { middlewareConfig, authHelpers, fileAuthImports } = options
+  const vulnerabilities: Vulnerability[] = []
+  const lines = content.split('\n')
+  const isAuthFile = isAuthRelatedFile(filePath)
+
+  // Check if this route is protected by global middleware
+  const routePath = getRoutePathFromFile(filePath)
+  const middlewareProtection = routePath && middlewareConfig
+    ? isRouteProtectedByMiddleware(routePath, middlewareConfig)
+    : { isProtected: false, reason: '' }
+
+  // Check if file uses imported auth middleware/helpers
+  const importedAuthProtection = fileAuthImports?.get(filePath)
+  const usesImportedAuth = importedAuthProtection?.usesImportedAuth ?? false
+
+  // Check if file uses throwing auth helpers
+  const helpersList = authHelpers?.helpers || []
+
+  lines.forEach((line, index) => {
+    // Skip comment lines
+    if (isComment(line)) return
+
+    for (const pattern of AUTH_ANTIPATTERNS) {
+      const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+
+      if (regex.test(line)) {
+        // Special handling for unprotected route patterns
+        if (pattern.name === 'Unprotected API route' ||
+            pattern.name === 'Express route without auth middleware') {
+
+          // PRIORITY 0: Check if this is actually a route file
+          // In Next.js, routes must be in `route.ts/js` files. Files like `handlers.ts`,
+          // `safe-handlers.ts`, `utils.ts` etc. are NOT actual API routes even if they
+          // export GET/POST functions.
+          const isActualRouteFile = /\/(route|page)\.(ts|js|tsx|jsx)$/i.test(filePath) ||
+            /\/(api|routes?)\/.*\/(index|route)\.(ts|js)$/i.test(filePath) ||
+            // Express/Koa routes typically have 'routes' or 'router' in path
+            /\/(routes?|router|controllers?)\.[tj]s$/i.test(filePath)
+
+          // Files explicitly named as handlers, helpers, utils are not routes
+          const isUtilityFile = /(handler|helper|util|mock|test|fixture|safe|example)/i.test(filePath)
+
+          if (!isActualRouteFile || isUtilityFile) {
+            // Not an actual route file - skip this finding
+            break
+          }
+
+          // PRIORITY 1: Check if route is protected by global middleware
+          // This is the STRONGEST signal - if middleware protects the route, suppress entirely
+          if (middlewareProtection.isProtected) {
+            // Route is authenticated by middleware - no finding needed
+            break // Skip this pattern, route is protected
+          }
+
+          // PRIORITY 1.5: Check if file imports and uses auth middleware
+          // e.g., import { authMiddleware } from '@/lib/auth' + wraps handlers
+          if (usesImportedAuth) {
+            // File imports auth middleware and uses it - no finding needed
+            break // Skip this pattern, route is protected via imported auth
+          }
+
+          // PRIORITY 2: Check if file uses throwing auth helpers
+          // If getCurrentUserId() or similar is called, the route is authenticated
+          const authHelperCall = hasAuthHelperCallBefore(content, index, helpersList)
+          if (authHelperCall.hasCall && authHelperCall.helper) {
+            // Route uses a throwing auth helper - no finding needed
+            // The auth helper guarantees authenticated context
+            break // Skip this pattern, route is protected
+          }
+
+          // PRIORITY 3: Check if this is a known public endpoint
+          if (isKnownPublicEndpoint(line, filePath)) {
+            vulnerabilities.push({
+              id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
+              filePath,
+              lineNumber: index + 1,
+              lineContent: line.trim(),
+              severity: 'info',
+              category: 'missing_auth',
+              title: pattern.name + ' (public endpoint)',
+              description: 'This appears to be a public endpoint (health check, webhook, cron, etc.). Verify this is intentionally public and consider rate limiting if needed.',
+              suggestedFix: 'If this is a webhook or cron endpoint, ensure it has appropriate authentication (API keys, signatures, etc.). Health checks typically do not need auth.',
+              confidence: 'low',
+              layer: 2,
+            })
+            break // Only report once per line
+          }
+
+          // PRIORITY 4: Check if auth check exists nearby (inline check)
+          if (hasAuthCheckNearby(lines, index)) {
+            vulnerabilities.push({
+              id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
+              filePath,
+              lineNumber: index + 1,
+              lineContent: line.trim(),
+              severity: 'low',
+              category: 'missing_auth',
+              title: pattern.name,
+              description: pattern.description + ' (auth check detected in nearby lines)',
+              suggestedFix: pattern.suggestedFix,
+              confidence: 'low',
+              layer: 2,
+            })
+            break // Only report once per line
+          }
+        }
+
+        // Standard handling for all patterns (or fallback for route patterns)
+        // Boost confidence for auth-related files
+        const confidence = isAuthFile ? 'high' : 'medium'
+
+        vulnerabilities.push({
+          id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
+          filePath,
+          lineNumber: index + 1,
+          lineContent: line.trim(),
+          severity: pattern.severity,
+          category: 'missing_auth',
+          title: pattern.name,
+          description: pattern.description,
+          suggestedFix: pattern.suggestedFix,
+          confidence,
+          layer: 2,
+        })
+        break // Only report once per line
+      }
+    }
+  })
+
+  return vulnerabilities
+}