@reliabilityworks/ruleset-astro 0.5.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/rules.json +792 -0
package/package.json CHANGED
@@ -1,4 +1,4 @@
1
1
  {
2
2
  "name": "@reliabilityworks/ruleset-astro",
3
- "version": "0.5.0"
3
+ "version": "0.7.0"
4
4
  }
package/rules.json CHANGED
@@ -22,5 +22,797 @@
22
22
  "pattern": "\\bis:inline\\b",
23
23
  "message": "Inline script detected; prefer external scripts and CSP"
24
24
  }
25
+ },
26
+ {
27
+ "id": "astro/inline-style",
28
+ "severity": "low",
29
+ "title": "Inline style usage",
30
+ "description": "Inline styles complicate CSP and can increase injection risk when combined with untrusted data.",
31
+ "matcher": {
32
+ "type": "regex",
33
+ "fileGlobs": ["**/*.astro"],
34
+ "pattern": "\\bstyle=\\\"",
35
+ "message": "Inline style attribute detected"
36
+ }
37
+ },
38
+ {
39
+ "id": "astro/inline-event-handler",
40
+ "severity": "high",
41
+ "title": "Inline DOM event handler",
42
+ "description": "Inline event handlers (onclick/onerror/...) are a common XSS sink and weaken CSP.",
43
+ "matcher": {
44
+ "type": "regex",
45
+ "fileGlobs": ["**/*.astro"],
46
+ "pattern": "\\bon[a-zA-Z]+\\s*=",
47
+ "message": "Inline event handler attribute detected"
48
+ }
49
+ },
50
+ {
51
+ "id": "astro/onerror-handler",
52
+ "severity": "high",
53
+ "title": "onerror handler present",
54
+ "description": "onerror handlers can execute arbitrary JS when resources fail to load.",
55
+ "matcher": {
56
+ "type": "regex",
57
+ "fileGlobs": ["**/*.astro"],
58
+ "pattern": "\\bonerror\\s*=",
59
+ "message": "onerror handler detected"
60
+ }
61
+ },
62
+ {
63
+ "id": "astro/onclick-handler",
64
+ "severity": "medium",
65
+ "title": "onclick handler present",
66
+ "description": "Inline onclick handlers can enable XSS and weaken CSP.",
67
+ "matcher": {
68
+ "type": "regex",
69
+ "fileGlobs": ["**/*.astro"],
70
+ "pattern": "\\bonclick\\s*=",
71
+ "message": "onclick handler detected"
72
+ }
73
+ },
74
+ {
75
+ "id": "astro/onload-handler",
76
+ "severity": "medium",
77
+ "title": "onload handler present",
78
+ "description": "Inline onload handlers can execute JS automatically when elements load.",
79
+ "matcher": {
80
+ "type": "regex",
81
+ "fileGlobs": ["**/*.astro"],
82
+ "pattern": "\\bonload\\s*=",
83
+ "message": "onload handler detected"
84
+ }
85
+ },
86
+ {
87
+ "id": "astro/javascript-url",
88
+ "severity": "high",
89
+ "title": "javascript: URL usage",
90
+ "description": "javascript: URLs can execute script in the browser and are a common XSS vector.",
91
+ "matcher": {
92
+ "type": "regex",
93
+ "fileGlobs": ["**/*.astro"],
94
+ "pattern": "\\bjavascript:",
95
+ "message": "javascript: URL detected"
96
+ }
97
+ },
98
+ {
99
+ "id": "astro/data-url",
100
+ "severity": "medium",
101
+ "title": "data: URL usage",
102
+ "description": "data: URLs can embed content directly. Be careful when values can be influenced by untrusted input.",
103
+ "matcher": {
104
+ "type": "regex",
105
+ "fileGlobs": ["**/*.astro"],
106
+ "pattern": "\\bdata:",
107
+ "message": "data: URL detected"
108
+ }
109
+ },
110
+ {
111
+ "id": "astro/http-url",
112
+ "severity": "high",
113
+ "title": "Insecure http:// URL usage",
114
+ "description": "Using http:// can expose traffic to interception. Prefer https://.",
115
+ "matcher": {
116
+ "type": "regex",
117
+ "fileGlobs": ["**/*.astro"],
118
+ "pattern": "\\bhttp://",
119
+ "message": "http:// URL detected"
120
+ }
121
+ },
122
+ {
123
+ "id": "astro/iframe-present",
124
+ "severity": "low",
125
+ "title": "iframe embedded",
126
+ "description": "iframes can introduce clickjacking or untrusted content risks depending on source and sandboxing.",
127
+ "matcher": {
128
+ "type": "regex",
129
+ "fileGlobs": ["**/*.astro"],
130
+ "pattern": "<iframe\\b",
131
+ "message": "iframe tag detected"
132
+ }
133
+ },
134
+ {
135
+ "id": "astro/iframe-no-sandbox",
136
+ "severity": "high",
137
+ "title": "iframe without sandbox",
138
+ "description": "Unsandboxed iframes can run scripts and navigate the top-level page depending on origin.",
139
+ "matcher": {
140
+ "type": "regex",
141
+ "fileGlobs": ["**/*.astro"],
142
+ "pattern": "<iframe\\b(?![^>]*\\bsandbox=)",
143
+ "message": "iframe without sandbox detected"
144
+ }
145
+ },
146
+ {
147
+ "id": "astro/iframe-allow-scripts",
148
+ "severity": "medium",
149
+ "title": "iframe sandbox allows scripts",
150
+ "description": "sandbox=allow-scripts enables script execution inside the iframe. Validate content is trusted.",
151
+ "matcher": {
152
+ "type": "regex",
153
+ "fileGlobs": ["**/*.astro"],
154
+ "pattern": "\\bsandbox=\\\"[^\\\"]*allow-scripts",
155
+ "message": "iframe sandbox allows scripts"
156
+ }
157
+ },
158
+ {
159
+ "id": "astro/iframe-allow-same-origin",
160
+ "severity": "medium",
161
+ "title": "iframe sandbox allows same-origin",
162
+ "description": "sandbox=allow-same-origin can reduce sandbox isolation. Validate content is trusted.",
163
+ "matcher": {
164
+ "type": "regex",
165
+ "fileGlobs": ["**/*.astro"],
166
+ "pattern": "\\bsandbox=\\\"[^\\\"]*allow-same-origin",
167
+ "message": "iframe sandbox allows same-origin"
168
+ }
169
+ },
170
+ {
171
+ "id": "astro/iframe-allow-popups",
172
+ "severity": "low",
173
+ "title": "iframe sandbox allows popups",
174
+ "description": "allow-popups can allow the iframe to open new windows; review risk.",
175
+ "matcher": {
176
+ "type": "regex",
177
+ "fileGlobs": ["**/*.astro"],
178
+ "pattern": "\\bsandbox=\\\"[^\\\"]*allow-popups",
179
+ "message": "iframe sandbox allows popups"
180
+ }
181
+ },
182
+ {
183
+ "id": "astro/iframe-srcdoc",
184
+ "severity": "high",
185
+ "title": "iframe srcdoc used",
186
+ "description": "srcdoc embeds HTML directly and is an XSS sink if content can be influenced by untrusted input.",
187
+ "matcher": {
188
+ "type": "regex",
189
+ "fileGlobs": ["**/*.astro"],
190
+ "pattern": "\\bsrcdoc=",
191
+ "message": "iframe srcdoc detected"
192
+ }
193
+ },
194
+ {
195
+ "id": "astro/meta-refresh",
196
+ "severity": "medium",
197
+ "title": "Meta refresh redirect",
198
+ "description": "Meta refresh can be abused for phishing/redirects. Prefer server-side redirects.",
199
+ "matcher": {
200
+ "type": "regex",
201
+ "fileGlobs": ["**/*.astro"],
202
+ "pattern": "<meta\\s+http-equiv=\\\"refresh\\\"",
203
+ "message": "meta refresh detected"
204
+ }
205
+ },
206
+ {
207
+ "id": "astro/meta-csp-present",
208
+ "severity": "low",
209
+ "title": "CSP meta tag present",
210
+ "description": "CSP via meta can help reduce XSS but is less flexible than response headers.",
211
+ "matcher": {
212
+ "type": "regex",
213
+ "fileGlobs": ["**/*.astro"],
214
+ "pattern": "<meta\\s+http-equiv=\\\"Content-Security-Policy\\\"",
215
+ "message": "CSP meta tag detected"
216
+ }
217
+ },
218
+ {
219
+ "id": "astro/csp-unsafe-inline",
220
+ "severity": "high",
221
+ "title": "CSP allows unsafe-inline",
222
+ "description": "unsafe-inline weakens CSP and can permit inline script/style execution.",
223
+ "matcher": {
224
+ "type": "regex",
225
+ "fileGlobs": ["**/*.astro"],
226
+ "pattern": "unsafe-inline",
227
+ "message": "CSP contains unsafe-inline"
228
+ }
229
+ },
230
+ {
231
+ "id": "astro/csp-unsafe-eval",
232
+ "severity": "high",
233
+ "title": "CSP allows unsafe-eval",
234
+ "description": "unsafe-eval allows eval() and similar sinks, weakening CSP.",
235
+ "matcher": {
236
+ "type": "regex",
237
+ "fileGlobs": ["**/*.astro"],
238
+ "pattern": "unsafe-eval",
239
+ "message": "CSP contains unsafe-eval"
240
+ }
241
+ },
242
+ {
243
+ "id": "astro/window-message-listener",
244
+ "severity": "medium",
245
+ "title": "window message listener",
246
+ "description": "window.addEventListener('message') requires origin validation to avoid message spoofing.",
247
+ "matcher": {
248
+ "type": "regex",
249
+ "fileGlobs": ["**/*.astro"],
250
+ "pattern": "addEventListener\\s*\\(\\s*['\\\"]message['\\\"]",
251
+ "message": "message event listener detected"
252
+ }
253
+ },
254
+ {
255
+ "id": "astro/postmessage-usage",
256
+ "severity": "low",
257
+ "title": "postMessage usage",
258
+ "description": "postMessage requires strict origin checks when receiving messages.",
259
+ "matcher": {
260
+ "type": "regex",
261
+ "fileGlobs": ["**/*.astro"],
262
+ "pattern": "\\.postMessage\\s*\\(",
263
+ "message": "postMessage() usage detected"
264
+ }
265
+ },
266
+ {
267
+ "id": "astro/localstorage-usage",
268
+ "severity": "medium",
269
+ "title": "localStorage usage",
270
+ "description": "localStorage is accessible to JS and can leak secrets if XSS occurs.",
271
+ "matcher": {
272
+ "type": "regex",
273
+ "fileGlobs": ["**/*.astro"],
274
+ "pattern": "\\blocalStorage\\b",
275
+ "message": "localStorage referenced"
276
+ }
277
+ },
278
+ {
279
+ "id": "astro/sessionstorage-usage",
280
+ "severity": "low",
281
+ "title": "sessionStorage usage",
282
+ "description": "sessionStorage is accessible to JS and can leak data if XSS occurs.",
283
+ "matcher": {
284
+ "type": "regex",
285
+ "fileGlobs": ["**/*.astro"],
286
+ "pattern": "\\bsessionStorage\\b",
287
+ "message": "sessionStorage referenced"
288
+ }
289
+ },
290
+ {
291
+ "id": "astro/document-cookie",
292
+ "severity": "medium",
293
+ "title": "document.cookie usage",
294
+ "description": "Accessing document.cookie can lead to cookie leakage and suggests cookies may be readable by JS.",
295
+ "matcher": {
296
+ "type": "regex",
297
+ "fileGlobs": ["**/*.astro"],
298
+ "pattern": "document\\.cookie",
299
+ "message": "document.cookie referenced"
300
+ }
301
+ },
302
+ {
303
+ "id": "astro/dangerous-dom-innerhtml",
304
+ "severity": "high",
305
+ "title": "innerHTML assignment",
306
+ "description": "Assigning to innerHTML is an XSS sink if content can be influenced by untrusted input.",
307
+ "matcher": {
308
+ "type": "regex",
309
+ "fileGlobs": ["**/*.astro"],
310
+ "pattern": "\\.innerHTML\\s*=",
311
+ "message": "innerHTML assignment detected"
312
+ }
313
+ },
314
+ {
315
+ "id": "astro/dangerous-insertadjacenthtml",
316
+ "severity": "high",
317
+ "title": "insertAdjacentHTML usage",
318
+ "description": "insertAdjacentHTML is an XSS sink if content can be influenced by untrusted input.",
319
+ "matcher": {
320
+ "type": "regex",
321
+ "fileGlobs": ["**/*.astro"],
322
+ "pattern": "insertAdjacentHTML\\s*\\(",
323
+ "message": "insertAdjacentHTML usage detected"
324
+ }
325
+ },
326
+ {
327
+ "id": "astro/dangerous-document-write",
328
+ "severity": "high",
329
+ "title": "document.write usage",
330
+ "description": "document.write can inject HTML and is commonly unsafe.",
331
+ "matcher": {
332
+ "type": "regex",
333
+ "fileGlobs": ["**/*.astro"],
334
+ "pattern": "document\\.write\\s*\\(",
335
+ "message": "document.write usage detected"
336
+ }
337
+ },
338
+ {
339
+ "id": "astro/eval-usage",
340
+ "severity": "high",
341
+ "title": "eval() usage",
342
+ "description": "eval() is a dangerous sink and can enable code injection.",
343
+ "matcher": {
344
+ "type": "regex",
345
+ "fileGlobs": ["**/*.astro"],
346
+ "pattern": "\\beval\\s*\\(",
347
+ "message": "eval() usage detected"
348
+ }
349
+ },
350
+ {
351
+ "id": "astro/function-constructor",
352
+ "severity": "high",
353
+ "title": "Function constructor usage",
354
+ "description": "new Function() is similar to eval() and can enable code injection.",
355
+ "matcher": {
356
+ "type": "regex",
357
+ "fileGlobs": ["**/*.astro"],
358
+ "pattern": "new\\s+Function\\s*\\(",
359
+ "message": "Function constructor usage detected"
360
+ }
361
+ },
362
+ {
363
+ "id": "astro/domparser-parsefromstring",
364
+ "severity": "medium",
365
+ "title": "DOMParser.parseFromString usage",
366
+ "description": "Parsing HTML from strings can introduce injection risks if input is untrusted.",
367
+ "matcher": {
368
+ "type": "regex",
369
+ "fileGlobs": ["**/*.astro"],
370
+ "pattern": "parseFromString\\s*\\(",
371
+ "message": "DOMParser.parseFromString detected"
372
+ }
373
+ },
374
+ {
375
+ "id": "astro/unsafe-redirect-location",
376
+ "severity": "medium",
377
+ "title": "Potential open redirect",
378
+ "description": "Redirecting based on untrusted input can enable open redirect attacks.",
379
+ "matcher": {
380
+ "type": "regex",
381
+ "fileGlobs": ["**/*.astro"],
382
+ "pattern": "response\\.headers\\.set\\s*\\(\\s*['\\\"]Location['\\\"]",
383
+ "message": "Location header set detected"
384
+ }
385
+ },
386
+ {
387
+ "id": "astro/fetch-remote",
388
+ "severity": "medium",
389
+ "title": "Server fetch of remote URL",
390
+ "description": "Fetching remote URLs on the server can enable SSRF if the URL is influenced by untrusted input.",
391
+ "matcher": {
392
+ "type": "regex",
393
+ "fileGlobs": ["**/*.astro"],
394
+ "pattern": "\\bfetch\\s*\\(",
395
+ "message": "fetch() usage detected"
396
+ }
397
+ },
398
+ {
399
+ "id": "astro/unsafe-graphql-endpoint",
400
+ "severity": "low",
401
+ "title": "GraphQL endpoint referenced",
402
+ "description": "Ensure GraphQL endpoints are protected (auth, depth limits, rate limiting).",
403
+ "matcher": {
404
+ "type": "regex",
405
+ "fileGlobs": ["**/*.astro"],
406
+ "pattern": "\\/graphql\\b",
407
+ "message": "GraphQL endpoint reference detected"
408
+ }
409
+ },
410
+ {
411
+ "id": "astro/script-src-http",
412
+ "severity": "high",
413
+ "title": "Script loaded over HTTP",
414
+ "description": "Loading scripts over http:// can enable injection via MITM. Prefer https://.",
415
+ "matcher": {
416
+ "type": "regex",
417
+ "fileGlobs": ["**/*.astro"],
418
+ "pattern": "<script[^>]*\\bsrc=\\\"http://",
419
+ "message": "script src uses http://"
420
+ }
421
+ },
422
+ {
423
+ "id": "astro/script-src-data",
424
+ "severity": "medium",
425
+ "title": "Script loaded from data: URL",
426
+ "description": "data: scripts complicate CSP and can be abused for injection.",
427
+ "matcher": {
428
+ "type": "regex",
429
+ "fileGlobs": ["**/*.astro"],
430
+ "pattern": "<script[^>]*\\bsrc=\\\"data:",
431
+ "message": "script src uses data:"
432
+ }
433
+ },
434
+ {
435
+ "id": "astro/link-stylesheet-http",
436
+ "severity": "medium",
437
+ "title": "Stylesheet loaded over HTTP",
438
+ "description": "Loading CSS over http:// can enable UI redress or data exfiltration via CSS injection.",
439
+ "matcher": {
440
+ "type": "regex",
441
+ "fileGlobs": ["**/*.astro"],
442
+ "pattern": "<link[^>]*rel=\\\"stylesheet\\\"[^>]*href=\\\"http://",
443
+ "message": "stylesheet href uses http://"
444
+ }
445
+ },
446
+ {
447
+ "id": "astro/img-src-http",
448
+ "severity": "low",
449
+ "title": "Image loaded over HTTP",
450
+ "description": "Loading images over http:// can leak browsing behavior and enables tampering.",
451
+ "matcher": {
452
+ "type": "regex",
453
+ "fileGlobs": ["**/*.astro"],
454
+ "pattern": "<img[^>]*\\bsrc=\\\"http://",
455
+ "message": "img src uses http://"
456
+ }
457
+ },
458
+ {
459
+ "id": "astro/img-src-data",
460
+ "severity": "low",
461
+ "title": "Image loaded from data: URL",
462
+ "description": "data: images can embed executable SVG or unexpected content; validate sources.",
463
+ "matcher": {
464
+ "type": "regex",
465
+ "fileGlobs": ["**/*.astro"],
466
+ "pattern": "<img[^>]*\\bsrc=\\\"data:",
467
+ "message": "img src uses data:"
468
+ }
469
+ },
470
+ {
471
+ "id": "astro/video-src-http",
472
+ "severity": "low",
473
+ "title": "Video loaded over HTTP",
474
+ "description": "Loading media over http:// can leak browsing behavior and enables tampering.",
475
+ "matcher": {
476
+ "type": "regex",
477
+ "fileGlobs": ["**/*.astro"],
478
+ "pattern": "<video[^>]*\\bsrc=\\\"http://",
479
+ "message": "video src uses http://"
480
+ }
481
+ },
482
+ {
483
+ "id": "astro/audio-src-http",
484
+ "severity": "low",
485
+ "title": "Audio loaded over HTTP",
486
+ "description": "Loading media over http:// can leak browsing behavior and enables tampering.",
487
+ "matcher": {
488
+ "type": "regex",
489
+ "fileGlobs": ["**/*.astro"],
490
+ "pattern": "<audio[^>]*\\bsrc=\\\"http://",
491
+ "message": "audio src uses http://"
492
+ }
493
+ },
494
+ {
495
+ "id": "astro/anchor-target-blank",
496
+ "severity": "medium",
497
+ "title": "target=_blank link",
498
+ "description": "Links opened in a new tab can be vulnerable to reverse tabnabbing unless rel=\"noopener\" is used.",
499
+ "matcher": {
500
+ "type": "regex",
501
+ "fileGlobs": ["**/*.astro"],
502
+ "pattern": "target=\\\"_blank\\\"",
503
+ "message": "target=\"_blank\" detected"
504
+ }
505
+ },
506
+ {
507
+ "id": "astro/referrerpolicy-unsafe-url",
508
+ "severity": "medium",
509
+ "title": "referrerpolicy unsafe-url",
510
+ "description": "referrerpolicy=unsafe-url can leak full URLs (including query params) to third parties.",
511
+ "matcher": {
512
+ "type": "regex",
513
+ "fileGlobs": ["**/*.astro"],
514
+ "pattern": "referrerpolicy=\\\"unsafe-url\\\"",
515
+ "message": "referrerpolicy=\"unsafe-url\" detected"
516
+ }
517
+ },
518
+ {
519
+ "id": "astro/input-type-password",
520
+ "severity": "low",
521
+ "title": "Password input present",
522
+ "description": "Ensure password handling uses HTTPS, strong CSP, and avoids logging sensitive data.",
523
+ "matcher": {
524
+ "type": "regex",
525
+ "fileGlobs": ["**/*.astro"],
526
+ "pattern": "<input[^>]*\\btype=\\\"password\\\"",
527
+ "message": "password input detected"
528
+ }
529
+ },
530
+ {
531
+ "id": "astro/input-type-file",
532
+ "severity": "low",
533
+ "title": "File input present",
534
+ "description": "File uploads require validation, size limits, content-type checks, and storage hardening.",
535
+ "matcher": {
536
+ "type": "regex",
537
+ "fileGlobs": ["**/*.astro"],
538
+ "pattern": "<input[^>]*\\btype=\\\"file\\\"",
539
+ "message": "file input detected"
540
+ }
541
+ },
542
+ {
543
+ "id": "astro/object-tag",
544
+ "severity": "medium",
545
+ "title": "<object> embedded",
546
+ "description": "Embedding arbitrary content via <object> can increase clickjacking and plugin risks.",
547
+ "matcher": {
548
+ "type": "regex",
549
+ "fileGlobs": ["**/*.astro"],
550
+ "pattern": "<object\\b",
551
+ "message": "object tag detected"
552
+ }
553
+ },
554
+ {
555
+ "id": "astro/embed-tag",
556
+ "severity": "medium",
557
+ "title": "<embed> embedded",
558
+ "description": "Embedding arbitrary content via <embed> can increase clickjacking and plugin risks.",
559
+ "matcher": {
560
+ "type": "regex",
561
+ "fileGlobs": ["**/*.astro"],
562
+ "pattern": "<embed\\b",
563
+ "message": "embed tag detected"
564
+ }
565
+ },
566
+ {
567
+ "id": "astro/svg-tag",
568
+ "severity": "low",
569
+ "title": "Inline SVG present",
570
+ "description": "Inline SVG can contain scriptable content; treat untrusted SVG as potentially dangerous.",
571
+ "matcher": {
572
+ "type": "regex",
573
+ "fileGlobs": ["**/*.astro"],
574
+ "pattern": "<svg\\b",
575
+ "message": "svg tag detected"
576
+ }
577
+ },
578
+ {
579
+ "id": "astro/math-tag",
580
+ "severity": "low",
581
+ "title": "MathML present",
582
+ "description": "MathML can be abused in some contexts; ensure untrusted content is sanitized.",
583
+ "matcher": {
584
+ "type": "regex",
585
+ "fileGlobs": ["**/*.astro"],
586
+ "pattern": "<math\\b",
587
+ "message": "math tag detected"
588
+ }
589
+ },
590
+ {
591
+ "id": "astro/iframe-allow-top-navigation",
592
+ "severity": "medium",
593
+ "title": "iframe sandbox allows top navigation",
594
+ "description": "allow-top-navigation can enable the iframe to navigate the top-level page.",
595
+ "matcher": {
596
+ "type": "regex",
597
+ "fileGlobs": ["**/*.astro"],
598
+ "pattern": "\\bsandbox=\\\"[^\\\"]*allow-top-navigation",
599
+ "message": "iframe sandbox allows top navigation"
600
+ }
601
+ },
602
+ {
603
+ "id": "astro/iframe-allow-forms",
604
+ "severity": "low",
605
+ "title": "iframe sandbox allows forms",
606
+ "description": "allow-forms enables form submission from inside an iframe; review risk.",
607
+ "matcher": {
608
+ "type": "regex",
609
+ "fileGlobs": ["**/*.astro"],
610
+ "pattern": "\\bsandbox=\\\"[^\\\"]*allow-forms",
611
+ "message": "iframe sandbox allows forms"
612
+ }
613
+ },
614
+ {
615
+ "id": "astro/iframe-allow-popups-to-escape-sandbox",
616
+ "severity": "medium",
617
+ "title": "iframe sandbox allows popups to escape sandbox",
618
+ "description": "allow-popups-to-escape-sandbox weakens iframe isolation; avoid unless required.",
619
+ "matcher": {
620
+ "type": "regex",
621
+ "fileGlobs": ["**/*.astro"],
622
+ "pattern": "\\bsandbox=\\\"[^\\\"]*allow-popups-to-escape-sandbox",
623
+ "message": "iframe sandbox allows popups to escape sandbox"
624
+ }
625
+ },
626
+ {
627
+ "id": "astro/onmouseover-handler",
628
+ "severity": "medium",
629
+ "title": "onmouseover handler present",
630
+ "description": "Inline mouseover handlers can be abused for XSS and weaken CSP.",
631
+ "matcher": {
632
+ "type": "regex",
633
+ "fileGlobs": ["**/*.astro"],
634
+ "pattern": "\\bonmouseover\\s*=",
635
+ "message": "onmouseover handler detected"
636
+ }
637
+ },
638
+ {
639
+ "id": "astro/onfocus-handler",
640
+ "severity": "medium",
641
+ "title": "onfocus handler present",
642
+ "description": "Inline focus handlers can be abused for XSS and weaken CSP.",
643
+ "matcher": {
644
+ "type": "regex",
645
+ "fileGlobs": ["**/*.astro"],
646
+ "pattern": "\\bonfocus\\s*=",
647
+ "message": "onfocus handler detected"
648
+ }
649
+ },
650
+ {
651
+ "id": "astro/onblur-handler",
652
+ "severity": "medium",
653
+ "title": "onblur handler present",
654
+ "description": "Inline blur handlers can be abused for XSS and weaken CSP.",
655
+ "matcher": {
656
+ "type": "regex",
657
+ "fileGlobs": ["**/*.astro"],
658
+ "pattern": "\\bonblur\\s*=",
659
+ "message": "onblur handler detected"
660
+ }
661
+ },
662
+ {
663
+ "id": "astro/onchange-handler",
664
+ "severity": "low",
665
+ "title": "onchange handler present",
666
+ "description": "Inline change handlers can be abused for XSS and weaken CSP.",
667
+ "matcher": {
668
+ "type": "regex",
669
+ "fileGlobs": ["**/*.astro"],
670
+ "pattern": "\\bonchange\\s*=",
671
+ "message": "onchange handler detected"
672
+ }
673
+ },
674
+ {
675
+ "id": "astro/onsubmit-handler",
676
+ "severity": "low",
677
+ "title": "onsubmit handler present",
678
+ "description": "Inline submit handlers can be abused for XSS and weaken CSP.",
679
+ "matcher": {
680
+ "type": "regex",
681
+ "fileGlobs": ["**/*.astro"],
682
+ "pattern": "\\bonsubmit\\s*=",
683
+ "message": "onsubmit handler detected"
684
+ }
685
+ },
686
+ {
687
+ "id": "astro/onkeyup-handler",
688
+ "severity": "low",
689
+ "title": "onkeyup handler present",
690
+ "description": "Inline key handlers can be abused for XSS and weaken CSP.",
691
+ "matcher": {
692
+ "type": "regex",
693
+ "fileGlobs": ["**/*.astro"],
694
+ "pattern": "\\bonkeyup\\s*=",
695
+ "message": "onkeyup handler detected"
696
+ }
697
+ },
698
+ {
699
+ "id": "astro/onkeydown-handler",
700
+ "severity": "low",
701
+ "title": "onkeydown handler present",
702
+ "description": "Inline key handlers can be abused for XSS and weaken CSP.",
703
+ "matcher": {
704
+ "type": "regex",
705
+ "fileGlobs": ["**/*.astro"],
706
+ "pattern": "\\bonkeydown\\s*=",
707
+ "message": "onkeydown handler detected"
708
+ }
709
+ },
710
+ {
711
+ "id": "astro/onkeypress-handler",
712
+ "severity": "low",
713
+ "title": "onkeypress handler present",
714
+ "description": "Inline key handlers can be abused for XSS and weaken CSP.",
715
+ "matcher": {
716
+ "type": "regex",
717
+ "fileGlobs": ["**/*.astro"],
718
+ "pattern": "\\bonkeypress\\s*=",
719
+ "message": "onkeypress handler detected"
720
+ }
721
+ },
722
+ {
723
+ "id": "astro/onmouseenter-handler",
724
+ "severity": "low",
725
+ "title": "onmouseenter handler present",
726
+ "description": "Inline mouse handlers can be abused for XSS and weaken CSP.",
727
+ "matcher": {
728
+ "type": "regex",
729
+ "fileGlobs": ["**/*.astro"],
730
+ "pattern": "\\bonmouseenter\\s*=",
731
+ "message": "onmouseenter handler detected"
732
+ }
733
+ },
734
+ {
735
+ "id": "astro/onmouseleave-handler",
736
+ "severity": "low",
737
+ "title": "onmouseleave handler present",
738
+ "description": "Inline mouse handlers can be abused for XSS and weaken CSP.",
739
+ "matcher": {
740
+ "type": "regex",
741
+ "fileGlobs": ["**/*.astro"],
742
+ "pattern": "\\bonmouseleave\\s*=",
743
+ "message": "onmouseleave handler detected"
744
+ }
745
+ },
746
+ {
747
+ "id": "astro/astro-url-searchparams",
748
+ "severity": "medium",
749
+ "title": "Astro.url.searchParams usage",
750
+ "description": "Query parameter usage should be validated and sanitized before use to avoid injection and open redirects.",
751
+ "matcher": {
752
+ "type": "regex",
753
+ "fileGlobs": ["**/*.astro"],
754
+ "pattern": "Astro\\.url\\.searchParams\\.get",
755
+ "message": "Astro.url.searchParams.get referenced"
756
+ }
757
+ },
758
+ {
759
+ "id": "astro/astro-cookies-get",
760
+ "severity": "low",
761
+ "title": "Astro.cookies.get usage",
762
+ "description": "Reading cookies is normal, but ensure cookies are httpOnly/secure and values are validated.",
763
+ "matcher": {
764
+ "type": "regex",
765
+ "fileGlobs": ["**/*.astro"],
766
+ "pattern": "Astro\\.cookies\\.get",
767
+ "message": "Astro.cookies.get referenced"
768
+ }
769
+ },
770
+ {
771
+ "id": "astro/astro-cookies-set",
772
+ "severity": "medium",
773
+ "title": "Astro.cookies.set usage",
774
+ "description": "When setting cookies, ensure httpOnly, secure, and SameSite attributes are set appropriately.",
775
+ "matcher": {
776
+ "type": "regex",
777
+ "fileGlobs": ["**/*.astro"],
778
+ "pattern": "Astro\\.cookies\\.set",
779
+ "message": "Astro.cookies.set referenced"
780
+ }
781
+ },
782
+ {
783
+ "id": "astro/astro-redirect",
784
+ "severity": "medium",
785
+ "title": "Astro.redirect usage",
786
+ "description": "Redirects should not be built from untrusted input to avoid open redirect attacks.",
787
+ "matcher": {
788
+ "type": "regex",
789
+ "fileGlobs": ["**/*.astro"],
790
+ "pattern": "Astro\\.redirect",
791
+ "message": "Astro.redirect referenced"
792
+ }
793
+ },
794
+ {
795
+ "id": "astro/basic-auth-header",
796
+ "severity": "medium",
797
+ "title": "Basic Authorization header referenced",
798
+ "description": "Basic auth should only be used over HTTPS and with strong credential handling.",
799
+ "matcher": {
800
+ "type": "regex",
801
+ "fileGlobs": ["**/*.astro"],
802
+ "pattern": "Authorization:\\s*Basic",
803
+ "message": "Basic Authorization header reference"
804
+ }
805
+ },
806
+ {
807
+ "id": "astro/bearer-auth-header",
808
+ "severity": "low",
809
+ "title": "Bearer Authorization header referenced",
810
+ "description": "Treat bearer tokens as secrets; avoid logging and ensure HTTPS.",
811
+ "matcher": {
812
+ "type": "regex",
813
+ "fileGlobs": ["**/*.astro"],
814
+ "pattern": "Authorization:\\s*Bearer",
815
+ "message": "Bearer Authorization header reference"
816
+ }
25
817
  }
26
818
  ]