npm - @sun-asterisk/sunlint - Versions diffs - 1.0.5 - Mend

@sun-asterisk/sunlint 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

package/config/typescript/security-rules/s041-require-session-invalidate-on-logout.js ADDED Viewed

@@ -0,0 +1,211 @@
+/**
+ * Custom ESLint rule: S041 – Require session invalidation on logout
+ * Rule ID: custom/s041
+ * Purpose: Ensure logout handlers properly invalidate session tokens and clear cookies
+ * OWASP 3.3.1: Verify that logout and expiration invalidate the session token
+ */
+"use strict";
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Ensure logout handlers properly invalidate session tokens and prevent session reuse",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      missingSessionInvalidation: "Logout method '{{method}}' must invalidate session token. Use session.invalidate(), req.session.destroy(), or equivalent session cleanup.",
+      missingCookieClear: "Logout method '{{method}}' should clear authentication cookies to prevent session reuse.",
+      missingCacheControl: "Logout method '{{method}}' should set cache-control headers to prevent back button authentication.",
+    },
+  },
+  create(context) {
+    // Keywords that indicate logout functionality
+    const logoutKeywords = [
+      "logout", "signout", "sign-out", "logoff", "signoff",
+      "disconnect", "terminate", "exit", "end-session"
+    ];
+    // Session invalidation methods
+    const sessionInvalidationMethods = [
+      "invalidate", "destroy", "remove", "clear", "delete",
+      "expire", "revoke", "blacklist"
+    ];
+    // Cookie clearing methods
+    const cookieClearMethods = [
+      "clearCookie", "removeCookie", "deleteCookie", "expireCookie"
+    ];
+    // Cache control methods
+    const cacheControlMethods = [
+      "setHeader", "header", "set", "no-cache", "no-store"
+    ];
+    function isLogoutMethod(name) {
+      if (!name) return false;
+      const lowerName = name.toLowerCase();
+      return logoutKeywords.some(keyword => lowerName.includes(keyword));
+    }
+    function checkLogoutMethodBody(node, methodName) {
+      let hasSessionInvalidation = false;
+      let hasCookieClearing = false;
+      let hasCacheControl = false;
+      function checkNode(n, visited = new Set()) {
+        if (!n || visited.has(n)) return;
+        visited.add(n);
+        // Check for session invalidation
+        if (n.type === "CallExpression") {
+          const callee = n.callee;
+          // session.invalidate(), req.session.destroy(), etc.
+          if (callee.type === "MemberExpression") {
+            const property = callee.property.name;
+            const object = callee.object;
+            if (sessionInvalidationMethods.includes(property)) {
+              // Check if it's session-related: session.invalidate(), req.session.destroy()
+              if (object.type === "Identifier" && object.name === "session") {
+                hasSessionInvalidation = true;
+              } else if (object.type === "MemberExpression" &&
+                        object.property && object.property.name === "session") {
+                hasSessionInvalidation = true;
+              }
+            }
+            // Check for cookie clearing: res.clearCookie()
+            if (cookieClearMethods.includes(property)) {
+              hasCookieClearing = true;
+            }
+            // Check for cache control headers
+            if (cacheControlMethods.includes(property)) {
+              const args = n.arguments;
+              if (args.length > 0) {
+                const firstArg = args[0];
+                if (firstArg.type === "Literal") {
+                  const header = firstArg.value;
+                  if (typeof header === "string" &&
+                      (header.toLowerCase().includes("cache-control") ||
+                       header.toLowerCase().includes("pragma"))) {
+                    hasCacheControl = true;
+                  }
+                }
+              }
+            }
+          }
+        }
+        // Recursively check specific node types to avoid infinite loops
+        const nodeTypesToCheck = [
+          'BlockStatement', 'ExpressionStatement', 'CallExpression',
+          'MemberExpression', 'ArrowFunctionExpression', 'FunctionExpression'
+        ];
+        for (const key in n) {
+          if (n[key] && typeof n[key] === "object" && key !== 'parent') {
+            if (Array.isArray(n[key])) {
+              n[key].forEach(child => {
+                if (child && child.type && nodeTypesToCheck.includes(child.type)) {
+                  checkNode(child, visited);
+                }
+              });
+            } else if (n[key].type && nodeTypesToCheck.includes(n[key].type)) {
+              checkNode(n[key], visited);
+            }
+          }
+        }
+      }
+      // Check method body
+      if (node.body) {
+        checkNode(node.body);
+      }
+      // Report missing requirements
+      if (!hasSessionInvalidation) {
+        context.report({
+          node,
+          messageId: "missingSessionInvalidation",
+          data: { method: methodName }
+        });
+      }
+      if (!hasCookieClearing) {
+        context.report({
+          node,
+          messageId: "missingCookieClear",
+          data: { method: methodName }
+        });
+      }
+      if (!hasCacheControl) {
+        context.report({
+          node,
+          messageId: "missingCacheControl",
+          data: { method: methodName }
+        });
+      }
+    }
+    return {
+      // Check class methods (NestJS controllers)
+      MethodDefinition(node) {
+        const methodName = node.key.name;
+        if (isLogoutMethod(methodName)) {
+          checkLogoutMethodBody(node.value, methodName);
+        }
+      },
+      // Check function declarations
+      FunctionDeclaration(node) {
+        const functionName = node.id?.name;
+        if (isLogoutMethod(functionName)) {
+          checkLogoutMethodBody(node, functionName);
+        }
+      },
+      // Check arrow functions and function expressions assigned to variables
+      VariableDeclarator(node) {
+        if (node.id.type === "Identifier" && node.init) {
+          const varName = node.id.name;
+          if (isLogoutMethod(varName)) {
+            if (node.init.type === "ArrowFunctionExpression" ||
+                node.init.type === "FunctionExpression") {
+              checkLogoutMethodBody(node.init, varName);
+            }
+          }
+        }
+      },
+      // Check route handlers with logout paths
+      CallExpression(node) {
+        const callee = node.callee;
+        // Express/NestJS route: app.post('/logout', handler)
+        if (callee.type === "MemberExpression" &&
+            ["post", "get", "put", "delete"].includes(callee.property.name) &&
+            node.arguments.length >= 2) {
+          const pathArg = node.arguments[0];
+          if (pathArg.type === "Literal" && typeof pathArg.value === "string") {
+            const path = pathArg.value.toLowerCase();
+            if (logoutKeywords.some(keyword => path.includes(keyword))) {
+              const handler = node.arguments[node.arguments.length - 1];
+              if (handler.type === "ArrowFunctionExpression" ||
+                  handler.type === "FunctionExpression") {
+                checkLogoutMethodBody(handler, `route handler for ${pathArg.value}`);
+              }
+            }
+          }
+        }
+      }
+    };
+  },
+};

package/config/typescript/security-rules/s042-require-periodic-reauthentication.js ADDED Viewed

@@ -0,0 +1,294 @@
+/**
+ * Custom ESLint rule: S042 – Require periodic re-authentication
+ * Rule ID: custom/s042
+ * Purpose: Verify that if authenticators permit users to remain logged in,
+ *          re-authentication occurs periodically both when actively used or after an idle period
+ * OWASP 3.3.2: If authenticators permit users to remain logged in, verify that
+ *              re-authentication occurs periodically both when actively used or after an idle period
+ */
+"use strict";
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Ensure periodic re-authentication is implemented for long-lived sessions",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      missingReauthentication: "Authentication method '{{method}}' should implement periodic re-authentication for long-lived sessions.",
+      missingIdleTimeout: "Session configuration should include idle timeout mechanism for automatic logout.",
+      missingActiveTimeout: "Session configuration should include maximum active session duration (e.g., 12 hours).",
+      missing2FAForSensitive: "Sensitive operations should require two-factor authentication (2FA) regardless of session state.",
+      missingReauthForSensitive: "Sensitive operations should require re-authentication even for active sessions.",
+    },
+  },
+  create(context) {
+    // Keywords that indicate authentication/session functionality
+    const authKeywords = [
+      "auth", "login", "signin", "sign-in", "authenticate", "session",
+      "passport", "jwt", "token", "guard", "middleware"
+    ];
+    // Session configuration keywords
+    const sessionConfigKeywords = [
+      "session", "maxage", "expires", "timeout", "idle", "duration",
+      "lifetime", "ttl", "expiry"
+    ];
+    // Sensitive operation keywords
+    const sensitiveOperationKeywords = [
+      "payment", "transfer", "withdraw", "deposit", "transaction",
+      "delete", "remove", "destroy", "admin", "privilege", "role",
+      "password", "email", "profile", "settings", "config"
+    ];
+    // Two-factor authentication keywords
+    const tfaKeywords = ["2fa", "mfa", "totp", "otp", "authenticator"];
+    // Re-authentication keywords
+    const reauthKeywords = ["reauth", "re-auth", "verify", "confirm"];
+    function isAuthenticationRelated(name) {
+      if (!name) return false;
+      const lowerName = name.toLowerCase();
+      return authKeywords.some(keyword => lowerName.includes(keyword));
+    }
+    function isSensitiveOperation(name) {
+      if (!name) return false;
+      const lowerName = name.toLowerCase();
+      return sensitiveOperationKeywords.some(keyword => lowerName.includes(keyword));
+    }
+    function hasSessionConfiguration(node) {
+      let hasIdleTimeout = false;
+      let hasMaxAge = false;
+      function checkConfigObject(obj) {
+        if (obj.type === "ObjectExpression") {
+          obj.properties.forEach(prop => {
+            if (prop.key && prop.key.name) {
+              const keyName = prop.key.name.toLowerCase();
+              if (keyName.includes("idle") || keyName.includes("timeout")) {
+                hasIdleTimeout = true;
+              }
+              if (keyName.includes("maxage") || keyName.includes("expires") ||
+                  keyName.includes("duration") || keyName.includes("lifetime")) {
+                hasMaxAge = true;
+              }
+            }
+          });
+        }
+      }
+      // Check for session configuration in various patterns
+      if (node.type === "CallExpression") {
+        node.arguments.forEach(arg => {
+          checkConfigObject(arg);
+        });
+      }
+      return { hasIdleTimeout, hasMaxAge };
+    }
+    function hasReauthenticationLogic(node, visited = new Set()) {
+      if (!node || visited.has(node)) return { hasReauth: false, has2FA: false };
+      visited.add(node);
+      let hasReauth = false;
+      let has2FA = false;
+      function checkNode(n) {
+        if (!n || visited.has(n)) return;
+        visited.add(n);
+        // Check for re-authentication calls
+        if (n.type === "CallExpression" && n.callee && n.callee.type === "MemberExpression") {
+          const methodName = n.callee.property && n.callee.property.name;
+          if (methodName && reauthKeywords.some(keyword =>
+              methodName.toLowerCase().includes(keyword))) {
+            hasReauth = true;
+          }
+        }
+        // Check for 2FA implementation
+        if (n.type === "CallExpression") {
+          const callText = context.getSourceCode().getText(n).toLowerCase();
+          if (tfaKeywords.some(keyword => callText.includes(keyword))) {
+            has2FA = true;
+          }
+        }
+        // Check identifier names
+        if (n.type === "Identifier") {
+          const name = n.name.toLowerCase();
+          if (reauthKeywords.some(keyword => name.includes(keyword))) {
+            hasReauth = true;
+          }
+          if (tfaKeywords.some(keyword => name.includes(keyword))) {
+            has2FA = true;
+          }
+        }
+        // Only check direct children to avoid deep recursion
+        if (n.type === "BlockStatement" && n.body) {
+          n.body.forEach(stmt => checkNode(stmt));
+        } else if (n.type === "ExpressionStatement" && n.expression) {
+          checkNode(n.expression);
+        }
+      }
+      checkNode(node);
+      return { hasReauth, has2FA };
+    }
+    return {
+      // Check class methods (NestJS controllers/guards)
+      MethodDefinition(node) {
+        const methodName = node.key.name;
+        if (isAuthenticationRelated(methodName)) {
+          const { hasIdleTimeout, hasMaxAge } = hasSessionConfiguration(node);
+          if (!hasIdleTimeout) {
+            context.report({
+              node,
+              messageId: "missingIdleTimeout",
+            });
+          }
+          if (!hasMaxAge) {
+            context.report({
+              node,
+              messageId: "missingActiveTimeout",
+            });
+          }
+        }
+        if (isSensitiveOperation(methodName)) {
+          const { hasReauth, has2FA } = hasReauthenticationLogic(node.value);
+          if (!hasReauth) {
+            context.report({
+              node,
+              messageId: "missingReauthForSensitive",
+            });
+          }
+          if (!has2FA) {
+            context.report({
+              node,
+              messageId: "missing2FAForSensitive",
+            });
+          }
+        }
+      },
+      // Check function declarations
+      FunctionDeclaration(node) {
+        const functionName = node.id ? node.id.name : null;
+        if (isAuthenticationRelated(functionName)) {
+          const { hasIdleTimeout, hasMaxAge } = hasSessionConfiguration(node);
+          if (!hasIdleTimeout) {
+            context.report({
+              node,
+              messageId: "missingIdleTimeout",
+            });
+          }
+          if (!hasMaxAge) {
+            context.report({
+              node,
+              messageId: "missingActiveTimeout",
+            });
+          }
+        }
+        if (isSensitiveOperation(functionName)) {
+          const { hasReauth, has2FA } = hasReauthenticationLogic(node);
+          if (!hasReauth) {
+            context.report({
+              node,
+              messageId: "missingReauthForSensitive",
+            });
+          }
+        }
+      },
+      // Check arrow functions assigned to variables
+      VariableDeclarator(node) {
+        if (node.id.type === "Identifier" && node.init) {
+          const varName = node.id.name;
+          if (isAuthenticationRelated(varName) &&
+              (node.init.type === "ArrowFunctionExpression" ||
+               node.init.type === "FunctionExpression")) {
+            const { hasIdleTimeout, hasMaxAge } = hasSessionConfiguration(node.init);
+            if (!hasIdleTimeout) {
+              context.report({
+                node,
+                messageId: "missingIdleTimeout",
+              });
+            }
+            if (!hasMaxAge) {
+              context.report({
+                node,
+                messageId: "missingActiveTimeout",
+              });
+            }
+          }
+          if (isSensitiveOperation(varName) &&
+              (node.init.type === "ArrowFunctionExpression" ||
+               node.init.type === "FunctionExpression")) {
+            const { hasReauth, has2FA } = hasReauthenticationLogic(node.init);
+            if (!hasReauth) {
+              context.report({
+                node,
+                messageId: "missingReauthForSensitive",
+              });
+            }
+          }
+        }
+      },
+      // Check session configuration calls
+      CallExpression(node) {
+        const sourceCode = context.getSourceCode().getText(node).toLowerCase();
+        // Check for session middleware configuration
+        if (sourceCode.includes("session") &&
+            (sourceCode.includes("express") || sourceCode.includes("app.use"))) {
+          const { hasIdleTimeout, hasMaxAge } = hasSessionConfiguration(node);
+          if (!hasIdleTimeout) {
+            context.report({
+              node,
+              messageId: "missingIdleTimeout",
+            });
+          }
+          if (!hasMaxAge) {
+            context.report({
+              node,
+              messageId: "missingActiveTimeout",
+            });
+          }
+        }
+      }
+    };
+  },
+};