@sun-asterisk/sunlint 1.0.5

package/config/typescript/security-rules/s043-terminate-sessions-on-password-change.js

@@ -0,0 +1,254 @@
+/**
+ * Custom ESLint rule: S043 – Terminate all sessions on password change
+ * Rule ID: custom/s043 
+ * Purpose: Ensure password change methods terminate all other active sessions
+ * OWASP 3.3.3: Verify that the application gives the option to terminate all other active sessions 
+ * after a successful password change (including change via password reset/recovery)
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Ensure password change methods terminate all other active sessions and require re-authentication",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      missingSessionTermination: "Password change method '{{method}}' must terminate all other active sessions. Use sessionManager.terminateAllSessions(), tokenService.revokeAllTokens(), or equivalent session cleanup.",
+      missingReAuthRequirement: "Password change method '{{method}}' should require re-authentication after successful password change.",
+      incompleteImplementation: "Password change method '{{method}}' should both terminate existing sessions and require user re-authentication for security compliance.",
+    },
+  },
+
+  create(context) {
+    // Keywords that indicate password change functionality
+    const passwordChangeKeywords = [
+      "password", "passwd", "pwd", "changepassword", "change-password",
+      "updatepassword", "update-password", "resetpassword", "reset-password",
+      "newpassword", "new-password", "setpassword", "set-password"
+    ];
+
+    // Session termination methods
+    const sessionTerminationMethods = [
+      "terminateAllSessions", "revokeAllTokens", "invalidateAllSessions",
+      "destroyAllSessions", "clearAllSessions", "terminateOtherSessions",
+      "revokeOtherTokens", "logoutAllDevices", "signOutAllDevices",
+      "terminateAll", "revokeAll", "invalidateAll", "destroyAll"
+    ];
+
+    // Re-authentication requirement methods
+    const reAuthMethods = [
+      "requireReAuth", "forceReAuth", "requireLogin", "forceLogin",
+      "redirectToLogin", "requireAuthentication", "invalidateCurrentSession",
+      "logout", "signOut", "clearCurrentSession"
+    ];
+
+    function isPasswordChangeMethod(name) {
+      if (!name) return false;
+      const lowerName = name.toLowerCase();
+      return passwordChangeKeywords.some(keyword => lowerName.includes(keyword));
+    }
+
+    function checkPasswordChangeMethodBody(node, methodName) {
+      let hasSessionTermination = false;
+      let hasReAuthRequirement = false;
+
+      function checkNode(n, visited = new Set()) {
+        if (!n || visited.has(n)) return;
+        visited.add(n);
+
+        // Check for session termination calls
+        if (n.type === "CallExpression") {
+          const callee = n.callee;
+          
+          // Direct method calls: terminateAllSessions(), revokeAllTokens()
+          if (callee.type === "Identifier") {
+            if (sessionTerminationMethods.includes(callee.name)) {
+              hasSessionTermination = true;
+            }
+            if (reAuthMethods.includes(callee.name)) {
+              hasReAuthRequirement = true;
+            }
+          }
+          
+          // Member expressions: sessionManager.terminateAllSessions(), tokenService.revokeAllTokens()
+          else if (callee.type === "MemberExpression") {
+            const property = callee.property.name;
+            
+            if (sessionTerminationMethods.includes(property)) {
+              hasSessionTermination = true;
+            }
+            if (reAuthMethods.includes(property)) {
+              hasReAuthRequirement = true;
+            }
+
+            // Check for patterns like: sessionManager.terminateAll(), authService.revokeAll()
+            if (property && (
+              property.includes("terminate") || property.includes("revoke") ||
+              property.includes("invalidate") || property.includes("destroy") ||
+              property.includes("clear")
+            )) {
+              const methodCall = property.toLowerCase();
+              if (methodCall.includes("all") || methodCall.includes("other")) {
+                hasSessionTermination = true;
+              }
+            }
+          }
+
+          // Check function arguments and nested calls
+          if (n.arguments) {
+            n.arguments.forEach(arg => checkNode(arg, visited));
+          }
+        }
+
+        // Check await expressions
+        if (n.type === "AwaitExpression") {
+          checkNode(n.argument, visited);
+        }
+
+        // Recursively check nested structures
+        for (const key in n) {
+          if (n[key] && typeof n[key] === "object") {
+            if (Array.isArray(n[key])) {
+              n[key].forEach(child => checkNode(child, visited));
+            } else if (n[key].type) {
+              checkNode(n[key], visited);
+            }
+          }
+        }
+      }
+
+      // Analyze method body
+      if (node.body) {
+        if (node.body.type === "BlockStatement") {
+          node.body.body.forEach(stmt => checkNode(stmt));
+        } else {
+          checkNode(node.body);
+        }
+      }
+
+      return { hasSessionTermination, hasReAuthRequirement };
+    }
+
+    return {
+      // Check method definitions
+      MethodDefinition(node) {
+        const methodName = node.key.name;
+        if (isPasswordChangeMethod(methodName)) {
+          const analysis = checkPasswordChangeMethodBody(node.value, methodName);
+          
+          if (!analysis.hasSessionTermination && !analysis.hasReAuthRequirement) {
+            context.report({
+              node: node.key,
+              messageId: "incompleteImplementation",
+              data: { method: methodName }
+            });
+          } else if (!analysis.hasSessionTermination) {
+            context.report({
+              node: node.key,
+              messageId: "missingSessionTermination", 
+              data: { method: methodName }
+            });
+          } else if (!analysis.hasReAuthRequirement) {
+            context.report({
+              node: node.key,
+              messageId: "missingReAuthRequirement",
+              data: { method: methodName }
+            });
+          }
+        }
+      },
+
+      // Check function declarations
+      FunctionDeclaration(node) {
+        const functionName = node.id ? node.id.name : null;
+        if (isPasswordChangeMethod(functionName)) {
+          const analysis = checkPasswordChangeMethodBody(node, functionName);
+          
+          if (!analysis.hasSessionTermination && !analysis.hasReAuthRequirement) {
+            context.report({
+              node: node.id,
+              messageId: "incompleteImplementation",
+              data: { method: functionName }
+            });
+          } else if (!analysis.hasSessionTermination) {
+            context.report({
+              node: node.id,
+              messageId: "missingSessionTermination",
+              data: { method: functionName }
+            });
+          } else if (!analysis.hasReAuthRequirement) {
+            context.report({
+              node: node.id,
+              messageId: "missingReAuthRequirement", 
+              data: { method: functionName }
+            });
+          }
+        }
+      },
+
+      // Check function expressions and arrow functions assigned to variables
+      VariableDeclarator(node) {
+        if (node.init && (node.init.type === "FunctionExpression" || node.init.type === "ArrowFunctionExpression")) {
+          const varName = node.id.name;
+          if (isPasswordChangeMethod(varName)) {
+            const analysis = checkPasswordChangeMethodBody(node.init, varName);
+            
+            if (!analysis.hasSessionTermination && !analysis.hasReAuthRequirement) {
+              context.report({
+                node: node.id,
+                messageId: "incompleteImplementation",
+                data: { method: varName }
+              });
+            } else if (!analysis.hasSessionTermination) {
+              context.report({
+                node: node.id,
+                messageId: "missingSessionTermination",
+                data: { method: varName }
+              });
+            } else if (!analysis.hasReAuthRequirement) {
+              context.report({
+                node: node.id,
+                messageId: "missingReAuthRequirement",
+                data: { method: varName }
+              });
+            }
+          }
+        }
+      },
+
+      // Check property assignments (for object methods)
+      Property(node) {
+        if (node.value && (node.value.type === "FunctionExpression" || node.value.type === "ArrowFunctionExpression")) {
+          const propName = node.key.name;
+          if (isPasswordChangeMethod(propName)) {
+            const analysis = checkPasswordChangeMethodBody(node.value, propName);
+            
+            if (!analysis.hasSessionTermination && !analysis.hasReAuthRequirement) {
+              context.report({
+                node: node.key,
+                messageId: "incompleteImplementation",
+                data: { method: propName }
+              });
+            } else if (!analysis.hasSessionTermination) {
+              context.report({
+                node: node.key,
+                messageId: "missingSessionTermination",
+                data: { method: propName }
+              });
+            } else if (!analysis.hasReAuthRequirement) {
+              context.report({
+                node: node.key,
+                messageId: "missingReAuthRequirement",
+                data: { method: propName }
+              });
+            }
+          }
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s044-require-full-session-for-sensitive-operations.js

@@ -0,0 +1,292 @@
+/**
+ * Custom ESLint rule: S044 – Require full session for sensitive operations
+ * Rule ID: custom/s044 
+ * Purpose: Verify the application ensures a full, valid login session or requires re-authentication 
+ * or secondary verification before allowing any sensitive transactions or account modifications
+ * OWASP 3.7.1: Verify the application ensures a full, valid login session or requires re-authentication 
+ * or secondary verification before allowing any sensitive transactions or account modifications
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Require full session validation or re-authentication before sensitive operations",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      missingSensitiveOperationProtection: "Sensitive operation '{{method}}' requires full session validation or re-authentication. Use sessionManager.validateFullSession(), requireReAuth(), or 2FA verification.",
+      incompleteSessionValidation: "Method '{{method}}' should validate complete session state before allowing sensitive operations.",
+      missingSecondaryVerification: "Sensitive operation '{{method}}' should require secondary verification (2FA, password confirmation) for enhanced security.",
+      halfOpenSessionAccess: "Method '{{method}}' may allow access with incomplete session. Ensure full session validation before sensitive operations.",
+    },
+  },
+
+  create(context) {
+    // Keywords that indicate sensitive operations
+    const sensitiveOperationKeywords = [
+      // Account modifications
+      "password", "passwd", "pwd", "changepassword", "updatepassword", "resetpassword",
+      "email", "changeemail", "updateemail", "setemail",
+      "profile", "updateprofile", "changeprofile", "editprofile",
+      "account", "updateaccount", "changeaccount", "deleteaccount",
+      "user", "updateuser", "changeuser", "deleteuser",
+      
+      // Financial/Transaction operations
+      "payment", "pay", "transfer", "transaction", "withdraw", "deposit",
+      "purchase", "buy", "order", "checkout", "billing",
+      "balance", "fund", "money", "amount", "financial",
+      
+      // Security operations
+      "permission", "role", "access", "privilege", "authorization",
+      "security", "admin", "superuser", "root",
+      "settings", "config", "configuration", "sensitive",
+      
+      // Data operations
+      "delete", "remove", "destroy", "drop", "truncate",
+      "export", "import", "backup", "restore", "migration"
+    ];
+
+    // Session validation methods
+    const sessionValidationMethods = [
+      "validateFullSession", "checkFullSession", "ensureFullSession",
+      "validateSession", "checkSession", "ensureSession",
+      "isFullyAuthenticated", "hasFullSession", "isSessionValid",
+      "validateAuthState", "checkAuthState", "ensureAuthState",
+      "verifySession", "confirmSession", "validateUser"
+    ];
+
+    // Re-authentication methods
+    const reAuthMethods = [
+      "requireReAuth", "forceReAuth", "requireAuthentication",
+      "requestReAuth", "validateReAuth", "checkReAuth",
+      "confirmPassword", "verifyPassword", "validatePassword",
+      "requireLogin", "forceLogin", "redirectToLogin"
+    ];
+
+    // Secondary verification methods (2FA, etc.)
+    const secondaryVerificationMethods = [
+      "require2FA", "requireTwoFactor", "verifyTwoFactor",
+      "requireOTP", "verifyOTP", "validateOTP",
+      "requireMFA", "verifyMFA", "validateMFA",
+      "requireSMS", "verifySMS", "validateSMS",
+      "requireEmail", "verifyEmail", "validateEmail",
+      "requireSecondaryAuth", "verifySecondaryAuth"
+    ];
+
+    // Patterns indicating half-open or incomplete sessions
+    const halfOpenSessionPatterns = [
+      "partial", "incomplete", "temp", "temporary", "pending",
+      "halfopen", "half-open", "inprogress", "in-progress"
+    ];
+
+    function isSensitiveOperation(name) {
+      if (!name) return false;
+      const lowerName = name.toLowerCase();
+      return sensitiveOperationKeywords.some(keyword => 
+        lowerName.includes(keyword) || 
+        name.toLowerCase().includes(keyword)
+      );
+    }
+
+    function checkSensitiveOperationMethodBody(node, methodName) {
+      let hasSessionValidation = false;
+      let hasReAuthentication = false;
+      let hasSecondaryVerification = false;
+      let hasHalfOpenSessionCheck = false;
+
+      function analyzeNode(n, visited = new Set()) {
+        if (!n || visited.has(n)) return;
+        visited.add(n);
+
+        // Check for method calls
+        if (n.type === "CallExpression") {
+          const callee = n.callee;
+          
+          // Direct method calls
+          if (callee.type === "Identifier") {
+            const methodName = callee.name;
+            
+            if (sessionValidationMethods.includes(methodName)) {
+              hasSessionValidation = true;
+            }
+            if (reAuthMethods.includes(methodName)) {
+              hasReAuthentication = true;
+            }
+            if (secondaryVerificationMethods.includes(methodName)) {
+              hasSecondaryVerification = true;
+            }
+          }
+          
+          // Member expressions: sessionManager.validateFullSession()
+          else if (callee.type === "MemberExpression") {
+            const property = callee.property.name;
+            
+            if (sessionValidationMethods.includes(property)) {
+              hasSessionValidation = true;
+            }
+            if (reAuthMethods.includes(property)) {
+              hasReAuthentication = true;
+            }
+            if (secondaryVerificationMethods.includes(property)) {
+              hasSecondaryVerification = true;
+            }
+
+            // Check for session validation patterns
+            if (property && (
+              property.includes("validate") || property.includes("check") ||
+              property.includes("verify") || property.includes("ensure")
+            )) {
+              const methodCall = property.toLowerCase();
+              if (methodCall.includes("session") || methodCall.includes("auth")) {
+                hasSessionValidation = true;
+              }
+            }
+          }
+        }
+
+        // Check for conditional statements that might validate session
+        if (n.type === "IfStatement") {
+          const test = n.test;
+          if (test && test.type === "CallExpression") {
+            const callee = test.callee;
+            
+            // Check for session validation in if conditions
+            if (callee.type === "MemberExpression") {
+              const property = callee.property.name;
+              if (property && (
+                property.includes("isAuthenticated") ||
+                property.includes("hasSession") ||
+                property.includes("isValid")
+              )) {
+                hasSessionValidation = true;
+              }
+            }
+          }
+        }
+
+        // Check for guard clauses
+        if (n.type === "ThrowStatement" || n.type === "ReturnStatement") {
+          // Look for early returns/throws that might be session guards
+          if (n.argument && n.argument.type === "CallExpression") {
+            const callee = n.argument.callee;
+            if (callee.type === "Identifier" && callee.name === "Error") {
+              hasSessionValidation = true; // Assume error throwing is session validation
+            }
+          }
+        }
+
+        // Recursively check child nodes
+        for (const key in n) {
+          if (key === "parent" || key === "range" || key === "loc") continue;
+          const child = n[key];
+          
+          if (Array.isArray(child)) {
+            child.forEach(item => {
+              if (item && typeof item === "object") {
+                analyzeNode(item, visited);
+              }
+            });
+          } else if (child && typeof child === "object") {
+            analyzeNode(child, visited);
+          }
+        }
+      }
+
+      // Analyze the method body
+      if (node.body) {
+        analyzeNode(node.body);
+      }
+
+      return {
+        hasSessionValidation,
+        hasReAuthentication,
+        hasSecondaryVerification,
+        hasHalfOpenSessionCheck
+      };
+    }
+
+    function checkMethodDeclaration(node) {
+      if (!node.key || !node.key.name) return;
+      
+      const methodName = node.key.name;
+      
+      if (isSensitiveOperation(methodName)) {
+        const analysis = checkSensitiveOperationMethodBody(node, methodName);
+        
+        // Report if no session validation found
+        if (!analysis.hasSessionValidation && !analysis.hasReAuthentication) {
+          context.report({
+            node: node.key,
+            messageId: "missingSensitiveOperationProtection",
+            data: { method: methodName }
+          });
+        }
+        // Report if only partial validation found
+        else if (analysis.hasSessionValidation && !analysis.hasReAuthentication && !analysis.hasSecondaryVerification) {
+          context.report({
+            node: node.key,
+            messageId: "incompleteSessionValidation",
+            data: { method: methodName }
+          });
+        }
+      }
+    }
+
+    function checkFunctionDeclaration(node) {
+      if (!node.id || !node.id.name) return;
+      
+      const functionName = node.id.name;
+      
+      if (isSensitiveOperation(functionName)) {
+        const analysis = checkSensitiveOperationMethodBody(node, functionName);
+        
+        if (!analysis.hasSessionValidation && !analysis.hasReAuthentication) {
+          context.report({
+            node: node.id,
+            messageId: "missingSensitiveOperationProtection",
+            data: { method: functionName }
+          });
+        }
+        else if (analysis.hasSessionValidation && !analysis.hasReAuthentication && !analysis.hasSecondaryVerification) {
+          context.report({
+            node: node.id,
+            messageId: "incompleteSessionValidation",
+            data: { method: functionName }
+          });
+        }
+      }
+    }
+
+    function checkArrowFunction(node) {
+      // Check if arrow function is assigned to a variable with sensitive name
+      const parent = node.parent;
+      if (parent && parent.type === "VariableDeclarator" && parent.id && parent.id.name) {
+        const functionName = parent.id.name;
+        
+        if (isSensitiveOperation(functionName)) {
+          const analysis = checkSensitiveOperationMethodBody(node, functionName);
+          
+          if (!analysis.hasSessionValidation && !analysis.hasReAuthentication) {
+            context.report({
+              node: parent.id,
+              messageId: "missingSensitiveOperationProtection",
+              data: { method: functionName }
+            });
+          }
+        }
+      }
+    }
+
+    return {
+      MethodDefinition: checkMethodDeclaration,
+      Property: checkMethodDeclaration, // For object method properties
+      FunctionDeclaration: checkFunctionDeclaration,
+      ArrowFunctionExpression: checkArrowFunction,
+      FunctionExpression: checkArrowFunction
+    };
+  }
+};

package/config/typescript/security-rules/s045-anti-automation-controls.js

@@ -0,0 +1,46 @@
+"use strict";
+
+/**
+ * S045 – Anti Automation Controls
+ * OWASP ASVS 2.2.1
+ * Ensure that anti-automation controls are in place to mitigate brute force and automated attacks.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure anti-automation controls are in place (rate limiting, CAPTCHA, account lockout, etc.).",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      noAntiAutomation:
+        "Missing or ineffective anti-automation controls. Consider rate limiting, CAPTCHA, or account lockout.",
+    },
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        // Check for missing rate limiter middleware in Express apps (demo only)
+        if (
+          node.callee.type === "Identifier" &&
+          node.callee.name === "app" &&
+          node.parent &&
+          node.parent.type === "ExpressionStatement" &&
+          node.arguments.length &&
+          node.arguments[0].type === "Literal" &&
+          node.arguments[0].value === "/login"
+        ) {
+          // This is a simplified check; real implementation should be more robust
+          context.report({
+            node,
+            messageId: "noAntiAutomation",
+          });
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s046-secure-notification-on-auth-change.js

@@ -0,0 +1,44 @@
+"use strict";
+
+/**
+ * S046 – Secure Notification On Auth Change
+ * OWASP ASVS 2.2.3
+ * Ensure that users are securely notified after authentication changes.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure secure notification is sent on authentication changes (password reset, email/phone change, new device login, etc.).",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      missingNotification:
+        "Missing secure notification after authentication change. Notify users via secure channel when credentials or auth details change.",
+    },
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        // Example: after password change, should call sendNotification/sendMail/sendPushNotification
+        if (
+          node.callee.type === "Identifier" &&
+          (node.callee.name === "resetPassword" ||
+            node.callee.name === "changeEmail") &&
+          node.parent &&
+          node.parent.type === "ExpressionStatement"
+        ) {
+          // This is a simplified check; real implementation should be more robust
+          context.report({
+            node,
+            messageId: "missingNotification",
+          });
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s048-password-credential-recovery.js

@@ -0,0 +1,54 @@
+"use strict";
+
+/**
+ * S048 – Password Credential Recovery
+ * OWASP ASVS 2.4.3
+ * Ensure password credential recovery does not reveal the current password in any way.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure password recovery does not reveal the current password. Users must set a new password via a secure, one-time token.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      revealPassword:
+        "Never reveal or send the current password during recovery. Always require user to set a new password.",
+    },
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        // Example: sending current password in email (should not happen)
+        if (
+          node.callee.type === "Identifier" &&
+          node.callee.name === "sendMail" &&
+          node.arguments.length &&
+          node.arguments[0].type === "ObjectExpression"
+        ) {
+          const bodyProp = node.arguments[0].properties.find(
+            (prop) =>
+              prop.key &&
+              (prop.key.name === "text" || prop.key.name === "html") &&
+              prop.value.type === "Literal" &&
+              (prop.value.value
+                .toLowerCase()
+                .includes("your current password") ||
+                prop.value.value.toLowerCase().includes("mật khẩu hiện tại"))
+          );
+          if (bodyProp) {
+            context.report({
+              node: bodyProp.value,
+              messageId: "revealPassword",
+            });
+          }
+        }
+      },
+    };
+  },
+};