npm - @sun-asterisk/sunlint - Versions diffs - 1.0.5 - Mend

@sun-asterisk/sunlint 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

package/eslint-integration/eslint-plugin-custom/s003-no-unvalidated-redirect.js ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * Custom ESLint rule: S003 – Prevent unvalidated redirects
+ * Rule ID: custom/s003
+ */
+"use strict";
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Prevent unvalidated redirects to user-controlled URLs",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      unvalidatedRedirect:
+        "Redirect to user-controlled URL '{{target}}' without validation. Use allow list or warning page.",
+    },
+  },
+  create(context) {
+    const userInputSources = [
+      "req.query",
+      "req.body",
+      "input",
+      "form",
+      "params",
+    ];
+    function isUserControlled(nodeText) {
+      return userInputSources.some((source) => nodeText.includes(source));
+    }
+    function reportIfUserControlled(node, nodeText) {
+      if (isUserControlled(nodeText)) {
+        context.report({
+          node,
+          messageId: "unvalidatedRedirect",
+          data: { target: nodeText },
+        });
+      }
+    }
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+        // res.redirect(...)
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "redirect" &&
+          node.arguments.length > 0
+        ) {
+          const argText = context.getSourceCode().getText(node.arguments[0]);
+          reportIfUserControlled(node, argText);
+        }
+      },
+      AssignmentExpression(node) {
+        const left = node.left;
+        const right = node.right;
+        if (
+          left.type === "MemberExpression" &&
+          left.object.name === "window" &&
+          ["location", "location.href"].includes(left.property.name || "") &&
+          right
+        ) {
+          const text = context.getSourceCode().getText(right);
+          reportIfUserControlled(node, text);
+        }
+        if (
+          left.type === "MemberExpression" &&
+          left.object.name === "location" &&
+          ["href", "replace"].includes(left.property.name || "") &&
+          right
+        ) {
+          const text = context.getSourceCode().getText(right);
+          reportIfUserControlled(node, text);
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s005-no-origin-auth.js ADDED Viewed

@@ -0,0 +1,95 @@
+/**
+ * ESLint rule: S005 – Do not use Origin header for authentication/access control
+ * Rule ID: custom/s005
+ * Description: Prevent usage of request.getHeader("Origin") for security decisions.
+ */
+"use strict";
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Do not use the Origin header to make authentication or access control decisions.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      noOriginCheck:
+        "Do not use the Origin header for authentication or access control decisions. It can be easily spoofed.",
+    },
+  },
+  create(context) {
+    const trackedVariables = new Set();
+    function isOriginHeaderCall(node) {
+      // Match: request.getHeader("Origin")
+      return (
+        node.type === "CallExpression" &&
+        node.callee.type === "MemberExpression" &&
+        node.callee.property.name === "getHeader" &&
+        node.arguments.length &&
+        node.arguments[0].type === "Literal" &&
+        node.arguments[0].value === "Origin"
+      );
+    }
+    return {
+      VariableDeclarator(node) {
+        // Track: const origin = request.getHeader("Origin");
+        if (node.init && isOriginHeaderCall(node.init)) {
+          trackedVariables.add(node.id.name);
+        }
+      },
+      AssignmentExpression(node) {
+        // Track: origin = request.getHeader("Origin");
+        if (
+          node.left.type === "Identifier" &&
+          isOriginHeaderCall(node.right)
+        ) {
+          trackedVariables.add(node.left.name);
+        }
+      },
+      CallExpression(node) {
+        // Detect: origin.equals(...) or origin.includes(...) or "xyz" === origin
+        if (
+          node.callee.type === "MemberExpression" &&
+          ["includes", "startsWith", "endsWith", "indexOf", "equals"].includes(
+            node.callee.property.name
+          )
+        ) {
+          const arg = node.callee.object;
+          if (arg.type === "Identifier" && trackedVariables.has(arg.name)) {
+            context.report({ node, messageId: "noOriginCheck" });
+          }
+        }
+        // Detect: "admin" === origin (binary expression inside if)
+        if (
+          node.parent &&
+          node.parent.type === "IfStatement" &&
+          node.arguments.some(
+            (arg) =>
+              arg.type === "Identifier" && trackedVariables.has(arg.name)
+          )
+        ) {
+          context.report({ node, messageId: "noOriginCheck" });
+        }
+      },
+      BinaryExpression(node) {
+        // Detect: if (origin === "some-origin")
+        const ids = [node.left, node.right].filter(
+          (e) => e.type === "Identifier" && trackedVariables.has(e.name)
+        );
+        if (ids.length > 0) {
+          context.report({ node, messageId: "noOriginCheck" });
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s006-activation-recovery-secret-not-plaintext.js ADDED Viewed

@@ -0,0 +1,69 @@
+"use strict";
+/**
+ * S006 – Activation/Recovery Secret Not Plaintext
+ * OWASP ASVS 2.5.1
+ * Ensure that system-generated activation or recovery secrets are not sent in plaintext to the user.
+ */
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow sending activation or recovery secrets in plaintext to the user (e.g., via email/SMS). Use secure channels or one-time tokens.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      plaintextSecret:
+        "Do not send activation or recovery secrets in plaintext. Use a hashed or one-time token instead.",
+    },
+  },
+  create(context) {
+    function isActivationOrRecovery(text) {
+      if (!text || typeof text !== "string") return false;
+      const keywords = [
+        "activation code",
+        "activation token",
+        "recovery code",
+        "recovery token",
+      ];
+      return keywords.some((kw) => text.toLowerCase().includes(kw));
+    }
+    return {
+      CallExpression(node) {
+        // Check for sendMail({ text: ... }) or sendSMS(...)
+        if (
+          node.callee.type === "Identifier" &&
+          (node.callee.name === "sendMail" || node.callee.name === "sendSMS") &&
+          node.arguments.length
+        ) {
+          const arg = node.arguments[0];
+          if (arg.type === "ObjectExpression") {
+            const bodyProp = arg.properties.find(
+              (prop) =>
+                prop.key &&
+                (prop.key.name === "text" || prop.key.name === "html") &&
+                prop.value.type === "Literal"
+            );
+            if (bodyProp && isActivationOrRecovery(bodyProp.value.value)) {
+              context.report({
+                node: bodyProp.value,
+                messageId: "plaintextSecret",
+              });
+            }
+          }
+          if (arg.type === "Literal" && isActivationOrRecovery(arg.value)) {
+            context.report({
+              node: arg,
+              messageId: "plaintextSecret",
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s008-crypto-agility.js ADDED Viewed

@@ -0,0 +1,62 @@
+"use strict";
+/**
+ * S008 – Crypto Agility
+ * OWASP ASVS 6.2.4
+ * Ensure that cryptographic algorithms and their parameters can be reconfigured or upgraded.
+ */
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure cryptographic algorithms, key lengths, and modes are not hardcoded and can be configured or upgraded easily.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      hardcodedAlgo:
+        "Do not hardcode cryptographic algorithm or parameters. Use configurable values instead.",
+    },
+  },
+  create(context) {
+    function isHardcodedCrypto(node) {
+      if (node.type === "Literal" && typeof node.value === "string") {
+        const lower = node.value.toLowerCase();
+        const algos = [
+          "aes-128-cbc",
+          "aes-256-cbc",
+          "aes-256-gcm",
+          "sha1",
+          "sha256",
+          "sha512",
+          "md5",
+          "des",
+          "rc4",
+          "blowfish",
+        ];
+        return algos.some((algo) => lower.includes(algo));
+      }
+      return false;
+    }
+    return {
+      CallExpression(node) {
+        // Detect hardcoded crypto algorithm in common Node.js crypto calls
+        if (
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.name === "crypto" &&
+          node.arguments.length > 0 &&
+          isHardcodedCrypto(node.arguments[0])
+        ) {
+          context.report({
+            node: node.arguments[0],
+            messageId: "hardcodedAlgo",
+          });
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s009-no-insecure-crypto.js ADDED Viewed

@@ -0,0 +1,103 @@
+"use strict";
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow use of insecure cryptographic algorithms, cipher modes, paddings, and hash functions",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      insecureCipher: "Do not use insecure cipher '{{algo}}'. Use AES with 128-bit block size or higher.",
+      insecureMode: "Do not use insecure cipher mode '{{mode}}'. Use CBC or GCM instead.",
+      insecurePadding: "Do not use insecure padding '{{padding}}'. Use OAEP or other secure paddings.",
+      weakHash: "Do not use weak hash function '{{hash}}'. Use SHA-256 or stronger.",
+    },
+  },
+  create(context) {
+    const insecureCiphers = ["DES", "DESede", "Blowfish"];
+    const insecureModes = ["ECB"];
+    const insecurePaddings = ["PKCS1Padding"];
+    const weakHashes = ["MD5", "SHA1", "SHA-1"];
+    function checkAlgorithmString(node, rawValue) {
+      const value = rawValue.toUpperCase();
+      for (const cipher of insecureCiphers) {
+        if (value.includes(cipher.toUpperCase())) {
+          context.report({
+            node,
+            messageId: "insecureCipher",
+            data: { algo: cipher },
+          });
+          return;
+        }
+      }
+      for (const mode of insecureModes) {
+        if (value.includes(mode.toUpperCase())) {
+          context.report({
+            node,
+            messageId: "insecureMode",
+            data: { mode },
+          });
+          return;
+        }
+      }
+      for (const padding of insecurePaddings) {
+        if (value.includes(padding.toUpperCase())) {
+          context.report({
+            node,
+            messageId: "insecurePadding",
+            data: { padding },
+          });
+          return;
+        }
+      }
+      for (const hash of weakHashes) {
+        if (value === hash.toUpperCase()) {
+          context.report({
+            node,
+            messageId: "weakHash",
+            data: { hash },
+          });
+          return;
+        }
+      }
+    }
+    return {
+      CallExpression(node) {
+        if (
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.name === "crypto"
+        ) {
+          const method = node.callee.property.name;
+          // Check hash functions
+          if (
+            method === "createHash" &&
+            node.arguments.length &&
+            node.arguments[0].type === "Literal"
+          ) {
+            checkAlgorithmString(node.arguments[0], node.arguments[0].value);
+          }
+          // Check ciphers and paddings
+          if (
+            (method === "createCipher" || method === "createCipheriv") &&
+            node.arguments.length &&
+            node.arguments[0].type === "Literal"
+          ) {
+            checkAlgorithmString(node.arguments[0], node.arguments[0].value);
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s010-no-insecure-random-in-sensitive-context.js ADDED Viewed

@@ -0,0 +1,123 @@
+/**
+ * Custom ESLint rule for: S010 – Insecure random generator used in sensitive context
+ * Rule ID: custom/s010
+ * Purpose: Disallow Math.random(), UUID, or insecure Random-like usage in sensitive variables (token, password, etc.)
+ */
+"use strict";
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow insecure random generators (Math.random, UUID, etc.) for sensitive values like tokens, passwords",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      insecureRandom:
+        "Do not use insecure random generator '{{name}}' for sensitive values. Use crypto.randomBytes or a CSPRNG instead.",
+    },
+  },
+  create(context) {
+    const sensitiveKeywords = [
+      "token",
+      "otp",
+      "session",
+      "reset",
+      "password",
+      "link",
+      "key",
+      "auth",
+    ];
+    // Check if a string contains any sensitive keyword
+    function isSensitiveName(name) {
+      return sensitiveKeywords.some((kw) => name.toLowerCase().includes(kw));
+    }
+    function isInSensitiveContext(node) {
+      const variable = findNearestVariable(node);
+      const func = findNearestFunction(node);
+      return (
+        (variable && isSensitiveName(variable.name)) ||
+        (func && isSensitiveName(func.name))
+      );
+    }
+    function findNearestVariable(node) {
+      while (node) {
+        if (node.type === "VariableDeclarator" && node.id.type === "Identifier") {
+          return node.id;
+        }
+        node = node.parent;
+      }
+      return null;
+    }
+    function findNearestFunction(node) {
+      while (node) {
+        if (
+          (node.type === "FunctionDeclaration" || node.type === "FunctionExpression") &&
+          node.id
+        ) {
+          return node.id;
+        }
+        node = node.parent;
+      }
+      return null;
+    }
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+        // Math.random()
+        if (
+          callee.type === "MemberExpression" &&
+          callee.object.name === "Math" &&
+          callee.property.name === "random"
+        ) {
+          if (isInSensitiveContext(node)) {
+            context.report({
+              node,
+              messageId: "insecureRandom",
+              data: { name: "Math.random" },
+            });
+          }
+        }
+        // UUID.v4() or uuid()
+        if (
+          callee.type === "Identifier" &&
+          (callee.name === "uuid" || callee.name === "uuidv4")
+        ) {
+          if (isInSensitiveContext(node)) {
+            context.report({
+              node,
+              messageId: "insecureRandom",
+              data: { name: callee.name },
+            });
+          }
+        }
+      },
+      NewExpression(node) {
+        // new Random() – simulate Java-like pattern in JS context if exists
+        if (
+          node.callee.type === "Identifier" &&
+          node.callee.name === "Random" &&
+          isInSensitiveContext(node)
+        ) {
+          context.report({
+            node,
+            messageId: "insecureRandom",
+            data: { name: "Random" },
+          });
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s011-no-insecure-uuid.js ADDED Viewed

@@ -0,0 +1,66 @@
+/**
+ * Custom ESLint rule for: S011 – UUID must be version 4 and use CSPRNG
+ * Rule ID: custom/s011
+ * Purpose: Prevent usage of UUID.randomUUID() in security-sensitive contexts.
+ */
+"use strict";
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow use of UUID.randomUUID() for sensitive identifiers. Use SecureRandom-based UUIDs instead.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      insecureUuid: "Do not use UUID.randomUUID() for '{{context}}'. Use a UUID v4 generator with SecureRandom instead.",
+    },
+  },
+  create(context) {
+    const sensitiveKeywords = [
+      "token", "session", "reset", "password", "link", "key", "auth", "uuid", "guid",
+    ];
+    function containsSensitiveKeyword(name = "") {
+      const lower = name.toLowerCase();
+      return sensitiveKeywords.some(keyword => lower.includes(keyword));
+    }
+    function getEnclosingFunctionOrVariableName(node) {
+      let current = node;
+      while (current) {
+        if (current.type === "FunctionDeclaration" || current.type === "FunctionExpression" || current.type === "ArrowFunctionExpression") {
+          return current.id?.name || "<anonymous>";
+        }
+        if (current.type === "VariableDeclarator" && current.id?.type === "Identifier") {
+          return current.id.name;
+        }
+        current = current.parent;
+      }
+      return "";
+    }
+    return {
+      CallExpression(node) {
+        if (
+          node.callee &&
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.name === "UUID" &&
+          node.callee.property.name === "randomUUID"
+        ) {
+          const contextName = getEnclosingFunctionOrVariableName(node);
+          if (containsSensitiveKeyword(contextName)) {
+            context.report({
+              node,
+              messageId: "insecureUuid",
+              data: { context: contextName },
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s012-hardcode-secret.js ADDED Viewed

@@ -0,0 +1,71 @@
+"use strict";
+/**
+ * S012 – Hardcoded Secret
+ * OWASP ASVS 1.6.2
+ * Ensure that secrets such as passwords, API keys, and cryptographic keys are not hardcoded in source code.
+ */
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Do not hardcode any secrets (API keys, passwords, cryptographic keys) in the source code.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      hardcodedSecret:
+        "Do not hardcode secrets (API keys, passwords, cryptographic keys) in source code.",
+    },
+  },
+  create(context) {
+    const secretKeywords = [
+      "SECRET",
+      "TOKEN",
+      "APIKEY",
+      "PASSWORD",
+      "PRIVATEKEY",
+      "JWT_SECRET",
+    ];
+    return {
+      VariableDeclarator(node) {
+        if (
+          node.id &&
+          node.id.type === "Identifier" &&
+          secretKeywords.some((kw) => node.id.name.toUpperCase().includes(kw))
+        ) {
+          if (
+            node.init &&
+            node.init.type === "Literal" &&
+            typeof node.init.value === "string" &&
+            node.init.value.length > 0
+          ) {
+            context.report({
+              node: node.init,
+              messageId: "hardcodedSecret",
+            });
+          }
+        }
+      },
+      AssignmentExpression(node) {
+        if (
+          node.left.type === "Identifier" &&
+          secretKeywords.some((kw) =>
+            node.left.name.toUpperCase().includes(kw)
+          ) &&
+          node.right.type === "Literal" &&
+          typeof node.right.value === "string" &&
+          node.right.value.length > 0
+        ) {
+          context.report({
+            node: node.right,
+            messageId: "hardcodedSecret",
+          });
+        }
+      },
+    };
+  },
+};