@sun-asterisk/sunlint 1.0.5

package/eslint-integration/eslint-plugin-custom/s047-secure-random-passwords.js

@@ -0,0 +1,108 @@
+"use strict";
+
+/**
+ * S047 – Verify system generated initial passwords or activation codes SHOULD be securely randomly generated
+ * OWASP ASVS 2.3.1
+ * Rule ID: custom/s047
+ * SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password.
+ */
+
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Initial passwords or activation codes must be securely generated, at least 6 characters, expire soon, and not reused long-term.",
+      recommended: false,
+    },
+    messages: {
+      weakInitialSecret:
+        "Initial secret (password or activation code) must be securely randomly generated, at least 6 characters, expire soon, and not reused long-term.",
+    },
+    schema: [],
+  },
+
+  create(context) {
+    const SECRET_NAME_REGEX = /(initial|activation|temp).*?(password|code|token|secret)/i;
+
+    function isPotentialSecretName(name) {
+      return SECRET_NAME_REGEX.test(name);
+    }
+
+    function checkInsecureGeneration(node) {
+      const callee = node.callee;
+
+      // Check for Math.random()
+      if (
+        callee.type === "MemberExpression" &&
+        callee.object.type === "Identifier" &&
+        callee.object.name === "Math" &&
+        callee.property.type === "Identifier" &&
+        callee.property.name === "random"
+      ) {
+        context.report({ node, messageId: "weakInitialSecret" });
+      }
+
+      // Check for Date.now()
+      if (
+        callee.type === "MemberExpression" &&
+        callee.object.type === "Identifier" &&
+        callee.object.name === "Date" &&
+        callee.property.type === "Identifier" &&
+        callee.property.name === "now"
+      ) {
+        context.report({ node, messageId: "weakInitialSecret" });
+      }
+    }
+
+    return {
+      VariableDeclarator(node) {
+        if (
+          node.id.type === "Identifier" &&
+          isPotentialSecretName(node.id.name) &&
+          node.init
+        ) {
+          if (node.init.type === "Literal") {
+            const val = node.init.value;
+            if (typeof val === "string" && val.length < 6) {
+              context.report({ node, messageId: "weakInitialSecret" });
+            }
+          }
+
+          if (
+            node.init.type === "CallExpression" ||
+            node.init.type === "NewExpression"
+          ) {
+            checkInsecureGeneration(node.init);
+          }
+        }
+      },
+
+      AssignmentExpression(node) {
+        const left = node.left;
+        const right = node.right;
+
+        if (
+          left.type === "MemberExpression" &&
+          left.property.type === "Identifier" &&
+          isPotentialSecretName(left.property.name)
+        ) {
+          if (right.type === "Literal") {
+            const val = right.value;
+            if (typeof val === "string" && val.length < 6) {
+              context.report({ node, messageId: "weakInitialSecret" });
+            }
+          }
+
+          if (
+            right.type === "CallExpression" ||
+            right.type === "NewExpression"
+          ) {
+            checkInsecureGeneration(right);
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s048-password-credential-recovery.js

@@ -0,0 +1,54 @@
+"use strict";
+
+/**
+ * S048 – Password Credential Recovery
+ * OWASP ASVS 2.4.3
+ * Ensure password credential recovery does not reveal the current password in any way.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure password recovery does not reveal the current password. Users must set a new password via a secure, one-time token.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      revealPassword:
+        "Never reveal or send the current password during recovery. Always require user to set a new password.",
+    },
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        // Example: sending current password in email (should not happen)
+        if (
+          node.callee.type === "Identifier" &&
+          node.callee.name === "sendMail" &&
+          node.arguments.length &&
+          node.arguments[0].type === "ObjectExpression"
+        ) {
+          const bodyProp = node.arguments[0].properties.find(
+            (prop) =>
+              prop.key &&
+              (prop.key.name === "text" || prop.key.name === "html") &&
+              prop.value.type === "Literal" &&
+              (prop.value.value
+                .toLowerCase()
+                .includes("your current password") ||
+                prop.value.value.toLowerCase().includes("mật khẩu hiện tại"))
+          );
+          if (bodyProp) {
+            context.report({
+              node: bodyProp.value,
+              messageId: "revealPassword",
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s050-session-token-weak-hash.js

@@ -0,0 +1,94 @@
+/**
+ * ESLint Rule: S050 - Session Token Weak Entropy or Algorithm
+ * Rule ID: custom/s050
+ * Description: Ensure session tokens use secure algorithms and have at least 64-bit entropy.
+ */
+
+"use strict";
+
+const WEAK_HASH_ALGOS = new Set(["md5", "sha1"]);
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Avoid using weak hash algorithms or low entropy sources for session tokens. Use crypto.randomBytes(16), HMAC, or SHA-256.",
+      recommended: false,
+    },
+    messages: {
+      weakHash:
+        "Avoid using weak hash algorithm '{{algo}}' for session tokens. Use SHA-256, HMAC, or AES instead.",
+      lowEntropy:
+        "Session token should be generated with at least 64-bit entropy. Avoid using '{{func}}'.",
+      smallRandomBytes:
+        "Session token generated with crypto.randomBytes({{bytes}}) has insufficient entropy. Use at least 8 bytes (64-bit).",
+    },
+    schema: [],
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Case 1: crypto.createHash("md5") or ("sha1")
+        if (
+          callee.type === "MemberExpression" &&
+          callee.object.name === "crypto" &&
+          callee.property.name === "createHash"
+        ) {
+          const [arg] = node.arguments;
+          if (
+            arg &&
+            arg.type === "Literal" &&
+            typeof arg.value === "string"
+          ) {
+            const algo = arg.value.toLowerCase();
+            if (WEAK_HASH_ALGOS.has(algo)) {
+              context.report({
+                node: arg,
+                messageId: "weakHash",
+                data: { algo },
+              });
+            }
+          }
+        }
+
+        // Case 2: crypto.randomBytes(n), n < 8
+        if (
+          callee.type === "MemberExpression" &&
+          callee.object.name === "crypto" &&
+          callee.property.name === "randomBytes"
+        ) {
+          const [arg] = node.arguments;
+          if (
+            arg &&
+            arg.type === "Literal" &&
+            typeof arg.value === "number" &&
+            arg.value < 8
+          ) {
+            context.report({
+              node: arg,
+              messageId: "smallRandomBytes",
+              data: { bytes: arg.value },
+            });
+          }
+        }
+
+        // Case 3: Math.random() or Date.now() used
+        if (
+          callee.type === "MemberExpression" &&
+          ((callee.object.name === "Math" && callee.property.name === "random") ||
+            (callee.object.name === "Date" && callee.property.name === "now"))
+        ) {
+          context.report({
+            node: callee,
+            messageId: "lowEntropy",
+            data: { func: `${callee.object.name}.${callee.property.name}` },
+          });
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s052-secure-random-authentication-code.js

@@ -0,0 +1,66 @@
+/**
+ * ESLint Rule: S052 - Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically a six-digit random number is sufficient).
+ * Rule ID: custom/s052
+ * Description: Ensure that the initial authentication code is generated using a secure random number generator with at least 20 bits of entropy.
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Ensure secure random number generation with sufficient entropy",
+      category: "Security",
+      recommended: true,
+    },
+    messages: {
+      insecureRandom: "Insecure random number generator detected.",
+      insufficientEntropy: "Insufficient entropy detected in crypto.randomInt. Ensure at least 20 bits of entropy.",
+    },
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        // Check for insufficient entropy in crypto.randomInt
+        if (
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.type === "Identifier" &&
+          node.callee.object.name === "crypto" &&
+          node.callee.property.type === "Identifier" &&
+          node.callee.property.name === "randomInt"
+        ) {
+          const args = node.arguments;
+          if (args.length === 2 && args[0].type === "Literal" && args[1].type === "Literal") {
+            const min = args[0].value;
+            const max = args[1].value;
+            const range = max - min;
+
+            // Check if the range provides at least 20 bits of entropy
+            if (range < Math.pow(2, 20)) {
+              context.report({
+                node,
+                messageId: "insufficientEntropy",
+              });
+            }
+          }
+        }
+
+        // Check for calls to Math.random()
+        if (
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.type === "Identifier" &&
+          node.callee.object.name === "Math" &&
+          node.callee.property.type === "Identifier" &&
+          node.callee.property.name === "random"
+        ) {
+          context.report({
+            node,
+            messageId: "insecureRandom",
+          });
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s054-verification-default-account.js

@@ -0,0 +1,109 @@
+/**
+ * ESLint Rule: S054 - Verify shared or default accounts are not present (e.g. "root", "admin", or "sa").
+ * Rule ID: custom/s054
+ * Description: Ensure that shared or default accounts like "root", "admin", or "sa" are not used in the codebase.
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow use of default accounts without value check",
+      category: "Best Practices",
+      recommended: false,
+    },
+    messages: {
+      missingValidation: "Default account used without validation.",
+    },
+    schema: [],
+  },
+
+  create(context) {
+    const defaultAccounts = ["root", "admin", "sa"];
+    const sourceCode = context.getSourceCode();
+
+    function isAccountRelatedFunction(node) {
+      const name =
+        (node.type === "FunctionDeclaration" && node.id?.name) ||
+        (node.type === "MethodDefinition" && node.key?.name) ||
+        "";
+      return /account|user|login|access/i.test(name);
+    }
+
+    // Check if validation exists in code like: if (x === "admin")
+    function hasValidation(node) {
+      let validated = false;
+
+      context.getSourceCode().getTokens(node).forEach((token, idx, tokens) => {
+        const prev = tokens[idx - 1]?.value || "";
+        const next = tokens[idx + 1]?.value || "";
+
+        if (
+          token.type === "String" &&
+          defaultAccounts.includes(token.value.replace(/['"]/g, "")) &&
+          (prev === "===" || prev === "!==" || next === "===" || next === "!==")
+        ) {
+          validated = true;
+        }
+      });
+
+      return validated;
+    }
+
+    // Check if any default account string is used (directly or via const)
+    function hasDefaultAccountUsage(node) {
+      const tokens = context.getSourceCode().getTokens(node);
+      return tokens.some((token) => {
+        return (
+          token.type === "String" &&
+          defaultAccounts.includes(token.value.replace(/['"]/g, ""))
+        );
+      });
+    }
+
+    function hasDefaultConstantUsage(node) {
+      const scope = sourceCode.scopeManager.acquire(node);
+      if (!scope) return false;
+
+      const defaultVars = scope.variables.filter((v) => {
+        const def = v.defs[0];
+        return (
+          def &&
+          def.node.init &&
+          typeof def.node.init.value === "string" &&
+          defaultAccounts.includes(def.node.init.value)
+        );
+      });
+
+      const fnText = sourceCode.getText(node);
+      return defaultVars.some((v) => fnText.includes(v.name));
+    }
+
+    function checkFunction(node) {
+      const usesDefaultAccount =
+        hasDefaultAccountUsage(node) || hasDefaultConstantUsage(node);
+
+      if (usesDefaultAccount && !hasValidation(node)) {
+        context.report({
+          node,
+          messageId: "missingValidation",
+        });
+      }
+    }
+
+    return {
+      FunctionDeclaration(node) {
+        if (isAccountRelatedFunction(node)) {
+          checkFunction(node);
+        }
+      },
+      MethodDefinition(node) {
+        if (isAccountRelatedFunction(node)) {
+          checkFunction(node);
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s055-verification-rest-check-the-incoming-content-type.js

@@ -0,0 +1,143 @@
+"use strict";
+
+/**
+ * S055 – Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json.
+ * OWASP ASVS 13.2.5
+ * Rule ID: custom/s055
+ * Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure REST request handlers validate Content-Type when using req.body",
+      recommended: false,
+    },
+    messages: {
+      missingCheck:
+        "Handler uses req.body but does not validate Content-Type.",
+    },
+    schema: [],
+  },
+
+  create(context) {
+    function walkForReqBody(node, reqName = "req") {
+      const visited = new Set();
+      let found = false;
+
+      function walk(n) {
+        if (!n || typeof n !== "object" || visited.has(n) || found) return;
+        visited.add(n);
+
+        if (
+          n.type === "MemberExpression" &&
+          n.object.type === "Identifier" &&
+          n.object.name === reqName &&
+          n.property.type === "Identifier" &&
+          n.property.name === "body"
+        ) {
+          found = true;
+          return;
+        }
+
+        for (const key in n) {
+          if (!Object.prototype.hasOwnProperty.call(n, key)) continue;
+          const child = n[key];
+          if (Array.isArray(child)) child.forEach(walk);
+          else if (typeof child === "object" && child !== null) walk(child);
+        }
+      }
+
+      walk(node);
+      return found;
+    }
+
+    function walkForContentTypeCheck(node, reqName = "req") {
+      const visited = new Set();
+
+      function walk(n) {
+        if (!n || typeof n !== "object" || visited.has(n)) return false;
+        visited.add(n);
+
+        // req.is("application/json")
+        if (
+          n.type === "CallExpression" &&
+          n.callee.type === "MemberExpression" &&
+          n.callee.object.type === "Identifier" &&
+          n.callee.object.name === reqName &&
+          n.callee.property.name === "is" &&
+          n.arguments.length > 0 &&
+          n.arguments[0].type === "Literal" &&
+          typeof n.arguments[0].value === "string" &&
+          n.arguments[0].value.startsWith("application/")
+        ) {
+          return true;
+        }
+
+        // req.headers["content-type"]
+        if (
+          n.type === "MemberExpression" &&
+          n.object?.type === "MemberExpression" &&
+          n.object.object?.type === "Identifier" &&
+          n.object.object.name === reqName &&
+          n.object.property?.name === "headers" &&
+          (
+            (n.property.type === "Literal" && n.property.value === "content-type") ||
+            (n.property.type === "Identifier" && n.property.name === "content-type")
+          )
+        ) {
+          return true;
+        }
+
+        // Look through children
+        for (const key in n) {
+          if (!Object.prototype.hasOwnProperty.call(n, key)) continue;
+          const child = n[key];
+          if (Array.isArray(child)) {
+            if (child.some(walk)) return true;
+          } else if (typeof child === "object" && child !== null) {
+            if (walk(child)) return true;
+          }
+        }
+
+        return false;
+      }
+
+      return walk(node);
+    }
+
+    return {
+      CallExpression(node) {
+        // Match app.post("/path", handler)
+        if (
+          node.callee.type === "MemberExpression" &&
+          ["post", "put", "patch", "delete"].includes(
+            node.callee.property.name
+          )
+        ) {
+          const handler = node.arguments.find(
+            (arg) =>
+              arg.type === "FunctionExpression" ||
+              arg.type === "ArrowFunctionExpression"
+          );
+
+          if (!handler || !handler.body) return;
+
+          const reqName = handler.params[0]?.name || "req";
+
+          const usesBody = walkForReqBody(handler.body, reqName);
+          const hasValidation = walkForContentTypeCheck(handler.body, reqName);
+
+          if (usesBody && !hasValidation) {
+            context.report({
+              node: handler,
+              messageId: "missingCheck",
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s057-utc-logging.js

@@ -0,0 +1,54 @@
+/**
+ * Custom ESLint rule: S057 – Enforce UTC usage in time formatting/logging
+ * Rule ID: custom/s057
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "suggestion",
+    docs: {
+      description:
+        "Avoid using local time formatting in logs; prefer UTC for consistency",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      avoidLocalTime:
+        "Avoid using '{{method}}' for local time formatting. Prefer UTC methods like toISOString() or moment.utc().",
+    },
+  },
+
+  create(context) {
+    const forbiddenMethods = [
+      "toLocaleString",
+      "toLocaleDateString",
+      "toLocaleTimeString",
+      "format", // e.g., moment().format(...) → not utc by default
+    ];
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Match: date.toLocaleString(), moment().format()
+        if (callee.type === "MemberExpression") {
+          const method = callee.property.name;
+
+          if (forbiddenMethods.includes(method)) {
+            const objectText = context.getSourceCode().getText(callee.object);
+            // Optional enhancement: only warn for Date or moment() objects
+            if (/Date|moment/.test(objectText)) {
+              context.report({
+                node,
+                messageId: "avoidLocalTime",
+                data: { method },
+              });
+            }
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s058-no-ssrf.js

@@ -0,0 +1,73 @@
+/**
+ * Custom ESLint rule: S058 – Detect possible SSRF via unvalidated user-controlled URLs
+ * Rule ID: custom/s058
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Detect SSRF vulnerabilities via unvalidated user-controlled URLs",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      ssrfRisk:
+        "Possible SSRF: URL '{{url}}' comes from untrusted source. Validate or sanitize input.",
+    },
+  },
+
+  create(context) {
+    const riskySources = [
+      "req.body",
+      "req.query",
+      "req.params",
+      "input",
+      "form",
+    ];
+    const riskyFunctions = [
+      "fetch",
+      "axios.get",
+      "axios.post",
+      "axios.request",
+      "http.request",
+      "https.request",
+    ];
+
+    function isUserInput(nodeText) {
+      return riskySources.some((src) => nodeText.includes(src));
+    }
+
+    function isHttpFunction(callee) {
+      if (callee.type === "Identifier")
+        return riskyFunctions.includes(callee.name);
+      if (callee.type === "MemberExpression") {
+        const fullName = `${callee.object.name}.${callee.property.name}`;
+        return riskyFunctions.includes(fullName);
+      }
+      return false;
+    }
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+        if (!isHttpFunction(callee)) return;
+
+        const firstArg = node.arguments[0];
+        if (!firstArg) return;
+
+        const argText = context.getSourceCode().getText(firstArg);
+        if (isUserInput(argText)) {
+          context.report({
+            node: firstArg,
+            messageId: "ssrfRisk",
+            data: { url: argText },
+          });
+        }
+      },
+    };
+  },
+};