@sun-asterisk/sunlint 1.0.5

package/config/typescript/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "sunlint-eslint-typescript",
+  "version": "1.0.0",
+  "description": "ESLint integration for SunLint TypeScript analysis",
+  "dependencies": {
+    "eslint": "^9.16.0",
+    "@typescript-eslint/parser": "^8.15.0",
+    "@typescript-eslint/eslint-plugin": "^8.15.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.2"
+  }
+}

package/config/typescript/security-rules/index.js

@@ -0,0 +1,90 @@
+/**
+ * Custom ESLint plugin: custom rules index
+ * Export toàn bộ rule tự định nghĩa dùng cho plugin "custom"
+ */
+
+const s005 = require("./s005-no-origin-auth.js");
+const s006 = require("./s006-activation-recovery-secret-not-plaintext.js");
+const s008 = require("./s008-crypto-agility.js");
+const s009 = require("./s009-no-insecure-crypto.js");
+const s010 = require("./s010-no-insecure-random-in-sensitive-context.js");
+const s011 = require("./s011-no-insecure-uuid.js");
+const s012 = require("./s012-hardcode-secret.js");
+const s014 = require("./s014-insecure-tls-version.js");
+const s015 = require("./s015-insecure-tls-certificate.js");
+const s016 = require("./s016-sensitive-query-parameter.js");
+const s017 = require("./s017-no-sql-injection.js");
+const s018 = require("./s018-positive-input-validation.js");
+const s019 = require("./s019-no-raw-user-input-in-email.js");
+const s020 = require("./s020-no-eval-dynamic-execution.js");
+const s022 = require("./s022-output-encoding.js");
+const s023 = require("./s023-no-json-injection.js");
+const s025 = require("./s025-server-side-input-validation.js");
+const s026 = require("./s026-json-schema-validation.js");
+const s027 = require("./s027-no-hardcoded-secrets.js");
+const s029 = require("./s029-require-csrf-protection.js");
+const s030 = require("./s030-no-directory-browsing.js");
+const s033 = require("./s033-require-samesite-cookie.js");
+const s034 = require("./s034-require-host-cookie-prefix.js");
+const s035 = require("./s035-cookie-specific-path.js");
+const s036 = require("./s036-no-unsafe-file-include.js");
+const s037 = require("./s037-require-anti-cache-headers.js");
+const s038 = require("./s038-no-version-disclosure.js");
+const s039 = require("./s039-no-session-token-in-url.js");
+const s041 = require("./s041-require-session-invalidate-on-logout.js");
+const s042 = require("./s042-require-periodic-reauthentication.js");
+const s043 = require("./s043-terminate-sessions-on-password-change.js");
+const s044 = require("./s044-require-full-session-for-sensitive-operations.js");
+const s045 = require("./s045-anti-automation-controls.js");
+const s046 = require("./s046-secure-notification-on-auth-change.js");
+const s048 = require("./s048-password-credential-recovery.js");
+const s050 = require("./s050-session-token-weak-hash.js");
+const s052 = require("./s052-secure-random-authentication-code.js");
+const s054 = require("./s054-verification-default-account.js");
+const s057 = require("./s057-utc-logging.js");
+const s058 = require("./s058-no-ssrf.js");
+
+module.exports = {
+  rules: {
+    typescript_s005: s005,
+    typescript_s006: s006,
+    typescript_s008: s008,
+    typescript_s009: s009,
+    typescript_s010: s010,
+    typescript_s011: s011,
+    typescript_s012: s012,
+    typescript_s014: s014,
+    typescript_s015: s015,
+    typescript_s016: s016,
+    typescript_s017: s017,
+    typescript_s018: s018,
+    typescript_s019: s019,
+    typescript_s020: s020,
+    typescript_s022: s022,
+    typescript_s023: s023,
+    typescript_s025: s025,
+    typescript_s026: s026,
+    typescript_s027: s027,
+    typescript_s029: s029,
+    typescript_s030: s030,
+    typescript_s033: s033,
+    typescript_s034: s034,
+    typescript_s035: s035,
+    typescript_s036: s036,
+    typescript_s037: s037,
+    typescript_s038: s038,
+    typescript_s039: s039,
+    typescript_s041: s041,
+    typescript_s042: s042,
+    typescript_s043: s043,
+    typescript_s044: s044,
+    typescript_s045: s045,
+    typescript_s046: s046,
+    typescript_s048: s048,
+    typescript_s050: s050,
+    typescript_s052: s052,
+    typescript_s054: s054,
+    typescript_s057: s057,
+    typescript_s058: s058,
+  },
+};

package/config/typescript/security-rules/s005-no-origin-auth.js

@@ -0,0 +1,95 @@
+/**
+ * ESLint rule: S005 – Do not use Origin header for authentication/access control
+ * Rule ID: custom/s005
+ * Description: Prevent usage of request.getHeader("Origin") for security decisions.
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Do not use the Origin header to make authentication or access control decisions.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      noOriginCheck:
+        "Do not use the Origin header for authentication or access control decisions. It can be easily spoofed.",
+    },
+  },
+
+  create(context) {
+    const trackedVariables = new Set();
+
+    function isOriginHeaderCall(node) {
+      // Match: request.getHeader("Origin")
+      return (
+        node.type === "CallExpression" &&
+        node.callee.type === "MemberExpression" &&
+        node.callee.property.name === "getHeader" &&
+        node.arguments.length &&
+        node.arguments[0].type === "Literal" &&
+        node.arguments[0].value === "Origin"
+      );
+    }
+
+    return {
+      VariableDeclarator(node) {
+        // Track: const origin = request.getHeader("Origin");
+        if (node.init && isOriginHeaderCall(node.init)) {
+          trackedVariables.add(node.id.name);
+        }
+      },
+
+      AssignmentExpression(node) {
+        // Track: origin = request.getHeader("Origin");
+        if (
+          node.left.type === "Identifier" &&
+          isOriginHeaderCall(node.right)
+        ) {
+          trackedVariables.add(node.left.name);
+        }
+      },
+
+      CallExpression(node) {
+        // Detect: origin.equals(...) or origin.includes(...) or "xyz" === origin
+        if (
+          node.callee.type === "MemberExpression" &&
+          ["includes", "startsWith", "endsWith", "indexOf", "equals"].includes(
+            node.callee.property.name
+          )
+        ) {
+          const arg = node.callee.object;
+          if (arg.type === "Identifier" && trackedVariables.has(arg.name)) {
+            context.report({ node, messageId: "noOriginCheck" });
+          }
+        }
+
+        // Detect: "admin" === origin (binary expression inside if)
+        if (
+          node.parent &&
+          node.parent.type === "IfStatement" &&
+          node.arguments.some(
+            (arg) =>
+              arg.type === "Identifier" && trackedVariables.has(arg.name)
+          )
+        ) {
+          context.report({ node, messageId: "noOriginCheck" });
+        }
+      },
+
+      BinaryExpression(node) {
+        // Detect: if (origin === "some-origin")
+        const ids = [node.left, node.right].filter(
+          (e) => e.type === "Identifier" && trackedVariables.has(e.name)
+        );
+        if (ids.length > 0) {
+          context.report({ node, messageId: "noOriginCheck" });
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s006-activation-recovery-secret-not-plaintext.js

@@ -0,0 +1,69 @@
+"use strict";
+
+/**
+ * S006 – Activation/Recovery Secret Not Plaintext
+ * OWASP ASVS 2.5.1
+ * Ensure that system-generated activation or recovery secrets are not sent in plaintext to the user.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow sending activation or recovery secrets in plaintext to the user (e.g., via email/SMS). Use secure channels or one-time tokens.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      plaintextSecret:
+        "Do not send activation or recovery secrets in plaintext. Use a hashed or one-time token instead.",
+    },
+  },
+
+  create(context) {
+    function isActivationOrRecovery(text) {
+      if (!text || typeof text !== "string") return false;
+      const keywords = [
+        "activation code",
+        "activation token",
+        "recovery code",
+        "recovery token",
+      ];
+      return keywords.some((kw) => text.toLowerCase().includes(kw));
+    }
+
+    return {
+      CallExpression(node) {
+        // Check for sendMail({ text: ... }) or sendSMS(...)
+        if (
+          node.callee.type === "Identifier" &&
+          (node.callee.name === "sendMail" || node.callee.name === "sendSMS") &&
+          node.arguments.length
+        ) {
+          const arg = node.arguments[0];
+          if (arg.type === "ObjectExpression") {
+            const bodyProp = arg.properties.find(
+              (prop) =>
+                prop.key &&
+                (prop.key.name === "text" || prop.key.name === "html") &&
+                prop.value.type === "Literal"
+            );
+            if (bodyProp && isActivationOrRecovery(bodyProp.value.value)) {
+              context.report({
+                node: bodyProp.value,
+                messageId: "plaintextSecret",
+              });
+            }
+          }
+          if (arg.type === "Literal" && isActivationOrRecovery(arg.value)) {
+            context.report({
+              node: arg,
+              messageId: "plaintextSecret",
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s008-crypto-agility.js

@@ -0,0 +1,62 @@
+"use strict";
+
+/**
+ * S008 – Crypto Agility
+ * OWASP ASVS 6.2.4
+ * Ensure that cryptographic algorithms and their parameters can be reconfigured or upgraded.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure cryptographic algorithms, key lengths, and modes are not hardcoded and can be configured or upgraded easily.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      hardcodedAlgo:
+        "Do not hardcode cryptographic algorithm or parameters. Use configurable values instead.",
+    },
+  },
+
+  create(context) {
+    function isHardcodedCrypto(node) {
+      if (node.type === "Literal" && typeof node.value === "string") {
+        const lower = node.value.toLowerCase();
+        const algos = [
+          "aes-128-cbc",
+          "aes-256-cbc",
+          "aes-256-gcm",
+          "sha1",
+          "sha256",
+          "sha512",
+          "md5",
+          "des",
+          "rc4",
+          "blowfish",
+        ];
+        return algos.some((algo) => lower.includes(algo));
+      }
+      return false;
+    }
+
+    return {
+      CallExpression(node) {
+        // Detect hardcoded crypto algorithm in common Node.js crypto calls
+        if (
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.name === "crypto" &&
+          node.arguments.length > 0 &&
+          isHardcodedCrypto(node.arguments[0])
+        ) {
+          context.report({
+            node: node.arguments[0],
+            messageId: "hardcodedAlgo",
+          });
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s009-no-insecure-crypto.js

@@ -0,0 +1,103 @@
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow use of insecure cryptographic algorithms, cipher modes, paddings, and hash functions",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      insecureCipher: "Do not use insecure cipher '{{algo}}'. Use AES with 128-bit block size or higher.",
+      insecureMode: "Do not use insecure cipher mode '{{mode}}'. Use CBC or GCM instead.",
+      insecurePadding: "Do not use insecure padding '{{padding}}'. Use OAEP or other secure paddings.",
+      weakHash: "Do not use weak hash function '{{hash}}'. Use SHA-256 or stronger.",
+    },
+  },
+
+  create(context) {
+    const insecureCiphers = ["DES", "DESede", "Blowfish"];
+    const insecureModes = ["ECB"];
+    const insecurePaddings = ["PKCS1Padding"];
+    const weakHashes = ["MD5", "SHA1", "SHA-1"];
+
+    function checkAlgorithmString(node, rawValue) {
+      const value = rawValue.toUpperCase();
+
+      for (const cipher of insecureCiphers) {
+        if (value.includes(cipher.toUpperCase())) {
+          context.report({
+            node,
+            messageId: "insecureCipher",
+            data: { algo: cipher },
+          });
+          return;
+        }
+      }
+
+      for (const mode of insecureModes) {
+        if (value.includes(mode.toUpperCase())) {
+          context.report({
+            node,
+            messageId: "insecureMode",
+            data: { mode },
+          });
+          return;
+        }
+      }
+
+      for (const padding of insecurePaddings) {
+        if (value.includes(padding.toUpperCase())) {
+          context.report({
+            node,
+            messageId: "insecurePadding",
+            data: { padding },
+          });
+          return;
+        }
+      }
+
+      for (const hash of weakHashes) {
+        if (value === hash.toUpperCase()) {
+          context.report({
+            node,
+            messageId: "weakHash",
+            data: { hash },
+          });
+          return;
+        }
+      }
+    }
+
+    return {
+      CallExpression(node) {
+        if (
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.name === "crypto"
+        ) {
+          const method = node.callee.property.name;
+
+          // Check hash functions
+          if (
+            method === "createHash" &&
+            node.arguments.length &&
+            node.arguments[0].type === "Literal"
+          ) {
+            checkAlgorithmString(node.arguments[0], node.arguments[0].value);
+          }
+
+          // Check ciphers and paddings
+          if (
+            (method === "createCipher" || method === "createCipheriv") &&
+            node.arguments.length &&
+            node.arguments[0].type === "Literal"
+          ) {
+            checkAlgorithmString(node.arguments[0], node.arguments[0].value);
+          }
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s010-no-insecure-random-in-sensitive-context.js

@@ -0,0 +1,123 @@
+/**
+ * Custom ESLint rule for: S010 – Insecure random generator used in sensitive context
+ * Rule ID: custom/s010
+ * Purpose: Disallow Math.random(), UUID, or insecure Random-like usage in sensitive variables (token, password, etc.)
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow insecure random generators (Math.random, UUID, etc.) for sensitive values like tokens, passwords",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      insecureRandom:
+        "Do not use insecure random generator '{{name}}' for sensitive values. Use crypto.randomBytes or a CSPRNG instead.",
+    },
+  },
+
+  create(context) {
+    const sensitiveKeywords = [
+      "token",
+      "otp",
+      "session",
+      "reset",
+      "password",
+      "link",
+      "key",
+      "auth",
+    ];
+
+    // Check if a string contains any sensitive keyword
+    function isSensitiveName(name) {
+      return sensitiveKeywords.some((kw) => name.toLowerCase().includes(kw));
+    }
+
+    function isInSensitiveContext(node) {
+      const variable = findNearestVariable(node);
+      const func = findNearestFunction(node);
+
+      return (
+        (variable && isSensitiveName(variable.name)) ||
+        (func && isSensitiveName(func.name))
+      );
+    }
+
+    function findNearestVariable(node) {
+      while (node) {
+        if (node.type === "VariableDeclarator" && node.id.type === "Identifier") {
+          return node.id;
+        }
+        node = node.parent;
+      }
+      return null;
+    }
+
+    function findNearestFunction(node) {
+      while (node) {
+        if (
+          (node.type === "FunctionDeclaration" || node.type === "FunctionExpression") &&
+          node.id
+        ) {
+          return node.id;
+        }
+        node = node.parent;
+      }
+      return null;
+    }
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Math.random()
+        if (
+          callee.type === "MemberExpression" &&
+          callee.object.name === "Math" &&
+          callee.property.name === "random"
+        ) {
+          if (isInSensitiveContext(node)) {
+            context.report({
+              node,
+              messageId: "insecureRandom",
+              data: { name: "Math.random" },
+            });
+          }
+        }
+
+        // UUID.v4() or uuid()
+        if (
+          callee.type === "Identifier" &&
+          (callee.name === "uuid" || callee.name === "uuidv4")
+        ) {
+          if (isInSensitiveContext(node)) {
+            context.report({
+              node,
+              messageId: "insecureRandom",
+              data: { name: callee.name },
+            });
+          }
+        }
+      },
+      NewExpression(node) {
+        // new Random() – simulate Java-like pattern in JS context if exists
+        if (
+          node.callee.type === "Identifier" &&
+          node.callee.name === "Random" &&
+          isInSensitiveContext(node)
+        ) {
+          context.report({
+            node,
+            messageId: "insecureRandom",
+            data: { name: "Random" },
+          });
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s011-no-insecure-uuid.js

@@ -0,0 +1,66 @@
+/**
+ * Custom ESLint rule for: S011 – UUID must be version 4 and use CSPRNG
+ * Rule ID: custom/s011
+ * Purpose: Prevent usage of UUID.randomUUID() in security-sensitive contexts.
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow use of UUID.randomUUID() for sensitive identifiers. Use SecureRandom-based UUIDs instead.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      insecureUuid: "Do not use UUID.randomUUID() for '{{context}}'. Use a UUID v4 generator with SecureRandom instead.",
+    },
+  },
+
+  create(context) {
+    const sensitiveKeywords = [
+      "token", "session", "reset", "password", "link", "key", "auth", "uuid", "guid",
+    ];
+
+    function containsSensitiveKeyword(name = "") {
+      const lower = name.toLowerCase();
+      return sensitiveKeywords.some(keyword => lower.includes(keyword));
+    }
+
+    function getEnclosingFunctionOrVariableName(node) {
+      let current = node;
+      while (current) {
+        if (current.type === "FunctionDeclaration" || current.type === "FunctionExpression" || current.type === "ArrowFunctionExpression") {
+          return current.id?.name || "<anonymous>";
+        }
+        if (current.type === "VariableDeclarator" && current.id?.type === "Identifier") {
+          return current.id.name;
+        }
+        current = current.parent;
+      }
+      return "";
+    }
+
+    return {
+      CallExpression(node) {
+        if (
+          node.callee &&
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.name === "UUID" &&
+          node.callee.property.name === "randomUUID"
+        ) {
+          const contextName = getEnclosingFunctionOrVariableName(node);
+          if (containsSensitiveKeyword(contextName)) {
+            context.report({
+              node,
+              messageId: "insecureUuid",
+              data: { context: contextName },
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s012-hardcode-secret.js

@@ -0,0 +1,71 @@
+"use strict";
+
+/**
+ * S012 – Hardcoded Secret
+ * OWASP ASVS 1.6.2
+ * Ensure that secrets such as passwords, API keys, and cryptographic keys are not hardcoded in source code.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Do not hardcode any secrets (API keys, passwords, cryptographic keys) in the source code.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      hardcodedSecret:
+        "Do not hardcode secrets (API keys, passwords, cryptographic keys) in source code.",
+    },
+  },
+
+  create(context) {
+    const secretKeywords = [
+      "SECRET",
+      "TOKEN",
+      "APIKEY",
+      "PASSWORD",
+      "PRIVATEKEY",
+      "JWT_SECRET",
+    ];
+    return {
+      VariableDeclarator(node) {
+        if (
+          node.id &&
+          node.id.type === "Identifier" &&
+          secretKeywords.some((kw) => node.id.name.toUpperCase().includes(kw))
+        ) {
+          if (
+            node.init &&
+            node.init.type === "Literal" &&
+            typeof node.init.value === "string" &&
+            node.init.value.length > 0
+          ) {
+            context.report({
+              node: node.init,
+              messageId: "hardcodedSecret",
+            });
+          }
+        }
+      },
+      AssignmentExpression(node) {
+        if (
+          node.left.type === "Identifier" &&
+          secretKeywords.some((kw) =>
+            node.left.name.toUpperCase().includes(kw)
+          ) &&
+          node.right.type === "Literal" &&
+          typeof node.right.value === "string" &&
+          node.right.value.length > 0
+        ) {
+          context.report({
+            node: node.right,
+            messageId: "hardcodedSecret",
+          });
+        }
+      },
+    };
+  },
+};