@sun-asterisk/sunlint 1.2.2 → 1.3.1

package/rules/security/S005_no_origin_auth/ast-analyzer.js

@@ -0,0 +1,406 @@
+/**
+ * AST-based analyzer for S005 - No Origin Header Authentication
+ * Detects usage of Origin header for authentication/access control through AST analysis
+ */
+
+const babel = require('@babel/parser');
+const traverse = require('@babel/traverse').default;
+
+class S005ASTAnalyzer {
+  constructor() {
+    this.ruleId = 'S005';
+    this.ruleName = 'No Origin Header Authentication';
+    this.description = 'Do not use Origin header for authentication or access control';
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      try {
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        const fileViolations = await this.analyzeFile(content, filePath, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ S005 AST analysis failed for ${filePath}: ${error.message}`);
+        }
+      }
+    }
+    
+    return violations;
+  }
+
+  async analyzeFile(content, filePath, options = {}) {
+    const violations = [];
+    
+    try {
+      // Parse with TypeScript/JavaScript support
+      const ast = babel.parse(content, {
+        sourceType: 'module',
+        allowImportExportEverywhere: true,
+        allowReturnOutsideFunction: true,
+        plugins: [
+          'typescript',
+          'jsx',
+          'objectRestSpread',
+          'functionBind',
+          'exportDefaultFrom',
+          'decorators-legacy',
+          'classProperties',
+          'asyncGenerators',
+          'dynamicImport'
+        ]
+      });
+
+      // Traverse AST to find Origin header usage in authentication contexts
+      traverse(ast, {
+        MemberExpression: (path) => {
+          this.checkOriginHeaderAccess(path, violations, filePath);
+        },
+        CallExpression: (path) => {
+          this.checkOriginHeaderMethods(path, violations, filePath);
+        },
+        IfStatement: (path) => {
+          this.checkConditionalOriginAuth(path, violations, filePath);
+        },
+        AssignmentExpression: (path) => {
+          this.checkOriginAssignment(path, violations, filePath);
+        }
+      });
+
+    } catch (parseError) {
+      if (options.verbose) {
+        console.warn(`⚠️ S005 parse failed for ${filePath}: ${parseError.message}`);
+      }
+      // Fall back to regex analysis if AST parsing fails
+      return this.analyzeWithRegex(content, filePath, options);
+    }
+
+    return violations;
+  }
+
+  checkOriginHeaderAccess(path, violations, filePath) {
+    const node = path.node;
+    
+    // Check for req.headers.origin, headers.origin, req.headers['origin']
+    if (this.isOriginHeaderAccess(node)) {
+      // Check if this is in an authentication context
+      if (this.isInAuthenticationContext(path)) {
+        violations.push({
+          ruleId: this.ruleId,
+          severity: 'error',
+          message: 'Origin header should not be used for authentication. Origin can be spoofed and is not secure for access control.',
+          line: node.loc ? node.loc.start.line : 1,
+          column: node.loc ? node.loc.start.column + 1 : 1,
+          filePath: filePath,
+          type: 'origin_header_access'
+        });
+      }
+    }
+  }
+
+  checkOriginHeaderMethods(path, violations, filePath) {
+    const node = path.node;
+    
+    // Check for req.get('origin'), req.header('origin'), getHeader('origin')
+    if (this.isOriginHeaderMethod(node)) {
+      if (this.isInAuthenticationContext(path)) {
+        violations.push({
+          ruleId: this.ruleId,
+          severity: 'error',
+          message: 'Origin header retrieval methods should not be used for authentication purposes.',
+          line: node.loc ? node.loc.start.line : 1,
+          column: node.loc ? node.loc.start.column + 1 : 1,
+          filePath: filePath,
+          type: 'origin_header_method'
+        });
+      }
+    }
+
+    // Check for CORS configuration with origin-based auth
+    if (this.isCORSOriginAuth(node)) {
+      violations.push({
+        ruleId: this.ruleId,
+        severity: 'warning',
+        message: 'CORS origin configuration should not replace proper authentication mechanisms.',
+        line: node.loc ? node.loc.start.line : 1,
+        column: node.loc ? node.loc.start.column + 1 : 1,
+        filePath: filePath,
+        type: 'cors_origin_auth'
+      });
+    }
+  }
+
+  checkConditionalOriginAuth(path, violations, filePath) {
+    const node = path.node;
+    
+    // Check if condition involves origin header and authentication
+    if (this.hasOriginInCondition(node.test) && this.hasAuthInBlock(node.consequent)) {
+      violations.push({
+        ruleId: this.ruleId,
+        severity: 'error',
+        message: 'Conditional authentication based on Origin header is insecure. Use proper authentication tokens.',
+        line: node.loc ? node.loc.start.line : 1,
+        column: node.loc ? node.loc.start.column + 1 : 1,
+        filePath: filePath,
+        type: 'conditional_origin_auth'
+      });
+    }
+  }
+
+  checkOriginAssignment(path, violations, filePath) {
+    const node = path.node;
+    
+    // Check for assignments involving origin header in auth context
+    if (this.isOriginRelatedAssignment(node) && this.isInAuthenticationContext(path)) {
+      violations.push({
+        ruleId: this.ruleId,
+        severity: 'warning',
+        message: 'Origin header values should not be assigned for authentication purposes.',
+        line: node.loc ? node.loc.start.line : 1,
+        column: node.loc ? node.loc.start.column + 1 : 1,
+        filePath: filePath,
+        type: 'origin_assignment_auth'
+      });
+    }
+  }
+
+  isOriginHeaderAccess(node) {
+    // req.headers.origin
+    if (node.type === 'MemberExpression' &&
+        node.object && node.object.type === 'MemberExpression' &&
+        node.object.property && node.object.property.name === 'headers' &&
+        node.property && (node.property.name === 'origin' || 
+        (node.property.type === 'StringLiteral' && node.property.value === 'origin'))) {
+      return true;
+    }
+    
+    // headers.origin or headers['origin']
+    if (node.type === 'MemberExpression' &&
+        node.object && node.object.name === 'headers' &&
+        node.property && (node.property.name === 'origin' ||
+        (node.property.type === 'StringLiteral' && node.property.value === 'origin'))) {
+      return true;
+    }
+    
+    return false;
+  }
+
+  isOriginHeaderMethod(node) {
+    if (node.type !== 'CallExpression' || !node.callee) return false;
+    
+    const callee = node.callee;
+    
+    // req.get('origin'), req.header('origin')
+    if (callee.type === 'MemberExpression' &&
+        callee.property && (callee.property.name === 'get' || callee.property.name === 'header') &&
+        node.arguments && node.arguments.length > 0 &&
+        node.arguments[0].type === 'StringLiteral' &&
+        node.arguments[0].value.toLowerCase() === 'origin') {
+      return true;
+    }
+    
+    // getHeader('origin')
+    if (callee.type === 'Identifier' && callee.name === 'getHeader' &&
+        node.arguments && node.arguments.length > 0 &&
+        node.arguments[0].type === 'StringLiteral' &&
+        node.arguments[0].value.toLowerCase() === 'origin') {
+      return true;
+    }
+    
+    return false;
+  }
+
+  isCORSOriginAuth(node) {
+    if (node.type !== 'CallExpression' || !node.callee) return false;
+    
+    // Check for CORS configuration calls
+    const callee = node.callee;
+    if (callee.type === 'Identifier' && callee.name === 'cors' ||
+        (callee.type === 'MemberExpression' && callee.property && callee.property.name === 'cors')) {
+      
+      // Check if arguments contain auth-related configuration
+      if (node.arguments && node.arguments.length > 0) {
+        const config = node.arguments[0];
+        if (config.type === 'ObjectExpression') {
+          return config.properties.some(prop => 
+            this.isPropertyWithAuthKeyword(prop) && this.hasOriginReference(prop)
+          );
+        }
+      }
+    }
+    
+    return false;
+  }
+
+  hasOriginInCondition(testNode) {
+    if (!testNode) return false;
+    
+    // Recursively check for origin references in condition
+    if (testNode.type === 'MemberExpression') {
+      return this.isOriginHeaderAccess(testNode);
+    }
+    
+    if (testNode.type === 'CallExpression') {
+      return this.isOriginHeaderMethod(testNode);
+    }
+    
+    if (testNode.type === 'BinaryExpression') {
+      return this.hasOriginInCondition(testNode.left) || this.hasOriginInCondition(testNode.right);
+    }
+    
+    if (testNode.type === 'LogicalExpression') {
+      return this.hasOriginInCondition(testNode.left) || this.hasOriginInCondition(testNode.right);
+    }
+    
+    return false;
+  }
+
+  hasAuthInBlock(blockNode) {
+    if (!blockNode) return false;
+    
+    const authKeywords = ['auth', 'login', 'token', 'session', 'user', 'permission', 'access'];
+    
+    // Simple check for auth-related identifiers in the block
+    let hasAuth = false;
+    
+    try {
+      traverse(blockNode, {
+        Identifier: (path) => {
+          if (path.node && path.node.name && authKeywords.some(keyword => 
+            path.node.name.toLowerCase().includes(keyword))) {
+            hasAuth = true;
+            path.stop();
+          }
+        },
+        StringLiteral: (path) => {
+          if (path.node && path.node.value && authKeywords.some(keyword => 
+            path.node.value.toLowerCase().includes(keyword))) {
+            hasAuth = true;
+            path.stop();
+          }
+        }
+      }, this);
+    } catch (error) {
+      // Ignore traverse errors, return false
+      return false;
+    }
+    
+    return hasAuth;
+  }
+
+  isInAuthenticationContext(path) {
+    // Check parent nodes for authentication context
+    let currentPath = path;
+    let depth = 0;
+    const maxDepth = 10;
+    
+    while (currentPath && depth < maxDepth) {
+      const node = currentPath.node;
+      
+      // Check function names
+      if (node.type === 'FunctionDeclaration' || node.type === 'FunctionExpression' || 
+          node.type === 'ArrowFunctionExpression') {
+        if (this.hasAuthInName(node.id?.name)) {
+          return true;
+        }
+      }
+      
+      // Check variable declarations
+      if (node.type === 'VariableDeclarator' && this.hasAuthInName(node.id?.name)) {
+        return true;
+      }
+      
+      // Check object property names
+      if (node.type === 'ObjectProperty' && this.hasAuthInName(node.key?.name || node.key?.value)) {
+        return true;
+      }
+      
+      currentPath = currentPath.parent;
+      depth++;
+    }
+    
+    return false;
+  }
+
+  hasAuthInName(name) {
+    if (!name) return false;
+    
+    const authKeywords = [
+      'auth', 'login', 'logout', 'authenticate', 'authorize',
+      'permission', 'access', 'token', 'session', 'user',
+      'verify', 'validate', 'check', 'guard', 'protect',
+      'middleware', 'passport', 'jwt', 'bearer'
+    ];
+    
+    const lowerName = name.toLowerCase();
+    return authKeywords.some(keyword => lowerName.includes(keyword));
+  }
+
+  isOriginRelatedAssignment(node) {
+    if (node.type !== 'AssignmentExpression') return false;
+    
+    // Check if right side involves origin header
+    return this.hasOriginReference(node.right);
+  }
+
+  hasOriginReference(node) {
+    if (!node) return false;
+    
+    if (node.type === 'MemberExpression') {
+      return this.isOriginHeaderAccess(node);
+    }
+    
+    if (node.type === 'CallExpression') {
+      return this.isOriginHeaderMethod(node);
+    }
+    
+    if (node.type === 'Identifier' && node.name.toLowerCase().includes('origin')) {
+      return true;
+    }
+    
+    if (node.type === 'StringLiteral' && node.value.toLowerCase().includes('origin')) {
+      return true;
+    }
+    
+    return false;
+  }
+
+  isPropertyWithAuthKeyword(prop) {
+    if (!prop || prop.type !== 'ObjectProperty') return false;
+    
+    const key = prop.key?.name || prop.key?.value;
+    if (!key) return false;
+    
+    return this.hasAuthInName(key);
+  }
+
+  // Fallback regex analysis
+  analyzeWithRegex(content, filePath, options = {}) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      
+      // Basic regex check for origin header in auth context
+      const originAuthPattern = /(?:req\.headers\.origin|req\.get\s*\(\s*['"`]origin['"`]\s*\)).*(?:auth|login|token|permission)/i;
+      if (originAuthPattern.test(line)) {
+        violations.push({
+          ruleId: this.ruleId,
+          severity: 'error',
+          message: 'Origin header should not be used for authentication (detected via regex fallback).',
+          line: lineNumber,
+          column: line.search(/origin/i) + 1,
+          filePath: filePath,
+          type: 'origin_auth_regex'
+        });
+      }
+    });
+
+    return violations;
+  }
+}
+
+module.exports = S005ASTAnalyzer;

package/rules/security/S005_no_origin_auth/config.json

@@ -0,0 +1,85 @@
+{
+  "ruleId": "S005",
+  "name": "No Origin Header Authentication",
+  "description": "Do not use Origin header for authentication or access control",
+  "category": "security",
+  "severity": "error",
+  "languages": ["typescript", "javascript"],
+  "version": "1.0.0",
+  "status": "stable",
+  "tags": ["security", "authentication", "headers", "origin", "access-control"],
+  
+  "patterns": {
+    "vulnerable": [
+      "req.headers.origin in authentication context",
+      "req.get('origin') for access control",
+      "Origin-based conditional authentication",
+      "CORS origin configuration mixed with auth",
+      "Express middleware using origin for security"
+    ],
+    "secure": [
+      "JWT token authentication",
+      "Session-based authentication",
+      "API key authentication",
+      "OAuth 2.0 flows",
+      "Proper CORS configuration without auth reliance"
+    ]
+  },
+  
+  "configuration": {
+    "checkAuthContext": true,
+    "checkMiddleware": true,
+    "checkConditionals": true,
+    "checkCORSMixing": true,
+    "contextDepth": 3,
+    "ignoreComments": true
+  },
+  
+  "examples": {
+    "violations": [
+      {
+        "code": "if (req.headers.origin === 'trusted.com') { req.authenticated = true; }",
+        "reason": "Using Origin header for authentication is insecure"
+      },
+      {
+        "code": "const authMiddleware = (req, res, next) => { if (req.get('origin') === 'admin.com') next(); }",
+        "reason": "Middleware should not rely on Origin header for access control"
+      }
+    ],
+    "valid": [
+      {
+        "code": "const token = req.headers.authorization; jwt.verify(token, secret, callback);",
+        "reason": "Proper JWT token authentication"
+      },
+      {
+        "code": "console.log('Request from:', req.headers.origin);",
+        "reason": "Using Origin header for logging only, not authentication"
+      }
+    ]
+  },
+  
+  "remediation": {
+    "recommendations": [
+      "Use JWT tokens for authentication",
+      "Implement session-based authentication",
+      "Use API keys for service authentication",
+      "Implement OAuth 2.0 for third-party authentication",
+      "Use proper CORS configuration without relying on it for authentication"
+    ],
+    "resources": [
+      "https://owasp.org/www-community/vulnerabilities/CORS_OriginHeaderScrutiny",
+      "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin",
+      "https://auth0.com/docs/secure/tokens/json-web-tokens"
+    ]
+  },
+  
+  "performance": {
+    "complexity": "O(n)",
+    "accuracy": {
+      "ast": 95,
+      "regex": 85
+    },
+    "falsePositiveRate": "< 5%",
+    "coverage": "High for TypeScript/JavaScript"
+  }
+}

package/rules/security/S006_no_plaintext_recovery_codes/README.md

@@ -0,0 +1,139 @@
+# S006 - No Plaintext Recovery/Activation Codes
+
+## Overview
+Quy tắc này phát hiện việc gửi mã khôi phục (recovery codes), mã kích hoạt (activation codes), hoặc mã xác thực (verification codes) dưới dạng plaintext, có thể dẫn đến các lỗ hổng bảo mật nghiêm trọng.
+
+## OWASP Classification
+- **Category**: A02:2021 - Cryptographic Failures
+- **CWE**: CWE-319 - Cleartext Transmission of Sensitive Information
+- **Severity**: Error
+- **Impact**: High (Account takeover, unauthorized access)
+
+## Vấn đề
+Khi gửi các mã nhạy cảm như recovery codes, activation codes, hoặc OTP codes dưới dạng plaintext:
+
+1. **Nguy cơ bị chặn bắt**: Mã có thể bị đánh cắp qua các kênh không an toàn
+2. **Account takeover**: Kẻ tấn công có thể sử dụng mã để chiếm quyền điều khiển tài khoản
+3. **Lưu trữ không an toàn**: Mã có thể bị lưu trong logs hoặc cache
+4. **Man-in-the-middle attacks**: Mã có thể bị chặn bắt trong quá trình truyền tải
+
+## Các trường hợp vi phạm
+
+### 1. Gửi mã qua email không mã hóa
+```javascript
+// ❌ Vi phạm - gửi activation code dạng plaintext
+const activationCode = generateCode();
+await sendEmail(user.email, \`Your activation code is: \${activationCode}\`);
+
+// ❌ Vi phạm - trả về recovery code trong API response
+app.post('/forgot-password', (req, res) => {
+  const recoveryCode = generateRecoveryCode();
+  res.json({ 
+    message: 'Password reset initiated',
+    recoveryCode: recoveryCode  // Nguy hiểm!
+  });
+});
+```
+
+### 2. Lưu mã trong logs
+```javascript
+// ❌ Vi phạm - log OTP code
+const otpCode = generateOTP();
+console.log(\`Generated OTP for user \${userId}: \${otpCode}\`);
+logger.info(\`Sending verification code: \${verificationCode}\`);
+```
+
+### 3. Hiển thị mã trong response body
+```javascript
+// ❌ Vi phạm - trả về mã trong response
+const resetCode = await generateResetCode(userId);
+return {
+  success: true,
+  resetCode: resetCode,
+  message: 'Check your email'
+};
+```
+
+## Giải pháp an toàn
+
+### 1. Mã hóa mã trước khi gửi
+```javascript
+// ✅ An toàn - hash mã trước khi lưu trữ
+const activationCode = generateCode();
+const hashedCode = await bcrypt.hash(activationCode, 10);
+await saveToDatabase({ userId, hashedCode });
+
+// Chỉ gửi mã qua kênh an toàn
+await sendSecureEmail(user.email, activationCode);
+```
+
+### 2. Sử dụng token thay vì mã trực tiếp
+```javascript
+// ✅ An toàn - sử dụng secure token
+const resetToken = jwt.sign({ userId, purpose: 'reset' }, SECRET_KEY, { expiresIn: '15m' });
+const resetLink = \`https://app.com/reset?token=\${resetToken}\`;
+await sendEmail(user.email, \`Click here to reset: \${resetLink}\`);
+```
+
+### 3. Chỉ thông báo thành công, không trả về mã
+```javascript
+// ✅ An toàn - không expose mã
+app.post('/send-otp', async (req, res) => {
+  const otp = generateOTP();
+  await sendSMSOTP(user.phone, otp);
+  
+  res.json({ 
+    success: true,
+    message: 'OTP sent to your phone'
+    // Không trả về OTP
+  });
+});
+```
+
+### 4. Logging an toàn
+```javascript
+// ✅ An toàn - log mà không expose mã
+const verificationCode = generateCode();
+logger.info(\`Verification code sent to user \${userId}\`);
+// Không log mã thực tế
+```
+
+## Phương pháp phát hiện
+
+Rule này sử dụng heuristic analysis để phát hiện:
+
+1. **Pattern matching**: Tìm kiếm các từ khóa như `recovery`, `activation`, `reset`, `otp`, `verification` kết hợp với `send`, `email`, `response`
+2. **Variable analysis**: Phân tích tên biến có chứa từ khóa nhạy cảm
+3. **Context analysis**: Kiểm tra ngữ cảnh truyền tải (HTTP response, email, SMS)
+4. **String literal analysis**: Phát hiện mã được hardcode trong chuỗi
+
+## Cấu hình
+
+```json
+{
+  "S006": {
+    "enabled": true,
+    "severity": "error",
+    "excludePatterns": [
+      "test/**",
+      "**/*.test.js",
+      "**/*.spec.js"
+    ]
+  }
+}
+```
+
+## Best Practices
+
+1. **Luôn mã hóa**: Mã hóa tất cả mã nhạy cảm trước khi truyền tải
+2. **Sử dụng HTTPS**: Đảm bảo tất cả API endpoints sử dụng HTTPS
+3. **Time-limited tokens**: Sử dụng tokens có thời hạn thay vì mã tĩnh
+4. **Secure channels**: Sử dụng các kênh truyền tải an toàn (encrypted email, secure SMS)
+5. **No logging**: Không bao giờ log mã nhạy cảm
+6. **Hash storage**: Luôn hash mã trước khi lưu vào database
+
+## Tài liệu tham khảo
+
+- [OWASP A02:2021 - Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)
+- [CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html)
+- [NIST Guidelines for Password Recovery](https://pages.nist.gov/800-63-3/sp800-63b.html)