@sun-asterisk/sunlint 1.2.2 → 1.3.1

package/rules/security/S006_no_plaintext_recovery_codes/analyzer.js

@@ -0,0 +1,306 @@
+/**
+ * Heuristic analyzer for S006 - No Plaintext Recovery/Activation Codes
+ * Purpose: Detect sending recovery codes, activation codes, or reset codes in plaintext
+ * Based on OWASP A02:2021 - Cryptographic Failures
+ */
+
+class S006Analyzer {
+  constructor() {
+    this.ruleId = 'S006';
+    this.ruleName = 'No Plaintext Recovery/Activation Codes';
+    this.description = 'Do not send recovery or activation codes in plaintext';
+    
+    // Keywords that indicate sensitive codes
+    this.sensitiveCodeKeywords = [
+      'recovery', 'activation', 'reset', 'verification', 'confirm', 'verify',
+      'otp', 'totp', 'code', 'pin', 'token', 'secret', 'key', 'password'
+    ];
+    
+    // Keywords that indicate code sending/transmission
+    this.sendingKeywords = [
+      'send', 'email', 'sms', 'text', 'message', 'mail', 'push', 'notify',
+      'transmit', 'deliver', 'dispatch', 'forward', 'post', 'put', 'create',
+      'response', 'body', 'content', 'payload', 'data'
+    ];
+    
+    // Patterns that indicate plaintext transmission
+    this.plaintextPatterns = [
+      // Email/SMS sending with codes
+      /(?:send|email|sms|text|message).*(?:recovery|activation|reset|verification|otp|code|pin)/i,
+      /(?:recovery|activation|reset|verification|otp|code|pin).*(?:send|email|sms|text|message)/i,
+      
+      // HTTP responses with codes in body
+      /(?:response|body|json|data|payload).*(?:recovery|activation|reset|verification|otp|code|pin)/i,
+      /(?:recovery|activation|reset|verification|otp|code|pin).*(?:response|body|json|data|payload)/i,
+      
+      // Direct code exposure in strings
+      /".*(?:recovery|activation|reset|verification|otp|code|pin).*"/i,
+      /'.*(?:recovery|activation|reset|verification|otp|code|pin).*'/i,
+      /`.*(?:recovery|activation|reset|verification|otp|code|pin).*`/i,
+      
+      // Template strings with codes
+      /\$\{.*(?:recovery|activation|reset|verification|otp|code|pin).*\}/i,
+      
+      // API endpoint responses
+      /return.*(?:recovery|activation|reset|verification|otp|code|pin)/i,
+      /res\.(?:send|json|end).*(?:recovery|activation|reset|verification|otp|code|pin)/i,
+    ];
+    
+    // Patterns that should be excluded (safe practices)
+    this.safePatterns = [
+      // Hashed or encrypted codes
+      /hash|encrypt|cipher|bcrypt|crypto|secure/i,
+      
+      // Environment variables or config
+      /process\.env|config\.|getenv/i,
+      
+      // Database storage (not transmission)
+      /save|store|insert|update|database|db\./i,
+      
+      // Logging patterns (depends on context but often acceptable for debugging)
+      /log|debug|trace|console/i,
+      
+      // Comments and documentation
+      /\/\/|\/\*|\*\/|@param|@return|@example/,
+      
+      // Type definitions and interfaces
+      /interface|type|enum|class.*\{/i,
+      
+      // Import/export statements
+      /import|export|require|module\.exports/i,
+      
+      // Safe message patterns (no actual codes exposed)
+      /instructions sent|sent to|check your|please enter|has been sent|successfully sent|we've sent|click the link|enter the code|will expire/i,
+      
+      // Configuration and constants
+      /const\s+\w+\s*=|enum\s+\w+|type\s+\w+/i,
+      
+      // Function definitions
+      /function\s+\w+|async\s+\w+|\w+\s*\(/i,
+      
+      // Return statements with safe messages
+      /return\s*\{[^}]*success[^}]*\}/i,
+    ];
+    
+    // Common safe variable names that might contain keywords
+    this.safeVariableNames = [
+      /^(is|has|can|should|will|enable|disable|show|hide|display).*code/i,
+      /^.*type$/i,
+      /^.*config$/i,
+      /^.*setting$/i,
+      /^.*option$/i,
+      /^.*flag$/i,
+    ];
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      // Skip test files, build directories, and node_modules
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+      
+      try {
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+    
+    return violations;
+  }
+
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      'test/', 'tests/', '__tests__/', '.test.', '.spec.',
+      'node_modules/', 'build/', 'dist/', '.next/', 'coverage/',
+      'vendor/', 'mocks/', '.mock.'
+      // Removed 'fixtures/' to allow testing
+    ];
+    
+    return skipPatterns.some(pattern => filePath.includes(pattern));
+  }
+
+  analyzeFile(content, filePath, options = {}) {
+    const violations = [];
+    const lines = content.split('\n');
+    
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      const trimmedLine = line.trim();
+      
+      // Skip comments, imports, and empty lines
+      if (this.shouldSkipLine(trimmedLine)) {
+        return;
+      }
+      
+      // Check for potential plaintext code transmission
+      const violation = this.checkForPlaintextCodeTransmission(line, lineNumber, filePath);
+      if (violation) {
+        violations.push(violation);
+      }
+    });
+    
+    return violations;
+  }
+
+  shouldSkipLine(line) {
+    // Skip comments, imports, and other non-code lines
+    return (
+      line.length === 0 ||
+      line.startsWith('//') ||
+      line.startsWith('/*') ||
+      line.startsWith('*') ||
+      line.startsWith('import ') ||
+      line.startsWith('export ') ||
+      line.startsWith('require(') ||
+      line.includes('module.exports')
+    );
+  }
+
+  checkForPlaintextCodeTransmission(line, lineNumber, filePath) {
+    const lowerLine = line.toLowerCase();
+    
+    // First check if line contains safe patterns (early exit)
+    if (this.containsSafePattern(line)) {
+      return null;
+    }
+    
+    // Check for variable assignments with sensitive names
+    const sensitiveAssignment = this.checkSensitiveAssignment(line, lineNumber, filePath);
+    if (sensitiveAssignment) {
+      return sensitiveAssignment;
+    }
+    
+    // Check for direct plaintext patterns
+    for (const pattern of this.plaintextPatterns) {
+      if (pattern.test(line)) {
+        // Additional context check to reduce false positives
+        if (this.hasTransmissionContext(line)) {
+          return {
+            ruleId: this.ruleId,
+            severity: 'error',
+            message: 'Recovery/activation codes should not be transmitted in plaintext. Use encrypted channels or hash the codes.',
+            line: lineNumber,
+            column: this.findPatternColumn(line, pattern),
+            filePath: filePath,
+            type: 'plaintext_code_transmission',
+            details: 'Consider using encrypted communication or sending only hashed/masked versions of sensitive codes.'
+          };
+        }
+      }
+    }
+    
+    return null;
+  }
+
+  containsSafePattern(line) {
+    return this.safePatterns.some(pattern => pattern.test(line));
+  }
+
+  checkSensitiveAssignment(line, lineNumber, filePath) {
+    // Look for variable assignments that combine sensitive codes with transmission
+    const assignmentMatch = line.match(/(?:const|let|var)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=\s*(.+)/);
+    if (!assignmentMatch) {
+      return null;
+    }
+    
+    const [, variableName, valueExpr] = assignmentMatch;
+    const lowerVarName = variableName.toLowerCase();
+    const lowerValueExpr = valueExpr.toLowerCase();
+    
+    // Skip safe variable names
+    if (this.safeVariableNames.some(pattern => pattern.test(lowerVarName))) {
+      return null;
+    }
+    
+    // Check if variable name suggests code transmission
+    const hasSensitiveCodeKeyword = this.sensitiveCodeKeywords.some(keyword => 
+      lowerVarName.includes(keyword)
+    );
+    
+    const hasSendingKeyword = this.sendingKeywords.some(keyword => 
+      lowerVarName.includes(keyword) || lowerValueExpr.includes(keyword)
+    );
+    
+    if (hasSensitiveCodeKeyword && hasSendingKeyword) {
+      // Check if the value looks like it contains actual codes or sensitive data
+      if (this.valueContainsCodes(valueExpr)) {
+        return {
+          ruleId: this.ruleId,
+          severity: 'warning',
+          message: `Variable '${variableName}' appears to handle sensitive codes for transmission. Ensure codes are encrypted or hashed.`,
+          line: lineNumber,
+          column: line.indexOf(variableName) + 1,
+          filePath: filePath,
+          type: 'sensitive_code_variable',
+          variableName: variableName,
+          details: 'Consider encrypting sensitive codes before transmission or use secure communication channels.'
+        };
+      }
+    }
+    
+    return null;
+  }
+
+  hasTransmissionContext(line) {
+    const transmissionIndicators = [
+      // HTTP response methods
+      /res\.(?:send|json|status|end)/i,
+      /response\.(?:send|json|status|end)/i,
+      /return.*(?:json|response|status)/i,
+      
+      // Email/SMS functions
+      /(?:sendEmail|sendSMS|sendMessage|notify|mail)/i,
+      
+      // Template rendering
+      /render|template|view|html|email/i,
+      
+      // API responses
+      /\.json\(|\.send\(|\.end\(/,
+      
+      // String concatenation or template literals with codes
+      /\+.*['"`]|['"`].*\+|\$\{.*\}/,
+    ];
+    
+    return transmissionIndicators.some(indicator => indicator.test(line));
+  }
+
+  valueContainsCodes(valueExpr) {
+    // Check if the value expression contains actual code patterns or user data
+    const codePatterns = [
+      // Template strings with variables
+      /\$\{[^}]+\}/,
+      
+      // String concatenation
+      /\+\s*[a-zA-Z_$]/,
+      
+      // Function calls that might return codes
+      /\w+\([^)]*\)/,
+      
+      // Property access that might be codes
+      /\w+\.\w+/,
+      
+      // Array/object access
+      /\[.*\]/,
+      
+      // Direct string literals that look like codes (6+ chars with mixed case/numbers)
+      /['"`][a-zA-Z0-9]{6,}['"`]/,
+    ];
+    
+    return codePatterns.some(pattern => pattern.test(valueExpr));
+  }
+
+  findPatternColumn(line, pattern) {
+    const match = pattern.exec(line);
+    return match ? match.index + 1 : 1;
+  }
+}
+
+module.exports = S006Analyzer;

package/rules/security/S006_no_plaintext_recovery_codes/config.json

@@ -0,0 +1,48 @@
+{
+  "ruleId": "S006",
+  "name": "No Plaintext Recovery/Activation Codes",
+  "description": "Do not send recovery or activation codes in plaintext",
+  "category": "security",
+  "severity": "error",
+  "languages": ["All languages"],
+  "tags": ["security", "owasp", "cryptographic-failures", "authentication"],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A02:2021 - Cryptographic Failures",
+    "cweId": "CWE-319",
+    "description": "Sending recovery codes, activation codes, or reset codes in plaintext over insecure channels can lead to account takeover attacks. These sensitive codes should be encrypted during transmission or sent through secure channels.",
+    "impact": "High - Account takeover, unauthorized access",
+    "likelihood": "Medium",
+    "remediation": "Use encrypted communication channels, hash codes before transmission, or implement time-limited secure tokens"
+  },
+  "patterns": {
+    "vulnerable": [
+      "Sending activation codes in email body as plaintext",
+      "Including reset codes in unencrypted API responses",
+      "Transmitting OTP codes without encryption",
+      "Exposing verification codes in logs or debug output"
+    ],
+    "secure": [
+      "Using encrypted email for code transmission",
+      "Hashing codes before database storage",
+      "Implementing secure token-based authentication",
+      "Using HTTPS for all code-related API endpoints"
+    ]
+  },
+  "examples": {
+    "violations": [
+      "res.json({ resetCode: user.resetCode });",
+      "await sendEmail(`Your activation code is: ${activationCode}`);",
+      "const message = `OTP: ${otp}`;",
+      "console.log('Recovery code:', recoveryCode);"
+    ],
+    "fixes": [
+      "res.json({ message: 'Reset code sent to email' });",
+      "await sendEncryptedEmail(activationCode);",
+      "const hashedOtp = await hash(otp);",
+      "logger.info('Recovery code sent successfully');"
+    ]
+  }
+}

package/rules/security/S007_no_plaintext_otp/README.md

@@ -0,0 +1,198 @@
+# S007: No Plaintext OTP
+
+## Mô tả
+
+Rule này phát hiện việc lưu trữ hoặc truyền tải OTP (One-Time Password) codes dưới dạng plaintext. Theo OWASP A02:2021 - Cryptographic Failures, việc lưu trữ OTP không được mã hóa có thể dẫn đến các cuộc tấn công chiếm quyền tài khoản.
+
+## Vấn đề bảo mật
+
+- **CWE-256**: Unprotected Storage of Credentials
+- **OWASP A02:2021**: Cryptographic Failures
+- **Impact**: Cao - Chiếm quyền tài khoản, truy cập trái phép vào các tài khoản được bảo vệ bằng 2FA
+- **Likelihood**: Trung bình
+
+## Các trường hợp vi phạm
+
+### 1. Lưu trữ OTP plaintext trong database
+
+❌ **Vi phạm:**
+```javascript
+const otpCode = '123456';
+await db.users.update({ userId }, { otpCode });
+
+// Hoặc
+const query = `INSERT INTO users (otp) VALUES ('${otp}')`;
+```
+
+✅ **Đúng cách:**
+```javascript
+const hashedOtp = await bcrypt.hash(otpCode, 10);
+await db.users.update({ userId }, { otpCode: hashedOtp });
+
+// Hoặc
+const salt = crypto.randomBytes(16).toString('hex');
+const hashedOtp = crypto.createHash('sha256').update(otp + salt).digest('hex');
+const query = `INSERT INTO users (otp_hash, salt) VALUES ('${hashedOtp}', '${salt}')`;
+```
+
+### 2. Trả về OTP trong API response
+
+❌ **Vi phạm:**
+```javascript
+res.json({ 
+  success: true, 
+  otp: user.otpCode,
+  verificationCode: generatedOtp
+});
+```
+
+✅ **Đúng cách:**
+```javascript
+res.json({ 
+  success: true, 
+  message: 'OTP sent to registered phone number',
+  otpSent: true
+});
+```
+
+### 3. Lưu trữ OTP trong localStorage/sessionStorage
+
+❌ **Vi phạm:**
+```javascript
+localStorage.setItem('otp', otpCode);
+sessionStorage.otpCode = generatedOtp;
+```
+
+✅ **Đúng cách:**
+```javascript
+const encryptedOtp = encrypt(otpCode);
+localStorage.setItem('otp', encryptedOtp);
+
+// Hoặc tốt hơn: không lưu OTP trong browser storage
+// Chỉ lưu token đã mã hóa hoặc session identifier
+```
+
+### 4. Ghi log OTP codes
+
+❌ **Vi phạm:**
+```javascript
+console.log('User OTP:', otpCode);
+logger.info(`Generated OTP: ${otp} for user ${userId}`);
+```
+
+✅ **Đúng cách:**
+```javascript
+console.log('OTP sent successfully to user');
+logger.info(`OTP generated and sent to user ${userId}`);
+```
+
+### 5. Gửi OTP qua email/SMS không mã hóa
+
+❌ **Vi phạm:**
+```javascript
+await sendSMS(`Your OTP is: ${otpCode}`);
+await sendEmail('OTP Verification', `Your code: ${otp}`);
+```
+
+✅ **Đúng cách:**
+```javascript
+await sendEncryptedSMS(otpCode); // Sử dụng kênh mã hóa
+await sendSecureEmail('OTP Verification', { otp: encryptedOtp });
+```
+
+## Cách khắc phục
+
+### 1. Mã hóa OTP trước khi lưu trữ
+
+```javascript
+// Sử dụng bcrypt
+const hashedOtp = await bcrypt.hash(otpCode, 10);
+
+// Sử dụng crypto với salt
+const salt = crypto.randomBytes(16).toString('hex');
+const hashedOtp = crypto.createHash('sha256').update(otp + salt).digest('hex');
+
+// Sử dụng HMAC
+const hmac = crypto.createHmac('sha256', secretKey);
+hmac.update(otp);
+const hashedOtp = hmac.digest('hex');
+```
+
+### 2. Sử dụng token thay vì OTP plaintext
+
+```javascript
+// Tạo encrypted token thay vì lưu OTP trực tiếp
+const otpToken = jwt.sign(
+  { userId, otp: hashedOtp, exp: Date.now() + 300000 }, // 5 phút
+  process.env.JWT_SECRET
+);
+
+// Lưu token thay vì OTP
+await db.otpTokens.create({ userId, token: otpToken });
+```
+
+### 3. Xác thực OTP an toàn
+
+```javascript
+// Thay vì so sánh plaintext
+async function verifyOtp(userId, inputOtp) {
+  const user = await db.users.findOne({ userId });
+  
+  // So sánh với hash
+  const isValid = await bcrypt.compare(inputOtp, user.otpHash);
+  
+  if (isValid) {
+    // Xóa OTP sau khi sử dụng
+    await db.users.update({ userId }, { otpHash: null });
+  }
+  
+  return isValid;
+}
+```
+
+### 4. Sử dụng thư viện OTP chuyên dụng
+
+```javascript
+const speakeasy = require('speakeasy');
+
+// Tạo TOTP (Time-based OTP)
+const secret = speakeasy.generateSecret({
+  name: 'Your App',
+  length: 20
+});
+
+// Xác thực TOTP
+const verified = speakeasy.totp.verify({
+  secret: user.secret,
+  encoding: 'base32',
+  token: userInputToken,
+  window: 2
+});
+```
+
+## Cấu hình rule
+
+```json
+{
+  "S007": {
+    "checkStorage": true,
+    "checkTransmission": true,
+    "checkLogging": true,
+    "checkResponses": true,
+    "checkLocalStorage": true,
+    "strictMode": false
+  }
+}
+```
+
+## Các rule liên quan
+
+- **S006**: No Plaintext Recovery/Activation Codes
+- **S012**: No Hardcoded Secrets  
+- **S027**: No Hardcoded Secrets Advanced
+
+## Tài liệu tham khảo
+
+- [OWASP Top 10 2021 - A02 Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)
+- [CWE-256: Unprotected Storage of Credentials](https://cwe.mitre.org/data/definitions/256.html)
+- [NIST SP 800-63B Authentication Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html)