@sun-asterisk/sunlint 1.3.0 → 1.3.2

package/rules/security/S009_no_insecure_encryption/analyzer.js

@@ -0,0 +1,319 @@
+/**
+ * Heuristic analyzer for S009 - No Insecure Encryption Modes, Padding, or Cryptographic Algorithms
+ * Purpose: Detect usage of insecure encryption algorithms, modes, and padding schemes
+ * Based on OWASP A02:2021 - Cryptographic Failures
+ */
+
+class S009Analyzer {
+  constructor() {
+    this.ruleId = 'S009';
+    this.ruleName = 'No Insecure Encryption Modes, Padding, or Cryptographic Algorithms';
+    this.description = 'Do not use insecure encryption modes, padding, or cryptographic algorithms';
+    
+    // Insecure symmetric encryption algorithms
+    this.insecureSymmetricAlgorithms = [
+      'des', 'des-cbc', 'des-ecb', 'des-cfb', 'des-ofb',
+      '3des', 'des-ede', 'des-ede-cbc', 'des-ede-cfb', 'des-ede-ofb',
+      'des-ede3', 'des-ede3-cbc', 'des-ede3-cfb', 'des-ede3-ofb',
+      'rc2', 'rc2-cbc', 'rc2-ecb', 'rc2-cfb', 'rc2-ofb',
+      'rc4', 'rc4-40', 'rc4-hmac-md5',
+      'blowfish', 'bf', 'bf-cbc', 'bf-ecb', 'bf-cfb', 'bf-ofb'
+    ];
+    
+    // Insecure block cipher modes
+    this.insecureModes = [
+      'ecb', 'electronic-codebook'
+    ];
+    
+    // Insecure padding schemes
+    this.insecurePadding = [
+      'pkcs1', 'pkcs1_5', 'pkcs1-padding', 'rsa_pkcs1_padding',
+      'no-padding', 'nopadding'
+    ];
+    
+    // Insecure hash algorithms
+    this.insecureHashAlgorithms = [
+      'md2', 'md4', 'md5',
+      'sha', 'sha1', 'sha-1',
+      'ripemd', 'ripemd128', 'ripemd160'
+    ];
+    
+    // Insecure key derivation functions
+    this.insecureKDFs = [
+      'pbkdf1', 'simple-hash', 'plain-hash'
+    ];
+    
+    // Common crypto libraries and their patterns
+    this.cryptoPatterns = [
+      // Node.js crypto module
+      /crypto\.createCipher\(['"`]([^'"`]+)['"`]/i,
+      /crypto\.createDecipher\(['"`]([^'"`]+)['"`]/i,
+      /crypto\.createHash\(['"`]([^'"`]+)['"`]/i,
+      /crypto\.createHmac\(['"`]([^'"`]+)['"`]/i,
+      /crypto\.pbkdf2\(['"`]([^'"`]+)['"`]/i,
+      
+      // CryptoJS patterns
+      /CryptoJS\.DES\./i,
+      /CryptoJS\.TripleDES\./i,
+      /CryptoJS\.RC4\./i,
+      /CryptoJS\.MD5\(/i,
+      /CryptoJS\.SHA1\(/i,
+      /CryptoJS\.mode\.ECB/i,
+      
+      // Java crypto patterns
+      /Cipher\.getInstance\(['"`]([^'"`]+)['"`]/i,
+      /MessageDigest\.getInstance\(['"`]([^'"`]+)['"`]/i,
+      /Mac\.getInstance\(['"`]([^'"`]+)['"`]/i,
+      /KeyGenerator\.getInstance\(['"`]([^'"`]+)['"`]/i,
+      
+      // .NET crypto patterns
+      /new\s+(DES|TripleDES|RC2|MD5|SHA1)CryptoServiceProvider/i,
+      /\.Create\(['"`](DES|TripleDES|RC2|MD5|SHA1)['"`]\)/i,
+      
+      // OpenSSL command patterns
+      /-des\b|-des3\b|-rc4\b|-md5\b|-sha1\b/i,
+      
+      // Generic algorithm references
+      /'(des|3des|rc4|md5|sha1|ecb)'/i,
+      /"(des|3des|rc4|md5|sha1|ecb)"/i,
+      /`(des|3des|rc4|md5|sha1|ecb)`/i,
+      
+      // Configuration patterns
+      /algorithm\s*[:=]\s*['"`]([^'"`]+)['"`]/i,
+      /cipher\s*[:=]\s*['"`]([^'"`]+)['"`]/i,
+      /hash\s*[:=]\s*['"`]([^'"`]+)['"`]/i,
+      /encryption\s*[:=]\s*['"`]([^'"`]+)['"`]/i,
+    ];
+    
+    // Safe patterns to avoid false positives
+    this.safePatterns = [
+      // Comments and documentation
+      /\/\/|\/\*|\*\/|@param|@return|@example|@deprecated|TODO|FIXME/i,
+      
+      // Import/export statements
+      /import|export|require|module\.exports/i,
+      
+      // Type definitions
+      /interface|type|enum|class.*\{/i,
+      
+      // Test files and mock data
+      /\.test\.|\.spec\.|mock|stub|fake|dummy/i,
+      
+      // Safe modern algorithms mentioned in context
+      /aes|rsa-oaep|sha256|sha384|sha512|bcrypt|scrypt|argon2|pbkdf2/i,
+      
+      // Configuration examples or documentation
+      /example|sample|demo|deprecated|legacy|old|insecure|weak|avoid|don't use|do not use/i,
+      
+      // Variable names that might contain keywords but are safe
+      /const\s+\w*[Nn]ame|let\s+\w*[Nn]ame|var\s+\w*[Nn]ame/i,
+      
+      // Safe usage in educational context
+      /educational|tutorial|learning|history|comparison/i,
+    ];
+    
+    // Context patterns that increase confidence of violations
+    this.violationContexts = [
+      // Direct algorithm usage
+      /encrypt|decrypt|cipher|hash|digest|sign|verify/i,
+      
+      // Configuration settings
+      /config|setting|option|parameter/i,
+      
+      // API calls
+      /\.create|\.get|\.set|\.use|\.apply/i,
+      
+      // Assignment patterns
+      /=\s*['"`]|:\s*['"`]/,
+      
+      // Function calls
+      /\([^)]*['"`][^'"`]*['"`][^)]*\)/,
+    ];
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      // Skip test files, build directories, and node_modules
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+      
+      try {
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+    
+    return violations;
+  }
+
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      'test/', 'tests/', '__tests__/', '.test.', '.spec.',
+      'node_modules/', 'build/', 'dist/', '.next/', 'coverage/',
+      'vendor/', 'mocks/', '.mock.', 'docs/', 'documentation/'
+    ];
+    
+    return skipPatterns.some(pattern => filePath.includes(pattern));
+  }
+
+  analyzeFile(content, filePath, options = {}) {
+    const violations = [];
+    const lines = content.split('\n');
+    
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      const trimmedLine = line.trim();
+      
+      // Skip comments, imports, and empty lines
+      if (this.shouldSkipLine(trimmedLine)) {
+        return;
+      }
+      
+      // Check for insecure cryptographic usage
+      const violation = this.checkForInsecureCrypto(line, lineNumber, filePath);
+      if (violation) {
+        violations.push(violation);
+      }
+    });
+    
+    return violations;
+  }
+
+  shouldSkipLine(line) {
+    // Skip comments, imports, and other non-code lines
+    return (
+      line.length === 0 ||
+      line.startsWith('//') ||
+      line.startsWith('/*') ||
+      line.startsWith('*') ||
+      line.startsWith('import ') ||
+      line.startsWith('export ') ||
+      line.startsWith('require(') ||
+      line.includes('module.exports') ||
+      line.startsWith('#') // Python/shell comments
+    );
+  }
+
+  checkForInsecureCrypto(line, lineNumber, filePath) {
+    // First check if line contains safe patterns (early exit)
+    if (this.containsSafePattern(line)) {
+      return null;
+    }
+    
+    // Check each crypto pattern
+    for (const pattern of this.cryptoPatterns) {
+      const match = pattern.exec(line);
+      if (match) {
+        const algorithm = match[1] ? match[1].toLowerCase() : '';
+        const fullMatch = match[0];
+        
+        // Check if the algorithm is insecure
+        const insecureAlgorithm = this.identifyInsecureAlgorithm(algorithm, fullMatch);
+        if (insecureAlgorithm) {
+          // Additional context check to reduce false positives
+          if (this.hasViolationContext(line)) {
+            return {
+              ruleId: this.ruleId,
+              severity: 'error',
+              message: `Insecure cryptographic algorithm detected: ${insecureAlgorithm.algorithm}. ${insecureAlgorithm.reason}`,
+              line: lineNumber,
+              column: line.indexOf(fullMatch) + 1,
+              filePath: filePath,
+              type: insecureAlgorithm.type,
+              algorithm: insecureAlgorithm.algorithm,
+              details: insecureAlgorithm.recommendation
+            };
+          }
+        }
+      }
+    }
+    
+    return null;
+  }
+
+  containsSafePattern(line) {
+    return this.safePatterns.some(pattern => pattern.test(line));
+  }
+
+  identifyInsecureAlgorithm(algorithm, fullMatch) {
+    const lowerAlgorithm = algorithm.toLowerCase();
+    const lowerFullMatch = fullMatch.toLowerCase();
+    
+    // Check symmetric encryption algorithms
+    if (this.insecureSymmetricAlgorithms.some(alg => 
+        lowerAlgorithm.includes(alg) || lowerFullMatch.includes(alg))) {
+      const matchedAlg = this.insecureSymmetricAlgorithms.find(alg => 
+        lowerAlgorithm.includes(alg) || lowerFullMatch.includes(alg));
+      
+      return {
+        algorithm: matchedAlg.toUpperCase(),
+        type: 'insecure_symmetric_encryption',
+        reason: 'This algorithm is cryptographically weak and vulnerable to attacks.',
+        recommendation: 'Use AES-256-GCM or ChaCha20-Poly1305 for symmetric encryption.'
+      };
+    }
+    
+    // Check block cipher modes
+    if (this.insecureModes.some(mode => 
+        lowerAlgorithm.includes(mode) || lowerFullMatch.includes(mode))) {
+      return {
+        algorithm: 'ECB Mode',
+        type: 'insecure_cipher_mode',
+        reason: 'ECB mode reveals patterns in plaintext and is not semantically secure.',
+        recommendation: 'Use CBC, CTR, or GCM modes with proper initialization vectors.'
+      };
+    }
+    
+    // Check hash algorithms
+    if (this.insecureHashAlgorithms.some(hash => 
+        lowerAlgorithm.includes(hash) || lowerFullMatch.includes(hash))) {
+      const matchedHash = this.insecureHashAlgorithms.find(hash => 
+        lowerAlgorithm.includes(hash) || lowerFullMatch.includes(hash));
+      
+      return {
+        algorithm: matchedHash.toUpperCase(),
+        type: 'insecure_hash_algorithm',
+        reason: 'This hash algorithm is vulnerable to collision attacks.',
+        recommendation: 'Use SHA-256, SHA-384, or SHA-512 for cryptographic hashing.'
+      };
+    }
+    
+    // Check padding schemes
+    if (this.insecurePadding.some(padding => 
+        lowerAlgorithm.includes(padding) || lowerFullMatch.includes(padding))) {
+      return {
+        algorithm: 'PKCS#1 v1.5 Padding',
+        type: 'insecure_padding_scheme',
+        reason: 'PKCS#1 v1.5 padding is vulnerable to padding oracle attacks.',
+        recommendation: 'Use OAEP padding for RSA encryption.'
+      };
+    }
+    
+    // Check key derivation functions
+    if (this.insecureKDFs.some(kdf => 
+        lowerAlgorithm.includes(kdf) || lowerFullMatch.includes(kdf))) {
+      return {
+        algorithm: 'PBKDF1',
+        type: 'insecure_key_derivation',
+        reason: 'This key derivation function is weak and vulnerable to attacks.',
+        recommendation: 'Use PBKDF2 with high iteration count, scrypt, or Argon2.'
+      };
+    }
+    
+    return null;
+  }
+
+  hasViolationContext(line) {
+    return this.violationContexts.some(context => context.test(line));
+  }
+}
+
+module.exports = S009Analyzer;

package/rules/security/S009_no_insecure_encryption/config.json

@@ -0,0 +1,55 @@
+{
+  "ruleId": "S009",
+  "name": "No Insecure Encryption Modes, Padding, or Cryptographic Algorithms",
+  "description": "Do not use insecure encryption modes, padding, or cryptographic algorithms",
+  "category": "security",
+  "severity": "error",
+  "languages": ["All languages"],
+  "tags": ["security", "owasp", "cryptographic-failures", "encryption"],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A02:2021 - Cryptographic Failures",
+    "cweId": "CWE-327",
+    "description": "Using insecure cryptographic algorithms, cipher modes, or padding schemes can lead to data exposure and compromise. Weak algorithms like DES, 3DES, RC4, MD5, and SHA1 are vulnerable to various attacks including collision attacks, brute force, and cryptanalysis.",
+    "impact": "High - Data exposure, integrity compromise, authentication bypass",
+    "likelihood": "Medium",
+    "remediation": "Use strong cryptographic algorithms (AES-256, RSA-2048+, SHA-256+), secure cipher modes (GCM, CBC with IV), and proper padding schemes (OAEP)"
+  },
+  "patterns": {
+    "vulnerable": [
+      "Using DES or 3DES for encryption",
+      "Using RC4 stream cipher",
+      "Using ECB cipher mode",
+      "Using MD5 or SHA1 for cryptographic purposes",
+      "Using PKCS#1 v1.5 padding for RSA",
+      "Using weak key derivation functions"
+    ],
+    "secure": [
+      "Using AES-256-GCM for symmetric encryption",
+      "Using RSA with OAEP padding",
+      "Using SHA-256 or stronger hash algorithms",
+      "Using proper cipher modes with initialization vectors",
+      "Using PBKDF2, scrypt, or Argon2 for key derivation"
+    ]
+  },
+  "examples": {
+    "violations": [
+      "crypto.createCipher('des', key);",
+      "crypto.createHash('md5');",
+      "Cipher.getInstance('DES/ECB/PKCS5Padding');",
+      "CryptoJS.DES.encrypt(data, key);",
+      "algorithm: 'rc4'",
+      "new DESCryptoServiceProvider();"
+    ],
+    "fixes": [
+      "crypto.createCipher('aes-256-gcm', key);",
+      "crypto.createHash('sha256');",
+      "Cipher.getInstance('AES/GCM/NoPadding');",
+      "CryptoJS.AES.encrypt(data, key);",
+      "algorithm: 'aes-256-gcm'",
+      "new AesCryptoServiceProvider();"
+    ]
+  }
+}

package/rules/security/S010_no_insecure_encryption/README.md

@@ -0,0 +1,224 @@
+# S010 - Must use cryptographically secure random number generators (CSPRNG)
+
+## Overview
+Quy tắc này phát hiện việc sử dụng các hàm tạo số ngẫu nhiên không an toàn (như `Math.random()`) cho các mục đích bảo mật, có thể dẫn đến các lỗ hổng bảo mật nghiêm trọng do tính có thể dự đoán được.
+
+## OWASP Classification
+- **Category**: A02:2021 - Cryptographic Failures
+- **CWE**: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
+- **Severity**: Error
+- **Impact**: High (Predictable tokens, weak encryption keys, authentication bypass)
+
+## Vấn đề
+Khi sử dụng các hàm tạo số ngẫu nhiên không an toàn cho mục đích bảo mật:
+
+1. **Tính dự đoán**: `Math.random()` và các hàm tương tự có thể được dự đoán bởi kẻ tấn công
+2. **Weak entropy**: Không đủ entropy để tạo ra các giá trị thực sự ngẫu nhiên
+3. **Seed attacks**: Có thể bị tấn công thông qua việc dự đoán seed
+4. **Brute force**: Dễ dàng bị brute force do không gian giá trị hạn chế
+
+## Các trường hợp vi phạm
+
+### 1. Sử dụng Math.random() cho security tokens
+```javascript
+// ❌ Vi phạm - Math.random() không an toàn cho security
+const sessionToken = Math.random().toString(36).substring(2);
+const apiKey = Math.floor(Math.random() * 1000000);
+const resetCode = Math.random().toString().substring(2, 8);
+
+// ❌ Vi phạm - tạo password reset token
+function generateResetToken() {
+  return Math.random().toString(36).substring(2, 15) + 
+         Math.random().toString(36).substring(2, 15);
+}
+
+// ❌ Vi phạm - tạo JWT secret
+const jwtSecret = Math.random().toString(36);
+```
+
+### 2. Sử dụng timestamp cho random generation
+```javascript
+// ❌ Vi phạm - timestamp có thể dự đoán được
+const userId = Date.now().toString();
+const sessionId = new Date().getTime().toString();
+const nonce = performance.now().toString();
+
+// ❌ Vi phạm - kết hợp timestamp với Math.random()
+const token = Date.now() + '-' + Math.random().toString(36);
+```
+
+### 3. Sử dụng cho mã hóa và authentication
+```javascript
+// ❌ Vi phạm - tạo encryption key không an toàn
+const encryptionKey = Math.random().toString(36).repeat(3);
+
+// ❌ Vi phạm - tạo salt cho password hashing
+const salt = Math.random().toString(36).substring(2);
+bcrypt.hash(password, salt); // Nguy hiểm!
+
+// ❌ Vi phạm - tạo CSRF token
+const csrfToken = Math.floor(Math.random() * 1000000000);
+```
+
+### 4. Tạo unique identifiers không an toàn
+```javascript
+// ❌ Vi phạm - tạo user ID
+const generateUserId = () => Math.random().toString(36).substring(2);
+
+// ❌ Vi phạm - tạo file upload path
+const uploadPath = `/uploads/${Math.random().toString(36)}/file.jpg`;
+
+// ❌ Vi phạm - tạo temporary filename
+const tempFile = `temp_${Date.now()}_${Math.random()}.tmp`;
+```
+
+## Giải pháp an toàn
+
+### 1. Sử dụng crypto.randomBytes()
+```javascript
+// ✅ An toàn - sử dụng crypto.randomBytes()
+const crypto = require('crypto');
+
+const sessionToken = crypto.randomBytes(32).toString('hex');
+const apiKey = crypto.randomBytes(16).toString('base64');
+const resetCode = crypto.randomBytes(3).toString('hex'); // 6 hex chars
+```
+
+### 2. Sử dụng crypto.randomUUID()
+```javascript
+// ✅ An toàn - sử dụng crypto.randomUUID()
+const sessionId = crypto.randomUUID();
+const userId = crypto.randomUUID();
+const requestId = crypto.randomUUID();
+```
+
+### 3. Sử dụng crypto.randomInt()
+```javascript
+// ✅ An toàn - sử dụng crypto.randomInt()
+const otpCode = crypto.randomInt(100000, 999999); // 6-digit OTP
+const randomPort = crypto.randomInt(3000, 9000);
+const challengeNumber = crypto.randomInt(1, 1000000);
+```
+
+### 4. Sử dụng cho mã hóa an toàn
+```javascript
+// ✅ An toàn - tạo encryption key
+const encryptionKey = crypto.randomBytes(32); // 256-bit key
+
+// ✅ An toàn - tạo salt cho password hashing
+const saltRounds = 12;
+const hashedPassword = await bcrypt.hash(password, saltRounds);
+
+// ✅ An toàn - tạo IV cho encryption
+const iv = crypto.randomBytes(16);
+const cipher = crypto.createCipher('aes-256-cbc', key, iv);
+```
+
+### 5. Sử dụng thư viện an toàn
+```javascript
+// ✅ An toàn - sử dụng nanoid
+const { nanoid } = require('nanoid');
+const id = nanoid(); // URL-safe, secure ID
+
+// ✅ An toàn - sử dụng uuid v4
+const { v4: uuidv4 } = require('uuid');
+const userId = uuidv4();
+
+// ✅ An toàn - sử dụng secure-random
+const secureRandom = require('secure-random');
+const randomBytes = secureRandom(32, { type: 'Buffer' });
+```
+
+### 6. Express.js session security
+```javascript
+// ✅ An toàn - cấu hình Express session
+const session = require('express-session');
+
+app.use(session({
+  genid: () => crypto.randomUUID(), // Secure session ID
+  secret: crypto.randomBytes(64).toString('hex'), // Secure secret
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    secure: true, // HTTPS only
+    httpOnly: true,
+    maxAge: 1800000 // 30 minutes
+  }
+}));
+```
+
+### 7. JWT token generation
+```javascript
+// ✅ An toàn - tạo JWT với secure secret
+const jwtSecret = crypto.randomBytes(64).toString('hex');
+
+const token = jwt.sign(
+  { userId, exp: Math.floor(Date.now() / 1000) + 3600 },
+  jwtSecret,
+  { algorithm: 'HS256' }
+);
+```
+
+## Phương pháp phát hiện
+
+Rule này sử dụng heuristic analysis để phát hiện:
+
+1. **Pattern matching**: Tìm kiếm các pattern như `Math.random()`, `Date.now()`, `performance.now()`
+2. **Context analysis**: Phân tích ngữ cảnh để xác định có phải mục đích bảo mật không
+3. **Function analysis**: Kiểm tra tên function có chứa từ khóa bảo mật
+4. **Variable analysis**: Phân tích tên biến có liên quan đến bảo mật
+5. **Surrounding context**: Kiểm tra các dòng xung quanh để xác định context
+
+## Cấu hình
+
+```json
+{
+  "S010": {
+    "enabled": true,
+    "severity": "error",
+    "excludePatterns": [
+      "test/**",
+      "**/*.test.js",
+      "**/*.spec.js",
+      "**/demo/**",
+      "**/examples/**"
+    ]
+  }
+}
+```
+
+## Best Practices
+
+1. **Luôn sử dụng CSPRNG**: Sử dụng `crypto.randomBytes()`, `crypto.randomUUID()`, `crypto.randomInt()` cho mục đích bảo mật
+2. **Đủ entropy**: Đảm bảo đủ entropy cho các giá trị random (ít nhất 128 bits cho tokens)
+3. **Secure storage**: Lưu trữ các giá trị random một cách an toàn
+4. **Time-limited**: Sử dụng expiration time cho các tokens
+5. **Proper seeding**: Đảm bảo CSPRNG được seed đúng cách
+6. **Regular rotation**: Thường xuyên rotate các keys và secrets
+
+## Các trường hợp ngoại lệ
+
+Rule này sẽ KHÔNG báo lỗi trong các trường hợp sau:
+
+```javascript
+// ✅ Không báo lỗi - sử dụng cho UI/animation
+const animationDelay = Math.random() * 1000;
+const chartColor = `hsl(${Math.random() * 360}, 50%, 50%)`;
+
+// ✅ Không báo lỗi - game logic
+const diceRoll = Math.floor(Math.random() * 6) + 1;
+const enemySpawn = Math.random() < 0.3;
+
+// ✅ Không báo lỗi - demo/test data
+const mockData = Array.from({length: 10}, () => ({
+  value: Math.random() * 100
+}));
+```
+
+## Tài liệu tham khảo
+
+- [OWASP A02:2021 - Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)
+- [CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator](https://cwe.mitre.org/data/definitions/338.html)
+- [Node.js Crypto Documentation](https://nodejs.org/api/crypto.html)
+- [NIST Guidelines for Random Number Generation](https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)
+- [Secure Random Number Generation Best Practices](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)