npm - @sun-asterisk/sunlint - Versions diffs - 1.3.0 → 1.3.2 - Mend

@sun-asterisk/sunlint 1.3.0 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (124) hide show

package/rules/security/S048_no_current_password_in_reset/analyzer.js ADDED Viewed

@@ -0,0 +1,366 @@
+/**
+ * Heuristic analyzer for S048 - No Current Password in Reset Process
+ * Purpose: Detect requiring current password during password reset process
+ * Based on OWASP A04:2021 - Insecure Design
+ */
+class S048Analyzer {
+  constructor() {
+    this.ruleId = 'S048';
+    this.ruleName = 'No Current Password in Reset Process';
+    this.description = 'Do not require current password during password reset process';
+    // Keywords that indicate password reset functionality
+    this.resetKeywords = [
+      'reset', 'forgot', 'recover', 'change', 'update', 'modify',
+      'resetpassword', 'forgotpassword', 'changepassword', 'updatepassword'
+    ];
+    // Keywords that indicate current password requirement
+    this.currentPasswordKeywords = [
+      'currentpassword', 'current_password', 'oldpassword', 'old_password',
+      'existingpassword', 'existing_password', 'presentpassword', 'present_password',
+      'previouspassword', 'previous_password', 'originalpassword', 'original_password'
+    ];
+    // API endpoint patterns for password reset
+    this.resetEndpointPatterns = [
+      /\/reset[-_]?password/i,
+      /\/forgot[-_]?password/i,
+      /\/change[-_]?password/i,
+      /\/update[-_]?password/i,
+      /\/password[-_]?reset/i,
+      /\/password[-_]?change/i,
+      /\/password[-_]?update/i,
+      /\/user\/password/i,
+      /\/auth\/reset/i,
+      /\/auth\/forgot/i
+    ];
+    // Function/method patterns related to password reset
+    this.resetFunctionPatterns = [
+      /resetpassword/i,
+      /forgotpassword/i,
+      /changepassword/i,
+      /updatepassword/i,
+      /passwordreset/i,
+      /passwordchange/i,
+      /passwordupdate/i,
+      /handlepasswordreset/i,
+      /handleforgotpassword/i,
+      /processpasswordreset/i
+    ];
+    // Patterns for requiring current password in reset context
+    this.violationPatterns = [
+      // Validation/requirement patterns
+      /(?:required?|validate|check|verify).*(?:current|old|existing|present|previous|original).*password/i,
+      /(?:current|old|existing|present|previous|original).*password.*(?:required?|validate|check|verify)/i,
+      // Form field patterns
+      /(?:input|field|param|body|request).*(?:current|old|existing|present|previous|original).*password/i,
+      /(?:current|old|existing|present|previous|original).*password.*(?:input|field|param|body|request)/i,
+      // Comparison patterns
+      /(?:compare|match|equal|verify).*(?:current|old|existing|present|previous|original).*password/i,
+      /(?:current|old|existing|present|previous|original).*password.*(?:compare|match|equal|verify)/i,
+      // Database lookup patterns
+      /(?:select|find|get|fetch|query).*(?:current|old|existing|present|previous|original).*password/i,
+      /(?:current|old|existing|present|previous|original).*password.*(?:select|find|get|fetch|query)/i,
+      // Error message patterns
+      /(?:current|old|existing|present|previous|original).*password.*(?:incorrect|wrong|invalid|mismatch)/i,
+      /(?:incorrect|wrong|invalid|mismatch).*(?:current|old|existing|present|previous|original).*password/i,
+      // Schema/model field patterns
+      /currentPassword|current_password|oldPassword|old_password|existingPassword|existing_password/,
+      // Template/HTML patterns
+      /"[^"]*(?:current|old|existing|present|previous|original)[^"]*password[^"]*"/i,
+      /'[^']*(?:current|old|existing|present|previous|original)[^']*password[^']*'/i,
+      /`[^`]*(?:current|old|existing|present|previous|original)[^`]*password[^`]*`/i
+    ];
+    // Safe patterns that should be excluded
+    this.safePatterns = [
+      // Comments and documentation
+      /\/\/|\/\*|\*\/|@param|@return|@example|@deprecated/,
+      // Import/export statements
+      /import|export|require|module\.exports/i,
+      // Type definitions
+      /interface|type|enum|class.*\{/i,
+      // Configuration files
+      /config|setting|option|constant|env/i,
+      // Test files patterns
+      /test|spec|mock|fixture|stub/i,
+      // Logging patterns (acceptable for debugging)
+      /log|debug|trace|console|logger/i,
+      // Historical/audit patterns (not current validation)
+      /history|audit|backup|archive|previous.*login/i,
+      // Password change (not reset) - legitimate to require current password
+      /changepassword.*current/i,
+      /updatepassword.*current/i,
+      // Safe messages about security
+      /for security|security purposes|secure|protection|best practice/i,
+      // Documentation patterns
+      /should not|avoid|don't|never|security risk|vulnerability/i
+    ];
+    // Context keywords that indicate password reset (not change)
+    this.resetContextKeywords = [
+      'reset', 'forgot', 'forgotten', 'recover', 'recovery', 'token', 'link', 'email',
+      'verification', 'verify', 'code', 'otp', 'temporary'
+    ];
+    // Keywords that indicate password change (legitimate to require current password)
+    this.changeContextKeywords = [
+      'profile', 'settings', 'account', 'preferences', 'dashboard', 'authenticated',
+      'logged', 'session'
+    ];
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      // Skip test files, build directories, and node_modules
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+      try {
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+    return violations;
+  }
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      'test/', 'tests/', '__tests__/', '.test.', '.spec.',
+      'node_modules/', 'build/', 'dist/', '.next/', 'coverage/',
+      'vendor/', 'mocks/', '.mock.'
+    ];
+    return skipPatterns.some(pattern => filePath.includes(pattern));
+  }
+  analyzeFile(content, filePath, options = {}) {
+    const violations = [];
+    const lines = content.split('\n');
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      const trimmedLine = line.trim();
+      // Skip comments, imports, and empty lines
+      if (this.shouldSkipLine(trimmedLine)) {
+        return;
+      }
+      // Check for password reset context
+      if (this.isPasswordResetContext(content, line, lineNumber)) {
+        // Check for current password requirement violation
+        const violation = this.checkForCurrentPasswordRequirement(line, lineNumber, filePath, content);
+        if (violation) {
+          violations.push(violation);
+        }
+      }
+    });
+    return violations;
+  }
+  shouldSkipLine(line) {
+    // Skip comments, imports, and other non-code lines
+    return (
+      line.length === 0 ||
+      line.startsWith('//') ||
+      line.startsWith('/*') ||
+      line.startsWith('*') ||
+      line.startsWith('import ') ||
+      line.startsWith('export ') ||
+      line.startsWith('require(') ||
+      line.includes('module.exports')
+    );
+  }
+  isPasswordResetContext(content, line, lineNumber) {
+    const lowerContent = content.toLowerCase();
+    const lowerLine = line.toLowerCase();
+    // Check if this is in a password reset context
+    const hasResetContext = (
+      // Check current line for reset keywords
+      this.resetKeywords.some(keyword => lowerLine.includes(keyword)) ||
+      // Check for reset endpoint patterns
+      this.resetEndpointPatterns.some(pattern => pattern.test(line)) ||
+      // Check for reset function patterns
+      this.resetFunctionPatterns.some(pattern => pattern.test(line)) ||
+      // Check surrounding context (within 10 lines)
+      this.hasResetContextNearby(content, lineNumber)
+    );
+    // Exclude if it's clearly a password change context (not reset)
+    const hasChangeContext = this.changeContextKeywords.some(keyword =>
+      lowerContent.includes(keyword) || lowerLine.includes(keyword)
+    );
+    return hasResetContext && !hasChangeContext;
+  }
+  hasResetContextNearby(content, lineNumber) {
+    const lines = content.split('\n');
+    const start = Math.max(0, lineNumber - 10);
+    const end = Math.min(lines.length, lineNumber + 10);
+    for (let i = start; i < end; i++) {
+      const nearbyLine = lines[i].toLowerCase();
+      // Check for reset context keywords
+      if (this.resetContextKeywords.some(keyword => nearbyLine.includes(keyword))) {
+        return true;
+      }
+      // Check for reset endpoints
+      if (this.resetEndpointPatterns.some(pattern => pattern.test(lines[i]))) {
+        return true;
+      }
+      // Check for reset function names
+      if (this.resetFunctionPatterns.some(pattern => pattern.test(lines[i]))) {
+        return true;
+      }
+    }
+    return false;
+  }
+  checkForCurrentPasswordRequirement(line, lineNumber, filePath, content) {
+    // First check if line contains safe patterns (early exit)
+    if (this.containsSafePattern(line)) {
+      return null;
+    }
+    // Check for direct violation patterns
+    for (const pattern of this.violationPatterns) {
+      if (pattern.test(line)) {
+        // Additional context validation to reduce false positives
+        if (this.isValidViolationContext(line, content, lineNumber)) {
+          return {
+            ruleId: this.ruleId,
+            severity: 'error',
+            message: 'Password reset process should not require current password. Use secure token-based reset instead.',
+            line: lineNumber,
+            column: this.findPatternColumn(line, pattern),
+            filePath: filePath,
+            type: 'current_password_in_reset',
+            details: 'Requiring current password during reset defeats the purpose of password reset and creates security issues. Use email/SMS verification with secure tokens instead.'
+          };
+        }
+      }
+    }
+    // Check for variable/field names that suggest current password requirement
+    const currentPasswordField = this.checkCurrentPasswordField(line, lineNumber, filePath);
+    if (currentPasswordField) {
+      return currentPasswordField;
+    }
+    return null;
+  }
+  containsSafePattern(line) {
+    return this.safePatterns.some(pattern => pattern.test(line));
+  }
+  isValidViolationContext(line, content, lineNumber) {
+    const lowerLine = line.toLowerCase();
+    // Check if this is actually about password reset (not change)
+    const hasResetIndicators = this.resetContextKeywords.some(keyword =>
+      content.toLowerCase().includes(keyword)
+    );
+    // Check if it's in a validation/requirement context
+    const hasRequirementContext = [
+      'required', 'validate', 'check', 'verify', 'input', 'field', 'param',
+      'body', 'request', 'schema', 'model', 'form'
+    ].some(keyword => lowerLine.includes(keyword));
+    // Check if it's actually requiring/validating current password
+    const hasCurrentPasswordRequirement = this.currentPasswordKeywords.some(keyword =>
+      lowerLine.includes(keyword)
+    );
+    return hasResetIndicators && hasRequirementContext && hasCurrentPasswordRequirement;
+  }
+  checkCurrentPasswordField(line, lineNumber, filePath) {
+    // Look for variable declarations, object properties, or field definitions
+    // that suggest current password fields in reset context
+    const fieldPatterns = [
+      // Variable declarations
+      /(?:const|let|var)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=.*(?:current|old|existing).*password/i,
+      // Object properties
+      /['"']?(currentPassword|current_password|oldPassword|old_password|existingPassword|existing_password)['"']?\s*:/,
+      // Form field names
+      /name\s*=\s*['"](current|old|existing)[-_]?password['"]/i,
+      // Schema/model fields
+      /(?:currentPassword|current_password|oldPassword|old_password|existingPassword|existing_password)\s*:\s*(?:String|type|required)/i,
+      // Validation rules
+      /(?:currentPassword|current_password|oldPassword|old_password|existingPassword|existing_password).*(?:required|validate)/i
+    ];
+    for (const pattern of fieldPatterns) {
+      const match = line.match(pattern);
+      if (match) {
+        return {
+          ruleId: this.ruleId,
+          severity: 'warning',
+          message: `Field '${match[1] || match[0]}' suggests requiring current password in reset process. This should be avoided.`,
+          line: lineNumber,
+          column: line.indexOf(match[0]) + 1,
+          filePath: filePath,
+          type: 'current_password_field',
+          fieldName: match[1] || match[0],
+          details: 'Password reset should use token-based verification, not current password validation.'
+        };
+      }
+    }
+    return null;
+  }
+  findPatternColumn(line, pattern) {
+    const match = pattern.exec(line);
+    return match ? match.index + 1 : 1;
+  }
+}
+module.exports = S048Analyzer;

package/rules/security/S048_no_current_password_in_reset/config.json ADDED Viewed

@@ -0,0 +1,48 @@
+{
+  "ruleId": "S048",
+  "name": "No Current Password in Reset Process",
+  "description": "Do not require current password during password reset process",
+  "category": "security",
+  "severity": "error",
+  "languages": ["All languages"],
+  "tags": ["security", "owasp", "insecure-design", "authentication", "password-reset"],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A04:2021 - Insecure Design",
+    "cweId": "CWE-640",
+    "description": "Requiring the current password during password reset defeats the purpose of the reset process and creates security vulnerabilities. Users who have forgotten their password cannot complete the reset, and this practice can lead to account lockouts and security issues.",
+    "impact": "Medium - Account lockout, user frustration, security bypass attempts",
+    "likelihood": "High",
+    "remediation": "Use secure token-based password reset with email/SMS verification. Never require current password during reset process."
+  },
+  "patterns": {
+    "vulnerable": [
+      "Requiring current password in forgot password form",
+      "Validating old password during reset process",
+      "API endpoints that check current password for reset",
+      "Reset forms with current password fields"
+    ],
+    "secure": [
+      "Token-based password reset via email",
+      "SMS verification for password reset",
+      "Time-limited secure reset links",
+      "Multi-factor authentication for reset verification"
+    ]
+  },
+  "examples": {
+    "violations": [
+      "if (!validateCurrentPassword(currentPassword)) { return error; }",
+      "const resetData = { currentPassword, newPassword };",
+      "currentPassword: { type: String, required: true }",
+      "req.body.currentPassword === user.password"
+    ],
+    "fixes": [
+      "if (!validateResetToken(token)) { return error; }",
+      "const resetData = { token, newPassword };",
+      "resetToken: { type: String, required: true }",
+      "validateResetToken(req.body.token)"
+    ]
+  }
+}

package/rules/security/S055_content_type_validation/README.md ADDED Viewed

@@ -0,0 +1,176 @@
+# S055 - Content-Type Validation in REST Services
+## Mô tả
+Rule này kiểm tra xem các dịch vụ REST có xác thực Content-Type header của request đầu vào hay không. Việc thiếu xác thực Content-Type có thể dẫn đến các lỗ hổng bảo mật khi kẻ tấn công gửi dữ liệu độc hại với định dạng không mong muốn.
+## Mục tiêu
+- Đảm bảo các REST endpoint xác thực Content-Type trước khi xử lý request body
+- Ngăn chặn các cuộc tấn công thông qua dữ liệu có định dạng không mong muốn
+- Tuân thủ OWASP ASVS 13.2.5 về xác thực đầu vào
+## Chi tiết Rule
+### Phát hiện lỗi khi:
+1. **Express.js handlers** sử dụng `req.body` mà không kiểm tra Content-Type:
+   ```javascript
+   app.post('/api/users', (req, res) => {
+     const user = req.body; // ❌ Không kiểm tra Content-Type
+     // ...
+   });
+   ```
+2. **NestJS controllers** sử dụng `@Body()` mà không có validation:
+   ```typescript
+   @Post()
+   create(@Body() data: any) { // ❌ Không kiểm tra Content-Type
+     return this.service.create(data);
+   }
+   ```
+3. **Generic handlers** xử lý request body mà không xác thực:
+   ```javascript
+   function handlePost(req, res) {
+     processData(req.body); // ❌ Không kiểm tra Content-Type
+   }
+   ```
+### Cách khắc phục:
+1. **Sử dụng req.is() method**:
+   ```javascript
+   app.post('/api/users', (req, res) => {
+     if (!req.is('application/json')) {
+       return res.status(415).send('Unsupported Media Type');
+     }
+     const user = req.body; // ✅ An toàn
+   });
+   ```
+2. **Kiểm tra header trực tiếp**:
+   ```javascript
+   app.put('/api/data', (req, res) => {
+     if (req.headers['content-type'] !== 'application/json') {
+       return res.status(415).json({ error: 'Invalid Content-Type' });
+     }
+     processData(req.body); // ✅ An toàn
+   });
+   ```
+3. **Sử dụng middleware**:
+   ```javascript
+   app.use(express.json({ type: 'application/json' }));
+   // hoặc
+   app.use((req, res, next) => {
+     if (req.method !== 'GET' && !req.is('application/json')) {
+       return res.status(415).send('Unsupported Media Type');
+     }
+     next();
+   });
+   ```
+4. **NestJS với decorators**:
+   ```typescript
+   @Post()
+   @Header('Content-Type', 'application/json')
+   create(@Body() data: CreateDto) {
+     return this.service.create(data);
+   }
+   ```
+## Các trường hợp được bỏ qua
+Rule sẽ **KHÔNG** báo lỗi trong các trường hợp:
+1. **Có global middleware xử lý Content-Type**:
+   ```javascript
+   app.use(express.json()); // Đã xử lý Content-Type validation
+   ```
+2. **Test files**: Files có chứa `test`, `spec`, `__tests__`
+3. **Configuration files**: Files trong thư mục `config`, `configs`
+4. **Comments và documentation**
+5. **Import/export statements**
+## Mức độ nghiêm trọng
+- **Severity**: Error
+- **Impact**: Medium - Data injection, parsing errors, security bypass
+- **Likelihood**: Medium
+## Tham khảo
+- **OWASP ASVS 13.2.5**: Input Validation
+- **CWE-20**: Improper Input Validation
+- **Express.js Documentation**: [req.is()](https://expressjs.com/en/4x/api.html#req.is)
+- **NestJS Documentation**: [Validation](https://docs.nestjs.com/techniques/validation)
+## Ví dụ chi tiết
+### Express.js
+**Lỗi:**
+```javascript
+const express = require('express');
+const app = express();
+app.post('/api/users', (req, res) => {
+  const userData = req.body; // ❌ Thiếu Content-Type validation
+  // Xử lý userData...
+});
+```
+**Sửa:**
+```javascript
+const express = require('express');
+const app = express();
+app.post('/api/users', (req, res) => {
+  if (!req.is('application/json')) {
+    return res.status(415).json({ error: 'Content-Type must be application/json' });
+  }
+  const userData = req.body; // ✅ An toàn
+  // Xử lý userData...
+});
+```
+### NestJS
+**Lỗi:**
+```typescript
+@Controller('users')
+export class UsersController {
+  @Post()
+  create(@Body() createUserDto: any) { // ❌ Thiếu Content-Type validation
+    return this.usersService.create(createUserDto);
+  }
+}
+```
+**Sửa:**
+```typescript
+@Controller('users')
+export class UsersController {
+  @Post()
+  @Header('Content-Type', 'application/json')
+  create(@Body() createUserDto: CreateUserDto) { // ✅ An toàn với DTO validation
+    return this.usersService.create(createUserDto);
+  }
+}
+```
+## Cấu hình
+Rule này hỗ trợ các ngôn ngữ:
+- TypeScript
+- JavaScript
+Và tương thích với các framework:
+- Express.js
+- NestJS
+- Generic Node.js applications