npm - @sun-asterisk/sunlint - Versions diffs - 1.3.18 → 1.3.19 - Mend

@sun-asterisk/sunlint 1.3.18 → 1.3.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/rules/security/S045_brute_force_protection/config.json ADDED Viewed

@@ -0,0 +1,139 @@
+{
+  "rule": {
+    "id": "S045",
+    "name": "Brute-force Protection",
+    "description": "Implement protection against brute-force attacks on authentication endpoints. This rule detects missing rate limiting, account lockout mechanisms, and other brute-force protection measures in authentication flows.",
+    "category": "security",
+    "severity": "error",
+    "languages": ["typescript", "javascript"],
+    "frameworks": ["nestjs", "express", "node"],
+    "version": "1.0.0",
+    "status": "stable",
+    "tags": ["security", "authentication", "brute-force", "rate-limiting", "owasp"],
+    "references": [
+      "https://owasp.org/www-community/attacks/Brute_force_attack",
+      "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html",
+      "https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks",
+      "https://portswigger.net/web-security/authentication/password-based/brute-force"
+    ]
+  },
+  "configuration": {
+    "enableRateLimitDetection": true,
+    "enableAccountLockoutDetection": true,
+    "enableCaptchaDetection": true,
+    "checkAuthenticationEndpoints": [
+      "login",
+      "signin",
+      "authenticate",
+      "auth",
+      "password",
+      "reset",
+      "forgot"
+    ],
+    "rateLimitLibraries": [
+      "express-rate-limit",
+      "express-slow-down",
+      "@nestjs/throttler",
+      "rate-limiter-flexible",
+      "bottleneck",
+      "limiter"
+    ],
+    "accountLockoutLibraries": [
+      "express-slow-down",
+      "rate-limiter-flexible",
+      "express-brute",
+      "express-brute-mongo"
+    ],
+    "captchaLibraries": [
+      "recaptcha",
+      "hcaptcha",
+      "turnstile",
+      "captcha"
+    ],
+    "vulnerablePatterns": [
+      "login.*without.*rate.*limit",
+      "auth.*without.*throttle",
+      "password.*without.*lockout",
+      "signin.*without.*captcha"
+    ],
+    "protectionPatterns": [
+      "rate.*limit",
+      "throttle",
+      "lockout",
+      "captcha",
+      "brute.*force.*protection",
+      "max.*attempts",
+      "cooldown"
+    ],
+    "maxAttemptsThreshold": 5,
+    "timeWindowMinutes": 15
+  },
+  "examples": {
+    "violations": [
+      {
+        "description": "Login endpoint without rate limiting",
+        "code": "@Post('login')\nasync login(@Body() loginDto: LoginDto) {\n  return this.authService.validateUser(loginDto);\n}"
+      },
+      {
+        "description": "Authentication without account lockout",
+        "code": "app.post('/auth/login', (req, res) => {\n  const { username, password } = req.body;\n  // No rate limiting or lockout mechanism\n  authenticateUser(username, password);\n});"
+      },
+      {
+        "description": "Password reset without protection",
+        "code": "@Post('reset-password')\nasync resetPassword(@Body() resetDto: ResetPasswordDto) {\n  // No rate limiting or captcha\n  return this.authService.resetPassword(resetDto);\n}"
+      }
+    ],
+    "fixes": [
+      {
+        "description": "Login with rate limiting and account lockout",
+        "code": "@Post('login')\n@Throttle(5, 60) // 5 attempts per minute\nasync login(@Body() loginDto: LoginDto) {\n  return this.authService.validateUser(loginDto);\n}"
+      },
+      {
+        "description": "Express with rate limiting middleware",
+        "code": "const rateLimit = require('express-rate-limit');\n\nconst loginLimiter = rateLimit({\n  windowMs: 15 * 60 * 1000, // 15 minutes\n  max: 5, // limit each IP to 5 requests per windowMs\n  message: 'Too many login attempts'\n});\n\napp.post('/auth/login', loginLimiter, (req, res) => {\n  // authentication logic\n});"
+      },
+      {
+        "description": "NestJS with ThrottlerModule",
+        "code": "@Module({\n  imports: [\n    ThrottlerModule.forRoot([{\n      ttl: 60000,\n      limit: 5,\n    }]),\n  ],\n})\nexport class AuthModule {}"
+      }
+    ]
+  },
+  "testing": {
+    "testCases": [
+      {
+        "name": "login_without_rate_limit",
+        "type": "violation",
+        "description": "Login endpoint without rate limiting"
+      },
+      {
+        "name": "auth_without_throttle",
+        "type": "violation",
+        "description": "Authentication without throttling"
+      },
+      {
+        "name": "password_reset_unprotected",
+        "type": "violation",
+        "description": "Password reset without protection"
+      },
+      {
+        "name": "login_with_rate_limit",
+        "type": "clean",
+        "description": "Login with proper rate limiting"
+      },
+      {
+        "name": "auth_with_throttle",
+        "type": "clean",
+        "description": "Authentication with throttling"
+      },
+      {
+        "name": "password_reset_protected",
+        "type": "clean",
+        "description": "Password reset with protection"
+      }
+    ]
+  },
+  "performance": {
+    "complexity": "O(n)",
+    "description": "Linear complexity based on number of authentication endpoints and middleware usage"
+  }
+}