npm - @sun-asterisk/sunlint - Versions diffs - 1.3.18 → 1.3.19 - Mend

@sun-asterisk/sunlint 1.3.18 → 1.3.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/rules/security/S011_secure_guid_generation/README.md ADDED Viewed

@@ -0,0 +1,255 @@
+# S011 - Secure GUID Generation
+## Overview
+Quy tắc này phát hiện việc sử dụng các phương pháp yếu hoặc có thể dự đoán được để tạo GUIDs/UUIDs cho mục đích bảo mật. GUIDs dùng cho session tokens, API keys, reset tokens, hoặc các mục đích bảo mật khác phải được tạo theo chuẩn UUID v4 với CSPRNG (Cryptographically Secure Pseudo-Random Number Generator).
+## OWASP Classification
+- **Category**: A02:2021 - Cryptographic Failures
+- **CWE**: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
+- **Severity**: Error
+- **Impact**: High (Session hijacking, token prediction, unauthorized access)
+## Vấn đề
+Khi sử dụng các phương pháp yếu để tạo GUIDs cho mục đích bảo mật:
+1. **Dễ dự đoán**: Kẻ tấn công có thể dự đoán GUIDs tiếp theo
+2. **Session hijacking**: Session tokens yếu có thể bị đoán và chiếm quyền
+3. **Token collision**: Xác suất trùng lặp cao hơn với PRNG yếu
+4. **Brute force attacks**: Tokens dễ bị tấn công brute force
+## Các trường hợp vi phạm
+### 1. Sử dụng Math.random()
+```javascript
+// ❌ Vi phạm - Math.random() không an toàn cho mục đích bảo mật
+const sessionId = Math.random().toString(36).substring(2, 15);
+const apiKey = Math.random().toString(36) + Math.random().toString(36);
+const resetToken = `${Date.now()}-${Math.random()}`;
+// ❌ Vi phạm - Timestamp-based không đủ random
+const token = Date.now().toString(36);
+const userId = new Date().getTime();
+```
+### 2. Sử dụng UUID v1 (time-based)
+```javascript
+// ❌ Vi phạm - UUID v1 sử dụng timestamp và MAC address
+import { v1 as uuidv1 } from "uuid";
+const sessionToken = uuidv1(); // Time-based, có thể dự đoán
+const apiKey = uuidv1(); // Không an toàn cho security purposes
+```
+### 3. Custom GUID generation yếu
+```javascript
+// ❌ Vi phạm - Custom implementation không sử dụng CSPRNG
+function generateGuid() {
+  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function (c) {
+    const r = (Math.random() * 16) | 0; // Math.random() không an toàn
+    const v = c === "x" ? r : (r & 0x3) | 0x8;
+    return v.toString(16);
+  });
+}
+const resetToken = generateGuid();
+const sessionId = generateGuid();
+```
+### 4. Sử dụng cho security-critical purposes
+```javascript
+// ❌ Vi phạm - Weak GUID cho authentication
+app.post("/login", (req, res) => {
+  const sessionToken = Math.random().toString(36);
+  req.session.token = sessionToken;
+});
+// ❌ Vi phạm - Weak GUID cho password reset
+const resetToken = Date.now() + "-" + Math.random();
+await sendPasswordResetEmail(user.email, resetToken);
+// ❌ Vi phạm - Weak GUID cho API key
+const apiKey = uuidv1(); // Time-based UUID
+await saveApiKey(userId, apiKey);
+```
+## Giải pháp an toàn
+### 1. Sử dụng crypto.randomUUID() (Node.js 14.17+)
+```javascript
+// ✅ An toàn - crypto.randomUUID() sử dụng CSPRNG
+import { randomUUID } from "crypto";
+const sessionId = randomUUID();
+const apiKey = randomUUID();
+const resetToken = randomUUID();
+```
+### 2. Sử dụng uuid v4 library
+```javascript
+// ✅ An toàn - uuid v4 sử dụng CSPRNG
+import { v4 as uuidv4 } from "uuid";
+const sessionToken = uuidv4();
+const apiKey = uuidv4();
+const resetToken = uuidv4();
+```
+### 3. Sử dụng crypto.randomBytes()
+```javascript
+// ✅ An toàn - crypto.randomBytes() cho custom implementation
+import { randomBytes } from "crypto";
+const sessionId = randomBytes(16).toString("hex");
+const apiKey = randomBytes(32).toString("base64url");
+const resetToken = randomBytes(48).toString("base64url");
+```
+### 4. Best practices cho security tokens
+```javascript
+// ✅ An toàn - Session management
+import { randomUUID } from "crypto";
+app.post("/login", async (req, res) => {
+  const sessionToken = randomUUID();
+  await redis.set(`session:${sessionToken}`, userId, "EX", 3600);
+  res.cookie("sessionId", sessionToken, { httpOnly: true, secure: true });
+});
+// ✅ An toàn - Password reset token
+import { randomBytes } from "crypto";
+async function generateResetToken() {
+  const token = randomBytes(32).toString("hex");
+  const hashedToken = await bcrypt.hash(token, 10);
+  await saveToDatabase({ token: hashedToken, expiresAt: Date.now() + 3600000 });
+  return token;
+}
+// ✅ An toàn - API key generation
+import { v4 as uuidv4 } from "uuid";
+const apiKey = `sk_${uuidv4().replace(/-/g, "")}`;
+const hashedKey = await bcrypt.hash(apiKey, 10);
+await saveApiKey(userId, hashedKey);
+```
+## Phương pháp phát hiện
+Rule này sử dụng symbol-based analysis để phát hiện:
+1. **Math.random() usage**: Detect `Math.random()` trong context tạo tokens/IDs
+2. **Timestamp-based IDs**: Detect `Date.now()`, `new Date().getTime()` cho security purposes
+3. **UUID v1 usage**: Detect `uuidv1()` hoặc `uuid.v1()` cho authentication/authorization
+4. **Weak GUID patterns**: Detect custom implementations không sử dụng CSPRNG
+5. **Variable naming context**: Phân tích tên biến như `sessionId`, `token`, `apiKey`, `resetToken`
+### Detection patterns:
+- Variable names: `session`, `token`, `api`, `key`, `reset`, `auth`, `secret`
+- Unsafe methods: `Math.random()`, `Date.now()`, `getTime()`, `uuidv1()`
+- Secure methods: `crypto.randomUUID()`, `crypto.randomBytes()`, `uuidv4()`
+## Safe contexts (không báo lỗi)
+```javascript
+// ✅ OK - Sử dụng Math.random() cho non-security purposes
+const displayId = Math.random().toString(36); // UI display ID
+const tempId = Date.now(); // Temporary client-side ID
+const orderId = `ORD-${Date.now()}`; // Business identifier, not security token
+// ✅ OK - UUID v1 cho non-security purposes
+const recordId = uuidv1(); // Database record ID (không dùng cho authentication)
+const traceId = uuidv1(); // Distributed tracing ID
+```
+## Cấu hình
+```json
+{
+  "S011": {
+    "enabled": true,
+    "severity": "error",
+    "excludePatterns": ["test/**", "**/*.test.js", "**/*.spec.js"],
+    "securityKeywords": [
+      "session",
+      "token",
+      "api",
+      "key",
+      "reset",
+      "auth",
+      "secret",
+      "credential"
+    ]
+  }
+}
+```
+## Best Practices
+1. **Luôn dùng CSPRNG**: Sử dụng `crypto.randomUUID()` hoặc `crypto.randomBytes()` cho security tokens
+2. **UUID v4 only**: Chỉ sử dụng UUID v4 cho security purposes, tránh UUID v1
+3. **Sufficient entropy**: Đảm bảo đủ entropy (ít nhất 128 bits cho tokens)
+4. **No predictable patterns**: Tránh patterns có thể dự đoán (timestamp, sequential IDs)
+5. **Token expiration**: Luôn set thời hạn cho security tokens
+6. **Hash before storage**: Hash tokens trước khi lưu vào database
+## Platform-specific implementations
+### Node.js
+```javascript
+import { randomUUID, randomBytes } from "crypto";
+const token = randomUUID(); // UUID v4 với CSPRNG
+const key = randomBytes(32).toString("hex");
+```
+### Python
+```python
+import secrets
+import uuid
+token = str(uuid.uuid4())  # UUID v4 với CSPRNG
+key = secrets.token_urlsafe(32)  # Secure random token
+```
+### Java
+```java
+import java.security.SecureRandom;
+import java.util.UUID;
+UUID token = UUID.randomUUID(); // UUID v4 với CSPRNG
+SecureRandom random = new SecureRandom();
+byte[] bytes = new byte[32];
+random.nextBytes(bytes);
+```
+### .NET/C#
+```csharp
+using System;
+using System.Security.Cryptography;
+var token = Guid.NewGuid(); // GUID với CSPRNG
+var bytes = RandomNumberGenerator.GetBytes(32); // Secure random
+```
+## Tài liệu tham khảo
+- [OWASP A02:2021 - Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)
+- [CWE-338: Use of Cryptographically Weak PRNG](https://cwe.mitre.org/data/definitions/338.html)
+- [RFC 4122: UUID Standard](https://www.rfc-editor.org/rfc/rfc4122)
+- [Node.js Crypto Documentation](https://nodejs.org/api/crypto.html)
+- [NIST SP 800-90A: Random Number Generation](https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)

package/rules/security/S011_secure_guid_generation/analyzer.js ADDED Viewed

@@ -0,0 +1,135 @@
+/**
+ * S011 - Secure GUID Generation
+ *
+ * Main analyzer using symbol-based analysis to detect weak GUID/UUID generation
+ * for security purposes.
+ *
+ * Based on:
+ * - OWASP A02:2021 - Cryptographic Failures
+ * - CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator
+ */
+// Command: node cli.js --rule=S011 --input=examples/rule-test-fixtures/rules/S011_secure_guid_generation --engine=heuristic
+const S011SymbolBasedAnalyzer = require("./symbol-based-analyzer");
+class S011Analyzer {
+  constructor(options = {}) {
+    this.ruleId = "S011";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    try {
+      this.symbolAnalyzer = new S011SymbolBasedAnalyzer(this.semanticEngine);
+    } catch (e) {
+      console.warn(`⚠ [S011] Failed to create symbol analyzer: ${e.message}`);
+    }
+  }
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.symbolAnalyzer && this.symbolAnalyzer.initialize) {
+      await this.symbolAnalyzer.initialize(semanticEngine);
+    }
+  }
+  analyzeSingle(filePath, options = {}) {
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        const vs = await this.analyzeFile(filePath, options);
+        violations.push(...vs);
+      } catch (e) {
+        console.warn(`⚠ [S011] Analysis error for ${filePath}: ${e.message}`);
+      }
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    const violationMap = new Map();
+    if (!this.symbolAnalyzer) {
+      return [];
+    }
+    // Skip test files, build directories, and node_modules
+    if (this.shouldSkipFile(filePath)) {
+      return [];
+    }
+    try {
+      let sourceFile = null;
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      }
+      if (!sourceFile) {
+        // Create temporary ts-morph source file
+        const fs = require("fs");
+        const path = require("path");
+        const { Project } = require("ts-morph");
+        if (!fs.existsSync(filePath)) {
+          throw new Error(`File not found: ${filePath}`);
+        }
+        const content = fs.readFileSync(filePath, "utf8");
+        const tmp = new Project({
+          useInMemoryFileSystem: true,
+          compilerOptions: { allowJs: true },
+        });
+        sourceFile = tmp.createSourceFile(path.basename(filePath), content);
+      }
+      if (sourceFile) {
+        const symbolViolations = await this.symbolAnalyzer.analyze(
+          sourceFile,
+          filePath
+        );
+        symbolViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+      }
+    } catch (e) {
+      console.warn(`⚠ [S011] Symbol analysis failed: ${e.message}`);
+    }
+    return Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+  }
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      "test/",
+      "tests/",
+      "__tests__/",
+      ".test.",
+      ".spec.",
+      "node_modules/",
+      "build/",
+      "dist/",
+      ".next/",
+      "coverage/",
+      "vendor/",
+      "mocks/",
+      ".mock.",
+    ];
+    return skipPatterns.some((pattern) => filePath.includes(pattern));
+  }
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+  }
+}
+module.exports = S011Analyzer;

package/rules/security/S011_secure_guid_generation/config.json ADDED Viewed

@@ -0,0 +1,56 @@
+{
+  "ruleId": "S011",
+  "name": "Secure GUID Generation",
+  "description": "GUIDs used for security purposes must be generated according to UUID v4 standard with CSPRNG",
+  "category": "security",
+  "severity": "error",
+  "languages": ["All languages"],
+  "tags": [
+    "security",
+    "owasp",
+    "cryptographic-failures",
+    "uuid",
+    "guid",
+    "randomness"
+  ],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A02:2021 - Cryptographic Failures",
+    "cweId": "CWE-338",
+    "description": "Using weak or predictable methods to generate GUIDs/UUIDs for security purposes (session tokens, API keys, reset tokens) can lead to security vulnerabilities. Security-critical GUIDs must be generated using UUID v4 with Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).",
+    "impact": "High - Session hijacking, token prediction, unauthorized access",
+    "likelihood": "Medium",
+    "remediation": "Use UUID v4 with CSPRNG libraries: crypto.randomUUID() (Node.js 14.17+), uuid v4, or equivalent secure random generators"
+  },
+  "patterns": {
+    "vulnerable": [
+      "Using Math.random() for GUID generation",
+      "Using Date.now() or timestamp-based GUIDs for security tokens",
+      "Using non-cryptographic UUID libraries",
+      "Using UUID v1 (time-based) for security purposes",
+      "Custom GUID generation without CSPRNG"
+    ],
+    "secure": [
+      "crypto.randomUUID() for Node.js 14.17+",
+      "uuid v4 library with proper CSPRNG",
+      "crypto.randomBytes() for custom implementation",
+      "Platform-specific secure random: SecureRandom (Java), secrets (Python)"
+    ]
+  },
+  "examples": {
+    "violations": [
+      "const sessionId = Math.random().toString(36);",
+      "const token = Date.now() + '-' + Math.random();",
+      "const apiKey = uuidv1(); // Time-based UUID",
+      "const resetToken = generateGuid(); // Custom weak implementation"
+    ],
+    "fixes": [
+      "const sessionId = crypto.randomUUID();",
+      "const token = require('uuid').v4();",
+      "const apiKey = crypto.randomBytes(32).toString('hex');",
+      "const resetToken = crypto.randomUUID();"
+    ]
+  }
+}