npm - @sun-asterisk/sunlint - Versions diffs - 1.3.18 → 1.3.19 - Mend

@sun-asterisk/sunlint 1.3.18 → 1.3.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/rules/security/S028_file_upload_size_limits/README.md ADDED Viewed

@@ -0,0 +1,537 @@
+# S028 - Limit Upload File Size and Number of Files Per User
+## 📋 Tổng quan
+**Rule ID:** S028
+**Mức độ:** Medium (⚠️)
+**Danh mục:** Security
+**OWASP:** A04:2021 - Insecure Design
+**CWE:** CWE-400 - Uncontrolled Resource Consumption
+### Mục đích
+Ngăn chặn các cuộc tấn công **Denial of Service (DoS)** và lạm dụng tài nguyên bằng cách đảm bảo rằng mọi file upload endpoint đều có giới hạn:
+- **Kích thước file** (file size limit)
+- **Số lượng file** (file count limit)
+- **Tổng kích thước request** (request size limit)
+### Tại sao quan trọng?
+1. **Ngăn chặn DoS attacks**: Attacker có thể upload file cực lớn (vài GB) để làm cạn kiệt:
+   - Disk space
+   - Memory
+   - Network bandwidth
+   - Processing power
+2. **Ngăn storage abuse**: User có thể upload hàng nghìn file nhỏ để chiếm dụng storage
+3. **Bảo vệ service availability**: Đảm bảo server không bị quá tải bởi upload requests
+---
+## 🎯 Phạm vi áp dụng
+### Framework hỗ trợ:
+- ✅ **Node.js**: multer, express
+- ✅ **NestJS**: FileInterceptor, FilesInterceptor
+- ✅ **Java/Spring Boot**: multipart configuration
+- ⚠️ **Python/Flask**: (Future support)
+- ⚠️ **PHP**: (Future support)
+### File types:
+- `.ts`, `.js`, `.tsx`, `.jsx` (TypeScript/JavaScript)
+- `.java` (Java - properties files)
+---
+## 🚨 Các vi phạm phát hiện
+### 1. Multer không có limits (HIGH)
+```javascript
+// ❌ VIOLATION: Multer thiếu giới hạn hoàn toàn
+const upload = multer({ dest: "uploads/" });
+// ❌ VIOLATION: Multer thiếu limits object
+const upload = multer({
+  storage: diskStorage({ destination: "./uploads" }),
+});
+// ❌ VIOLATION: Multer có limits nhưng thiếu fileSize
+const upload = multer({
+  limits: {
+    files: 5, // Chỉ giới hạn số lượng, không giới hạn size
+  },
+});
+```
+**Severity:** ERROR
+**Message:** "Multer configuration missing size limits - add limits.fileSize and limits.files"
+---
+### 2. File size limit quá cao (HIGH/MEDIUM)
+```javascript
+// ❌ HIGH RISK: File size > 50MB
+const upload = multer({
+  limits: {
+    fileSize: 100 * 1024 * 1024, // 100MB - QUÁ CAO!
+  },
+});
+// ⚠️ MEDIUM RISK: File size > 20MB
+const upload = multer({
+  limits: {
+    fileSize: 30 * 1024 * 1024, // 30MB - CAO HƠN KHUYẾN NGHỊ
+  },
+});
+```
+**Severity:** ERROR (> 50MB), WARNING (> 20MB)
+**Message:** "File size limit too high (100MB) - recommend ≤ 10MB"
+---
+### 3. FileInterceptor thiếu limits (HIGH)
+```typescript
+// ❌ VIOLATION: FileInterceptor không có limits
+@Post('/upload')
+@UseInterceptors(FileInterceptor('file'))
+uploadFile(@UploadedFile() file: Express.Multer.File) {
+  return this.fileService.save(file);
+}
+// ❌ VIOLATION: FilesInterceptor không có limits
+@Post('/gallery')
+@UseInterceptors(FilesInterceptor('images'))
+uploadGallery(@UploadedFiles() files: Array<Express.Multer.File>) {
+  return this.galleryService.save(files);
+}
+```
+**Severity:** ERROR
+**Message:** "FileInterceptor missing 'limits' configuration - add { limits: { fileSize: 10485760 } }"
+---
+### 4. Express middleware thiếu body limit (MEDIUM)
+```javascript
+// ⚠️ WARNING: express.json() không giới hạn
+app.use(express.json());
+// ⚠️ WARNING: express.urlencoded() không giới hạn
+app.use(express.urlencoded({ extended: true }));
+```
+**Severity:** WARNING
+**Message:** "express.json() missing body size limit - add { limit: '10mb' }"
+---
+## ✅ Cách sửa đúng
+### 1. Multer với limits hợp lý
+```javascript
+// ✅ GOOD: Multer với limits đầy đủ
+const upload = multer({
+  dest: "uploads/",
+  limits: {
+    fileSize: 10 * 1024 * 1024, // 10MB
+    files: 5, // Tối đa 5 files
+  },
+});
+// ✅ GOOD: Multer với fileFilter validation
+const upload = multer({
+  storage: diskStorage({
+    destination: "./uploads",
+    filename: (req, file, cb) => {
+      const uniqueName = `${Date.now()}-${file.originalname}`;
+      cb(null, uniqueName);
+    },
+  }),
+  limits: {
+    fileSize: 5 * 1024 * 1024, // 5MB per file
+    files: 3, // Max 3 files
+  },
+  fileFilter: (req, file, cb) => {
+    // Additional validation
+    const allowedTypes = ["image/jpeg", "image/png"];
+    if (allowedTypes.includes(file.mimetype)) {
+      cb(null, true);
+    } else {
+      cb(new Error("Invalid file type"), false);
+    }
+  },
+});
+```
+---
+### 2. NestJS FileInterceptor với limits
+```typescript
+// ✅ GOOD: FileInterceptor với limits
+@Post('/avatar')
+@UseInterceptors(FileInterceptor('file', {
+  limits: {
+    fileSize: 5 * 1024 * 1024  // 5MB
+  }
+}))
+uploadAvatar(@UploadedFile() file: Express.Multer.File) {
+  return this.userService.updateAvatar(file);
+}
+// ✅ GOOD: FilesInterceptor với limits
+@Post('/documents')
+@UseInterceptors(FilesInterceptor('documents', 10, {
+  limits: {
+    fileSize: 10 * 1024 * 1024,  // 10MB per file
+    files: 10                     // Max 10 files (also in decorator)
+  }
+}))
+uploadDocuments(@UploadedFiles() files: Array<Express.Multer.File>) {
+  return this.documentService.save(files);
+}
+// ✅ GOOD: FileFieldsInterceptor với limits
+@Post('/profile')
+@UseInterceptors(FileFieldsInterceptor([
+  { name: 'avatar', maxCount: 1 },
+  { name: 'documents', maxCount: 5 }
+], {
+  limits: {
+    fileSize: 5 * 1024 * 1024
+  }
+}))
+updateProfile(
+  @UploadedFiles() files: { avatar?: Express.Multer.File[], documents?: Express.Multer.File[] }
+) {
+  return this.profileService.update(files);
+}
+```
+---
+### 3. Express middleware với body limit
+```javascript
+// ✅ GOOD: express.json với limit
+app.use(express.json({ limit: "10mb" }));
+// ✅ GOOD: express.urlencoded với limit
+app.use(
+  express.urlencoded({
+    limit: "10mb",
+    extended: true,
+  })
+);
+// ✅ GOOD: Custom limit cho specific routes
+const uploadRouter = express.Router();
+uploadRouter.use(express.json({ limit: "5mb" }));
+uploadRouter.post("/images", upload.single("image"), (req, res) => {
+  // Handle upload
+});
+```
+---
+### 4. Spring Boot configuration
+```properties
+# ✅ GOOD: application.properties
+spring.servlet.multipart.max-file-size=10MB
+spring.servlet.multipart.max-request-size=20MB
+spring.servlet.multipart.enabled=true
+```
+```yaml
+# ✅ GOOD: application.yml
+spring:
+  servlet:
+    multipart:
+      max-file-size: 10MB
+      max-request-size: 20MB
+      enabled: true
+```
+---
+## 📊 Ngưỡng khuyến nghị
+| Loại             | Khuyến nghị | Medium Risk | High Risk  |
+| ---------------- | ----------- | ----------- | ---------- |
+| **File size**    | ≤ 10MB      | > 20MB      | > 50MB     |
+| **File count**   | ≤ 10 files  | > 20 files  | > 50 files |
+| **Request size** | ≤ 20MB      | > 40MB      | > 100MB    |
+### Giải thích:
+- **10MB per file**: Đủ cho hầu hết use cases (images, documents, PDFs)
+- **10 files**: Ngăn bulk upload abuse
+- **20MB total request**: Cho phép multiple files nhưng không quá lớn
+### Các trường hợp đặc biệt:
+```javascript
+// Video uploads - có thể cao hơn nhưng cần validation
+const videoUpload = multer({
+  limits: {
+    fileSize: 50 * 1024 * 1024, // 50MB for video
+    files: 1, // Only 1 video
+  },
+  fileFilter: (req, file, cb) => {
+    if (file.mimetype.startsWith("video/")) {
+      cb(null, true);
+    } else {
+      cb(new Error("Only video files allowed"), false);
+    }
+  },
+});
+// Archive files - cần kiểm tra content
+const archiveUpload = multer({
+  limits: {
+    fileSize: 20 * 1024 * 1024, // 20MB for zip/tar
+  },
+  fileFilter: (req, file, cb) => {
+    const allowedTypes = ["application/zip", "application/x-tar"];
+    if (allowedTypes.includes(file.mimetype)) {
+      cb(null, true);
+    } else {
+      cb(new Error("Only archive files allowed"), false);
+    }
+  },
+});
+```
+---
+## 🔍 Chi tiết kỹ thuật
+### Pattern detection:
+1. **Multer initialization:**
+   ```javascript
+   multer({ limits: { fileSize, files } });
+   ```
+2. **FileInterceptor decorator:**
+   ```typescript
+   @UseInterceptors(FileInterceptor('field', { limits }))
+   ```
+3. **Express middleware:**
+   ```javascript
+   express.json({ limit: "10mb" });
+   ```
+### AST nodes checked:
+- `SyntaxKind.CallExpression` - multer(), express.json()
+- `SyntaxKind.Decorator` - @UseInterceptors()
+- Object literals - configuration objects
+### Deduplication:
+Rule sử dụng `reportedLines` Set để tránh báo duplicate errors trên cùng một dòng.
+---
+## 🎯 Best Practices
+### 1. Layered defense
+```typescript
+// ✅ Multiple layers of protection
+@Post('/upload')
+@UseGuards(AuthGuard)  // 1. Authentication
+@UseInterceptors(FileInterceptor('file', {
+  limits: {
+    fileSize: 10 * 1024 * 1024  // 2. Size limit
+  },
+  fileFilter: (req, file, cb) => {
+    // 3. Type validation
+    const allowedTypes = ['image/jpeg', 'image/png'];
+    if (!allowedTypes.includes(file.mimetype)) {
+      return cb(new Error('Invalid file type'), false);
+    }
+    cb(null, true);
+  }
+}))
+async uploadFile(
+  @UploadedFile() file: Express.Multer.File,
+  @Req() req
+) {
+  // 4. Additional server-side validation
+  if (!file) {
+    throw new BadRequestException('No file uploaded');
+  }
+  // 5. Magic number validation
+  const isValid = await this.fileService.validateFileContent(file);
+  if (!isValid) {
+    await this.fileService.deleteFile(file.path);
+    throw new BadRequestException('Invalid file content');
+  }
+  // 6. User quota check
+  const userStorage = await this.userService.getStorageUsage(req.user.id);
+  if (userStorage + file.size > USER_STORAGE_QUOTA) {
+    await this.fileService.deleteFile(file.path);
+    throw new BadRequestException('Storage quota exceeded');
+  }
+  return this.fileService.save(file, req.user.id);
+}
+```
+---
+### 2. Logging and monitoring
+```typescript
+// ✅ Log upload attempts and rejections
+@Post('/upload')
+@UseInterceptors(FileInterceptor('file', {
+  limits: { fileSize: 10 * 1024 * 1024 }
+}))
+async uploadFile(@UploadedFile() file, @Req() req) {
+  try {
+    this.logger.log({
+      event: 'file_upload_attempt',
+      userId: req.user.id,
+      filename: file.originalname,
+      size: file.size,
+      mimetype: file.mimetype,
+      ip: req.ip
+    });
+    const result = await this.fileService.save(file);
+    this.logger.log({
+      event: 'file_upload_success',
+      userId: req.user.id,
+      fileId: result.id
+    });
+    return result;
+  } catch (error) {
+    this.logger.error({
+      event: 'file_upload_failed',
+      userId: req.user.id,
+      filename: file?.originalname,
+      size: file?.size,
+      error: error.message,
+      ip: req.ip
+    });
+    throw error;
+  }
+}
+```
+---
+### 3. Rate limiting
+```typescript
+// ✅ Combine with rate limiting
+import { Throttle } from "@nestjs/throttler";
+@Controller("upload")
+export class UploadController {
+  @Post("/avatar")
+  @Throttle(5, 60) // Max 5 uploads per 60 seconds
+  @UseInterceptors(
+    FileInterceptor("file", {
+      limits: { fileSize: 5 * 1024 * 1024 },
+    })
+  )
+  uploadAvatar(@UploadedFile() file) {
+    return this.userService.updateAvatar(file);
+  }
+}
+```
+---
+## 🔗 Liên quan
+### Rules liên quan:
+- **S025** - Server-side Validation: Validate file type, content
+- **S055** - Content-Type Validation: Validate Content-Type header
+### OWASP Top 10:
+- **A04:2021** - Insecure Design
+- **A05:2021** - Security Misconfiguration
+### CWE:
+- **CWE-400** - Uncontrolled Resource Consumption
+- **CWE-770** - Allocation of Resources Without Limits or Throttling
+---
+## 📚 Tài liệu tham khảo
+1. **OWASP File Upload Cheat Sheet**
+   https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+2. **Multer Documentation**
+   https://github.com/expressjs/multer
+3. **NestJS File Upload**
+   https://docs.nestjs.com/techniques/file-upload
+4. **CWE-400: Uncontrolled Resource Consumption**
+   https://cwe.mitre.org/data/definitions/400.html
+---
+## 🚀 Testing
+### Test với SunLint:
+```bash
+# Test rule trên một file
+node cli.js --rule=S028 --input=src/upload/upload.controller.ts --engine=heuristic
+# Test trên toàn bộ project
+node cli.js --rule=S028 --input=src --engine=heuristic
+# Test với verbose output
+SUNLINT_DEBUG=1 node cli.js --rule=S028 --input=src --engine=heuristic
+```
+### Expected violations:
+- ❌ Multer thiếu limits
+- ❌ FileInterceptor thiếu limits
+- ⚠️ Express middleware thiếu limit
+- ❌ File size > 50MB (high risk)
+- ⚠️ File size > 20MB (medium risk)
+---
+## ✨ Version History
+- **v1.0** (2025-01-23): Initial release
+  - Support Node.js/NestJS file upload detection
+  - Multer configuration checking
+  - FileInterceptor validation
+  - Express middleware checking
+  - Threshold validation (10MB/20MB/50MB)