npm - @sun-asterisk/sunlint - Versions diffs - 1.3.26 → 1.3.27 - Mend

@sun-asterisk/sunlint 1.3.26 → 1.3.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/rules/security/S003_open_redirect_protection/README.md ADDED Viewed

@@ -0,0 +1,371 @@
+# S003 - Open Redirect Protection
+## Overview
+Quy tắc này phát hiện lỗ hổng Open Redirect - nơi ứng dụng chuyển hướng người dùng đến URL được cung cấp từ đầu vào mà không xác thực. Kẻ tấn công có thể lợi dụng để chuyển hướng nạn nhân đến trang độc hại (phishing, malware) thông qua link có vẻ hợp lệ.
+## OWASP Classification
+- **Category**: A03:2021 - Injection
+- **CWE**: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
+- **Severity**: Warning
+- **Impact**: Medium (Phishing attacks, credential theft, malware distribution)
+## Vấn đề
+Khi ứng dụng chuyển hướng người dùng đến URL từ đầu vào mà không xác thực:
+1. **Phishing attacks**: Kẻ tấn công có thể tạo link hợp lệ dẫn đến trang giả mạo
+2. **Credential theft**: Người dùng tin tưởng domain gốc và nhập thông tin nhạy cảm
+3. **Malware distribution**: Chuyển hướng đến trang chứa malware
+4. **Bypass security controls**: Vượt qua whitelist/blacklist dựa trên domain
+## Các trường hợp vi phạm
+### 1. Redirect trực tiếp từ query parameter
+```javascript
+// ❌ Vi phạm - Redirect trực tiếp không kiểm tra
+app.get('/redirect', (req, res) => {
+  const url = req.query.url;
+  res.redirect(url); // Nguy hiểm!
+});
+// ❌ Vi phạm - Express redirect
+router.get('/goto', (req, res) => {
+  res.redirect(req.query.redirect_url);
+});
+// ❌ Vi phạm - Location header
+app.get('/forward', (req, res) => {
+  res.setHeader('Location', req.query.next);
+  res.status(302).send();
+});
+```
+### 2. Client-side redirect không validate
+```javascript
+// ❌ Vi phạm - window.location redirect
+const redirectUrl = new URLSearchParams(window.location.search).get('redirect');
+window.location = redirectUrl;
+// ❌ Vi phạm - window.location.href
+const next = getQueryParam('next');
+window.location.href = next;
+// ❌ Vi phạm - window.location.replace
+window.location.replace(req.params.url);
+```
+### 3. NestJS redirects
+```typescript
+// ❌ Vi phạm - NestJS @Redirect decorator
+@Controller('redirect')
+export class RedirectController {
+  @Get()
+  @Redirect()
+  redirect(@Query('url') url: string) {
+    return { url }; // Nguy hiểm!
+  }
+}
+// ❌ Vi phạm - NestJS res.redirect
+@Get()
+goto(@Query('target') target: string, @Res() res: Response) {
+  res.redirect(target);
+}
+```
+### 4. Next.js redirects (App Router)
+```typescript
+// ❌ Vi phạm - Next.js redirect
+import { redirect } from 'next/navigation';
+export default async function Page({ searchParams }) {
+  redirect(searchParams.url); // Nguy hiểm!
+}
+// ❌ Vi phạm - Next.js permanentRedirect
+import { permanentRedirect } from 'next/navigation';
+export default function RedirectPage({ searchParams }) {
+  permanentRedirect(searchParams.target);
+}
+// ❌ Vi phạm - Next.js router.push
+'use client';
+export default function ClientRedirect() {
+  const router = useRouter();
+  const searchParams = useSearchParams();
+  const url = searchParams.get('url');
+  router.push(url); // Nguy hiểm!
+}
+```
+### 5. Nuxt.js redirects
+```typescript
+// ❌ Vi phạm - Nuxt.js navigateTo
+export default defineComponent({
+  setup() {
+    const route = useRoute();
+    const url = route.query.url;
+    navigateTo(url); // Nguy hiểm!
+  }
+});
+// ❌ Vi phạm - Nuxt.js sendRedirect
+export default defineEventHandler((event) => {
+  const { url } = getQuery(event);
+  return sendRedirect(event, url);
+});
+```
+### 6. Spring Boot/Java redirects
+```java
+// ❌ Vi phạm - Spring RedirectView
+@GetMapping("/redirect")
+public RedirectView redirect(@RequestParam String url) {
+    return new RedirectView(url);
+}
+// ❌ Vi phạm - sendRedirect
+@GetMapping("/forward")
+public void forward(@RequestParam String target, HttpServletResponse response) {
+    response.sendRedirect(target);
+}
+```
+## Giải pháp an toàn
+### 1. Sử dụng Allow List (Whitelist)
+```javascript
+// ✅ An toàn - Allow list
+const ALLOWED_DOMAINS = [
+  'https://example.com',
+  'https://app.example.com'
+];
+app.get('/redirect', (req, res) => {
+  const url = req.query.url;
+  if (!ALLOWED_DOMAINS.includes(url)) {
+    return res.status(400).send('Invalid redirect URL');
+  }
+  res.redirect(url);
+});
+// ✅ An toàn - Domain validation
+function isAllowedUrl(urlString) {
+  try {
+    const url = new URL(urlString);
+    const allowedHosts = ['example.com', 'app.example.com'];
+    return allowedHosts.includes(url.hostname);
+  } catch (e) {
+    return false;
+  }
+}
+```
+### 2. Relative URL only
+```javascript
+// ✅ An toàn - Chỉ cho phép relative URLs
+function isRelativeUrl(url) {
+  return url && url.startsWith('/') && !url.startsWith('//');
+}
+app.get('/redirect', (req, res) => {
+  const path = req.query.next;
+  if (!isRelativeUrl(path)) {
+    return res.status(400).send('Only relative URLs allowed');
+  }
+  res.redirect(path);
+});
+```
+### 3. Indirect redirect mapping
+```javascript
+// ✅ An toàn - Mapping key
+const REDIRECT_MAP = {
+  'home': '/',
+  'dashboard': '/dashboard',
+  'profile': '/user/profile'
+};
+app.get('/redirect', (req, res) => {
+  const key = req.query.destination;
+  const url = REDIRECT_MAP[key];
+  if (!url) {
+    return res.status(400).send('Invalid destination');
+  }
+  res.redirect(url);
+});
+```
+### 4. Framework-specific solutions
+#### NestJS
+```typescript
+// ✅ An toàn - NestJS với DTO validation
+import { IsIn } from 'class-validator';
+class RedirectDto {
+  @IsIn(['home', 'dashboard', 'profile'])
+  destination: string;
+}
+@Controller('redirect')
+export class SafeController {
+  @Get()
+  redirect(@Query() query: RedirectDto) {
+    const urlMap = {
+      home: '/',
+      dashboard: '/dashboard',
+      profile: '/profile'
+    };
+    return { url: urlMap[query.destination] }; // Safe
+  }
+}
+// ✅ An toàn - NestJS với custom validation
+@Controller('goto')
+export class ValidatedController {
+  private readonly allowedUrls = ['https://example.com'];
+  @Get()
+  goto(@Query('url') url: string, @Res() res: Response) {
+    if (this.allowedUrls.includes(url)) {
+      res.redirect(url); // Safe
+    } else {
+      throw new BadRequestException('Invalid URL');
+    }
+  }
+}
+```
+#### Next.js (App Router)
+```typescript
+// ✅ An toàn - Next.js với allowlist
+const ALLOWED_PATHS = ['/home', '/dashboard', '/profile'];
+export default function SafeRedirect({ searchParams }) {
+  const path = searchParams.path;
+  if (ALLOWED_PATHS.includes(path)) {
+    redirect(path); // Safe
+  } else {
+    redirect('/'); // Safe default
+  }
+}
+// ✅ An toàn - Next.js với mapping
+const REDIRECT_MAP = {
+  'success': '/success',
+  'error': '/error'
+};
+export default function MappedRedirect({ searchParams }) {
+  const key = searchParams.destination;
+  redirect(REDIRECT_MAP[key] || '/'); // Safe
+}
+// ✅ An toàn - Next.js router với validation
+'use client';
+export default function SafeClientRedirect() {
+  const router = useRouter();
+  const searchParams = useSearchParams();
+  const handleRedirect = () => {
+    const path = searchParams.get('path');
+    const safePaths = ['/home', '/about'];
+    if (safePaths.includes(path)) {
+      router.push(path); // Safe
+    }
+  };
+}
+```
+#### Nuxt.js
+```typescript
+// ✅ An toàn - Nuxt.js với validation
+const ALLOWED_PATHS = ['/home', '/dashboard'];
+export default defineEventHandler((event) => {
+  const { path } = getQuery(event);
+  if (ALLOWED_PATHS.includes(path)) {
+    return navigateTo(path); // Safe
+  }
+  return navigateTo('/'); // Safe default
+});
+// ✅ An toàn - Nuxt.js với mapping
+const ROUTE_MAP = {
+  'profile': '/user/profile',
+  'settings': '/settings'
+};
+export default defineComponent({
+  setup() {
+    const route = useRoute();
+    const redirect = () => {
+      const key = route.query.destination;
+      const url = ROUTE_MAP[key] || '/';
+      navigateTo(url); // Safe
+    };
+  }
+});
+// ✅ An toàn - Nuxt.js với domain validation
+export default defineEventHandler((event) => {
+  const { url } = getQuery(event);
+  const allowedDomains = ['example.com'];
+  try {
+    const parsed = new URL(url);
+    if (allowedDomains.includes(parsed.hostname)) {
+      return sendRedirect(event, url); // Safe
+    }
+  } catch {
+    throw createError({ statusCode: 400 });
+  }
+});
+```
+## Phương pháp phát hiện
+Rule này sử dụng symbol-based analysis để phát hiện:
+1. **Redirect functions**:
+   - Express: `res.redirect()`
+   - NestJS: `@Redirect()`, `res.redirect()`
+   - Next.js: `redirect()`, `permanentRedirect()`, `router.push()`
+   - Nuxt.js: `navigateTo()`, `sendRedirect()`
+   - Spring: `response.sendRedirect()`
+   - Generic: `window.location`, `setHeader('Location')`
+2. **User input sources**:
+   - `req.query`, `req.params`, `req.body`
+   - `@Query()`, `@Param()`, `@Body()` (NestJS)
+   - `searchParams`, `useSearchParams()` (Next.js)
+   - `useRoute()`, `getQuery()`, `event.query` (Nuxt.js)
+   - `URLSearchParams.get()`
+3. **Dataflow analysis**: Track từ user input đến redirect function
+4. **Validation check**: Kiểm tra có whitelist/validation hay không
+## Tài liệu tham khảo
+- [OWASP A03:2021 - Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [CWE-601: URL Redirection to Untrusted Site](https://cwe.mitre.org/data/definitions/601.html)
+- [OWASP Unvalidated Redirects Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)

package/rules/security/S003_open_redirect_protection/analyzer.js ADDED Viewed

@@ -0,0 +1,135 @@
+/**
+ * S003 - Open Redirect Protection
+ *
+ * Main analyzer using symbol-based analysis to detect unvalidated URL redirects
+ * from user input.
+ *
+ * Based on:
+ * - OWASP A03:2021 - Injection
+ * - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
+ */
+// Command: node cli.js --rule=S003 --input=examples/rule-test-fixtures/rules/S003_open_redirect_protection --engine=heuristic
+const S003SymbolBasedAnalyzer = require("./symbol-based-analyzer");
+class S003Analyzer {
+  constructor(options = {}) {
+    this.ruleId = "S003";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    try {
+      this.symbolAnalyzer = new S003SymbolBasedAnalyzer(this.semanticEngine);
+    } catch (e) {
+      console.warn(`⚠ [S003] Failed to create symbol analyzer: ${e.message}`);
+    }
+  }
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.symbolAnalyzer && this.symbolAnalyzer.initialize) {
+      await this.symbolAnalyzer.initialize(semanticEngine);
+    }
+  }
+  analyzeSingle(filePath, options = {}) {
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        const vs = await this.analyzeFile(filePath, options);
+        violations.push(...vs);
+      } catch (e) {
+        console.warn(`⚠ [S003] Analysis error for ${filePath}: ${e.message}`);
+      }
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    const violationMap = new Map();
+    if (!this.symbolAnalyzer) {
+      return [];
+    }
+    // Skip test files, build directories, and node_modules
+    if (this.shouldSkipFile(filePath)) {
+      return [];
+    }
+    try {
+      let sourceFile = null;
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      }
+      if (!sourceFile) {
+        // Create temporary ts-morph source file
+        const fs = require("fs");
+        const path = require("path");
+        const { Project } = require("ts-morph");
+        if (!fs.existsSync(filePath)) {
+          throw new Error(`File not found: ${filePath}`);
+        }
+        const content = fs.readFileSync(filePath, "utf8");
+        const tmp = new Project({
+          useInMemoryFileSystem: true,
+          compilerOptions: { allowJs: true },
+        });
+        sourceFile = tmp.createSourceFile(path.basename(filePath), content);
+      }
+      if (sourceFile) {
+        const symbolViolations = await this.symbolAnalyzer.analyze(
+          sourceFile,
+          filePath
+        );
+        symbolViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+      }
+    } catch (e) {
+      console.warn(`⚠ [S003] Symbol analysis failed: ${e.message}`);
+    }
+    return Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+  }
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      "test/",
+      "tests/",
+      "__tests__/",
+      ".test.",
+      ".spec.",
+      "node_modules/",
+      "build/",
+      "dist/",
+      ".next/",
+      "coverage/",
+      "vendor/",
+      "mocks/",
+      ".mock.",
+    ];
+    return skipPatterns.some((pattern) => filePath.includes(pattern));
+  }
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+  }
+}
+module.exports = S003Analyzer;

package/rules/security/S003_open_redirect_protection/config.json ADDED Viewed

@@ -0,0 +1,58 @@
+{
+  "ruleId": "S003",
+  "name": "Open Redirect Protection",
+  "description": "URL redirects must validate against an allow list to prevent open redirect vulnerabilities",
+  "category": "security",
+  "severity": "warning",
+  "languages": ["All languages"],
+  "tags": [
+    "security",
+    "owasp",
+    "injection",
+    "open-redirect",
+    "phishing",
+    "url-validation"
+  ],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A03:2021 - Injection",
+    "cweId": "CWE-601",
+    "description": "Applications that redirect users to URLs from untrusted input without validation are vulnerable to phishing attacks. Attackers can create legitimate-looking links that redirect victims to malicious sites.",
+    "impact": "Medium - Phishing attacks, credential theft, malware distribution",
+    "likelihood": "High",
+    "remediation": "Use allow list (whitelist) to validate redirect URLs, or only allow relative URLs within the same domain"
+  },
+  "patterns": {
+    "vulnerable": [
+      "res.redirect(req.query.*) without validation",
+      "res.redirect(req.params.*) without validation",
+      "window.location = userInput without validation",
+      "response.sendRedirect(request.getParameter(*)) without validation",
+      "new RedirectView(userInput) without validation",
+      "res.setHeader('Location', req.query.*) without validation"
+    ],
+    "secure": [
+      "Validate against allow list (whitelist) of trusted domains",
+      "Only allow relative URLs (startsWith('/') && !startsWith('//'))",
+      "Use indirect mapping (key -> URL mapping)",
+      "Parse and validate URL with new URL() and check hostname",
+      "Use framework validation (e.g., @IsIn(['home', 'dashboard']))"
+    ]
+  },
+  "examples": {
+    "violations": [
+      "res.redirect(req.query.url);",
+      "window.location.href = params.get('redirect');",
+      "response.sendRedirect(request.getParameter('next'));",
+      "new RedirectView(request.getParameter('url'));"
+    ],
+    "fixes": [
+      "const url = req.query.url; if (ALLOWED_URLS.includes(url)) res.redirect(url);",
+      "if (isAllowedDomain(url)) window.location.href = url;",
+      "const destination = REDIRECT_MAP[req.query.key]; res.redirect(destination);",
+      "if (url.startsWith('/') && !url.startsWith('//')) res.redirect(url);"
+    ]
+  }
+}