@sun-asterisk/sunlint 1.3.35 → 1.3.37

package/rules/security/S026_tls_all_connections/config.json

@@ -0,0 +1,30 @@
+{
+    "id": "S026",
+    "name": "Use TLS encryption for all inbound and outbound connections",
+    "description": "Ensure all application connections use encrypted TLS protocol, with no fallback to insecure or unencrypted protocols. All inbound (API endpoints, webhooks) and outbound (external APIs, databases, partner systems) connections must use TLS 1.2 minimum.",
+    "category": "security",
+    "severity": "critical",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "tls", "encryption", "https", "network", "connections"],
+    "examples": {
+        "valid": [
+            "const client = new Client({ ssl: true });",
+            "fetch('https://api.example.com/data');",
+            "mongoose.connect('mongodb+srv://...');",
+            "const redis = new Redis({ tls: {} });"
+        ],
+        "invalid": [
+            "fetch('http://api.example.com/data');",
+            "const client = new Client({ ssl: false });",
+            "mongoose.connect('mongodb://localhost:27017');",
+            "const redis = new Redis({ host: 'redis.example.com' }); // No TLS"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule ensures all application connections use TLS encryption. Covers inbound connections (API endpoints, web interfaces, webhooks), outbound connections (external APIs, databases, partner systems), and internal connections (monitoring, management tools, middleware, message queues). TLS 1.2 minimum required, prefer TLS 1.3. No fallback to HTTP or unencrypted protocols allowed.",
+        "url": "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
+    }
+}

package/rules/security/S026_tls_all_connections/typescript/analyzer.js

@@ -0,0 +1,339 @@
+/**
+ * S026 – Use TLS encryption for all inbound and outbound connections
+ *
+ * Detects insecure connections that don't use TLS/SSL encryption:
+ * - HTTP URLs instead of HTTPS
+ * - Database connections without SSL/TLS
+ * - Redis/cache connections without TLS
+ * - WebSocket ws:// instead of wss://
+ * - SSL/TLS explicitly disabled
+ */
+// Command: node cli.js --rule=S026 --input=examples/rule-test-fixtures/rules/S026_tls_all_connections --engine=heuristic
+
+const fs = require("fs");
+const path = require("path");
+
+class S026Analyzer {
+  constructor() {
+    this.ruleId = "S026";
+    this.ruleName =
+      "Use TLS encryption for all inbound and outbound connections";
+    this.description =
+      "Ensure all connections use TLS encryption, no fallback to unencrypted protocols";
+
+    // Patterns for insecure connections
+    this.insecurePatterns = [
+      // HTTP URLs (excluding localhost for dev)
+      {
+        pattern:
+          /['"`](http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)[^'"`]+)['"`]/g,
+        message: "Insecure HTTP connection detected. Use HTTPS instead",
+        type: "http_url",
+      },
+      // WebSocket without TLS
+      {
+        pattern: /['"`](ws:\/\/(?!localhost|127\.0\.0\.1)[^'"`]+)['"`]/g,
+        message: "Insecure WebSocket connection detected. Use WSS instead",
+        type: "ws_url",
+      },
+      // MongoDB without TLS
+      {
+        pattern: /['"`](mongodb:\/\/(?!localhost|127\.0\.0\.1)[^'"`]+)['"`]/g,
+        message:
+          "MongoDB connection without TLS. Use mongodb+srv:// or add ssl=true",
+        type: "mongodb_url",
+      },
+      // Redis without TLS (rediss:// is secure)
+      {
+        pattern: /['"`](redis:\/\/(?!localhost|127\.0\.0\.1)[^'"`]+)['"`]/g,
+        message: "Redis connection without TLS. Use rediss:// or configure TLS",
+        type: "redis_url",
+      },
+      // FTP instead of SFTP
+      {
+        pattern: /['"`](ftp:\/\/[^'"`]+)['"`]/g,
+        message: "Insecure FTP connection detected. Use SFTP instead",
+        type: "ftp_url",
+      },
+      // AMQP without TLS
+      {
+        pattern: /['"`](amqp:\/\/(?!localhost|127\.0\.0\.1)[^'"`]+)['"`]/g,
+        message: "AMQP connection without TLS. Use amqps:// instead",
+        type: "amqp_url",
+      },
+    ];
+
+    // Patterns for explicitly disabled SSL/TLS
+    this.disabledSslPatterns = [
+      {
+        pattern: /ssl\s*:\s*false/gi,
+        message:
+          "SSL explicitly disabled. Enable SSL/TLS for secure connections",
+        type: "ssl_disabled",
+      },
+      {
+        pattern: /tls\s*:\s*false/gi,
+        message: "TLS explicitly disabled. Enable TLS for secure connections",
+        type: "tls_disabled",
+      },
+      {
+        pattern: /rejectUnauthorized\s*:\s*false/gi,
+        message:
+          "TLS certificate validation disabled. This allows MITM attacks",
+        type: "reject_unauthorized_false",
+      },
+      {
+        pattern: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"`]?0['"`]?/gi,
+        message:
+          "NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation",
+        type: "node_tls_reject",
+      },
+      {
+        pattern: /verify\s*=\s*False/g,
+        message: "SSL verification disabled in Python requests",
+        type: "python_verify_false",
+      },
+      {
+        pattern: /InsecureSkipVerify\s*:\s*true/gi,
+        message: "InsecureSkipVerify disables TLS certificate validation in Go",
+        type: "go_insecure_skip",
+      },
+    ];
+
+    // Files/paths to skip
+    this.skipPatterns = [
+      /\.test\./i,
+      /\.spec\./i,
+      /test\//i,
+      /tests\//i,
+      /__tests__\//i,
+      /mock/i,
+      /fixture/i,
+      /example/i,
+      /\.md$/i,
+      /node_modules/i,
+    ];
+  }
+
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some((pattern) => pattern.test(filePath));
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+
+      try {
+        const content = fs.readFileSync(filePath, "utf8");
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split("\n");
+
+    // Check for insecure URL patterns
+    for (const { pattern, message, type } of this.insecurePatterns) {
+      // Reset regex lastIndex
+      pattern.lastIndex = 0;
+
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const url = match[1];
+
+        // Skip if it's in a comment
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+        if (
+          this.isComment(
+            line,
+            match.index - this.getLineStartIndex(content, lineNum),
+          )
+        ) {
+          continue;
+        }
+
+        // Skip localhost/dev URLs
+        if (this.isLocalhost(url)) {
+          continue;
+        }
+
+        // Skip excluded URLs (namespaces, examples, documentation)
+        if (this.isExcludedUrl(url, line)) {
+          continue;
+        }
+
+        // Skip URLs guarded by localhost/emulator checks
+        if (this.isLocalhostGuarded(lines, lineNum)) {
+          continue;
+        }
+
+        violations.push({
+          file: filePath,
+          line: lineNum,
+          column: this.getColumnNumber(content, match.index),
+          message: `${message}: "${url}"`,
+          severity: "warning",
+          ruleId: this.ruleId,
+          type: type,
+          insecureUrl: url,
+        });
+      }
+    }
+
+    // Check for disabled SSL/TLS patterns
+    for (const { pattern, message, type } of this.disabledSslPatterns) {
+      pattern.lastIndex = 0;
+
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+
+        // Skip if it's in a comment
+        if (
+          this.isComment(
+            line,
+            match.index - this.getLineStartIndex(content, lineNum),
+          )
+        ) {
+          continue;
+        }
+
+        // Skip test/development context
+        if (this.isTestContext(lines, lineNum)) {
+          continue;
+        }
+
+        violations.push({
+          file: filePath,
+          line: lineNum,
+          column: this.getColumnNumber(content, match.index),
+          message: message,
+          severity: "warning",
+          ruleId: this.ruleId,
+          type: type,
+        });
+      }
+    }
+
+    return violations;
+  }
+
+  isComment(line, column) {
+    const trimmed = line.trim();
+    if (
+      trimmed.startsWith("//") ||
+      trimmed.startsWith("*") ||
+      trimmed.startsWith("/*")
+    ) {
+      return true;
+    }
+    // Check if the match is after a // in the line
+    const beforeMatch = line.substring(0, column);
+    return beforeMatch.includes("//");
+  }
+
+  isLocalhost(url) {
+    return /localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\]/i.test(url);
+  }
+
+  isExcludedUrl(url, line) {
+    // XML/SVG namespaces - not actual connections
+    if (/w3\.org\/\d{4}\//.test(url)) {
+      return true;
+    }
+
+    // Schema.org - metadata schemas
+    if (/schema\.org/i.test(url)) {
+      return true;
+    }
+
+    // Example/placeholder URLs in documentation
+    if (/example\.(com|org|net)/i.test(url)) {
+      return true;
+    }
+
+    // URLs in @ApiProperty example, @example, or similar documentation decorators
+    if (
+      /@(ApiProperty|example|Example)\s*\(/.test(line) ||
+      /example\s*[:=]/i.test(line)
+    ) {
+      return true;
+    }
+
+    // XML namespace declarations
+    if (/xmlns\s*[:=]/i.test(line)) {
+      return true;
+    }
+
+    // HTML meta tags - not actual connections
+    if (/<meta\s+[^>]*content\s*=/i.test(line)) {
+      return true;
+    }
+
+    // URL parsing/validation - new URL() used for validation, not connection
+    if (/new\s+URL\s*\(/i.test(line)) {
+      return true;
+    }
+
+    return false;
+  }
+
+  isLocalhostGuarded(lines, lineNum) {
+    // Check if the code is guarded by localhost/emulator check
+    const start = Math.max(0, lineNum - 10);
+    const context = lines.slice(start, lineNum).join("\n").toLowerCase();
+
+    return (
+      /if\s*\([^)]*localhost[^)]*\)/i.test(context) ||
+      /if\s*\([^)]*islocal[^)]*\)/i.test(context) ||
+      /if\s*\([^)]*emulator[^)]*\)/i.test(context) ||
+      /hostname\s*===?\s*['"`]localhost['"`]/i.test(context)
+    );
+  }
+
+  isTestContext(lines, lineNum) {
+    // Check surrounding lines for test context
+    const start = Math.max(0, lineNum - 5);
+    const end = Math.min(lines.length, lineNum + 2);
+    const context = lines.slice(start, end).join("\n").toLowerCase();
+
+    return /describe\(|it\(|test\(|jest|mocha|beforeeach|aftereach|mock|stub|fake/i.test(
+      context,
+    );
+  }
+
+  getLineNumber(content, index) {
+    return content.substring(0, index).split("\n").length;
+  }
+
+  getColumnNumber(content, index) {
+    const lastNewline = content.lastIndexOf("\n", index - 1);
+    return index - lastNewline;
+  }
+
+  getLineStartIndex(content, lineNum) {
+    const lines = content.split("\n");
+    let index = 0;
+    for (let i = 0; i < lineNum - 1; i++) {
+      index += lines[i].length + 1;
+    }
+    return index;
+  }
+}
+
+module.exports = S026Analyzer;

package/rules/security/S027_mtls_certificate_validation/config.json

@@ -0,0 +1,30 @@
+{
+    "id": "S027",
+    "name": "Validate mTLS client certificates before authentication",
+    "description": "Ensure mTLS client certificates are properly validated and trusted before using certificate identity for authentication or authorization decisions. Verify certificate is signed by trusted CA, not expired, not revoked, and subject/SAN matches expected identity.",
+    "category": "security",
+    "severity": "critical",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "mtls", "certificates", "authentication", "tls"],
+    "examples": {
+        "valid": [
+            "const cert = req.socket.getPeerCertificate(); if (!cert.valid_to || !cert.issuer) throw new Error('Invalid cert');",
+            "// Check certificate chain validation",
+            "// Verify certificate not expired: cert.valid_to > Date.now()",
+            "// Check certificate revocation via OCSP/CRL"
+        ],
+        "invalid": [
+            "const cert = req.socket.getPeerCertificate(); processRequest(cert.subject.CN); // No validation",
+            "// Accepting any valid certificate without identity check",
+            "// Skipping revocation checks",
+            "// Using certificate CN without proper validation"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule ensures mTLS client certificates are properly validated before trusting certificate identity. Validation includes: verify certificate is signed by trusted CA, check certificate has not expired, validate certificate is not revoked (CRL/OCSP), confirm certificate subject/SAN matches expected identity, full chain validation up to root CA, check Extended Key Usage for client authentication.",
+        "url": "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+    }
+}

package/rules/security/S027_mtls_certificate_validation/typescript/analyzer.js

@@ -0,0 +1,225 @@
+/**
+ * S027 – Validate mTLS client certificates before authentication
+ *
+ * Detects improper mTLS certificate validation:
+ * - Using certificate identity without validation
+ * - Missing expiration checks
+ * - Missing revocation checks (CRL/OCSP)
+ * - Missing CA chain validation
+ * - Accepting any certificate without identity verification
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+class S027Analyzer {
+  constructor() {
+    this.ruleId = 'S027';
+    this.ruleName = 'Validate mTLS client certificates before authentication';
+    this.description = 'Ensure mTLS client certificates are properly validated before trusting certificate identity';
+
+    // Patterns for certificate usage without validation
+    this.unsafePatterns = [
+      // Using certificate subject/CN directly without validation
+      {
+        pattern: /getPeerCertificate\(\)[^}]*\.subject\.CN/g,
+        message: 'Using certificate CN without proper validation. Verify certificate chain, expiration, and revocation first',
+        type: 'direct_cn_usage'
+      },
+      {
+        pattern: /getPeerCertificate\(\)[^}]*\.subject/g,
+        message: 'Using certificate subject without validation. Verify certificate is trusted before using identity',
+        type: 'direct_subject_usage'
+      },
+      // Certificate usage without checking authorized property
+      {
+        pattern: /socket\.authorized\s*!==\s*true|socket\.authorized\s*===\s*false/g,
+        message: 'Certificate authorization check failed but connection may continue',
+        type: 'auth_check_failed'
+      }
+    ];
+
+    // Patterns that indicate proper validation
+    this.validationPatterns = [
+      /\.authorized\s*===?\s*true/i,
+      /\.valid_to\s*[<>]/i,
+      /new Date\([^)]*valid/i,
+      /checkCRL|checkOCSP|ocsp|crl/i,
+      /verify.*chain|chain.*verify/i,
+      /issuer.*verify|verify.*issuer/i,
+      /ca.*verify|verify.*ca/i
+    ];
+
+    // Patterns for disabled certificate validation (critical issues)
+    this.disabledValidationPatterns = [
+      {
+        pattern: /rejectUnauthorized\s*:\s*false/gi,
+        message: 'Certificate validation disabled. This allows any certificate including self-signed and expired',
+        type: 'reject_unauthorized_false'
+      },
+      {
+        pattern: /requestCert\s*:\s*false/gi,
+        message: 'Client certificate not required. Enable requestCert for mTLS',
+        type: 'request_cert_disabled'
+      },
+      {
+        pattern: /checkServerIdentity\s*:\s*\(\)\s*=>\s*(undefined|null|true)/gi,
+        message: 'Server identity check bypassed. Implement proper hostname verification',
+        type: 'identity_check_bypassed'
+      }
+    ];
+
+    // Files to skip
+    this.skipPatterns = [
+      /\.test\./i,
+      /\.spec\./i,
+      /test\//i,
+      /tests\//i,
+      /__tests__\//i,
+      /mock/i,
+      /fixture/i,
+      /example/i,
+      /node_modules/i
+    ];
+  }
+
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some(pattern => pattern.test(filePath));
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    // Check if file deals with certificates/mTLS
+    if (!this.isCertificateRelatedFile(content)) {
+      return violations;
+    }
+
+    // Check for disabled validation patterns (most critical)
+    for (const { pattern, message, type } of this.disabledValidationPatterns) {
+      pattern.lastIndex = 0;
+
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+
+        if (this.isComment(line)) {
+          continue;
+        }
+
+        if (this.isTestContext(lines, lineNum)) {
+          continue;
+        }
+
+        violations.push({
+          file: filePath,
+          line: lineNum,
+          column: this.getColumnNumber(content, match.index),
+          message: message,
+          severity: 'error',
+          ruleId: this.ruleId,
+          type: type
+        });
+      }
+    }
+
+    // Check for unsafe certificate usage patterns
+    for (const { pattern, message, type } of this.unsafePatterns) {
+      pattern.lastIndex = 0;
+
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+
+        if (this.isComment(line)) {
+          continue;
+        }
+
+        // Check if there's proper validation nearby
+        const contextStart = Math.max(0, lineNum - 10);
+        const contextEnd = Math.min(lines.length, lineNum + 5);
+        const context = lines.slice(contextStart, contextEnd).join('\n');
+
+        const hasValidation = this.validationPatterns.some(vp => vp.test(context));
+
+        if (!hasValidation) {
+          violations.push({
+            file: filePath,
+            line: lineNum,
+            column: this.getColumnNumber(content, match.index),
+            message: message,
+            severity: 'warning',
+            ruleId: this.ruleId,
+            type: type
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  isCertificateRelatedFile(content) {
+    const certPatterns = [
+      /getPeerCertificate/i,
+      /requestCert/i,
+      /rejectUnauthorized/i,
+      /tls\.|https\./i,
+      /\.crt|\.pem|\.key/i,
+      /certificate|cert\b/i,
+      /mTLS|mtls/i,
+      /client.*cert|cert.*client/i
+    ];
+
+    return certPatterns.some(pattern => pattern.test(content));
+  }
+
+  isComment(line) {
+    const trimmed = line.trim();
+    return trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('*');
+  }
+
+  isTestContext(lines, lineNum) {
+    const start = Math.max(0, lineNum - 5);
+    const end = Math.min(lines.length, lineNum + 2);
+    const context = lines.slice(start, end).join('\n').toLowerCase();
+
+    return /describe\(|it\(|test\(|jest|mocha|mock|stub|fake/i.test(context);
+  }
+
+  getLineNumber(content, index) {
+    return content.substring(0, index).split('\n').length;
+  }
+
+  getColumnNumber(content, index) {
+    const lastNewline = content.lastIndexOf('\n', index - 1);
+    return index - lastNewline;
+  }
+}
+
+module.exports = S027Analyzer;

package/rules/security/S035_separate_app_hostnames/config.json

@@ -0,0 +1,28 @@
+{
+    "id": "S035",
+    "name": "Host separate applications on different hostnames",
+    "description": "Leverage same-origin policy restrictions by hosting separate applications on different hostnames to isolate resources, cookies, and prevent cross-application attacks. Each application should have its own hostname/subdomain.",
+    "category": "security",
+    "severity": "medium",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "same-origin", "isolation", "cors", "hostname", "architecture"],
+    "examples": {
+        "valid": [
+            "// Good: Separate hostnames for different apps",
+            "// app1.example.com, app2.example.com, admin.example.com",
+            "// API: api.example.com, Frontend: www.example.com"
+        ],
+        "invalid": [
+            "// Bad: Same origin for multiple apps",
+            "// example.com/app1, example.com/app2",
+            "// Shared cookies and localStorage between apps"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule ensures applications are hosted on separate hostnames to leverage same-origin policy benefits. Same-origin policy prevents scripts from one origin accessing resources from another, isolates cookies and storage per hostname, and limits impact of XSS to single application. Avoid hosting multiple apps on same origin with path-based routing (example.com/app1, example.com/app2).",
+        "url": "https://owasp.org/www-community/attacks/Cross-site_Scripting_(XSS)"
+    }
+}