npm - @sun-asterisk/sunlint - Versions diffs - 1.3.35 → 1.3.37 - Mend

@sun-asterisk/sunlint 1.3.35 → 1.3.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/rules/security/S046_jwt_algorithm_allowlist/typescript/analyzer.js ADDED Viewed

@@ -0,0 +1,235 @@
+/**
+ * S046 – Use algorithm allowlist for self-contained tokens
+ *
+ * Detects JWT/token verification without algorithm restriction:
+ * - Missing algorithms option in jwt.verify()
+ * - 'none' algorithm allowed
+ * - Using jwt.decode() for security-sensitive operations
+ * - Algorithm taken from untrusted token header
+ */
+const fs = require('fs');
+const path = require('path');
+class S046Analyzer {
+  constructor() {
+    this.ruleId = 'S046';
+    this.ruleName = 'Use algorithm allowlist for self-contained tokens';
+    this.description = 'Prevent algorithm confusion attacks by restricting token algorithms';
+    // Critical patterns - dangerous practices
+    this.criticalPatterns = [
+      // 'none' algorithm explicitly allowed
+      {
+        pattern: /algorithms\s*:\s*\[[^\]]*['"`]none['"`]/gi,
+        message: "Algorithm 'none' is explicitly allowed - this disables signature verification",
+        type: 'none_algorithm_allowed'
+      },
+      // Algorithm from token header (algorithm confusion)
+      {
+        pattern: /(?:header|decoded|payload)\.alg(?:orithm)?(?!\s*===)/gi,
+        message: 'Algorithm from token header used without validation - vulnerable to algorithm confusion',
+        type: 'header_algorithm_used'
+      },
+      // jwt.decode for auth decisions
+      {
+        pattern: /jwt\.decode\s*\([^)]*\)(?:\s*\.|\s*\[)/gi,
+        message: 'jwt.decode() used - this does not verify signature. Use jwt.verify() with algorithm allowlist',
+        type: 'decode_without_verify'
+      }
+    ];
+    // Warning patterns - potential issues
+    this.warningPatterns = [
+      // jwt.verify without algorithms option
+      {
+        pattern: /jwt\.verify\s*\(\s*\w+\s*,\s*\w+\s*\)(?!\s*\.)/gi,
+        message: 'jwt.verify() called without algorithms option - specify allowed algorithms explicitly',
+        type: 'verify_no_algorithms'
+      },
+      // jsonwebtoken verify without third argument
+      {
+        pattern: /verify\s*\(\s*token\s*,\s*(?:secret|key|publicKey)\s*\)/gi,
+        message: 'Token verification without algorithm restriction - add { algorithms: [...] }',
+        type: 'verify_missing_options'
+      },
+      // jose/node-jose without algorithm check
+      {
+        pattern: /jws\.verify\s*\([^)]*\)(?![^{]*algorithms)/gi,
+        message: 'JWS verification may need algorithm validation',
+        type: 'jws_no_algorithm'
+      }
+    ];
+    // Files to analyze (JWT-related)
+    this.targetPatterns = [
+      /jwt/i,
+      /token/i,
+      /auth/i,
+      /verify/i,
+      /jose/i
+    ];
+    // Files to skip
+    this.skipPatterns = [
+      /\.test\./i,
+      /\.spec\./i,
+      /test\//i,
+      /tests\//i,
+      /__tests__\//i,
+      /node_modules/i,
+      /\.md$/i
+    ];
+  }
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some(pattern => pattern.test(filePath));
+  }
+  isJWTRelatedFile(filePath, content) {
+    // Check content for JWT patterns
+    const jwtIndicators = [
+      /jwt\./i,
+      /jsonwebtoken/i,
+      /jose/i,
+      /jws\./i,
+      /Bearer\s+/i,
+      /algorithms\s*:/i,
+      /\.verify\s*\([^)]*token/i
+    ];
+    return jwtIndicators.some(pattern => pattern.test(content));
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        // Only analyze JWT-related files
+        if (!this.isJWTRelatedFile(filePath, content)) {
+          continue;
+        }
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+    return violations;
+  }
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    // Check critical patterns (errors)
+    for (const { pattern, message, type } of this.criticalPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+        if (this.isComment(line)) {
+          continue;
+        }
+        if (this.isTestContext(lines, lineNum)) {
+          continue;
+        }
+        violations.push({
+          file: filePath,
+          line: lineNum,
+          column: this.getColumnNumber(content, match.index),
+          message: message,
+          severity: 'error',
+          ruleId: this.ruleId,
+          type: type,
+          matchedText: match[0]
+        });
+      }
+    }
+    // Check warning patterns
+    for (const { pattern, message, type } of this.warningPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+        if (this.isComment(line)) {
+          continue;
+        }
+        if (this.isTestContext(lines, lineNum)) {
+          continue;
+        }
+        // Check if algorithms are specified in options nearby
+        if (this.hasAlgorithmNearby(lines, lineNum)) {
+          continue;
+        }
+        violations.push({
+          file: filePath,
+          line: lineNum,
+          column: this.getColumnNumber(content, match.index),
+          message: message,
+          severity: 'warning',
+          ruleId: this.ruleId,
+          type: type,
+          matchedText: match[0]
+        });
+      }
+    }
+    return violations;
+  }
+  hasAlgorithmNearby(lines, lineNum) {
+    const start = Math.max(0, lineNum - 5);
+    const end = Math.min(lines.length, lineNum + 5);
+    const context = lines.slice(start, end).join('\n');
+    return /algorithms\s*:\s*\[/.test(context);
+  }
+  isComment(line) {
+    const trimmed = line.trim();
+    return trimmed.startsWith('//') || trimmed.startsWith('#') ||
+           trimmed.startsWith('/*') || trimmed.startsWith('*');
+  }
+  isTestContext(lines, lineNum) {
+    const start = Math.max(0, lineNum - 5);
+    const end = Math.min(lines.length, lineNum + 2);
+    const context = lines.slice(start, end).join('\n').toLowerCase();
+    return /describe\(|it\(|test\(|jest|mocha|mock|stub|fake/i.test(context);
+  }
+  getLineNumber(content, index) {
+    return content.substring(0, index).split('\n').length;
+  }
+  getColumnNumber(content, index) {
+    const lastNewline = content.lastIndexOf('\n', index - 1);
+    return index - lastNewline;
+  }
+}
+module.exports = S046Analyzer;

package/rules/security/S047_oauth_pkce_protection/config.json ADDED Viewed

@@ -0,0 +1,31 @@
+{
+    "id": "S047",
+    "name": "Protect OAuth code flow against CSRF attacks",
+    "description": "Implement PKCE (Proof Key for Code Exchange) or state parameter validation to protect OAuth authorization code flow against CSRF attacks. Required for public clients, recommended for confidential clients.",
+    "category": "security",
+    "severity": "high",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "oauth", "pkce", "csrf", "authorization"],
+    "examples": {
+        "valid": [
+            "// PKCE implementation",
+            "const codeVerifier = crypto.randomBytes(32).toString('base64url');",
+            "const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');",
+            "// State parameter",
+            "const state = crypto.randomBytes(32).toString('hex');"
+        ],
+        "invalid": [
+            "// No PKCE or state parameter",
+            "const authUrl = `${authServer}/authorize?client_id=${clientId}&redirect_uri=${redirectUri}`;",
+            "// Static state value",
+            "const state = 'fixed-state-value';"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule ensures OAuth authorization code flow is protected against CSRF attacks using PKCE or state parameter. PKCE is mandatory for public clients (SPAs, mobile apps). Both code_challenge and code_verifier must be cryptographically random. State parameter must be unique per request and validated on callback.",
+        "url": "https://datatracker.ietf.org/doc/html/rfc7636"
+    }
+}

package/rules/security/S047_oauth_pkce_protection/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * S047 Dart Analyzer - OAuth PKCE Protection
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S047_oauth_pkce_protection.dart
+ *
+ * Rule: Protect OAuth code flow against CSRF attacks using PKCE
+ */
+class DartS047Analyzer {
+  constructor() {
+    this.ruleId = 'S047';
+    this.language = 'dart';
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S047',
+      name: 'OAuth PKCE Protection',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Protect OAuth code flow against CSRF attacks using PKCE or state parameter'
+    };
+  }
+  getConfig() {
+    return {
+      checkPkce: true,
+      checkStateParameter: true,
+      severity: 'high'
+    };
+  }
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS047Analyzer;

package/rules/security/S047_oauth_pkce_protection/index.js ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * S047 Rule Router - OAuth PKCE Protection
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Protect OAuth code flow against CSRF attacks using PKCE or state parameter
+ */
+const path = require('path');
+class S047Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S047';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+module.exports = new S047Router();

package/rules/security/S047_oauth_pkce_protection/typescript/analyzer.js ADDED Viewed

@@ -0,0 +1,78 @@
+/**
+ * S047 – Protect OAuth code flow against CSRF attacks
+ *
+ * Detects OAuth implementations without PKCE or state parameter:
+ * - Authorization URLs without code_challenge
+ * - Missing state parameter validation
+ * - Static/hardcoded state values
+ */
+const fs = require('fs');
+class S047Analyzer {
+  constructor() {
+    this.ruleId = 'S047';
+    this.ruleName = 'Protect OAuth code flow against CSRF attacks';
+    this.description = 'Implement PKCE or state parameter validation for OAuth';
+    this.warningPatterns = [
+      // OAuth URL without code_challenge or state
+      {
+        pattern: /authorize\?[^"'`]*client_id(?![^"'`]*(?:code_challenge|state))/gi,
+        message: 'OAuth authorize URL missing PKCE code_challenge or state parameter',
+        type: 'missing_pkce_state'
+      },
+      // Static state values
+      {
+        pattern: /state\s*[=:]\s*['"`][a-zA-Z0-9_-]{1,20}['"`](?!\s*\|\|)/gi,
+        message: 'OAuth state parameter appears hardcoded - use cryptographically random value',
+        type: 'static_state'
+      }
+    ];
+    this.skipPatterns = [
+      /\.test\./i, /\.spec\./i, /test\//i, /__tests__\//i, /node_modules/i
+    ];
+  }
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some(p => p.test(filePath));
+  }
+  isOAuthFile(content) {
+    return /oauth|authorize|client_id|redirect_uri/i.test(content);
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) continue;
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        if (!this.isOAuthFile(content)) continue;
+        violations.push(...this.analyzeFile(content, filePath));
+      } catch (e) { /* skip */ }
+    }
+    return violations;
+  }
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    for (const { pattern, message, type } of this.warningPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        violations.push({
+          file: filePath, line: lineNum, column: 1,
+          message, severity: 'warning', ruleId: this.ruleId, type
+        });
+      }
+    }
+    return violations;
+  }
+}
+module.exports = S047Analyzer;

package/rules/security/S048_oauth_redirect_uri_validation/config.json ADDED Viewed

@@ -0,0 +1,30 @@
+{
+    "id": "S048",
+    "name": "Validate OAuth redirect URIs with exact string comparison",
+    "description": "Prevent OAuth redirect attacks by validating redirect URIs against a client-specific allowlist using exact string comparison, not pattern matching. Each OAuth client must have pre-registered URIs validated during authorization.",
+    "category": "security",
+    "severity": "critical",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "oauth", "redirect", "validation", "authorization"],
+    "examples": {
+        "valid": [
+            "// Exact match against pre-registered URIs",
+            "if (registeredUris.includes(redirectUri)) { allow(); }",
+            "const isValid = clientConfig.redirectUris.some(uri => uri === requestedUri);"
+        ],
+        "invalid": [
+            "// Wildcard redirect (dangerous)",
+            "if (redirectUri.startsWith('https://example.com')) { allow(); }",
+            "if (redirectUri.includes('example.com')) { allow(); }",
+            "// Pattern matching (dangerous)",
+            "if (/^https:\\/\\/.*\\.example\\.com/.test(redirectUri)) { allow(); }"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule ensures OAuth redirect URIs are validated using exact string comparison against pre-registered URIs. DO NOT allow wildcard redirects (*.example.com), partial matching, or pattern matching. Each OAuth client should have its own allowlist of redirect URIs registered during client creation. This prevents subdomain takeover attacks, path traversal in redirects, and parameter injection.",
+        "url": "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+    }
+}