npm - @sun-asterisk/sunlint - Versions diffs - 1.3.36 → 1.3.38 - Mend

@sun-asterisk/sunlint 1.3.36 → 1.3.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/rules/security/S048_oauth_redirect_uri_validation/typescript/analyzer.js ADDED Viewed

@@ -0,0 +1,278 @@
+/**
+ * S048 – Validate OAuth redirect URIs with exact string comparison
+ *
+ * Detects insecure OAuth redirect URI validation:
+ * - Wildcard redirects (*.example.com)
+ * - Partial string matching (startsWith, includes, contains)
+ * - Regex pattern matching instead of exact comparison
+ * - Missing redirect URI validation entirely
+ */
+const fs = require('fs');
+const path = require('path');
+class S048Analyzer {
+  constructor() {
+    this.ruleId = 'S048';
+    this.ruleName = 'Validate OAuth redirect URIs with exact string comparison';
+    this.description = 'Prevent OAuth redirect attacks by using exact string comparison for redirect URIs';
+    // Patterns for insecure redirect URI validation
+    this.insecurePatterns = [
+      // Partial string matching (dangerous)
+      {
+        pattern: /redirect[_-]?uri.*\.startsWith\s*\(/gi,
+        message: 'Redirect URI validated with startsWith() - use exact string comparison instead',
+        type: 'startswith_validation'
+      },
+      {
+        pattern: /redirect[_-]?uri.*\.includes\s*\(/gi,
+        message: 'Redirect URI validated with includes() - use exact string comparison instead',
+        type: 'includes_validation'
+      },
+      {
+        pattern: /redirect[_-]?uri.*\.indexOf\s*\([^)]+\)\s*[>!=]/gi,
+        message: 'Redirect URI validated with indexOf() - use exact string comparison instead',
+        type: 'indexof_validation'
+      },
+      // Regex pattern matching
+      {
+        pattern: /redirect[_-]?uri.*\.match\s*\(/gi,
+        message: 'Redirect URI validated with regex match() - use exact string comparison instead',
+        type: 'regex_match'
+      },
+      {
+        pattern: /redirect[_-]?uri.*\.test\s*\(/gi,
+        message: 'Redirect URI validated with regex test() - use exact string comparison instead',
+        type: 'regex_test'
+      },
+      {
+        pattern: /new RegExp\([^)]*redirect/gi,
+        message: 'Dynamic regex for redirect URI validation - use exact string comparison',
+        type: 'dynamic_regex'
+      },
+      // Wildcard patterns in strings
+      {
+        pattern: /['"`]\*\.[\w.-]+['"`].*redirect/gi,
+        message: 'Wildcard domain pattern for redirect URI detected. Use exact URIs only',
+        type: 'wildcard_domain'
+      },
+      {
+        pattern: /redirect.*['"`]\*\.[\w.-]+['"`]/gi,
+        message: 'Wildcard domain pattern for redirect URI detected. Use exact URIs only',
+        type: 'wildcard_domain'
+      },
+      // URL parsing without exact comparison
+      {
+        pattern: /new URL\([^)]*redirect[^)]*\).*\.host(name)?.*===?\s*[^=]/gi,
+        message: 'Comparing only hostname of redirect URI - validate full URI with exact comparison',
+        type: 'hostname_only'
+      },
+      {
+        pattern: /\.origin\s*===?\s*['"`][^'"`]+['"`].*redirect/gi,
+        message: 'Comparing only origin - validate full redirect URI with exact comparison',
+        type: 'origin_only'
+      }
+    ];
+    // Warning patterns
+    this.warningPatterns = [
+      // Dynamic/configurable redirect without validation mention
+      {
+        pattern: /redirect[_-]?uri\s*=\s*(?:req|request|params|query|body)\./gi,
+        message: 'Redirect URI from user input - ensure validation against pre-registered allowlist',
+        type: 'user_input_redirect'
+      },
+      // Redirect without any validation check nearby
+      {
+        pattern: /callback[_-]?url\s*=\s*(?:req|request|params|query|body)\./gi,
+        message: 'OAuth callback URL from user input - ensure validation against pre-registered allowlist',
+        type: 'user_input_callback'
+      }
+    ];
+    // Files to analyze (OAuth-related)
+    this.targetPatterns = [
+      /oauth/i,
+      /auth/i,
+      /login/i,
+      /callback/i,
+      /redirect/i,
+      /authorize/i,
+      /token/i
+    ];
+    // Files to skip
+    this.skipPatterns = [
+      /\.test\./i,
+      /\.spec\./i,
+      /test\//i,
+      /tests\//i,
+      /__tests__\//i,
+      /node_modules/i,
+      /\.md$/i
+    ];
+  }
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some(pattern => pattern.test(filePath));
+  }
+  isOAuthRelatedFile(filePath, content) {
+    // Check filename
+    if (this.targetPatterns.some(pattern => pattern.test(filePath))) {
+      return true;
+    }
+    // Check content for OAuth patterns
+    const oauthIndicators = [
+      /oauth/i,
+      /redirect[_-]?uri/i,
+      /callback[_-]?url/i,
+      /authorization[_-]?code/i,
+      /client[_-]?id/i,
+      /client[_-]?secret/i,
+      /access[_-]?token/i
+    ];
+    return oauthIndicators.some(pattern => pattern.test(content));
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        // Only analyze OAuth-related files
+        if (!this.isOAuthRelatedFile(filePath, content)) {
+          continue;
+        }
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+    return violations;
+  }
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    // Check insecure patterns (errors)
+    for (const { pattern, message, type } of this.insecurePatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+        if (this.isComment(line)) {
+          continue;
+        }
+        if (this.isTestContext(lines, lineNum)) {
+          continue;
+        }
+        violations.push({
+          file: filePath,
+          line: lineNum,
+          column: this.getColumnNumber(content, match.index),
+          message: message,
+          severity: 'error',
+          ruleId: this.ruleId,
+          type: type,
+          matchedText: match[0]
+        });
+      }
+    }
+    // Check warning patterns
+    for (const { pattern, message, type } of this.warningPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+        if (this.isComment(line)) {
+          continue;
+        }
+        // Check if there's validation nearby
+        if (this.hasValidationNearby(lines, lineNum)) {
+          continue;
+        }
+        violations.push({
+          file: filePath,
+          line: lineNum,
+          column: this.getColumnNumber(content, match.index),
+          message: message,
+          severity: 'warning',
+          ruleId: this.ruleId,
+          type: type,
+          matchedText: match[0]
+        });
+      }
+    }
+    return violations;
+  }
+  hasValidationNearby(lines, lineNum) {
+    const start = Math.max(0, lineNum - 5);
+    const end = Math.min(lines.length, lineNum + 5);
+    const context = lines.slice(start, end).join('\n').toLowerCase();
+    // Check for validation patterns
+    const validationPatterns = [
+      /allowlist|allow[_-]?list|whitelist|white[_-]?list/i,
+      /registered[_-]?uri/i,
+      /valid[_-]?redirect/i,
+      /validate.*redirect/i,
+      /===\s*['"]/,  // Exact comparison
+      /\.has\(/,     // Set/Map has
+      /\.includes\(.*===/ // Array includes with exact check
+    ];
+    return validationPatterns.some(pattern => pattern.test(context));
+  }
+  isComment(line) {
+    const trimmed = line.trim();
+    return trimmed.startsWith('//') || trimmed.startsWith('#') ||
+           trimmed.startsWith('/*') || trimmed.startsWith('*');
+  }
+  isTestContext(lines, lineNum) {
+    const start = Math.max(0, lineNum - 5);
+    const end = Math.min(lines.length, lineNum + 2);
+    const context = lines.slice(start, end).join('\n').toLowerCase();
+    return /describe\(|it\(|test\(|jest|mocha|mock|stub|fake/i.test(context);
+  }
+  getLineNumber(content, index) {
+    return content.substring(0, index).split('\n').length;
+  }
+  getColumnNumber(content, index) {
+    const lastNewline = content.lastIndexOf('\n', index - 1);
+    return index - lastNewline;
+  }
+}
+module.exports = S048Analyzer;

package/rules/security/S049_short_validity_tokens/typescript/config.json CHANGED Viewed

@@ -84,15 +84,22 @@
       "never-expire",
       "permanent",
       "forever",
-      "infinite",
-      "unlimited"
+      "infinite[_-]?(?:token|expir|ttl|validity)",
+      "(?:token|expir|ttl|validity)[_-]?infinite",
+      "unlimited[_-]?(?:token|expir|ttl)",
+      "(?:token|expir|ttl)[_-]?unlimited"
     ],
     "exemptedScenarios": [
       "test",
       "testing",
       "mock",
       "development",
-      "dev"
+      "dev",
+      "infinitescroll",
+      "infinitequery",
+      "useinfinite",
+      "infiniteloading",
+      "infinitelist"
     ]
   },
   "examples": {

package/rules/security/S050_reference_tokens_entropy/config.json ADDED Viewed

@@ -0,0 +1,28 @@
+{
+    "id": "S050",
+    "name": "Reference tokens must be unique with 128-bit entropy using CSPRNG",
+    "description": "Reference tokens (session IDs, authorization codes, access tokens) must have at least 128 bits of entropy generated using a cryptographically secure pseudo-random number generator (CSPRNG).",
+    "category": "security",
+    "severity": "high",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "tokens", "entropy", "csprng", "session"],
+    "examples": {
+        "valid": [
+            "crypto.randomBytes(16).toString('hex'); // 128-bit",
+            "crypto.randomBytes(32).toString('base64'); // 256-bit",
+            "uuid.v4(); // UUIDv4 has 122 bits of randomness"
+        ],
+        "invalid": [
+            "Math.random().toString(36); // Not cryptographically secure",
+            "Date.now().toString(); // Predictable",
+            "userId + timestamp; // Low entropy"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule ensures reference tokens have sufficient entropy. Minimum 128 bits recommended, 256 bits preferred for high-security applications. Use CSPRNG: crypto.randomBytes() in Node.js, SecureRandom in Java, secrets module in Python. Avoid Math.random(), timestamps, or sequential IDs.",
+        "url": "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
+    }
+}

package/rules/security/S050_reference_tokens_entropy/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * S050 Dart Analyzer - Reference Tokens Entropy
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S050_reference_tokens_entropy.dart
+ *
+ * Rule: Reference tokens must be unique with 128-bit entropy using CSPRNG
+ */
+class DartS050Analyzer {
+  constructor() {
+    this.ruleId = 'S050';
+    this.language = 'dart';
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S050',
+      name: 'Reference Tokens Entropy',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Reference tokens must be unique with 128-bit entropy using CSPRNG'
+    };
+  }
+  getConfig() {
+    return {
+      checkCsprng: true,
+      checkMathRandom: true,
+      minEntropyBits: 128,
+      severity: 'high'
+    };
+  }
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS050Analyzer;

package/rules/security/S050_reference_tokens_entropy/index.js ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * S050 Rule Router - Reference Tokens Entropy
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Reference tokens must be unique with 128-bit entropy using CSPRNG
+ */
+const path = require('path');
+class S050Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S050';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+module.exports = new S050Router();

package/rules/security/S050_reference_tokens_entropy/typescript/analyzer.js ADDED Viewed

@@ -0,0 +1,74 @@
+/**
+ * S050 – Reference tokens must be unique with 128-bit entropy using CSPRNG
+ *
+ * Detects weak token generation:
+ * - Math.random() for tokens
+ * - Date/timestamp-based tokens
+ * - Sequential/predictable tokens
+ */
+const fs = require('fs');
+class S050Analyzer {
+  constructor() {
+    this.ruleId = 'S050';
+    this.ruleName = 'Reference tokens must have 128-bit entropy using CSPRNG';
+    this.description = 'Use cryptographically secure random generation for tokens';
+    this.criticalPatterns = [
+      {
+        pattern: /(?:token|session|id)\s*=\s*Math\.random\(\)/gi,
+        message: 'Math.random() is not cryptographically secure - use crypto.randomBytes()',
+        type: 'math_random_token'
+      },
+      {
+        pattern: /(?:token|session|id)\s*=\s*Date\.now\(\)/gi,
+        message: 'Timestamp-based tokens are predictable - use CSPRNG',
+        type: 'timestamp_token'
+      },
+      {
+        pattern: /(?:token|session|id)\s*=\s*\+\+\w+|(?:token|session|id)\s*=\s*\w+\+\+/gi,
+        message: 'Sequential tokens are predictable - use CSPRNG with 128-bit entropy',
+        type: 'sequential_token'
+      }
+    ];
+    this.skipPatterns = [
+      /\.test\./i, /\.spec\./i, /test\//i, /__tests__\//i, /node_modules/i
+    ];
+  }
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some(p => p.test(filePath));
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) continue;
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        violations.push(...this.analyzeFile(content, filePath));
+      } catch (e) { /* skip */ }
+    }
+    return violations;
+  }
+  analyzeFile(content, filePath) {
+    const violations = [];
+    for (const { pattern, message, type } of this.criticalPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        violations.push({
+          file: filePath, line: lineNum, column: 1,
+          message, severity: 'error', ruleId: this.ruleId, type
+        });
+      }
+    }
+    return violations;
+  }
+}
+module.exports = S050Analyzer;

package/rules/security/S053_generic_error_messages/config.json ADDED Viewed

@@ -0,0 +1,28 @@
+{
+    "id": "S053",
+    "name": "Return generic error messages, hide internal details",
+    "description": "Return generic error messages to users while logging detailed errors server-side. Do not expose stack traces, database errors, SQL queries, file paths, or internal system details in API responses.",
+    "category": "security",
+    "severity": "medium",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "error-handling", "information-disclosure", "api"],
+    "examples": {
+        "valid": [
+            "res.status(500).json({ error: 'An unexpected error occurred' });",
+            "logger.error('Database error', { error, query }); // Log details",
+            "throw new HttpException('Invalid request', 400);"
+        ],
+        "invalid": [
+            "res.status(500).json({ error: error.stack });",
+            "res.send(error.message); // May contain internal details",
+            "res.json({ sql: query, error: dbError }); // Exposes SQL"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule prevents information disclosure through error messages. Internal details to hide: stack traces, database error messages, SQL queries, file paths, internal IPs, configuration values, library versions. Log full details server-side with correlation IDs. Return generic messages to clients.",
+        "url": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
+    }
+}

package/rules/security/S053_generic_error_messages/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * S053 Dart Analyzer - Generic Error Messages
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S053_generic_error_messages.dart
+ *
+ * Rule: Return generic error messages, hide internal details
+ */
+class DartS053Analyzer {
+  constructor() {
+    this.ruleId = 'S053';
+    this.language = 'dart';
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S053',
+      name: 'Generic Error Messages',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Return generic error messages, hide internal details from users'
+    };
+  }
+  getConfig() {
+    return {
+      checkStackTraceExposure: true,
+      checkSqlExposure: true,
+      checkPathExposure: true,
+      severity: 'medium'
+    };
+  }
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS053Analyzer;