npm - @sun-asterisk/sunlint - Versions diffs - 1.3.39 → 1.3.40 - Mend

@sun-asterisk/sunlint 1.3.39 → 1.3.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (422) hide show

package/skill-assets/sunlint-code-quality/rules/typescript/S037-anti-cache-headers.md ADDED Viewed

@@ -0,0 +1,52 @@
+---
+title: Set Anti-cache Headers
+impact: MEDIUM
+impactDescription: prevents sensitive data caching
+tags: headers, cache, sensitive-data, security
+---
+## Set Anti-cache Headers
+Sensitive pages cached in browsers or proxies can be accessed by other users.
+**Incorrect (no cache control):**
+```typescript
+app.get('/account', (req, res) => {
+  res.json(sensitiveData);  // May be cached!
+});
+```
+**Correct (anti-cache headers):**
+```typescript
+// For sensitive pages
+app.get('/account', (req, res) => {
+  res.set({
+    'Cache-Control': 'no-store, no-cache, must-revalidate, private',
+    'Pragma': 'no-cache',
+    'Expires': '0'
+  });
+  res.json(sensitiveData);
+});
+// Middleware for all authenticated routes
+const noCacheMiddleware = (req, res, next) => {
+  res.set({
+    'Cache-Control': 'no-store, no-cache, must-revalidate, private',
+    'Pragma': 'no-cache',
+    'Expires': '0'
+  });
+  next();
+};
+app.use('/api/user', authMiddleware, noCacheMiddleware, userRoutes);
+```
+**When to use anti-cache:**
+- Account pages
+- Financial data
+- Personal information
+- Any authenticated content
+**Tools:** helmet.js, Security Headers

package/skill-assets/sunlint-code-quality/rules/typescript/S039-tls-certificate-validation.md ADDED Viewed

@@ -0,0 +1,51 @@
+---
+title: TLS Clients Must Validate Server Certificates
+impact: CRITICAL
+impactDescription: prevents man-in-the-middle attacks
+tags: tls, certificates, validation, mitm, security
+---
+## TLS Clients Must Validate Server Certificates
+Disabling certificate validation makes TLS useless - attackers can intercept all traffic with self-signed certificates.
+**Incorrect (disabled validation):**
+```typescript
+// Node.js - DANGEROUS
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+// Axios - DANGEROUS
+axios.get('https://api.example.com', {
+  httpsAgent: new https.Agent({ rejectUnauthorized: false })
+});
+// Python - DANGEROUS
+requests.get('https://api.example.com', verify=False)
+```
+**Correct (proper validation):**
+```typescript
+// Default behavior - validates certificates
+axios.get('https://api.example.com');
+// Custom CA for internal services
+const agent = new https.Agent({
+  ca: fs.readFileSync('/path/to/internal-ca.pem'),
+  rejectUnauthorized: true
+});
+axios.get('https://internal-api.example.com', { httpsAgent: agent });
+```
+```python
+# Python - with custom CA
+import certifi
+requests.get('https://api.example.com', verify=certifi.where())
+# Or with internal CA
+requests.get('https://internal.example.com', verify='/path/to/ca.pem')
+```
+**Tools:** SSL Labs, testssl.sh, OWASP ZAP

package/skill-assets/sunlint-code-quality/rules/typescript/S041-logout-invalidation.md ADDED Viewed

@@ -0,0 +1,58 @@
+---
+title: Invalidate Session On Logout
+impact: MEDIUM
+impactDescription: ensures logout actually terminates access
+tags: session, logout, invalidation, security
+---
+## Invalidate Session On Logout
+If sessions persist after logout, stolen tokens remain valid.
+**Incorrect (client-only logout):**
+```typescript
+// Frontend-only logout (token still valid!)
+const logout = () => {
+  localStorage.removeItem('token');
+  navigate('/login');
+};
+// Server doesn't invalidate session
+app.post('/logout', (req, res) => {
+  res.json({ success: true });  // Session still active!
+});
+```
+**Correct (server-side invalidation):**
+```typescript
+app.post('/logout', async (req, res) => {
+  // Destroy server-side session
+  await sessionStore.destroy(req.sessionId);
+  // For JWT - add to blacklist
+  await tokenBlacklist.add(req.token, req.tokenExpiry);
+  // Clear cookie
+  res.clearCookie('session', {
+    httpOnly: true,
+    secure: true,
+    sameSite: 'strict'
+  });
+  // Prevent caching
+  res.set('Cache-Control', 'no-store');
+  res.json({ success: true });
+});
+// Frontend - clear all storage
+const logout = async () => {
+  await fetch('/api/logout', { method: 'POST' });
+  localStorage.clear();
+  sessionStorage.clear();
+  window.location.href = '/login';  // Full reload
+};
+```
+**Tools:** Session Libraries, Security Audit

package/skill-assets/sunlint-code-quality/rules/typescript/S042-long-lived-sessions.md ADDED Viewed

@@ -0,0 +1,55 @@
+---
+title: Re-authenticate For Long-lived Sessions
+impact: MEDIUM
+impactDescription: ensures continuous user identity verification
+tags: session, authentication, timeout, reauthentication, security
+---
+## Re-authenticate For Long-lived Sessions
+Long-running sessions may be hijacked. Periodic re-authentication ensures the original user is still present.
+**Incorrect (sessions never expire):**
+```typescript
+// Session lasts forever
+app.use(session({
+  cookie: { maxAge: null }  // Never expires
+}));
+```
+**Correct (periodic re-authentication):**
+```typescript
+const SESSION_MAX_AGE = 24 * 60 * 60 * 1000; // 24 hours
+const REAUTH_INTERVAL = 4 * 60 * 60 * 1000;  // 4 hours
+app.use((req, res, next) => {
+  if (!req.session.userId) return next();
+  const lastAuth = req.session.lastAuthenticated || 0;
+  const now = Date.now();
+  // Check if re-authentication needed
+  if (now - lastAuth > REAUTH_INTERVAL) {
+    req.session.requiresReauth = true;
+  }
+  next();
+});
+// Middleware for sensitive operations
+const requireRecentAuth = (req, res, next) => {
+  if (req.session.requiresReauth) {
+    return res.status(401).json({
+      error: 'Re-authentication required',
+      code: 'REAUTH_REQUIRED'
+    });
+  }
+  next();
+};
+app.post('/sensitive-action', requireRecentAuth, handler);
+```
+**Tools:** Session Management Libraries, Manual Review

package/skill-assets/sunlint-code-quality/rules/typescript/S044-critical-changes-reauth.md ADDED Viewed

@@ -0,0 +1,69 @@
+---
+title: Re-authenticate Before Critical Changes
+impact: MEDIUM
+impactDescription: prevents unauthorized critical operations
+tags: authentication, critical, reauthentication, security
+---
+## Re-authenticate Before Critical Changes
+Critical actions like password change, email change, or account deletion require fresh authentication.
+**Incorrect (no re-authentication):**
+```typescript
+// Dangerous - no password confirmation
+app.post('/account/delete', async (req, res) => {
+  await deleteAccount(req.user.id);
+  res.json({ success: true });
+});
+```
+**Correct (require password confirmation):**
+```typescript
+app.post('/account/delete', async (req, res) => {
+  const { currentPassword } = req.body;
+  // Verify current password
+  const isValid = await verifyPassword(req.user.id, currentPassword);
+  if (!isValid) {
+    return res.status(401).json({ error: 'Invalid password' });
+  }
+  // Rate limit this endpoint
+  await rateLimiter.checkLimit(req.user.id, 'critical-action');
+  // Perform critical action
+  await deleteAccount(req.user.id);
+  // Log the action
+  logger.security('Account deleted', { userId: req.user.id });
+  res.json({ success: true });
+});
+// For 2FA-enabled accounts
+app.post('/account/change-email', async (req, res) => {
+  const { newEmail, totpCode } = req.body;
+  // Verify 2FA code
+  const isValidTotp = await verify2FA(req.user.id, totpCode);
+  if (!isValidTotp) {
+    return res.status(401).json({ error: 'Invalid 2FA code' });
+  }
+  await updateEmail(req.user.id, newEmail);
+  res.json({ success: true });
+});
+```
+**Critical actions requiring re-auth:**
+- Password change
+- Email change
+- Phone number change
+- Account deletion
+- Payment method changes
+- Security settings changes
+**Tools:** Manual Review, Security Audit

package/skill-assets/sunlint-code-quality/rules/typescript/S045-brute-force-protection.md ADDED Viewed

@@ -0,0 +1,59 @@
+---
+title: Implement Brute-force Protection
+impact: MEDIUM
+impactDescription: prevents password guessing attacks
+tags: brute-force, rate-limiting, authentication, security
+---
+## Implement Brute-force Protection
+Without rate limiting, attackers can try millions of password combinations.
+**Incorrect (no protection):**
+```typescript
+app.post('/login', async (req, res) => {
+  const user = await authenticate(req.body);
+  // No limit on attempts!
+});
+```
+**Correct (rate limiting):**
+```typescript
+import rateLimit from 'express-rate-limit';
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,  // 15 minutes
+  max: 5,  // 5 attempts per window
+  message: 'Too many login attempts, try again later',
+  keyGenerator: (req) => req.body.email || req.ip,
+});
+app.post('/login', loginLimiter, async (req, res) => {
+  const user = await authenticate(req.body);
+});
+// Progressive delays
+const failedAttempts = new Map();
+async function handleLogin(email: string, password: string) {
+  const attempts = failedAttempts.get(email) || 0;
+  if (attempts >= 5) {
+    const lockoutTime = Math.min(Math.pow(2, attempts - 5) * 60, 3600);
+    throw new Error(`Account locked for ${lockoutTime} seconds`);
+  }
+  try {
+    const user = await authenticate(email, password);
+    failedAttempts.delete(email);
+    return user;
+  } catch {
+    failedAttempts.set(email, attempts + 1);
+    throw new Error('Invalid credentials');
+  }
+}
+```
+**Tools:** express-rate-limit, Redis, WAF

package/skill-assets/sunlint-code-quality/rules/typescript/S047-oauth-csrf-protection.md ADDED Viewed

@@ -0,0 +1,60 @@
+---
+title: Protect OAuth Code Flow Vs CSRF
+impact: HIGH
+impactDescription: prevents OAuth authorization code theft
+tags: oauth, csrf, state, authorization, security
+---
+## Protect OAuth Code Flow Vs CSRF
+Without state parameter validation, attackers can use their own authorization codes to link their accounts.
+**Incorrect (no state parameter):**
+```typescript
+// Initiating OAuth without state
+app.get('/auth/google', (req, res) => {
+  res.redirect(`https://accounts.google.com/oauth/authorize?
+    client_id=${CLIENT_ID}&
+    redirect_uri=${REDIRECT_URI}&
+    response_type=code`);
+  // No state parameter - vulnerable to CSRF!
+});
+```
+**Correct (state parameter validation):**
+```typescript
+import { randomBytes } from 'crypto';
+app.get('/auth/google', (req, res) => {
+  // Generate random state
+  const state = randomBytes(32).toString('hex');
+  // Store in session
+  req.session.oauthState = state;
+  res.redirect(`https://accounts.google.com/oauth/authorize?
+    client_id=${CLIENT_ID}&
+    redirect_uri=${REDIRECT_URI}&
+    response_type=code&
+    state=${state}`);
+});
+app.get('/auth/google/callback', (req, res) => {
+  const { code, state } = req.query;
+  // Validate state
+  if (state !== req.session.oauthState) {
+    return res.status(403).json({ error: 'Invalid state parameter' });
+  }
+  // Clear used state
+  delete req.session.oauthState;
+  // Exchange code for tokens
+  const tokens = await exchangeCodeForTokens(code);
+});
+```
+**Tools:** OAuth Libraries, Security Audit

package/skill-assets/sunlint-code-quality/rules/typescript/S048-oauth-redirect-validation.md ADDED Viewed

@@ -0,0 +1,59 @@
+---
+title: Validate OAuth Redirect URIs Exactly
+impact: CRITICAL
+impactDescription: prevents OAuth redirect hijacking
+tags: oauth, redirect, uri, validation, security
+---
+## Validate OAuth Redirect URIs Exactly
+Loose redirect URI validation allows attackers to steal authorization codes by redirecting users to malicious sites.
+**Incorrect (partial validation):**
+```typescript
+// Dangerous - substring match
+if (redirectUri.includes('example.com')) {
+  // Allows evil.com?example.com
+}
+// Dangerous - prefix match only
+if (redirectUri.startsWith('https://example.com')) {
+  // Allows https://example.com.evil.com
+}
+```
+**Correct (exact match against registered URIs):**
+```typescript
+const REGISTERED_REDIRECT_URIS = [
+  'https://app.example.com/callback',
+  'https://mobile.example.com/oauth/callback'
+];
+function validateRedirectUri(uri: string): boolean {
+  // Exact match required
+  return REGISTERED_REDIRECT_URIS.includes(uri);
+}
+app.get('/oauth/authorize', (req, res) => {
+  const { redirect_uri, client_id } = req.query;
+  // Get registered URIs for this client
+  const client = await getClient(client_id);
+  if (!client.redirectUris.includes(redirect_uri)) {
+    return res.status(400).json({ error: 'invalid_redirect_uri' });
+  }
+  // Proceed with authorization
+});
+```
+**Requirements:**
+- Exact string match for redirect URIs
+- Pre-registered URIs per client
+- No wildcards or pattern matching
+- HTTPS required for production
+**Tools:** OAuth Security Testing, Manual Review

package/skill-assets/sunlint-code-quality/rules/typescript/S049-auth-code-expiry.md ADDED Viewed

@@ -0,0 +1,73 @@
+---
+title: Authentication Codes Must Expire Quickly
+impact: MEDIUM
+impactDescription: limits window for code interception attacks
+tags: authentication, codes, expiry, otp, security
+---
+## Authentication Codes Must Expire Quickly
+Long-lived codes give attackers more time to intercept and use them. Short expiry limits the attack window.
+**Incorrect (codes never expire or last too long):**
+```typescript
+// Code valid for 24 hours - too long!
+const code = generateCode();
+await storeCode(userId, code, { expiresIn: '24h' });
+// No expiry at all
+await storeCode(userId, code);  // Lives forever!
+```
+**Correct (short expiry with proper handling):**
+```typescript
+const CODE_EXPIRY_MS = 5 * 60 * 1000;  // 5 minutes
+async function generateAuthCode(userId: string): Promise<string> {
+  const code = generateSecureOTP();
+  await redis.setex(
+    `auth_code:${userId}`,
+    300,  // 5 minutes in seconds
+    JSON.stringify({
+      code,
+      createdAt: Date.now(),
+      attempts: 0
+    })
+  );
+  return code;
+}
+async function verifyAuthCode(userId: string, inputCode: string): Promise<boolean> {
+  const stored = await redis.get(`auth_code:${userId}`);
+  if (!stored) return false;
+  const { code, attempts } = JSON.parse(stored);
+  // Rate limit attempts
+  if (attempts >= 3) {
+    await redis.del(`auth_code:${userId}`);
+    throw new Error('Too many attempts');
+  }
+  await redis.incr(`auth_code:${userId}:attempts`);
+  if (code === inputCode) {
+    await redis.del(`auth_code:${userId}`);  // Single use
+    return true;
+  }
+  return false;
+}
+```
+**Recommended expiry times:**
+- Email verification: 24 hours
+- Password reset: 1 hour
+- 2FA codes: 5-10 minutes
+- Magic links: 15 minutes
+**Tools:** Manual Review, Security Audit

package/skill-assets/sunlint-code-quality/rules/typescript/S050-token-entropy.md ADDED Viewed

@@ -0,0 +1,48 @@
+---
+title: Reference Tokens 128-bit Entropy CSPRNG
+impact: HIGH
+impactDescription: prevents token brute-forcing
+tags: tokens, entropy, csprng, session, security
+---
+## Reference Tokens 128-bit Entropy CSPRNG
+Low-entropy tokens can be brute-forced. 128 bits of entropy makes attacks computationally infeasible.
+**Incorrect (low entropy tokens):**
+```typescript
+// Low entropy - only 53 bits
+const token = Math.random().toString(36);
+// Sequential - predictable
+const token = `session_${++counter}`;
+// Short token - insufficient entropy
+const token = randomBytes(4).toString('hex');  // Only 32 bits
+```
+**Correct (high entropy tokens):**
+```typescript
+import { randomBytes } from 'crypto';
+// 128-bit minimum (16 bytes = 128 bits)
+const sessionToken = randomBytes(16).toString('hex');
+// 256-bit for extra security (32 bytes)
+const refreshToken = randomBytes(32).toString('base64url');
+// API keys - 256+ bits
+const apiKey = `sk_${randomBytes(32).toString('base64url')}`;
+```
+**Entropy levels:**
+| Bytes | Bits | Security Level |
+|-------|------|----------------|
+| 8 | 64 | Weak |
+| 16 | 128 | Minimum |
+| 32 | 256 | Recommended |
+**Tools:** Static Analysis, Security Audit

package/skill-assets/sunlint-code-quality/rules/typescript/S051-password-length.md ADDED Viewed

@@ -0,0 +1,60 @@
+---
+title: Support 12-64 Character Passwords
+impact: MEDIUM
+impactDescription: enables secure passphrase usage
+tags: password, length, passphrase, security
+---
+## Support 12-64 Character Passwords
+Long passwords/passphrases are more secure than complex short ones. Don't impose restrictive limits.
+**Incorrect (restrictive limits):**
+```typescript
+const passwordSchema = z.string()
+  .min(8)
+  .max(16);  // Too restrictive!
+```
+**Correct (reasonable limits):**
+```typescript
+const passwordSchema = z.string()
+  .min(12, 'Password must be at least 12 characters')
+  .max(64, 'Password cannot exceed 64 characters');
+// Or with complexity options
+const passwordOptions = {
+  minLength: 12,
+  maxLength: 64,
+  // Complexity is optional with long passwords
+  requireUppercase: password.length < 16,
+  requireNumber: password.length < 16,
+  requireSpecial: password.length < 16,
+};
+function validatePassword(password: string): boolean {
+  if (password.length < 12 || password.length > 64) {
+    return false;
+  }
+  // Long passphrases don't need symbol requirements
+  if (password.length >= 16) {
+    return true;
+  }
+  // Shorter passwords need complexity
+  return hasUppercase(password) &&
+         hasNumber(password) &&
+         hasSpecial(password);
+}
+```
+**NIST Guidelines:**
+- Minimum 8 characters (12+ recommended)
+- Maximum 64+ characters
+- No complexity requirements for long passwords
+- Allow all printable ASCII + Unicode
+**Tools:** Password Policy, Manual Review

package/skill-assets/sunlint-code-quality/rules/typescript/S052-otp-entropy.md ADDED Viewed

@@ -0,0 +1,49 @@
+---
+title: OTPs Must Have 20-bit Entropy Minimum
+impact: MEDIUM
+impactDescription: prevents OTP brute-forcing
+tags: otp, entropy, authentication, 2fa, security
+---
+## OTPs Must Have 20-bit Entropy Minimum
+Low-entropy OTPs can be brute-forced. 20 bits = ~1 million possibilities, requiring rate limiting.
+**Incorrect (low entropy OTPs):**
+```typescript
+// Only 4 digits = ~13 bits entropy
+const otp = Math.floor(1000 + Math.random() * 9000).toString();
+// Non-random - predictable
+const otp = Date.now().toString().slice(-4);
+```
+**Correct (high entropy OTPs):**
+```typescript
+import { randomBytes } from 'crypto';
+// 6-digit numeric OTP (≈20 bits entropy)
+function generateOTP(): string {
+  const bytes = randomBytes(4);
+  const num = bytes.readUInt32BE(0) % 1000000;
+  return num.toString().padStart(6, '0');
+}
+// 8-digit for higher security (≈26 bits)
+function generateStrongOTP(): string {
+  const bytes = randomBytes(4);
+  const num = bytes.readUInt32BE(0) % 100000000;
+  return num.toString().padStart(8, '0');
+}
+```
+**OTP requirements:**
+- CSPRNG generation
+- ≥20 bits entropy (6+ digits)
+- Short expiry (5-10 minutes)
+- Single use
+- Rate limiting on verification
+**Tools:** Manual Review, Unit Test