npm - @sun-asterisk/sunlint - Versions diffs - 1.3.7 → 1.3.8 - Mend

@sun-asterisk/sunlint 1.3.7 → 1.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/rules/security/S052_weak_otp_entropy/analyzer.js ADDED Viewed

@@ -0,0 +1,403 @@
+const fs = require('fs');
+const path = require('path');
+/**
+ * S052: OTP must have ≥20-bit entropy (≥6 digits) and use CSPRNG
+ *
+ * Detects:
+ * 1. Weak RNG APIs (Math.random, Random()) in OTP context
+ * 2. Short OTP codes (4 digits)
+ * 3. Non-CSPRNG usage in OTP generation
+ * 4. Policy violations (logging OTP, no TTL, etc.)
+ *
+ * Uses hybrid approach: AST for context-aware detection + regex for patterns
+ */
+class S052WeakOtpEntropyAnalyzer {
+  constructor(config = null) {
+    this.ruleId = 'S052';
+    this.loadConfig(config);
+    // Compile regex patterns for performance
+    this.compiledPatterns = this.compilePatterns();
+    this.verbose = false;
+  }
+  loadConfig(config) {
+    try {
+      if (config && config.options) {
+        this.config = config;
+        this.otpIdentifiers = config.options.otpIdentifiers || [];
+        this.bannedRngApis = config.options.bannedRngApis || {};
+        this.allowedRngApis = config.options.allowedRngApis || {};
+        this.lengthChecks = config.options.lengthChecks || {};
+        this.policy = config.options.policy || {};
+        this.detectionHeuristics = config.options.detectionHeuristics || {};
+        this.allowlist = config.options.allowlist || { paths: [] };
+        this.thresholds = config.options.thresholds || {};
+      } else {
+        // Load from config file
+        const configPath = path.join(__dirname, 'config.json');
+        const configData = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+        this.loadConfig(configData);
+      }
+    } catch (error) {
+      console.warn(`[S052] Failed to load config: ${error.message}`);
+      this.initializeDefaultConfig();
+    }
+  }
+  initializeDefaultConfig() {
+    this.otpIdentifiers = ['otp', 'oneTime', 'passcode', 'verificationCode', 'pin'];
+    this.bannedRngApis = {
+      typescript: ['Math\\.random\\s*\\('],
+      javascript: ['Math\\.random\\s*\\(']
+    };
+    this.allowedRngApis = {
+      node: ['crypto\\.randomInt\\s*\\(', 'crypto\\.randomBytes\\s*\\(']
+    };
+    this.lengthChecks = {
+      numericMinDigits: 6,
+      regexBadNumeric4: '\\\\b\\\\d{4}\\\\b'
+    };
+    this.policy = {
+      requireCsprng: true,
+      forbidNonCryptoRng: true,
+      forbidFourDigitOtp: true
+    };
+    this.detectionHeuristics = {
+      variableNameMatchBoost: true,
+      builderFunctions: ['generateOtp', 'issueOtp', 'createCode']
+    };
+    this.allowlist = { paths: ['test/', 'tests/', '__tests__/'] };
+    this.thresholds = { maxBannedRngUsages: 0, maxShortOtpPatterns: 0 };
+  }
+  compilePatterns() {
+    const patterns = {
+      bannedRng: {},
+      allowedRng: {},
+      otpContext: new RegExp(`\\b(${this.otpIdentifiers.join('|')})\\b`, 'gi'),
+      fourDigitOtp: /\b\d{4}\b/g,
+      shortAlphanumeric: /\b[a-zA-Z0-9]{1,5}\b/g,
+      builderFunctions: new RegExp(`\\b(${this.detectionHeuristics.builderFunctions?.join('|') || 'generateOtp'})\\s*\\(`, 'gi')
+    };
+    // Compile banned RNG patterns by language
+    for (const [lang, regexes] of Object.entries(this.bannedRngApis)) {
+      patterns.bannedRng[lang] = regexes.map(regex => new RegExp(regex, 'gi'));
+    }
+    // Compile allowed RNG patterns by language
+    for (const [lang, regexes] of Object.entries(this.allowedRngApis)) {
+      patterns.allowedRng[lang] = regexes.map(regex => new RegExp(regex, 'gi'));
+    }
+    return patterns;
+  }
+  analyze(files, language, options = {}) {
+    this.verbose = options.verbose || false;
+    const violations = [];
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S052 ANALYZE: Starting OTP entropy analysis`);
+    }
+    if (!Array.isArray(files)) {
+      files = [files];
+    }
+    for (const filePath of files) {
+      if (this.verbose) {
+        console.log(`[DEBUG] 🎯 S052: Analyzing ${filePath.split('/').pop()}`);
+      }
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileExtension = path.extname(filePath);
+        const fileName = path.basename(filePath);
+        const fileViolations = this.analyzeFile(filePath, content, fileExtension, fileName);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`[S052] Error analyzing ${filePath}: ${error.message}`);
+      }
+    }
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S052: Found ${violations.length} OTP entropy violations`);
+    }
+    return violations;
+  }
+  // Alias methods for different engines
+  run(filePath, content, options = {}) {
+    this.verbose = options.verbose || false;
+    const fileExtension = path.extname(filePath);
+    const fileName = path.basename(filePath);
+    return this.analyzeFile(filePath, content, fileExtension, fileName);
+  }
+  runAnalysis(filePath, content, options = {}) {
+    return this.run(filePath, content, options);
+  }
+  runEnhancedAnalysis(filePath, content, language, options = {}) {
+    return this.run(filePath, content, options);
+  }
+  analyzeFile(filePath, content, fileExtension, fileName) {
+    const language = this.detectLanguage(fileExtension, fileName);
+    if (!language) {
+      return [];
+    }
+    // Check if file is exempted
+    const isExempted = this.isExemptedFile(filePath);
+    if (isExempted && this.verbose) {
+      console.log(`[DEBUG] 🔍 S052: Analyzing exempted file: ${fileName}`);
+    }
+    return this.analyzeWithHybridApproach(filePath, content, language, isExempted);
+  }
+  detectLanguage(fileExtension, fileName) {
+    const extensions = {
+      '.ts': 'typescript',
+      '.tsx': 'typescript',
+      '.js': 'javascript',
+      '.jsx': 'javascript',
+      '.mjs': 'javascript',
+      '.java': 'java',
+      '.kt': 'kotlin',
+      '.dart': 'dart'
+    };
+    return extensions[fileExtension] || null;
+  }
+  isExemptedFile(filePath) {
+    const allowedPaths = this.allowlist.paths || [];
+    return allowedPaths.some(path => filePath.includes(path));
+  }
+  analyzeWithHybridApproach(filePath, content, language, isExempted) {
+    const violations = [];
+    const lines = content.split('\n');
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S052: Starting hybrid analysis (AST + regex) of ${lines.length} lines`);
+    }
+    // Step 1: Quick regex scan for obvious patterns
+    const regexViolations = this.scanWithRegex(content, lines, filePath, language, isExempted);
+    violations.push(...regexViolations);
+    // Step 2: Context-aware AST analysis (for TypeScript/JavaScript)
+    if (['typescript', 'javascript'].includes(language)) {
+      const astViolations = this.scanWithAst(content, lines, filePath, isExempted);
+      violations.push(...astViolations);
+    }
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S052: Found ${violations.length} total violations (regex + AST)`);
+    }
+    return violations;
+  }
+  scanWithRegex(content, lines, filePath, language, isExempted) {
+    const violations = [];
+    // 1. Check for banned RNG APIs
+    if (this.policy.forbidNonCryptoRng && this.compiledPatterns.bannedRng[language]) {
+      for (const pattern of this.compiledPatterns.bannedRng[language]) {
+        const matches = [...content.matchAll(pattern)];
+        for (const match of matches) {
+          const lineNumber = this.getLineNumber(content, match.index);
+          // Check if in OTP context
+          const lineContent = lines[lineNumber - 1];
+          const isOtpContext = this.isInOtpContext(lineContent, lines, lineNumber);
+          if (isOtpContext) {
+            violations.push({
+              ruleId: this.ruleId,
+              message: `Weak RNG "${match[0]}" detected in OTP context - use CSPRNG instead`,
+              severity: 'error',
+              line: lineNumber,
+              column: this.getColumnNumber(content, match.index),
+              filePath: filePath,
+              context: {
+                violationType: 'weak_rng_in_otp',
+                evidence: lineContent.trim(),
+                recommendation: 'Use crypto.randomInt() or crypto.randomBytes() for OTP generation'
+              }
+            });
+          }
+        }
+      }
+    }
+    // 2. Check for 4-digit OTP patterns
+    if (this.policy.forbidFourDigitOtp) {
+      const fourDigitMatches = [...content.matchAll(this.compiledPatterns.fourDigitOtp)];
+      for (const match of fourDigitMatches) {
+        const lineNumber = this.getLineNumber(content, match.index);
+        const lineContent = lines[lineNumber - 1];
+        // Check if this looks like an OTP (not just any 4 digits)
+        const isOtpContext = this.isInOtpContext(lineContent, lines, lineNumber);
+        const looks4DigitOtp = /\b(otp|code|pin).*\d{4}|\d{4}.*(otp|code|pin)/i.test(lineContent);
+        if (isOtpContext && looks4DigitOtp) {
+          violations.push({
+            ruleId: this.ruleId,
+            message: `4-digit OTP detected - insufficient entropy, use ≥6 digits`,
+            severity: 'error',
+            line: lineNumber,
+            column: this.getColumnNumber(content, match.index),
+            filePath: filePath,
+            context: {
+              violationType: 'insufficient_otp_entropy',
+              evidence: lineContent.trim(),
+              recommendation: 'Use at least 6 digits for OTP to achieve ≥20-bit entropy'
+            }
+          });
+        }
+      }
+    }
+    return violations;
+  }
+  scanWithAst(content, lines, filePath, isExempted) {
+    // AST analysis for TypeScript/JavaScript
+    // This would be more sophisticated context-aware detection
+    const violations = [];
+    // For now, implement simple variable/function name based detection
+    // TODO: Integrate with ts-morph for full AST analysis if needed
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNumber = i + 1;
+      // Check for OTP generation functions with weak patterns
+      const otpFunctionMatch = line.match(/function\s+(\w*(?:otp|code|pin)\w*)\s*\(/i);
+      if (otpFunctionMatch) {
+        // Look ahead for Math.random usage in function body
+        const functionBody = this.extractFunctionBody(lines, i);
+        if (functionBody && /Math\.random\s*\(/.test(functionBody)) {
+          violations.push({
+            ruleId: this.ruleId,
+            message: `OTP generation function "${otpFunctionMatch[1]}" uses weak Math.random()`,
+            severity: 'error',
+            line: lineNumber,
+            column: otpFunctionMatch.index + 1,
+            filePath: filePath,
+            context: {
+              violationType: 'weak_rng_in_otp_function',
+              evidence: line.trim(),
+              recommendation: 'Replace Math.random() with crypto.randomInt() or crypto.randomBytes()'
+            }
+          });
+        }
+      }
+    }
+    return violations;
+  }
+  isInOtpContext(lineContent, lines, lineNumber) {
+    // Skip if it's clearly not OTP context (e.g., generateSessionId, generateRequestId)
+    if (/generate(Session|Request|Unique|Random)Id/i.test(lineContent)) {
+      return false;
+    }
+    // Skip if it's in a comment
+    if (/^\s*\/\//.test(lineContent.trim()) || /\/\*.*\*\//.test(lineContent)) {
+      return false;
+    }
+    // Skip if it's dummy/test data (static values in objects)
+    if (/:\s*['"`]\d+['"`]\s*[,}]/.test(lineContent)) {
+      return false; // Static hardcoded values like pin: '1000'
+    }
+    // Skip if it's object property assignment with literal values
+    if (/\w+\s*:\s*['"`]\w*['"`]/.test(lineContent)) {
+      return false;
+    }
+    // Check current line for direct OTP context (must be variable assignment or function call)
+    const directOtpMatch = /\b(otp|oneTime|one_time|passcode|verificationCode|verifyCode|confirmCode|pin|totp|hotp|resetCode|activationCode)\s*[:=]/.test(lineContent);
+    if (directOtpMatch && !/:\s*['"`]/.test(lineContent)) {
+      // Only if it's NOT a static value assignment
+      return true;
+    }
+    // Check for OTP function definition
+    const otpFunctionMatch = /function\s+\w*(otp|passcode|pin|code|verify|confirm|reset|activation)\w*/i.test(lineContent);
+    if (otpFunctionMatch) {
+      return true;
+    }
+    // Check surrounding lines for context (more restrictive)
+    const contextRange = 2; // Reduced from 3
+    const start = Math.max(0, lineNumber - contextRange - 1);
+    const end = Math.min(lines.length, lineNumber + contextRange);
+    for (let i = start; i < end; i++) {
+      const contextLine = lines[i];
+      // Look for actual OTP assignment or return statements (not static values)
+      if (/\b(otp|passcode|pin)\s*[:=]|\breturn\s+\w*(otp|passcode|pin)/i.test(contextLine) &&
+          !/:\s*['"`]\w*['"`]/.test(contextLine)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  extractFunctionBody(lines, startLine) {
+    // Simple function body extraction (could be improved with proper parsing)
+    let braceCount = 0;
+    let inFunction = false;
+    let body = '';
+    for (let i = startLine; i < Math.min(lines.length, startLine + 20); i++) {
+      const line = lines[i];
+      for (const char of line) {
+        if (char === '{') {
+          braceCount++;
+          inFunction = true;
+        } else if (char === '}') {
+          braceCount--;
+          if (braceCount === 0 && inFunction) {
+            return body;
+          }
+        }
+      }
+      if (inFunction) {
+        body += line + '\n';
+      }
+    }
+    return body;
+  }
+  getLineNumber(content, index) {
+    return content.substring(0, index).split('\n').length;
+  }
+  getColumnNumber(content, index) {
+    const beforeIndex = content.substring(0, index);
+    const lastNewlineIndex = beforeIndex.lastIndexOf('\n');
+    return index - lastNewlineIndex;
+  }
+}
+module.exports = S052WeakOtpEntropyAnalyzer;

package/rules/security/S052_weak_otp_entropy/config.json ADDED Viewed

@@ -0,0 +1,57 @@
+{
+  "ruleId": "S052",
+  "name": "OTP must have ≥20-bit entropy (≥6 digits) and use CSPRNG",
+  "description": "Prevent guessable OTP by enforcing CSPRNG and minimal entropy. Ban non-crypto RNG and too-short codes.",
+  "category": "security",
+  "severity": "error",
+  "options": {
+    "otpIdentifiers": [
+      "otp","oneTime","one_time","passcode","verificationCode","verifyCode",
+      "confirmCode","pin","totp","hotp","resetCode","activationCode"
+    ],
+    "bannedRngApis": {
+      "typescript": ["Math\\.random\\s*\\("],
+      "javascript": ["Math\\.random\\s*\\("],
+      "node": ["crypto\\.pseudoRandomBytes\\s*\\("],
+      "java": ["new\\s+Random\\s*\\(","ThreadLocalRandom\\.current\\s*\\("],
+      "kotlin": ["kotlin\\.random\\.Random(\\.Default)?"],
+      "dart": ["new\\s+Random\\s*\\(","Random\\s*\\("]
+    },
+    "allowedRngApis": {
+      "node": ["crypto\\.randomInt\\s*\\(","crypto\\.randomBytes\\s*\\("],
+      "java": ["new\\s+SecureRandom\\s*\\("],
+      "kotlin": ["java\\.security\\.SecureRandom"],
+      "dart": ["Random\\.secure\\s*\\("]
+    },
+    "lengthChecks": {
+      "numericMinDigits": 6,
+      "alphanumericMinLength": 6,
+      "regexBadNumeric4": "\\\\b\\\\d{4}\\\\b"
+    },
+    "totpHotpHints": {
+      "requireStandardLib": true,
+      "minSecretBits": 128,
+      "maxTimeStepSeconds": 30,
+      "maxWindow": 1
+    },
+    "policy": {
+      "requireCsprng": true,
+      "forbidNonCryptoRng": true,
+      "forbidFourDigitOtp": true,
+      "requireNoLoggingOfOtp": true,
+      "requireSingleUseAndTtl": true
+    },
+    "detectionHeuristics": {
+      "variableNameMatchBoost": true,
+      "builderFunctions": ["generateOtp","issueOtp","createCode","sendOtp","totp","hotp"]
+    },
+    "allowlist": {
+      "paths": ["test/","tests/","__tests__/","fixtures/","mocks/"],
+      "notes": "Trong test vẫn cấm 4-digit OTP nếu test chạy e2e với hệ thật."
+    },
+    "thresholds": {
+      "maxBannedRngUsages": 0,
+      "maxShortOtpPatterns": 0
+    }
+  }
+}

package/rules/security/S054_no_default_accounts/README.md ADDED Viewed

@@ -0,0 +1,129 @@
+# Rule S054 - Disallow Default/Built-in Accounts
+## Mục tiêu
+Ngăn chặn tấn công brute-force và đảm bảo tính truy vết, minh bạch trong kiểm toán. Tránh các tài khoản dễ đoán và dùng chung không rõ danh tính.
+## Chi tiết
+- Không sử dụng tài khoản mặc định hoặc tài khoản có tên phổ biến (admin, root, sa, test, guest, ...)
+- Mỗi người dùng phải có tài khoản riêng biệt với quyền hạn được giới hạn theo vai trò
+- Bắt buộc đổi mật khẩu mặc định khi khởi tạo hệ thống hoặc khi user được tạo mới
+- Hệ thống cần log mọi lần đăng nhập và truy cập tài nguyên theo từng user cụ thể
+## Phạm vi kiểm tra
+### 1. SQL/Seeder/Migration
+- `INSERT INTO users/accounts` with blocked usernames
+- `CREATE USER` statements
+- `GRANT/REVOKE` permissions to default accounts
+### 2. Code/Application
+- `createUser()`, `new User()`, `addUser()` with blocked usernames
+- User registration/creation functions
+- Authentication/authorization code
+### 3. Infrastructure as Code (IaC)
+- **Terraform**: `username = "admin"`, `user = "root"`
+- **Helm/Values**: `adminUser:`, `defaultPass:`
+- **Docker/Compose**: `POSTGRES_USER=postgres`, `ENV USER=admin`
+- **Kubernetes**: `serviceAccount: default`, `user: admin`
+### 4. Configuration Files
+- Database configs: `db.username=admin`
+- Application configs: `auth.user=root`
+- Environment files: `.env` with default credentials
+### 5. Documentation
+- README/docs with exposed default credentials
+- Login examples with real default accounts
+## Blocked Usernames
+```
+admin, root, sa, test, guest, operator, super, superuser, sys,
+postgres, mysql, mssql, oracle, elastic, kibana, grafana,
+administrator, demo, example, default, public, anonymous,
+user, password, service, support, backup, monitor
+```
+## Password Smells
+```
+password, 123456, admin, Admin@123, Password1, changeme,
+default, qwerty, letmein, welcome, secret, pass123,
+root, toor, administrator, guest
+```
+## Exemptions
+- Test directories: `test/`, `tests/`, `__tests__/`, `e2e/`, `spec/`
+- Mock/fixture data
+- Documentation examples (with warnings)
+## Examples
+### ❌ Violations
+**SQL:**
+```sql
+INSERT INTO users (username, password) VALUES ('admin', 'password123');
+CREATE USER 'root'@'localhost' IDENTIFIED BY 'admin';
+```
+**Code:**
+```javascript
+createUser({ username: 'admin', password: 'default' });
+const user = new User('test', 'password');
+```
+**Terraform:**
+```hcl
+username = "admin"
+admin_username = "root"
+```
+**Docker:**
+```dockerfile
+ENV POSTGRES_USER=postgres
+ENV MYSQL_USER=root
+```
+**Config:**
+```properties
+spring.datasource.username=admin
+db.username=root
+```
+### ✅ Correct Usage
+**SQL:**
+```sql
+INSERT INTO users (username, password) VALUES ('john.doe', '${HASHED_PASSWORD}');
+CREATE USER '${DB_USERNAME}'@'localhost' IDENTIFIED BY '${DB_PASSWORD}';
+```
+**Code:**
+```javascript
+createUser({ username: userInput.username, password: hashedPassword });
+const user = new User(registrationForm.username, securePassword);
+```
+**Terraform:**
+```hcl
+username = var.database_username
+admin_username = var.admin_user
+```
+**Docker:**
+```dockerfile
+ENV POSTGRES_USER=${DB_USERNAME}
+ENV MYSQL_USER=${DATABASE_USER}
+```
+## Policy Requirements
+- ✅ `requirePerUserAccount`: true
+- ✅ `requireInitialPasswordChange`: true
+- ✅ `forbidWellKnownServiceAccountsInAppDB`: true
+- ✅ `allowOnlyInEphemeralTests`: true
+- ✅ `mustDisableBuiltInsOnInfra`: true
+## Thresholds
+- Production: `maxFindings = 0`
+- Test paths: `maxInAllowedPaths = 2`
+- Password smells: `maxPasswordSmells = 0`