npm - @sun-asterisk/sunlint - Versions diffs - 1.3.7 → 1.3.9 - Mend

@sun-asterisk/sunlint 1.3.7 → 1.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/rules/security/S049_short_validity_tokens/config.json ADDED Viewed

@@ -0,0 +1,124 @@
+{
+  "rule": {
+    "id": "S049",
+    "name": "Authentication tokens should have short validity periods",
+    "description": "Authentication tokens (JWT, session tokens, etc.) should have appropriately short validity periods to minimize the risk of token compromise. Long-lived tokens increase the attack surface and potential impact of token theft.",
+    "category": "security",
+    "severity": "error",
+    "languages": ["typescript", "javascript"],
+    "frameworks": ["express", "nestjs", "node"],
+    "version": "1.0.0",
+    "status": "stable",
+    "tags": ["security", "authentication", "tokens", "jwt", "session", "owasp"],
+    "references": [
+      "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel",
+      "https://owasp.org/www-project-application-security-verification-standard/",
+      "https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html",
+      "https://tools.ietf.org/html/rfc7519#section-4.1.4"
+    ]
+  },
+  "configuration": {
+    "enableJWTValidityCheck": true,
+    "enableSessionTokenCheck": true,
+    "enableOAuthTokenCheck": true,
+    "maxValidityPeriods": {
+      "accessToken": 3600,
+      "refreshToken": 86400,
+      "sessionToken": 1800,
+      "idToken": 3600,
+      "authToken": 3600
+    },
+    "jwtProperties": [
+      "exp",
+      "expiresIn",
+      "expiry",
+      "expires",
+      "ttl",
+      "maxAge",
+      "lifetime"
+    ],
+    "tokenMethods": [
+      "sign",
+      "create",
+      "generate",
+      "issue",
+      "encode"
+    ],
+    "jwtLibraries": [
+      "jsonwebtoken",
+      "jose",
+      "@nestjs/jwt",
+      "jwt-simple",
+      "node-jsonwebtoken",
+      "passport-jwt"
+    ],
+    "sessionMethods": [
+      "session",
+      "cookie",
+      "maxAge",
+      "expires"
+    ],
+    "sessionLibraries": [
+      "express-session",
+      "connect-session",
+      "cookie-session",
+      "client-sessions"
+    ],
+    "oauthProperties": [
+      "access_token_lifetime",
+      "refresh_token_lifetime",
+      "token_lifetime",
+      "expires_in"
+    ],
+    "timeUnits": {
+      "seconds": 1,
+      "minutes": 60,
+      "hours": 3600,
+      "days": 86400,
+      "weeks": 604800,
+      "months": 2592000,
+      "years": 31536000
+    },
+    "dangerousPatterns": [
+      "no-expire",
+      "never-expire",
+      "permanent",
+      "forever",
+      "infinite",
+      "unlimited"
+    ],
+    "exemptedScenarios": [
+      "test",
+      "testing",
+      "mock",
+      "development",
+      "dev"
+    ]
+  },
+  "examples": {
+    "violations": [
+      {
+        "description": "JWT token with excessive expiration time",
+        "code": "jwt.sign(payload, secret, { expiresIn: '30d' })"
+      },
+      {
+        "description": "Session with very long max age",
+        "code": "session({ maxAge: 30 * 24 * 60 * 60 * 1000 })"
+      },
+      {
+        "description": "Token with no expiration",
+        "code": "jwt.sign(payload, secret)"
+      }
+    ],
+    "clean": [
+      {
+        "description": "JWT token with appropriate expiration",
+        "code": "jwt.sign(payload, secret, { expiresIn: '1h' })"
+      },
+      {
+        "description": "Session with reasonable max age",
+        "code": "session({ maxAge: 30 * 60 * 1000 })"
+      }
+    ]
+  }
+}

package/rules/security/S049_short_validity_tokens/regex-based-analyzer.js ADDED Viewed

@@ -0,0 +1,295 @@
+/**
+ * S049 Regex-based Analyzer - Authentication tokens should have short validity periods
+ * Fallback analyzer using regex patterns when AST parsing is not available
+ */
+const fs = require("fs");
+const path = require("path");
+class S049RegexBasedAnalyzer {
+  constructor() {
+    this.ruleId = "S049";
+    // Load configuration
+    const configPath = path.join(__dirname, 'config.json');
+    this.config = JSON.parse(fs.readFileSync(configPath, 'utf8')).configuration;
+    this.initializePatterns();
+  }
+  async initialize(semanticEngine) {
+    // Regex analyzer doesn't need semantic engine
+  }
+  /**
+   * Initialize regex patterns for detection
+   */
+  initializePatterns() {
+    // JWT token creation patterns
+    this.jwtPatterns = [
+      // jwt.sign(payload, secret, { expiresIn: 'long-time' }) - handles multiline
+      /jwt\.sign\s*\([^)]*,\s*[^)]*,\s*\{[^}]*?expiresIn\s*:\s*['"]\s*([^'"]+)\s*['"][^}]*?\}/gs,
+      // jwt.sign(payload, secret, { exp: timestamp })
+      /jwt\.sign\s*\([^)]*,\s*[^)]*,\s*\{[^}]*?exp\s*:\s*(\d+)[^}]*?\}/gs,
+      // Token creation without expiration - matches jwt.sign with exactly 2 parameters
+      /jwt\.sign\s*\(\s*[^,)]+\s*,\s*[^,)]+\s*\)/g,
+      // Other JWT libraries
+      /(?:jsonwebtoken|jose|@nestjs\/jwt).*\.(?:sign|create|generate)\s*\([^)]*?\)/g
+    ];
+    // Session configuration patterns
+    this.sessionPatterns = [
+      // session({ maxAge: long-time }) - handles multiline
+      /session\s*\(\s*\{[^}]*?maxAge\s*:\s*(\d+)[^}]*?\}/gs,
+      // cookie({ maxAge: long-time })
+      /cookie\s*\(\s*\{[^}]*?maxAge\s*:\s*(\d+)[^}]*?\}/gs,
+      // express-session configuration
+      /require\s*\(\s*['"]\s*express-session\s*['"]\s*\)\s*\(\s*\{[^}]*?maxAge\s*:\s*(\d+)[^}]*?\}/gs
+    ];
+    // OAuth token patterns
+    this.oauthPatterns = [
+      // OAuth configuration with lifetime
+      /(?:access_token_lifetime|refresh_token_lifetime|token_lifetime|expires_in)\s*[:=]\s*(\d+)/g
+    ];
+    // Dangerous patterns (never expire, etc.)
+    this.dangerousPatterns = this.config.dangerousPatterns.map(pattern =>
+      new RegExp(pattern, 'gi')
+    );
+  }
+  /**
+   * Analyze file for authentication token validity issues
+   */
+  async analyze(filePath, language = "typescript", options = {}) {
+    try {
+      const sourceCode = fs.readFileSync(filePath, "utf8");
+      const lines = sourceCode.split('\n');
+      const violations = [];
+      // Check for JWT token issues
+      this.checkJWTPatterns(sourceCode, lines, filePath, violations);
+      // Check for session configuration issues
+      this.checkSessionPatterns(sourceCode, lines, filePath, violations);
+      // Check for OAuth token issues
+      this.checkOAuthPatterns(sourceCode, lines, filePath, violations);
+      // Check for dangerous patterns
+      this.checkDangerousPatterns(sourceCode, lines, filePath, violations);
+      return violations;
+    } catch (error) {
+      console.error(`🔧 [S049] Error in regex-based analysis:`, error);
+      return [];
+    }
+  }
+  /**
+   * Check JWT patterns for violations
+   */
+  checkJWTPatterns(sourceCode, lines, filePath, violations) {
+    for (const pattern of this.jwtPatterns) {
+      let match;
+      const globalPattern = new RegExp(pattern.source, 'g');
+      while ((match = globalPattern.exec(sourceCode)) !== null) {
+        const lineInfo = this.getLineInfo(sourceCode, match.index);
+        if (this.isInExemptedContext(lines[lineInfo.line - 1])) {
+          continue;
+        }
+        // Check if this is a token creation without expiration
+        if (!match[1]) {
+          this.addViolation(violations, filePath, lineInfo, lines[lineInfo.line - 1],
+            'JWT token created without expiration time',
+            'missing-expiration');
+          continue;
+        }
+        // Check if expiration time is too long
+        const expirationValue = match[1];
+        const seconds = this.parseTimeValue(expirationValue);
+        if (seconds > this.config.maxValidityPeriods.accessToken) {
+          this.addViolation(violations, filePath, lineInfo, lines[lineInfo.line - 1],
+            `JWT token expiration time (${expirationValue}) exceeds recommended maximum of ${this.config.maxValidityPeriods.accessToken} seconds`,
+            'long-expiration');
+        }
+      }
+    }
+  }
+  /**
+   * Check session patterns for violations
+   */
+  checkSessionPatterns(sourceCode, lines, filePath, violations) {
+    for (const pattern of this.sessionPatterns) {
+      let match;
+      const globalPattern = new RegExp(pattern.source, 'g');
+      while ((match = globalPattern.exec(sourceCode)) !== null) {
+        const lineInfo = this.getLineInfo(sourceCode, match.index);
+        if (this.isInExemptedContext(lines[lineInfo.line - 1])) {
+          continue;
+        }
+        const maxAgeValue = match[1];
+        if (maxAgeValue) {
+          // Session values are often in milliseconds
+          const seconds = Math.floor(parseInt(maxAgeValue) / 1000);
+          if (seconds > this.config.maxValidityPeriods.sessionToken) {
+            this.addViolation(violations, filePath, lineInfo, lines[lineInfo.line - 1],
+              `Session maxAge (${maxAgeValue}ms) exceeds recommended maximum of ${this.config.maxValidityPeriods.sessionToken} seconds`,
+              'long-session');
+          }
+        }
+      }
+    }
+  }
+  /**
+   * Check OAuth patterns for violations
+   */
+  checkOAuthPatterns(sourceCode, lines, filePath, violations) {
+    for (const pattern of this.oauthPatterns) {
+      let match;
+      const globalPattern = new RegExp(pattern.source, 'g');
+      while ((match = globalPattern.exec(sourceCode)) !== null) {
+        const lineInfo = this.getLineInfo(sourceCode, match.index);
+        if (this.isInExemptedContext(lines[lineInfo.line - 1])) {
+          continue;
+        }
+        const tokenValue = match[1];
+        if (tokenValue) {
+          const seconds = parseInt(tokenValue);
+          if (seconds > this.config.maxValidityPeriods.accessToken) {
+            this.addViolation(violations, filePath, lineInfo, lines[lineInfo.line - 1],
+              `OAuth token lifetime (${tokenValue}s) exceeds recommended maximum of ${this.config.maxValidityPeriods.accessToken} seconds`,
+              'long-oauth-token');
+          }
+        }
+      }
+    }
+  }
+  /**
+   * Check for dangerous patterns (never expire, etc.)
+   */
+  checkDangerousPatterns(sourceCode, lines, filePath, violations) {
+    for (const pattern of this.dangerousPatterns) {
+      let match;
+      while ((match = pattern.exec(sourceCode)) !== null) {
+        const lineInfo = this.getLineInfo(sourceCode, match.index);
+        if (this.isInExemptedContext(lines[lineInfo.line - 1])) {
+          continue;
+        }
+        this.addViolation(violations, filePath, lineInfo, lines[lineInfo.line - 1],
+          `Dangerous token configuration detected: "${match[0]}" suggests tokens that never expire`,
+          'dangerous-pattern');
+      }
+    }
+  }
+  /**
+   * Check if line is in exempted context (test, mock, etc.)
+   */
+  isInExemptedContext(line) {
+    if (!line) return false;
+    const lowerLine = line.toLowerCase();
+    return this.config.exemptedScenarios.some(scenario =>
+      lowerLine.includes(scenario)
+    );
+  }
+  /**
+   * Parse time value to seconds
+   */
+  parseTimeValue(value) {
+    if (typeof value === 'number') {
+      return value;
+    }
+    if (typeof value === 'string') {
+      // Handle string formats like '1h', '30d', '2w'
+      const match = value.match(/^(\d+)\s*([a-zA-Z]+)?$/);
+      if (match) {
+        const num = parseInt(match[1]);
+        const unit = match[2]?.toLowerCase() || 's';
+        // Map common units
+        const multiplier = this.config.timeUnits[unit] ||
+                          this.config.timeUnits[unit + 's'] || 1;
+        return num * multiplier;
+      }
+      // Handle pure numbers as strings
+      const numValue = parseInt(value);
+      if (!isNaN(numValue)) {
+        return numValue;
+      }
+    }
+    return 0;
+  }
+  /**
+   * Get line information from source position
+   */
+  getLineInfo(sourceCode, index) {
+    const beforeMatch = sourceCode.substring(0, index);
+    const line = beforeMatch.split('\n').length;
+    const lineStart = beforeMatch.lastIndexOf('\n') + 1;
+    const column = index - lineStart;
+    return { line, column };
+  }
+  /**
+   * Add violation to results
+   */
+  addViolation(violations, filePath, lineInfo, sourceLine, message, subType) {
+    violations.push({
+      ruleId: this.ruleId,
+      message,
+      severity: "error",
+      line: lineInfo.line,
+      column: lineInfo.column,
+      endLine: lineInfo.line,
+      endColumn: lineInfo.column + (sourceLine?.length || 0),
+      source: sourceLine || "",
+      filePath,
+      type: "regex-based",
+      subType,
+      context: {
+        matchType: "pattern-based",
+        pattern: subType
+      }
+    });
+  }
+  cleanup() {
+    // Cleanup resources if needed
+  }
+}
+module.exports = S049RegexBasedAnalyzer;