getdoorman 1.0.0

package/src/rules/security/csrf.js

@@ -0,0 +1,193 @@
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+const isTest = (f) => f.includes('test') || f.includes('spec') || f.includes('mock') || f.includes('fixture');
+
+const rules = [
+  // SEC-CSRF-001
+  {
+    id: 'SEC-CSRF-001', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Missing CSRF protection',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.framework === 'nextjs') return findings; // Next.js server actions have built-in CSRF
+      if (stack.runtime !== 'node') return findings;
+
+      const hasCsrf = Object.keys(stack.dependencies || {}).some(d =>
+        ['csurf', 'csrf', 'csrf-csrf', 'lusca'].includes(d)
+      );
+      if (hasCsrf) return findings;
+
+      const hasForms = [...files.values()].some(c =>
+        c.includes('<form') && (c.includes('method="POST"') || c.includes("method='POST'") || c.includes('method="post"'))
+      );
+      if (hasForms) {
+        findings.push({
+          ruleId: 'SEC-CSRF-001', category: 'security', severity: 'high',
+          title: 'No CSRF protection on forms with POST method',
+          description: 'Forms without CSRF tokens can be exploited by attackers to submit requests on behalf of users.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CSRF-002
+  {
+    id: 'SEC-CSRF-002', category: 'security', severity: 'critical', confidence: 'definite',
+    title: 'CSRF token not validated on server',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        if (content.includes('csrf') && content.includes('token')) {
+          // Token is referenced but no middleware validates it
+          if (!content.includes('csrfProtection') && !content.includes('verifyCsrf') && !content.includes('csrf()')) {
+            // Check if it's just being set but never verified
+            if (content.includes('csrfToken') && !content.includes('validate') && !content.includes('verify')) {
+              findings.push({
+                ruleId: 'SEC-CSRF-002', category: 'security', severity: 'critical',
+                title: 'CSRF token generated but may not be validated server-side',
+                file: fp, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CSRF-003
+  {
+    id: 'SEC-CSRF-003', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Cookie without SameSite attribute',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/(?:cookie|session).*(?:httpOnly|secure|maxAge)/i) && !lines[i].includes('sameSite') && !content.includes('sameSite')) {
+            findings.push({
+              ruleId: 'SEC-CSRF-003', category: 'security', severity: 'high',
+              title: 'Cookie configured without SameSite attribute',
+              description: 'Set SameSite=Lax or SameSite=Strict to prevent CSRF attacks.',
+              file: fp, line: i + 1, fix: null,
+            });
+            break;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CSRF-004
+  {
+    id: 'SEC-CSRF-004', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Cookie without Secure flag',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        if (content.match(/cookie.*httpOnly/i) || content.match(/session.*cookie/i)) {
+          if (content.includes('secure: false') || (!content.includes('secure:') && !content.includes('secure :'))) {
+            findings.push({
+              ruleId: 'SEC-CSRF-004', category: 'security', severity: 'high',
+              title: 'Session cookie missing Secure flag — will be sent over HTTP',
+              file: fp, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CSRF-005
+  {
+    id: 'SEC-CSRF-005', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Cookie without HttpOnly flag',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        if (content.match(/(?:res\.cookie|setCookie|set-cookie)/i)) {
+          if (content.includes('httpOnly: false')) {
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+              if (lines[i].includes('httpOnly: false')) {
+                findings.push({
+                  ruleId: 'SEC-CSRF-005', category: 'security', severity: 'high',
+                  title: 'Cookie with httpOnly explicitly set to false — accessible to JavaScript',
+                  file: fp, line: i + 1, fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CSRF-006
+  {
+    id: 'SEC-CSRF-006', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'State-changing GET request',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Flag GET routes where the inline handler body performs a state-changing DB operation.
+          // Check the route line + next 8 lines for actual mutations (deleteOne, destroy, UPDATE, etc.)
+          if (lines[i].match(/\.get\s*\(.*['"`]\/[^'"` ]+['"`]/i) &&
+              !lines[i].trim().startsWith('//')) {
+            const window = lines.slice(i, i + 9).join('\n');
+            const stateChange = /\.(?:deleteOne|deleteMany|findByIdAndDelete|destroy|remove|drop)\s*\(|db\.(?:query|run)\s*\(\s*['"`]\s*(?:DELETE|UPDATE|INSERT)/i;
+            if (stateChange.test(window)) {
+              findings.push({
+                ruleId: 'SEC-CSRF-006', category: 'security', severity: 'medium',
+                title: 'State-changing operation on GET endpoint — should be POST/PUT/DELETE',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CSRF-007
+  {
+    id: 'SEC-CSRF-007', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Missing Origin/Referer validation',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const hasOriginCheck = [...files.values()].some(c =>
+        c.includes('origin') && (c.includes('req.headers') || c.includes('request.headers'))
+      );
+      const hasCors = Object.keys(stack.dependencies || {}).some(d => d === 'cors');
+      if (!hasOriginCheck && !hasCors) {
+        const hasMutations = [...files.values()].some(c =>
+          c.match(/\.(post|put|patch|delete)\s*\(/)
+        );
+        if (hasMutations) {
+          findings.push({
+            ruleId: 'SEC-CSRF-007', category: 'security', severity: 'medium',
+            title: 'No Origin or Referer header validation on state-changing endpoints',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;