getdoorman 1.0.0

package/src/rules/security/deserialization.js

@@ -0,0 +1,291 @@
+/**
+ * Insecure Deserialization Detection Rules (SEC-DES-001 through SEC-DES-010)
+ *
+ * Detects patterns where untrusted data is deserialized in ways that
+ * can lead to remote code execution, prototype pollution, or DoS.
+ */
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+const isPy = (f) => f.endsWith('.py');
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|#|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-DES-001: eval-based deserialization
+  {
+    id: 'SEC-DES-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'eval() Used for Deserialization',
+    description:
+      'Using eval() to parse data (JSON, config, etc.) allows arbitrary code execution. An attacker can inject executable code into the serialized payload.',
+    fix: { suggestion: 'Use JSON.parse() for JSON data. Never use eval() for deserialization.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /eval\s*\(\s*(?:req\.body|req\.query|data|payload|input|content|message|response|text)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DES-002: Function constructor for deserialization
+  {
+    id: 'SEC-DES-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Function Constructor Used for Deserialization',
+    description:
+      'new Function() with untrusted input is equivalent to eval() and allows arbitrary code execution.',
+    fix: { suggestion: 'Use JSON.parse() or a safe parsing library. Never construct functions from user data.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /new\s+Function\s*\(\s*(?:req\.body|req\.query|data|payload|input|content|message|text)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DES-003: YAML unsafe load
+  {
+    id: 'SEC-DES-003',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Unsafe YAML Load (Code Execution Risk)',
+    description:
+      'yaml.load() without SafeLoader in Python or js-yaml.load() without safe schema can execute arbitrary code via YAML tags like !!python/object.',
+    fix: { suggestion: 'Use yaml.safe_load() in Python or yaml.load(data, { schema: yaml.SAFE_SCHEMA }) in js-yaml.' },
+    check({ files }) {
+      const findings = [];
+      const jsPattern = /yaml\.load\s*\([^)]*(?!.*(?:safe|SAFE_SCHEMA|JSON_SCHEMA|FAILSAFE_SCHEMA))/;
+      const pyPattern = /yaml\.load\s*\((?![^)]*(?:SafeLoader|safe_load|CSafeLoader))/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, jsPattern, path, this));
+        } else if (isPy(path)) {
+          findings.push(...scanLines(content, pyPattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DES-004: node-serialize / serialize-javascript with untrusted data
+  {
+    id: 'SEC-DES-004',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'node-serialize Unserialize with Untrusted Data (RCE)',
+    description:
+      'node-serialize.unserialize() can execute arbitrary code via IIFE patterns in serialized data (CVE-2017-5941).',
+    fix: { suggestion: 'Remove node-serialize. Use JSON.parse() for structured data exchange.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:serialize\.unserialize|unserialize)\s*\(\s*(?:req\.body|req\.query|data|payload|input|cookie)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DES-005: JSON.parse of large/untrusted input without size limit
+  {
+    id: 'SEC-DES-005',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'JSON.parse on Untrusted Input Without Size Limit',
+    description:
+      'Parsing large JSON payloads from user input without size limits can cause DoS via memory exhaustion or CPU-intensive parsing.',
+    fix: { suggestion: 'Limit request body size (e.g., express.json({ limit: "1mb" })) and validate input structure with a schema.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /JSON\.parse\s*\(\s*(?:req\.body|req\.query\.\w+|rawBody|body|payload)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DES-006: Python pickle with untrusted data
+  {
+    id: 'SEC-DES-006',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Python pickle.loads with Untrusted Data (RCE)',
+    description:
+      'pickle.loads() can execute arbitrary Python code during deserialization. Never unpickle data from untrusted sources.',
+    fix: { suggestion: 'Use JSON, MessagePack, or Protocol Buffers instead of pickle for untrusted data.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /pickle\.(?:loads?|Unpickler)\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isPy(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DES-007: vm/vm2 module with untrusted code
+  {
+    id: 'SEC-DES-007',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Node.js vm Module with Untrusted Code (Sandbox Escape)',
+    description:
+      'The Node.js vm module does not provide a secure sandbox. Untrusted code can escape via prototype chain access. vm2 also has known escapes (CVE-2023-37466).',
+    fix: { suggestion: 'Use isolated-vm or run untrusted code in a separate process/container with seccomp/AppArmor.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:vm\.runInNewContext|vm\.runInContext|vm\.runInThisContext|vm\.createContext|vm\.Script|new\s+VM\s*\()\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DES-008: XML external entity processing (XXE)
+  {
+    id: 'SEC-DES-008',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'XML Parser Without XXE Protection',
+    description:
+      'XML parsers that process external entities can be exploited to read local files, perform SSRF, or cause DoS. Disable external entity processing.',
+    fix: { suggestion: 'Disable external entities: use libxmljs with noent: false, or xml2js (safe by default). For fast-xml-parser, set processEntities: false.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:libxmljs\.parseXml|DOMParser|xml2js\.parseString|parseXml|XMLParser)\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (COMMENT_LINE.test(lines[i])) continue;
+          if (pattern.test(lines[i])) {
+            // Check if noent is explicitly set or entities are disabled
+            if (/noent\s*:\s*true|processEntities\s*:\s*true|resolveExternals/.test(content)) {
+              findings.push({
+                ruleId: this.id,
+                category: this.category,
+                severity: this.severity,
+                title: this.title,
+                description: this.description,
+                confidence: this.confidence,
+                file: path,
+                line: i + 1,
+                fix: this.fix || null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DES-009: MessagePack / BSON deserialization of untrusted data
+  {
+    id: 'SEC-DES-009',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Binary Format Deserialization of Untrusted Input',
+    description:
+      'Deserializing binary formats (MessagePack, BSON, protobuf) from untrusted input without schema validation can lead to type confusion or memory issues.',
+    fix: { suggestion: 'Validate deserialized data against a strict schema using Zod, Joi, or Protocol Buffers with defined .proto files.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:msgpack\.decode|msgpack\.unpack|BSON\.deserialize|bson\.deserialize)\s*\(\s*(?:req\.body|buffer|data|payload|input)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DES-010: Cookie deserialization without signature verification
+  {
+    id: 'SEC-DES-010',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Cookie Value Deserialized Without Signature Verification',
+    description:
+      'Deserializing cookie values (JSON.parse of cookie, unserialize of cookie) without verifying a cryptographic signature (HMAC) allows cookie tampering and injection.',
+    fix: { suggestion: 'Use signed cookies (cookie-signature or express signed cookies) and verify the HMAC before parsing.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /JSON\.parse\s*\(\s*(?:req\.cookies|cookie|cookies)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/security/file-upload.js

@@ -0,0 +1,187 @@
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+const isTest = (f) => f.includes('test') || f.includes('spec') || f.includes('mock');
+
+const rules = [
+  // SEC-UPL-001
+  {
+    id: 'SEC-UPL-001', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'No file type validation on upload',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        if (content.includes('multer') || content.includes('formidable') || content.includes('busboy')) {
+          if (!content.includes('fileFilter') && !content.includes('mimetype') && !content.includes('mimeType') &&
+              !content.includes('allowedTypes') && !content.includes('accept')) {
+            findings.push({
+              ruleId: 'SEC-UPL-001', category: 'security', severity: 'high',
+              title: 'File uploads without MIME type or extension validation',
+              description: 'Validate file types to prevent malicious file uploads.',
+              file: fp, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-UPL-002
+  {
+    id: 'SEC-UPL-002', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'No file size limit on upload',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        if (content.includes('multer') || content.includes('formidable') || content.includes('busboy')) {
+          if (!content.includes('limits') && !content.includes('maxFileSize') && !content.includes('fileSize') && !content.includes('maxSize')) {
+            findings.push({
+              ruleId: 'SEC-UPL-002', category: 'security', severity: 'high',
+              title: 'File uploads without size limit — DoS via large file uploads',
+              file: fp, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-UPL-003
+  {
+    id: 'SEC-UPL-003', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Files stored in web-accessible directory',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        if (content.match(/destination\s*:\s*['"](?:\.\/)?(?:public|static|uploads)(?:\/|['"])/)) {
+          findings.push({
+            ruleId: 'SEC-UPL-003', category: 'security', severity: 'high',
+            title: 'Uploaded files stored in publicly accessible directory',
+            description: 'Store uploads outside webroot and serve through a controller with auth.',
+            file: fp, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-UPL-004
+  {
+    id: 'SEC-UPL-004', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Original filename used for storage',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        if (content.match(/(?:file|req\.file)\.originalname/) || content.match(/(?:file|req\.file)\.name/)) {
+          if (!content.includes('sanitize') && !content.includes('uuid') && !content.includes('crypto.random')) {
+            findings.push({
+              ruleId: 'SEC-UPL-004', category: 'security', severity: 'medium',
+              title: 'Using user-provided filename for storage — path traversal risk',
+              description: 'Generate a random filename (UUID) instead of using the original.',
+              file: fp, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-UPL-005
+  {
+    id: 'SEC-UPL-005', category: 'security', severity: 'critical', confidence: 'definite',
+    title: 'Executable file upload allowed',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        if (content.includes('multer') || content.includes('upload')) {
+          // If there's a fileFilter, check if it blocks executables
+          if (content.includes('fileFilter')) {
+            if (!content.match(/(?:exe|sh|bat|cmd|php|jsp|asp|py|rb|pl)\b/i)) {
+              // File filter exists but doesn't seem to block executables
+            }
+          }
+          // Check for accept-all patterns
+          if (content.match(/fileFilter.*return\s+cb\s*\(\s*null\s*,\s*true\s*\)/)) {
+            findings.push({
+              ruleId: 'SEC-UPL-005', category: 'security', severity: 'critical',
+              title: 'File upload accepts all file types including executables',
+              file: fp, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-UPL-006
+  {
+    id: 'SEC-UPL-006', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'No antivirus scanning on uploads',
+    check({ files, stack }) {
+      const findings = [];
+      const hasUpload = [...files.values()].some(c =>
+        c.includes('multer') || c.includes('formidable') || c.includes('busboy')
+      );
+      if (!hasUpload) return findings;
+
+      const hasAV = Object.keys(stack.dependencies || {}).some(d =>
+        ['clamav', 'clamscan', 'node-clam', 'virus-scan'].includes(d)
+      );
+      const hasAVCode = [...files.values()].some(c =>
+        c.includes('clamav') || c.includes('clamscan') || c.includes('virusScan')
+      );
+      // If an explicit MIME type allowlist check is present in the upload handler, skip AV warning
+      // Detect: content has MIME type strings + an .includes(mimetype) check (may span lines)
+      const hasMimeAllowlist = [...files.values()].some(c =>
+        (c.includes('multer') || c.includes('formidable') || c.includes('busboy')) &&
+        /['"]\w+\/[\w.+-]+['"]/.test(c) &&
+        /\.includes\s*\(\s*(?:file|req\.file|f)\.mimetype|mimetype\s*===\s*['"]/.test(c)
+      );
+      if (!hasAV && !hasAVCode && !hasMimeAllowlist) {
+        findings.push({
+          ruleId: 'SEC-UPL-006', category: 'security', severity: 'medium',
+          title: 'Uploaded files not scanned for malware — consider ClamAV integration',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // SEC-UPL-007
+  {
+    id: 'SEC-UPL-007', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Image upload without re-encoding',
+    check({ files, stack }) {
+      const findings = [];
+      const hasImageUpload = [...files.values()].some(c =>
+        c.match(/(?:image|img|photo|avatar|thumbnail).*(?:upload|multer)/i)
+      );
+      if (!hasImageUpload) return findings;
+
+      const hasImageProcessing = Object.keys(stack.dependencies || {}).some(d =>
+        ['sharp', 'jimp', 'gm', 'imagemagick', 'canvas'].includes(d)
+      );
+      if (!hasImageProcessing) {
+        findings.push({
+          ruleId: 'SEC-UPL-007', category: 'security', severity: 'medium',
+          title: 'Image uploads served without re-encoding — may contain embedded scripts',
+          description: 'Use sharp or similar to re-encode images before serving.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;