getdoorman 1.0.0

package/src/rules/security/misconfiguration.js

@@ -0,0 +1,660 @@
+/**
+ * Doorman CLI - Security Misconfiguration Rules
+ * SEC-MISC-001 through SEC-MISC-015
+ *
+ * Detects insecure defaults, open services, exposed admin panels,
+ * debug modes, and permissive access controls.
+ */
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some((ext) => f.endsWith(ext));
+const isConfig = (f) =>
+  f.endsWith('.json') ||
+  f.endsWith('.yml') ||
+  f.endsWith('.yaml') ||
+  f.endsWith('.toml');
+const isTestFile = (f) =>
+  f.includes('test') ||
+  f.includes('spec') ||
+  f.includes('mock') ||
+  f.includes('fixture') ||
+  f.includes('__tests__');
+
+function shouldSkipLine(line) {
+  const trimmed = line.trim();
+  return (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('*') ||
+    trimmed.startsWith('/*')
+  );
+}
+
+function scanLines(filePath, content, regex, message, confidence) {
+  const findings = [];
+  if (isTestFile(filePath)) return findings;
+  if (!content) return findings;
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (shouldSkipLine(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        file: filePath,
+        line: i + 1,
+        message: typeof message === 'function' ? message(line) : message,
+        confidence,
+        snippet: line.trim().substring(0, 120),
+      });
+    }
+  }
+  return findings;
+}
+
+// Helper: convert scanLines calls from old file-object API to new (filePath, content) API
+// (Already done inline below)
+
+const rules = [
+  // SEC-MISC-001: Public S3 bucket
+  {
+    id: 'SEC-MISC-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Public S3 bucket configuration detected',
+    check({ files }) {
+      const findings = [];
+      const aclPattern = /ACL\s*:\s*['"]public-read['"]/;
+      const blockPattern = /PublicAccessBlock\s*:\s*false/i;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, aclPattern, 'S3 bucket configured with public-read ACL. Restrict access unless public hosting is intentional.', 'definite')
+        );
+        findings.push(
+          ...scanLines(filePath, content, blockPattern, 'S3 PublicAccessBlock is disabled. Enable it to prevent accidental public exposure.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-002: Database open to all interfaces
+  {
+    id: 'SEC-MISC-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Database bound to all network interfaces',
+    check({ files }) {
+      const findings = [];
+      const hostPattern = /(?:host|bind_address|bindIp)\s*[:=]\s*['"]?0\.0\.0\.0['"]?/i;
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!isJS(filePath) && !isConfig(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (hostPattern.test(line)) {
+            const context = content.substring(
+              Math.max(0, content.indexOf(line) - 200),
+              content.indexOf(line) + line.length + 200
+            );
+            if (/(?:postgres|mysql|mongo|redis|database|sequelize|knex|prisma|typeorm)/i.test(context)) {
+              findings.push({
+                file: filePath,
+                line: i + 1,
+                message: 'Database is bound to 0.0.0.0 (all interfaces). Bind to 127.0.0.1 or a private network interface.',
+                confidence: 'likely',
+                snippet: line.trim().substring(0, 120),
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-003: Exposed .git directory via static serving
+  {
+    id: 'SEC-MISC-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Static file serving may expose .git directory',
+    check({ files }) {
+      const findings = [];
+      const staticPattern = /(?:express\.static|serveStatic)\s*\(\s*['"](?:\.\/?\s*|\/?\s*)['"]/;
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!isJS(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (staticPattern.test(line)) {
+            const nearby = lines.slice(Math.max(0, i - 3), i + 4).join('\n');
+            if (/dotfiles\s*:\s*['"]deny['"]/i.test(nearby)) continue;
+            findings.push({
+              file: filePath,
+              line: i + 1,
+              message: 'Static serving of root directory may expose .git folder. Use dotfiles: "deny" or serve from a public/ subdirectory.',
+              confidence: 'definite',
+              snippet: line.trim().substring(0, 120),
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-004: Debug mode in production
+  {
+    id: 'SEC-MISC-004',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Debug mode enabled in production configuration',
+    check({ files }) {
+      const findings = [];
+      const debugPatterns = [
+        { regex: /DEBUG\s*[:=]\s*['"]?(?:true|True|1|yes)['"]?/, msg: 'DEBUG is set to true.' },
+        { regex: /NODE_ENV\s*[:=]\s*['"]development['"]/, msg: 'NODE_ENV is set to development.' },
+        { regex: /debug\s*:\s*true/, msg: 'debug flag is set to true.' },
+      ];
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        const isProdConfig =
+          filePath.includes('prod') ||
+          filePath.includes('deploy') ||
+          filePath.includes('docker-compose') ||
+          filePath.endsWith('Dockerfile') ||
+          (filePath.includes('.github/workflows/') && (filePath.endsWith('.yml') || filePath.endsWith('.yaml')));
+        if (!isProdConfig) continue;
+        if (!content) continue;
+        for (const { regex, msg } of debugPatterns) {
+          findings.push(
+            ...scanLines(filePath, content, regex, `${msg} Ensure debug mode is disabled in production configurations.`, 'likely')
+          );
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-005: GraphQL introspection enabled
+  {
+    id: 'SEC-MISC-005',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'GraphQL introspection enabled',
+    check({ files }) {
+      const findings = [];
+      const introspectionTrue = /introspection\s*:\s*true/;
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!isJS(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (introspectionTrue.test(line)) {
+            findings.push({
+              file: filePath,
+              line: i + 1,
+              message: 'GraphQL introspection is explicitly enabled. Disable in production to prevent schema disclosure.',
+              confidence: 'likely',
+              snippet: line.trim().substring(0, 120),
+            });
+          }
+        }
+        if (/new ApolloServer\s*\(/.test(content) && !/introspection\s*:/.test(content)) {
+          findings.push({
+            file: filePath,
+            line: 1,
+            message: 'ApolloServer created without explicit introspection setting. Set introspection: false for production.',
+            confidence: 'suggestion',
+            snippet: 'ApolloServer missing introspection config',
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-006: Exposed admin panel without auth
+  {
+    id: 'SEC-MISC-006',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Admin route without authentication middleware',
+    check({ files }) {
+      const findings = [];
+      const adminRoutePattern = /(?:app|router)\.(?:get|post|put|delete|use)\s*\(\s*['"]\/admin/;
+      const authMiddlewareNames = /(?:auth|authenticate|isAuthenticated|requireAuth|ensureAuth|protect|guard|requireLogin|isLoggedIn|verifyToken|checkAuth)/i;
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!isJS(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (adminRoutePattern.test(line)) {
+            if (!authMiddlewareNames.test(line)) {
+              findings.push({
+                file: filePath,
+                line: i + 1,
+                message: 'Admin route registered without visible auth middleware. Protect admin endpoints with authentication and authorization.',
+                confidence: 'likely',
+                snippet: line.trim().substring(0, 120),
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-007: Open Firebase / Supabase rules
+  {
+    id: 'SEC-MISC-007',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Permissive database security rules',
+    check({ files }) {
+      const findings = [];
+      const openFirebase = /allow\s+read\s*,\s*write\s*:\s*if\s+true/;
+      const openFirebaseAlt = /["']\.read['"]\s*:\s*['"]?true['"]?/;
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!content) continue;
+        if (
+          filePath.includes('.rules') ||
+          filePath.includes('firestore') ||
+          filePath.includes('database') ||
+          filePath.includes('storage.rules')
+        ) {
+          findings.push(
+            ...scanLines(
+              filePath, content,
+              openFirebase,
+              'Firebase/Firestore rules allow unrestricted read and write. Implement proper access control rules.',
+              'definite'
+            )
+          );
+          findings.push(
+            ...scanLines(
+              filePath, content,
+              openFirebaseAlt,
+              'Realtime Database rules are fully open. Restrict access based on authentication.',
+              'definite'
+            )
+          );
+        }
+        if (filePath.endsWith('.sql') || filePath.includes('migration')) {
+          const rlsDisabledPattern = /ALTER\s+TABLE\s+\S+\s+DISABLE\s+ROW\s+LEVEL\s+SECURITY/i;
+          findings.push(
+            ...scanLines(
+              filePath, content,
+              rlsDisabledPattern,
+              'Row Level Security is disabled on a table. Enable RLS and add appropriate policies.',
+              'definite'
+            )
+          );
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-008: Directory listing enabled
+  {
+    id: 'SEC-MISC-008',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Directory listing enabled',
+    check({ files }) {
+      const findings = [];
+      const autoIndexPattern = /autoIndex\s*:\s*true/;
+      const apachePattern = /Options\s+\+?Indexes/;
+      const nginxPattern = /autoindex\s+on/i;
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!content) continue;
+        findings.push(
+          ...scanLines(filePath, content, autoIndexPattern, 'Directory listing is enabled (autoIndex: true). Disable to prevent file enumeration.', 'definite')
+        );
+        if (filePath.includes('.htaccess') || filePath.includes('httpd.conf') || filePath.includes('apache')) {
+          findings.push(
+            ...scanLines(filePath, content, apachePattern, 'Apache directory listing enabled via Options +Indexes. Use "Options -Indexes" instead.', 'definite')
+          );
+        }
+        if (filePath.includes('nginx') || filePath.endsWith('.conf')) {
+          findings.push(
+            ...scanLines(filePath, content, nginxPattern, 'Nginx directory listing enabled. Set "autoindex off" to prevent file enumeration.', 'definite')
+          );
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-009: Default error pages (no custom error handler)
+  {
+    id: 'SEC-MISC-009',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'No custom error handler detected',
+    check({ files }) {
+      const findings = [];
+      // Look for Express apps without error-handling middleware
+      let isNextProject = false;
+      let hasErrorPage = false;
+      for (const [filePath, content] of files) {
+        if (isJS(filePath) && !isTestFile(filePath) && content && /(?:express\(\)|createServer)/.test(content)) {
+          const hasErrorHandler = /app\.use\s*\(\s*(?:function\s*\(\s*\w+\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+|.*\(\s*\w+\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*\)\s*=>)/.test(content);
+          // Only flag files that define real application routes (not just
+          // health/status endpoints or pure app setup files)
+          const hasRoutes = /\.(?:get|post|put|patch|delete)\s*\(\s*['"]\//.test(content);
+          const onlyHealthRoutes = /\.(?:get|post)\s*\(\s*['"]\/(?:health|status|ping|ready|live)['"]/.test(content) &&
+            (content.match(/\.(?:get|post|put|patch|delete)\s*\(\s*['"]\/[^'"]+['"]/g) || []).length <= 1;
+          if (!hasErrorHandler && hasRoutes && !onlyHealthRoutes) {
+            findings.push({
+              file: filePath,
+              line: 1,
+              message: 'Express app without a custom error handler. Default error pages leak stack traces. Add a 4-argument error middleware.',
+              confidence: 'suggestion',
+              snippet: 'No (err, req, res, next) handler found',
+            });
+          }
+        }
+        if (filePath.endsWith('next.config.js') || filePath.endsWith('next.config.mjs')) {
+          isNextProject = true;
+        }
+        if (
+          filePath.includes('pages/_error') ||
+          filePath.includes('pages/500') ||
+          filePath.includes('app/error') ||
+          filePath.includes('app/global-error')
+        ) {
+          hasErrorPage = true;
+        }
+      }
+      if (isNextProject && !hasErrorPage) {
+        findings.push({
+          file: 'next.config.js',
+          line: 1,
+          message: 'Next.js project without custom error page. Add pages/_error.js or app/error.tsx to avoid leaking internal details.',
+          confidence: 'suggestion',
+          snippet: 'No custom error page found',
+        });
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-010: Exposed env vars in Next.js via NEXT_PUBLIC_
+  {
+    id: 'SEC-MISC-010',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Sensitive environment variable exposed via NEXT_PUBLIC_',
+    check({ files }) {
+      const findings = [];
+      const sensitiveNames = /NEXT_PUBLIC_(?:.*(?:SECRET|PASSWORD|PRIVATE|SERVICE_ROLE|ADMIN|DATABASE|DB_|SUPABASE_SERVICE|STRIPE_SECRET|API_SECRET))/i;
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!content) continue;
+        if (!isJS(filePath) && !isConfig(filePath) && !filePath.endsWith('.env.example')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (sensitiveNames.test(line)) {
+            findings.push({
+              file: filePath,
+              line: i + 1,
+              message: 'Sensitive-looking variable prefixed with NEXT_PUBLIC_ will be exposed to the browser. Remove the prefix for server-only vars.',
+              confidence: 'likely',
+              snippet: line.trim().substring(0, 120),
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-011: Public Docker registry push
+  {
+    id: 'SEC-MISC-011',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Docker image pushed to public registry',
+    check({ files }) {
+      const findings = [];
+      const pushPattern = /docker\s+push\s+(?!.*(?:\.azurecr\.io|\.ecr\.|gcr\.io|ghcr\.io|registry\.|localhost))/;
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!content) continue;
+        if (
+          !filePath.endsWith('.yml') &&
+          !filePath.endsWith('.yaml') &&
+          !filePath.endsWith('.sh') &&
+          !filePath.includes('Makefile') &&
+          !isJS(filePath)
+        ) {
+          continue;
+        }
+        findings.push(
+          ...scanLines(
+            filePath, content,
+            pushPattern,
+            'Docker image appears to be pushed to a public registry (Docker Hub). Use a private registry for proprietary images.',
+            'likely'
+          )
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-012: Open Redis/Memcached without auth
+  {
+    id: 'SEC-MISC-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Redis/Memcached connection without authentication',
+    check({ files }) {
+      const findings = [];
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!isJS(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        if (/(?:createClient|new Redis|ioredis)/i.test(content)) {
+          const hasAuth =
+            /(?:password|auth|requirepass|authPass)/i.test(content) ||
+            /rediss?:\/\/[^:]+:[^@]+@/.test(content);
+          if (!hasAuth) {
+            for (let i = 0; i < lines.length; i++) {
+              if (/(?:createClient|new Redis)\s*\(/.test(lines[i])) {
+                findings.push({
+                  file: filePath,
+                  line: i + 1,
+                  message: 'Redis client created without authentication. Set a password to prevent unauthorized access.',
+                  confidence: 'suggestion',
+                  snippet: lines[i].trim().substring(0, 120),
+                });
+                break;
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-013: Exposed Swagger/API docs without auth
+  {
+    id: 'SEC-MISC-013',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'API documentation exposed without authentication',
+    check({ files }) {
+      const findings = [];
+      const swaggerPattern = /(?:swagger-ui|swaggerUi|openapi|\/api-docs|\/swagger|\/docs)/;
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!isJS(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (swaggerPattern.test(line) && /app\.use\s*\(/.test(line)) {
+            const authPattern = /(?:auth|authenticate|protect|guard|requireLogin|verifyToken)/i;
+            if (!authPattern.test(line)) {
+              const nearby = lines.slice(Math.max(0, i - 2), i + 1).join('\n');
+              if (!authPattern.test(nearby)) {
+                findings.push({
+                  file: filePath,
+                  line: i + 1,
+                  message: 'Swagger/OpenAPI docs served without authentication. Protect API docs in production behind auth middleware.',
+                  confidence: 'likely',
+                  snippet: line.trim().substring(0, 120),
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-014: Open WebSocket without auth
+  {
+    id: 'SEC-MISC-014',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'WebSocket connection handler without authentication',
+    check({ files }) {
+      const findings = [];
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!isJS(filePath)) continue;
+        if (!content) continue;
+        const wsServerPattern = /(?:new WebSocket\.Server|new WebSocketServer|wss\.on\s*\(\s*['"]connection['"]|io\.on\s*\(\s*['"]connection['"])/;
+        if (!wsServerPattern.test(content)) continue;
+        const authPattern = /(?:auth|authenticate|token|verify|jwt|session|cookie|handshake\.(?:auth|query))/i;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (/(?:\.on\s*\(\s*['"]connection['"]|\.on\s*\(\s*['"]connect['"])/.test(line)) {
+            const handlerBody = lines.slice(i, Math.min(lines.length, i + 15)).join('\n');
+            if (!authPattern.test(handlerBody)) {
+              findings.push({
+                file: filePath,
+                line: i + 1,
+                message: 'WebSocket connection handler lacks authentication. Verify tokens/sessions in the connection or upgrade handler.',
+                confidence: 'suggestion',
+                snippet: line.trim().substring(0, 120),
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-MISC-015: Overly permissive IAM policy
+  {
+    id: 'SEC-MISC-015',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Overly permissive IAM policy detected',
+    check({ files }) {
+      const findings = [];
+      const wildActionPattern = /Action\s*[:=]\s*['"]?\*['"]?/;
+      const wildResourcePattern = /Resource\s*[:=]\s*['"]?\*['"]?/;
+      const allowEffect = /Effect\s*[:=]\s*['"]Allow['"]/;
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        if (!content) continue;
+        if (
+          !isJS(filePath) &&
+          !isConfig(filePath) &&
+          !filePath.endsWith('.tf') &&
+          !filePath.endsWith('.hcl')
+        ) {
+          continue;
+        }
+        const lines = content.split('\n');
+        // Check for Allow + Action: * combination
+        if (allowEffect.test(content) && wildActionPattern.test(content)) {
+          for (let i = 0; i < lines.length; i++) {
+            if (wildActionPattern.test(lines[i])) {
+              // Verify this is in the same policy block as Allow
+              const blockStart = Math.max(0, i - 10);
+              const blockEnd = Math.min(lines.length, i + 10);
+              const block = lines.slice(blockStart, blockEnd).join('\n');
+              if (allowEffect.test(block)) {
+                findings.push({
+                  file: filePath,
+                  line: i + 1,
+                  message: 'IAM policy with Action: * and Effect: Allow grants full access. Follow least-privilege principle.',
+                  confidence: 'definite',
+                  snippet: lines[i].trim().substring(0, 120),
+                });
+              }
+            }
+          }
+        }
+        // Check for Allow + Resource: * combination
+        if (allowEffect.test(content) && wildResourcePattern.test(content)) {
+          for (let i = 0; i < lines.length; i++) {
+            if (wildResourcePattern.test(lines[i])) {
+              const blockStart = Math.max(0, i - 10);
+              const blockEnd = Math.min(lines.length, i + 10);
+              const block = lines.slice(blockStart, blockEnd).join('\n');
+              if (allowEffect.test(block)) {
+                findings.push({
+                  file: filePath,
+                  line: i + 1,
+                  message: 'IAM policy with Resource: * and Effect: Allow is overly permissive. Scope to specific resource ARNs.',
+                  confidence: 'definite',
+                  snippet: lines[i].trim().substring(0, 120),
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;