getdoorman 1.0.0

package/src/rules/security/oauth-jwt.js

@@ -0,0 +1,329 @@
+/**
+ * OAuth/JWT Vulnerability Detection Rules (SEC-JWT-001 through SEC-JWT-010)
+ *
+ * Detects insecure JWT configurations, OAuth implementation flaws,
+ * and token handling vulnerabilities.
+ */
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|#|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-JWT-001: JWT algorithm "none" allowed
+  {
+    id: 'SEC-JWT-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'JWT Algorithm "none" Allowed',
+    description:
+      'Allowing the "none" algorithm in JWT verification means tokens can be forged without any signature. This completely bypasses authentication.',
+    fix: { suggestion: 'Always specify the allowed algorithms explicitly: jwt.verify(token, secret, { algorithms: ["HS256"] })' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /algorithms\s*:\s*\[.*['"]none['"]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-JWT-002: JWT verification without algorithm specification
+  {
+    id: 'SEC-JWT-002',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'JWT Verification Without Explicit Algorithm',
+    description:
+      'Not specifying allowed algorithms in jwt.verify() can lead to algorithm confusion attacks where an attacker switches from RS256 to HS256 using the public key as the HMAC secret.',
+    fix: { suggestion: 'Always pass { algorithms: ["RS256"] } (or your specific algorithm) to jwt.verify().' },
+    check({ files }) {
+      const findings = [];
+      const verifyPattern = /jwt\.verify\s*\(\s*\w+\s*,\s*\w+\s*\)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, verifyPattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-JWT-003: JWT token in URL query parameter
+  {
+    id: 'SEC-JWT-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'JWT Token Passed in URL Query Parameter',
+    description:
+      'Passing JWT tokens in URL query parameters exposes them in browser history, server logs, referer headers, and proxy logs.',
+    fix: { suggestion: 'Send tokens in the Authorization header (Bearer scheme) or in HTTP-only secure cookies.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:req\.query\.token|req\.query\.jwt|req\.query\.access_token|req\.query\.auth_token|url.*[?&]token=|[?&]jwt=)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-JWT-004: Weak JWT signing secret
+  {
+    id: 'SEC-JWT-004',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Weak JWT Signing Secret',
+    description:
+      'Using a short or common string as a JWT signing secret allows brute-force attacks to recover the secret and forge tokens.',
+    fix: { suggestion: 'Use a cryptographically random secret of at least 256 bits (32 bytes). Better yet, use asymmetric keys (RS256/ES256).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /jwt\.sign\s*\([^)]*,\s*['"](?:secret|password|key|123|test|jwt|token|auth|mysecret|changeme)['"]/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-JWT-005: Missing JWT expiration
+  {
+    id: 'SEC-JWT-005',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'JWT Signed Without Expiration Claim',
+    description:
+      'JWTs without an expiration (exp) claim remain valid forever. If stolen, they grant permanent access.',
+    fix: { suggestion: 'Always set an expiresIn option: jwt.sign(payload, secret, { expiresIn: "1h" })' },
+    check({ files }) {
+      const findings = [];
+      const signPattern = /jwt\.sign\s*\(\s*\{[^}]*\}\s*,\s*\w+\s*\)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (COMMENT_LINE.test(lines[i])) continue;
+          if (signPattern.test(lines[i])) {
+            // Check if expiresIn or exp is set nearby
+            const ctx = lines.slice(Math.max(0, i - 2), Math.min(i + 3, lines.length)).join('\n');
+            if (!/(?:expiresIn|exp\s*:|maxAge)/.test(ctx)) {
+              findings.push({
+                ruleId: this.id,
+                category: this.category,
+                severity: this.severity,
+                title: this.title,
+                description: this.description,
+                confidence: this.confidence,
+                file: path,
+                line: i + 1,
+                fix: this.fix || null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-JWT-006: JWT stored in localStorage
+  {
+    id: 'SEC-JWT-006',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'JWT Token Stored in localStorage (XSS Accessible)',
+    description:
+      'Storing JWT tokens in localStorage makes them accessible to any JavaScript on the page, including XSS payloads.',
+    fix: { suggestion: 'Store tokens in HTTP-only, Secure, SameSite cookies instead of localStorage.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /localStorage\.setItem\s*\(\s*['"](?:token|jwt|access_token|auth_token|id_token|authToken|accessToken)['"]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-JWT-007: Missing audience/issuer validation
+  {
+    id: 'SEC-JWT-007',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'JWT Verification Without Audience or Issuer Validation',
+    description:
+      'Not validating the audience (aud) and issuer (iss) claims allows tokens issued for other services to be reused, enabling cross-service token confusion.',
+    fix: { suggestion: 'Add audience and issuer validation: jwt.verify(token, secret, { audience: "my-app", issuer: "auth-server" })' },
+    check({ files }) {
+      const findings = [];
+      const verifyPattern = /jwt\.verify\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        if (verifyPattern.test(content)) {
+          if (!/(?:audience|issuer|aud|iss)/.test(content)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: this.title,
+              description: this.description,
+              confidence: this.confidence,
+              file: path,
+              fix: this.fix || null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-JWT-008: OAuth state parameter not validated
+  {
+    id: 'SEC-JWT-008',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'OAuth State Parameter Not Validated (CSRF Risk)',
+    description:
+      'Not validating the OAuth state parameter allows CSRF attacks where an attacker can force a victim to authenticate with the attacker\'s account.',
+    fix: { suggestion: 'Generate a cryptographic random state, store it in the session, and verify it matches on callback.' },
+    check({ files }) {
+      const findings = [];
+      const callbackPattern = /(?:\/callback|\/oauth\/callback|\/auth\/callback)/;
+      const tokenExchange = /(?:getToken|requestToken|exchangeCode|code.*token|grant_type.*authorization_code)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        if (callbackPattern.test(content) && tokenExchange.test(content)) {
+          if (!/(?:state|csrf|nonce)/.test(content)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: this.title,
+              description: this.description,
+              confidence: this.confidence,
+              file: path,
+              fix: this.fix || null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-JWT-009: Refresh token without rotation
+  {
+    id: 'SEC-JWT-009',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Refresh Token Reuse Without Rotation',
+    description:
+      'Reusing the same refresh token without issuing a new one on each refresh allows stolen refresh tokens to be used indefinitely.',
+    fix: { suggestion: 'Implement refresh token rotation: issue a new refresh token on each use and invalidate the old one.' },
+    check({ files }) {
+      const findings = [];
+      const refreshPattern = /(?:refreshToken|refresh_token)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        if (refreshPattern.test(content) && /jwt\.sign/.test(content)) {
+          // Check if there is token rotation logic
+          if (!/(?:rotate|revoke|invalidate|delete.*refresh|remove.*refresh|new.*refreshToken|replace.*refresh)/.test(content)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: this.title,
+              description: this.description,
+              confidence: this.confidence,
+              file: path,
+              fix: this.fix || null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-JWT-010: JWT payload used without verification
+  {
+    id: 'SEC-JWT-010',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'JWT Payload Decoded Without Verification',
+    description:
+      'Using jwt.decode() instead of jwt.verify() reads the JWT payload without checking the signature, allowing forged tokens to pass.',
+    fix: { suggestion: 'Always use jwt.verify() to validate the signature before trusting the payload.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /jwt\.decode\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          // Only flag if jwt.verify is not also used (decode-only usage)
+          if (!/jwt\.verify\s*\(/.test(content)) {
+            findings.push(...scanLines(content, pattern, path, this));
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/security/path-traversal.js

@@ -0,0 +1,295 @@
+/**
+ * Path Traversal Detection Rules (SEC-PT-001 through SEC-PT-010)
+ *
+ * Detects patterns where user-controlled input is used in file system
+ * operations without proper validation, enabling directory traversal attacks.
+ */
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|#|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-PT-001: fs.readFile with user-controlled path
+  {
+    id: 'SEC-PT-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'fs.readFile with User-Controlled Path (Path Traversal)',
+    description:
+      'Using fs.readFile/readFileSync with user-controlled file paths allows attackers to read arbitrary files (e.g., /etc/passwd, .env) via ../ sequences.',
+    fix: { suggestion: 'Use path.resolve() and verify the resolved path starts with the expected base directory. Never pass user input directly to fs operations.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /fs\.readFile(?:Sync)?\s*\(\s*(?:req\.body|req\.query|req\.params|filePath|fileName|userPath|inputPath|file)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PT-002: fs.writeFile with user-controlled path
+  {
+    id: 'SEC-PT-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'fs.writeFile with User-Controlled Path (Path Traversal)',
+    description:
+      'Using fs.writeFile/writeFileSync with user-controlled paths allows attackers to overwrite arbitrary files, potentially replacing config files or injecting code.',
+    fix: { suggestion: 'Resolve the path and verify it is within the allowed directory. Use a whitelist of allowed file extensions.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /fs\.writeFile(?:Sync)?\s*\(\s*(?:req\.body|req\.query|req\.params|filePath|fileName|userPath|inputPath|file)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PT-003: path.join with unsanitized user input
+  {
+    id: 'SEC-PT-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'path.join with Unsanitized User Input',
+    description:
+      'path.join does NOT prevent directory traversal — path.join("/uploads", "../../../etc/passwd") resolves to "/etc/passwd". Always validate the resolved path.',
+    fix: { suggestion: 'After path.join, use path.resolve and verify the result starts with the intended base directory.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /path\.join\s*\([^)]*(?:req\.body|req\.query|req\.params|fileName|userPath|inputPath|input)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PT-004: Express static file serving with dynamic path
+  {
+    id: 'SEC-PT-004',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Dynamic File Serving Endpoint (Path Traversal Risk)',
+    description:
+      'Express route that serves files based on URL parameters without path validation enables directory traversal to read any file on the server.',
+    fix: { suggestion: 'Use express.static() for serving files. If dynamic paths are needed, resolve and validate against the base directory.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /res\.sendFile\s*\(\s*(?:req\.params|req\.query|req\.body|filePath|fileName|path\.join\s*\([^)]*req\.)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PT-005: Directory traversal pattern in string
+  {
+    id: 'SEC-PT-005',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insufficient Directory Traversal Filtering',
+    description:
+      'Simple string replacement of "../" is insufficient as it can be bypassed with "....//", URL encoding (%2e%2e%2f), or double encoding.',
+    fix: { suggestion: 'Use path.resolve() to normalize the path, then verify it starts with the allowed base directory. Do not rely on string filtering.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\.replace\s*\(\s*['"]\.\.[\\/]['"]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PT-006: createReadStream with user input
+  {
+    id: 'SEC-PT-006',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'fs.createReadStream with User-Controlled Path',
+    description:
+      'Creating a read stream from a user-controlled path enables reading arbitrary files, potentially exfiltrating sensitive data.',
+    fix: { suggestion: 'Validate and resolve the path against an allowed base directory before creating the stream.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /fs\.createReadStream\s*\(\s*(?:req\.body|req\.query|req\.params|filePath|fileName|userPath|inputPath|file)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PT-007: Zip extraction without path validation (Zip Slip)
+  {
+    id: 'SEC-PT-007',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Zip Extraction Without Path Validation (Zip Slip)',
+    description:
+      'Extracting zip/tar archives without validating extracted file paths allows Zip Slip attacks (CVE-2018-1002200) where malicious archives overwrite files outside the target directory.',
+    fix: { suggestion: 'Validate that each extracted file path, after resolution, starts with the intended extraction directory.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:unzip|extract|decompress|tar\.extract|AdmZip|yauzl|archiver|node-tar)\s*[\(.]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        if (pattern.test(content)) {
+          // Check if there is path validation
+          if (!/(?:startsWith|resolve.*includes|normalize.*startsWith|zipSlip|sanitize)/.test(content)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: this.title,
+              description: this.description,
+              confidence: this.confidence,
+              file: path,
+              fix: this.fix || null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PT-008: fs.unlink/rm with user-controlled path
+  {
+    id: 'SEC-PT-008',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'fs.unlink/rm with User-Controlled Path (Arbitrary File Deletion)',
+    description:
+      'Using fs.unlink or fs.rm with user-controlled paths allows attackers to delete arbitrary files on the server.',
+    fix: { suggestion: 'Resolve and validate the path against an allowed directory before deletion. Implement proper access controls.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /fs\.(?:unlink|unlinkSync|rm|rmSync)\s*\(\s*(?:req\.body|req\.query|req\.params|filePath|fileName|userPath|inputPath|file)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PT-009: Symlink following in file operations
+  {
+    id: 'SEC-PT-009',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'File Operation Without Symlink Check',
+    description:
+      'File operations that follow symlinks can be exploited by creating symlinks pointing to sensitive files outside the intended directory.',
+    fix: { suggestion: 'Use fs.lstat() to check for symlinks before file operations, or use O_NOFOLLOW flag.' },
+    check({ files }) {
+      const findings = [];
+      const uploadPattern = /(?:multer|upload|formidable|busboy)/i;
+      const fsPattern = /fs\.(?:readFile|writeFile|createReadStream|createWriteStream|access|stat)\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        if (uploadPattern.test(content) && fsPattern.test(content)) {
+          if (!/(?:lstat|isSymbolicLink|O_NOFOLLOW|realpath)/.test(content)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: this.title,
+              description: this.description,
+              confidence: this.confidence,
+              file: path,
+              fix: this.fix || null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PT-010: Template file inclusion with user input
+  {
+    id: 'SEC-PT-010',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Template/View File Inclusion with User Input (LFI)',
+    description:
+      'Rendering templates based on user-controlled view names allows Local File Inclusion (LFI) to read arbitrary files or execute server-side templates.',
+    fix: { suggestion: 'Use a whitelist of allowed template names. Never pass user input directly to res.render() or template engines.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /res\.render\s*\(\s*(?:req\.body|req\.query|req\.params|templateName|viewName|page|input)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;