getdoorman 1.0.0

package/src/rules/security/prototype-pollution.js

@@ -0,0 +1,283 @@
+/**
+ * Prototype Pollution Detection Rules (SEC-PP-001 through SEC-PP-010)
+ *
+ * Detects patterns that allow attackers to inject properties into
+ * Object.prototype, leading to DoS, property injection, or RCE.
+ */
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|#|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-PP-001: Direct __proto__ assignment
+  {
+    id: 'SEC-PP-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Direct __proto__ Property Access',
+    description:
+      'Accessing or assigning __proto__ can modify the prototype chain of all objects, leading to prototype pollution.',
+    fix: { suggestion: 'Use Object.create(null) for lookup objects and validate property names against a deny list.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\.__proto__\s*[=\[]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PP-002: Object.assign from user input
+  {
+    id: 'SEC-PP-002',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Object.assign with User-Controlled Source',
+    description:
+      'Object.assign merges all enumerable properties including __proto__. If the source is user-controlled (req.body, req.query), an attacker can pollute the prototype.',
+    fix: { suggestion: 'Sanitize input before merging or use a safe merge utility that skips __proto__ and constructor.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Object\.assign\s*\([^)]*(?:req\.body|req\.query|req\.params|userInput|userData|payload|input)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PP-003: Recursive merge without prototype guard
+  {
+    id: 'SEC-PP-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Recursive/Deep Merge Without Prototype Pollution Guard',
+    description:
+      'Custom deep merge or lodash.merge with user-controlled input can set properties on Object.prototype via __proto__ or constructor.prototype paths.',
+    fix: { suggestion: 'Use lodash >=4.17.12 or add explicit checks for __proto__, constructor, and prototype keys.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:deepMerge|merge|deepExtend|extend|defaultsDeep)\s*\([^)]*(?:req\.body|req\.query|req\.params|userInput|userData|payload|input)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PP-004: constructor.prototype access
+  {
+    id: 'SEC-PP-004',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Constructor Prototype Access Pattern',
+    description:
+      'Accessing constructor.prototype allows modification of the prototype chain, similar to __proto__ pollution.',
+    fix: { suggestion: 'Deny "constructor" as a valid property key in user input validation.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\[['"]constructor['"]\]\s*\[\s*['"]prototype['"]\s*\]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PP-005: Dynamic property assignment from user input
+  {
+    id: 'SEC-PP-005',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Dynamic Property Assignment from User Input',
+    description:
+      'Setting object properties using bracket notation with user-controlled keys (obj[key] = value) can lead to prototype pollution if key is "__proto__".',
+    fix: { suggestion: 'Validate that property keys are not "__proto__", "constructor", or "prototype" before assignment.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\w+\[(?:req\.body|req\.query|req\.params|key|prop|name|field|attr)\s*(?:\.\w+)?\s*\]\s*=/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PP-006: Spread operator with unsanitized user input
+  {
+    id: 'SEC-PP-006',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Spread Operator with Unsanitized User Input',
+    description:
+      'Using the spread operator (...req.body) to create new objects can carry over __proto__ properties from malicious input in some environments.',
+    fix: { suggestion: 'Destructure only known properties or use a schema validation library like Zod or Joi.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\.\.\.(?:req\.body|req\.query|req\.params|userInput|userData|payload)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PP-007: JSON.parse without prototype sanitization
+  {
+    id: 'SEC-PP-007',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'JSON.parse Result Used in Object Merge Without Sanitization',
+    description:
+      'JSON.parse preserves __proto__ keys in parsed objects. Merging the result into existing objects can pollute prototypes.',
+    fix: { suggestion: 'Use a JSON.parse reviver to strip dangerous keys, or use a safe-merge utility.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Object\.assign\s*\([^)]*JSON\.parse|(?:merge|extend|defaults)\s*\([^)]*JSON\.parse/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PP-008: Lodash vulnerable merge functions
+  {
+    id: 'SEC-PP-008',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Lodash Merge/DefaultsDeep with External Input',
+    description:
+      'lodash.merge, _.defaultsDeep, and _.set are known prototype pollution vectors (CVE-2018-16487, CVE-2019-10744). Ensure lodash >= 4.17.12.',
+    fix: { suggestion: 'Update lodash to >= 4.17.12 and validate input before passing to merge functions.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:_\.merge|_\.defaultsDeep|_\.set|lodash\.merge|lodash\.defaultsDeep)\s*\([^)]*(?:req\.|input|body|query|params|payload|userData)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PP-009: Object.defineProperty with user-controlled descriptor
+  {
+    id: 'SEC-PP-009',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Object.defineProperty with User-Controlled Descriptor',
+    description:
+      'Object.defineProperty with user-controlled property name or descriptor can be used to modify prototype properties.',
+    fix: { suggestion: 'Validate property names and descriptors against an allowlist before using Object.defineProperty.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Object\.definePropert(?:y|ies)\s*\([^)]*(?:req\.body|req\.query|req\.params|userInput|input|payload)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-PP-010: Missing Object.freeze on prototype-sensitive objects
+  {
+    id: 'SEC-PP-010',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Prototype-Sensitive Config Object Not Frozen',
+    description:
+      'Configuration or default objects used as prototypes should be frozen with Object.freeze() to prevent prototype pollution.',
+    fix: { suggestion: 'Use Object.freeze() on configuration/defaults objects, or use Object.create(null) for dictionary objects.' },
+    check({ files }) {
+      const findings = [];
+      const configPattern = /(?:const|let|var)\s+(?:defaults|config|options|settings|baseConfig)\s*=\s*\{/;
+      const freezePattern = /Object\.freeze\s*\(\s*(?:defaults|config|options|settings|baseConfig)\s*\)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        if (configPattern.test(content) && !freezePattern.test(content)) {
+          // Check if these objects are later merged with user input
+          if (/(?:merge|assign|extend|defaults)\s*\(/.test(content) && /(?:req\.|input|body|query|params)/.test(content)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: this.title,
+              description: this.description,
+              confidence: this.confidence,
+              file: path,
+              fix: this.fix || null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/security/rate-limiting.js

@@ -0,0 +1,208 @@
+const rules = [
+  // SEC-RL-001
+  {
+    id: 'SEC-RL-001', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'No rate limiting on API',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const deps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasRateLimiter = Object.keys(deps).some(d =>
+        ['express-rate-limit', 'rate-limiter-flexible', '@upstash/ratelimit', 'bottleneck', 'express-slow-down'].includes(d)
+      );
+      if (hasRateLimiter) return findings;
+
+      const hasApiRoutes = [...files.keys()].some(f => f.includes('/api/') || f.includes('routes'));
+      const hasRateLimitCode = [...files.values()].some(c =>
+        c.includes('rateLimit') || c.includes('rateLimiter') || c.includes('rate-limit') || c.includes('throttle')
+      );
+      if (hasApiRoutes && !hasRateLimitCode) {
+        findings.push({
+          ruleId: 'SEC-RL-001', category: 'security', severity: 'high',
+          title: 'No rate limiting detected on API — vulnerable to abuse and DDoS',
+          description: 'Add express-rate-limit, @upstash/ratelimit, or similar.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // SEC-RL-002
+  {
+    id: 'SEC-RL-002', category: 'security', severity: 'critical', confidence: 'definite',
+    title: 'No rate limiting on login endpoint',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+
+      for (const [fp, content] of files) {
+        if (fp.includes('test') || fp.includes('spec')) continue;
+        if (content.match(/(?:\/api\/(?:auth\/)?login|\/login|\/signin|\/sign-in)/i) &&
+            content.match(/\.(post|all)\s*\(/) &&
+            !content.includes('rateLimit') && !content.includes('rateLimiter') && !content.includes('throttle')) {
+          findings.push({
+            ruleId: 'SEC-RL-002', category: 'security', severity: 'critical',
+            title: 'Login endpoint without rate limiting — brute force attacks possible',
+            file: fp, fix: null,
+          });
+          break;
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-RL-003
+  {
+    id: 'SEC-RL-003', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'No rate limiting on registration',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+
+      for (const [fp, content] of files) {
+        if (fp.includes('test') || fp.includes('spec')) continue;
+        if (content.match(/(?:\/api\/(?:auth\/)?(?:register|signup|sign-up))/i) &&
+            content.match(/\.(post|all)\s*\(/) &&
+            !content.includes('rateLimit') && !content.includes('rateLimiter')) {
+          findings.push({
+            ruleId: 'SEC-RL-003', category: 'security', severity: 'high',
+            title: 'Registration endpoint without rate limiting — spam account creation possible',
+            file: fp, fix: null,
+          });
+          break;
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-RL-004
+  {
+    id: 'SEC-RL-004', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'No rate limiting on password reset',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+
+      for (const [fp, content] of files) {
+        if (fp.includes('test') || fp.includes('spec')) continue;
+        if (content.match(/(?:\/api\/(?:auth\/)?(?:reset|forgot|password))/i) &&
+            content.match(/\.(post|all)\s*\(/) &&
+            !content.includes('rateLimit') && !content.includes('rateLimiter')) {
+          findings.push({
+            ruleId: 'SEC-RL-004', category: 'security', severity: 'high',
+            title: 'Password reset endpoint without rate limiting — email bombing possible',
+            file: fp, fix: null,
+          });
+          break;
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-RL-005
+  {
+    id: 'SEC-RL-005', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Rate limit too high',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (fp.includes('test')) continue;
+        const match = content.match(/(?:max|limit)\s*[:=]\s*(\d+)/);
+        if (match && parseInt(match[1]) > 1000) {
+          findings.push({
+            ruleId: 'SEC-RL-005', category: 'security', severity: 'medium',
+            title: `Rate limit set very high (${match[1]} requests) — may not effectively prevent abuse`,
+            file: fp, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-RL-006
+  {
+    id: 'SEC-RL-006', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Rate limit by IP only',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (fp.includes('test')) continue;
+        if (content.includes('rateLimit') || content.includes('RateLimit')) {
+          if (content.includes('keyGenerator') || content.includes('key:')) {
+            // Custom key generator — likely not just IP
+          } else if (content.includes('express-rate-limit')) {
+            // express-rate-limit is a standard, accepted IP-based rate limiter — don't flag
+          } else if (content.includes('rateLimit(') || content.includes('new RateLimiter')) {
+            findings.push({
+              ruleId: 'SEC-RL-006', category: 'security', severity: 'medium',
+              title: 'Rate limiting appears to be IP-only — bypassable with proxies/VPNs',
+              description: 'Consider adding user ID, API key, or fingerprint to the rate limit key.',
+              file: fp, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-RL-007
+  {
+    id: 'SEC-RL-007', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'No rate limiting on file upload',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const hasUpload = [...files.values()].some(c =>
+        c.includes('multer') || c.includes('upload') || c.includes('formidable') || c.includes('busboy')
+      );
+      if (hasUpload) {
+        const hasRateLimitOnUpload = [...files.values()].some(c =>
+          (c.includes('upload') || c.includes('multer')) && (c.includes('rateLimit') || c.includes('rateLimiter'))
+        );
+        // If upload routes are protected by auth middleware, rate limiting is handled at auth layer
+        const hasAuthOnUpload = [...files.values()].some(c =>
+          (c.includes('upload') || c.includes('multer')) &&
+          /(?:authenticate|auth|verifyToken|protect|isAuthenticated|requireAuth|ensureAuth|passport\.authenticate|requireLogin|checkAuth)/i.test(c)
+        );
+        if (!hasRateLimitOnUpload && !hasAuthOnUpload) {
+          findings.push({
+            ruleId: 'SEC-RL-007', category: 'security', severity: 'high',
+            title: 'File upload endpoints without rate limiting — storage abuse possible',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-RL-008
+  {
+    id: 'SEC-RL-008', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'No rate limiting on API key generation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (fp.includes('test')) continue;
+        if (content.match(/(?:generate|create).*(?:apiKey|api_key|token)/i) &&
+            content.match(/\.(post|all)\s*\(/) &&
+            !content.includes('rateLimit')) {
+          findings.push({
+            ruleId: 'SEC-RL-008', category: 'security', severity: 'medium',
+            title: 'API key generation endpoint without rate limiting',
+            file: fp, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;