oauthlint-rules 0.2.5 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40) hide show
  1. package/package.json +1 -1
  2. package/rules/cookie/no-httponly.yml +5 -1
  3. package/rules/cookie/no-samesite.yml +5 -1
  4. package/rules/cookie/no-secure.yml +8 -5
  5. package/rules/flow/oauth-credential-in-log.yml +97 -0
  6. package/rules/flow/secret-in-response.yml +70 -0
  7. package/rules/go/cookie/insecure.yml +15 -6
  8. package/rules/go/flow/oauth-credential-in-log.yml +90 -0
  9. package/rules/go/flow/secret-in-response.yml +69 -0
  10. package/rules/go/jwt/untrusted-verify-key.yml +68 -0
  11. package/rules/go/oauth/insecure-token-endpoint.yml +39 -0
  12. package/rules/go/oauth/ropc-grant.yml +49 -0
  13. package/rules/go/oauth/static-state.yml +39 -0
  14. package/rules/go/tls/insecure-skip-verify.yml +14 -3
  15. package/rules/go/tls/min-version.yml +12 -3
  16. package/rules/java/cors/credentialed-wildcard.yml +44 -0
  17. package/rules/java/jwt/none-algorithm.yml +37 -0
  18. package/rules/java/jwt/untrusted-verify-key.yml +54 -0
  19. package/rules/java/oauth/insecure-token-endpoint.yml +39 -0
  20. package/rules/java/oauth/ropc-grant.yml +45 -0
  21. package/rules/java/oauth/static-state.yml +38 -0
  22. package/rules/java/web/permit-all-actuator.yml +43 -0
  23. package/rules/jwt/ignore-expiration.yml +21 -11
  24. package/rules/jwt/untrusted-verify-key.yml +77 -0
  25. package/rules/oauth/insecure-token-endpoint.yml +41 -0
  26. package/rules/oauth/ropc-grant.yml +43 -0
  27. package/rules/oauth/static-state.yml +49 -0
  28. package/rules/py/flow/oauth-credential-in-log.yml +91 -0
  29. package/rules/py/flow/secret-in-response.yml +88 -0
  30. package/rules/py/jwt/algorithm-confusion.yml +48 -0
  31. package/rules/py/jwt/untrusted-verify-key.yml +75 -0
  32. package/rules/py/oauth/insecure-token-endpoint.yml +40 -0
  33. package/rules/py/oauth/insecure-transport-env.yml +43 -0
  34. package/rules/py/oauth/ropc-grant.yml +50 -0
  35. package/rules/py/oauth/static-state.yml +45 -0
  36. package/rules/py/oauth/token-request-verify-disabled.yml +41 -0
  37. package/rules/rust/jwt/algorithm-confusion.yml +50 -0
  38. package/rules/rust/oauth/insecure-token-endpoint.yml +39 -0
  39. package/rules/rust/oauth/ropc-grant.yml +40 -0
  40. package/rules/rust/oauth/static-state.yml +38 -0
@@ -0,0 +1,38 @@
1
+ rules:
2
+ - id: auth.rust.oauth.static-state
3
+ languages:
4
+ - rust
5
+ severity: WARNING
6
+ message: |
7
+ OAuth authorization request is built with a hardcoded, constant `state`
8
+ value (`CsrfToken::new("literal")`). A static `state` provides ZERO CSRF
9
+ protection — the whole point is an unguessable, per-request value that
10
+ you store and then compare on the callback. A literal that ships in your
11
+ source is known to everyone and identical on every request, so an
12
+ attacker can forge a matching callback.
13
+
14
+ Use `CsrfToken::new_random` (the `oauth2` crate's CSPRNG-backed
15
+ generator), pass it to `authorize_url`, persist it in the session, and
16
+ verify it when the provider redirects back.
17
+ # `CsrfToken::new` with a STRING LITERAL is a constant state baked into the
18
+ # source. The four conversion forms below match only when the literal is the
19
+ # direct argument, so `CsrfToken::new(generate())` or a variable is never
20
+ # flagged. `CsrfToken::new_random()` is a different method and is not
21
+ # matched.
22
+ pattern-either:
23
+ - pattern: CsrfToken::new("...".to_string())
24
+ - pattern: CsrfToken::new("...".to_owned())
25
+ - pattern: CsrfToken::new("...".into())
26
+ - pattern: CsrfToken::new(String::from("..."))
27
+ metadata:
28
+ oauthlint-rule-id: AUTH-RUST-OAUTH-003
29
+ oauthlint-doc-url: https://oauthlint.dev/rules/rust-oauth-static-state
30
+ category: security
31
+ cwe: CWE-330
32
+ owasp: API1:2023
33
+ llm-prevalence: MEDIUM
34
+ technology:
35
+ - oauth2
36
+ references:
37
+ - https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
38
+ - https://cwe.mitre.org/data/definitions/330.html