oauthlint-rules 0.2.6 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/schema.d.ts +60 -0
- package/dist/schema.d.ts.map +1 -1
- package/dist/schema.js +12 -0
- package/dist/schema.js.map +1 -1
- package/package.json +1 -1
- package/rules/cookie/no-httponly.yml +5 -1
- package/rules/cookie/no-samesite.yml +5 -1
- package/rules/cookie/no-secure.yml +8 -5
- package/rules/cookie/samesite-none-insecure.yml +22 -0
- package/rules/flow/oauth-credential-in-log.yml +97 -0
- package/rules/flow/open-redirect.yml +11 -0
- package/rules/flow/ssrf.yml +19 -0
- package/rules/flow/timing-unsafe-compare.yml +19 -0
- package/rules/go/cookie/insecure.yml +15 -6
- package/rules/go/flow/oauth-credential-in-log.yml +90 -0
- package/rules/go/jwt/untrusted-verify-key.yml +68 -0
- package/rules/go/oauth/insecure-token-endpoint.yml +39 -0
- package/rules/go/oauth/ropc-grant.yml +64 -0
- package/rules/go/oauth/static-state.yml +39 -0
- package/rules/go/tls/insecure-skip-verify.yml +14 -3
- package/rules/go/tls/min-version.yml +12 -3
- package/rules/java/cors/credentialed-wildcard.yml +44 -0
- package/rules/java/jwt/none-algorithm.yml +37 -0
- package/rules/java/jwt/untrusted-verify-key.yml +54 -0
- package/rules/java/oauth/insecure-token-endpoint.yml +39 -0
- package/rules/java/oauth/ropc-grant.yml +45 -0
- package/rules/java/oauth/static-state.yml +38 -0
- package/rules/java/web/permit-all-actuator.yml +43 -0
- package/rules/jwt/ignore-expiration.yml +21 -11
- package/rules/jwt/untrusted-verify-key.yml +77 -0
- package/rules/oauth/insecure-token-endpoint.yml +41 -0
- package/rules/oauth/ropc-grant.yml +48 -0
- package/rules/oauth/static-state.yml +49 -0
- package/rules/py/flow/oauth-credential-in-log.yml +91 -0
- package/rules/py/jwt/untrusted-verify-key.yml +75 -0
- package/rules/py/oauth/insecure-token-endpoint.yml +40 -0
- package/rules/py/oauth/insecure-transport-env.yml +43 -0
- package/rules/py/oauth/ropc-grant.yml +58 -0
- package/rules/py/oauth/static-state.yml +45 -0
- package/rules/py/oauth/token-request-verify-disabled.yml +41 -0
- package/rules/rust/oauth/insecure-token-endpoint.yml +39 -0
- package/rules/rust/oauth/ropc-grant.yml +57 -0
- package/rules/rust/oauth/static-state.yml +58 -0
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: auth.rust.oauth.static-state
|
|
3
|
+
languages:
|
|
4
|
+
- rust
|
|
5
|
+
severity: WARNING
|
|
6
|
+
message: |
|
|
7
|
+
OAuth authorization request is built with a hardcoded, constant `state`
|
|
8
|
+
value (`CsrfToken::new("literal")`). A static `state` provides ZERO CSRF
|
|
9
|
+
protection — the whole point is an unguessable, per-request value that
|
|
10
|
+
you store and then compare on the callback. A literal that ships in your
|
|
11
|
+
source is known to everyone and identical on every request, so an
|
|
12
|
+
attacker can forge a matching callback.
|
|
13
|
+
|
|
14
|
+
Use `CsrfToken::new_random` (the `oauth2` crate's CSPRNG-backed
|
|
15
|
+
generator), pass it to `authorize_url`, persist it in the session, and
|
|
16
|
+
verify it when the provider redirects back.
|
|
17
|
+
# `CsrfToken::new` with a STRING LITERAL is a constant state baked into the
|
|
18
|
+
# source. The four conversion forms below match only when the literal is the
|
|
19
|
+
# direct argument, so `CsrfToken::new(generate())` or a variable is never
|
|
20
|
+
# flagged. `CsrfToken::new_random()` is a different method and is not
|
|
21
|
+
# matched.
|
|
22
|
+
patterns:
|
|
23
|
+
- pattern-either:
|
|
24
|
+
- pattern: CsrfToken::new("...".to_string())
|
|
25
|
+
- pattern: CsrfToken::new("...".to_owned())
|
|
26
|
+
- pattern: CsrfToken::new("...".into())
|
|
27
|
+
- pattern: CsrfToken::new(String::from("..."))
|
|
28
|
+
# Unit tests routinely pass a fixed `state` to assert on the URL — that is
|
|
29
|
+
# the test asserting determinism, not an app shipping a constant CSRF
|
|
30
|
+
# token. The `#[cfg(test)] mod tests { ... }` block is the canonical Rust
|
|
31
|
+
# idiom (e.g. oauth2-rs' own crate tests), so suppress matches inside it.
|
|
32
|
+
- pattern-not-inside: mod tests {...}
|
|
33
|
+
# Belt-and-suspenders: never fire on test/example/vendored/generated trees.
|
|
34
|
+
# `tests.rs` is Rust's sibling test-module file convention.
|
|
35
|
+
paths:
|
|
36
|
+
exclude:
|
|
37
|
+
- "**/test/**"
|
|
38
|
+
- "**/tests.rs"
|
|
39
|
+
- "**/*_test.*"
|
|
40
|
+
- "**/*.test.*"
|
|
41
|
+
- "**/example/**"
|
|
42
|
+
- "**/examples/**"
|
|
43
|
+
- "**/mock*/**"
|
|
44
|
+
- "**/vendor/**"
|
|
45
|
+
- "**/node_modules/**"
|
|
46
|
+
- "**/target/**"
|
|
47
|
+
metadata:
|
|
48
|
+
oauthlint-rule-id: AUTH-RUST-OAUTH-003
|
|
49
|
+
oauthlint-doc-url: https://oauthlint.dev/rules/rust-oauth-static-state
|
|
50
|
+
category: security
|
|
51
|
+
cwe: CWE-330
|
|
52
|
+
owasp: API1:2023
|
|
53
|
+
llm-prevalence: MEDIUM
|
|
54
|
+
technology:
|
|
55
|
+
- oauth2
|
|
56
|
+
references:
|
|
57
|
+
- https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
|
|
58
|
+
- https://cwe.mitre.org/data/definitions/330.html
|