oauthlint-rules 0.2.6 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. package/dist/schema.d.ts +60 -0
  2. package/dist/schema.d.ts.map +1 -1
  3. package/dist/schema.js +12 -0
  4. package/dist/schema.js.map +1 -1
  5. package/package.json +1 -1
  6. package/rules/cookie/no-httponly.yml +5 -1
  7. package/rules/cookie/no-samesite.yml +5 -1
  8. package/rules/cookie/no-secure.yml +8 -5
  9. package/rules/cookie/samesite-none-insecure.yml +22 -0
  10. package/rules/flow/oauth-credential-in-log.yml +97 -0
  11. package/rules/flow/open-redirect.yml +11 -0
  12. package/rules/flow/ssrf.yml +19 -0
  13. package/rules/flow/timing-unsafe-compare.yml +19 -0
  14. package/rules/go/cookie/insecure.yml +15 -6
  15. package/rules/go/flow/oauth-credential-in-log.yml +90 -0
  16. package/rules/go/jwt/untrusted-verify-key.yml +68 -0
  17. package/rules/go/oauth/insecure-token-endpoint.yml +39 -0
  18. package/rules/go/oauth/ropc-grant.yml +64 -0
  19. package/rules/go/oauth/static-state.yml +39 -0
  20. package/rules/go/tls/insecure-skip-verify.yml +14 -3
  21. package/rules/go/tls/min-version.yml +12 -3
  22. package/rules/java/cors/credentialed-wildcard.yml +44 -0
  23. package/rules/java/jwt/none-algorithm.yml +37 -0
  24. package/rules/java/jwt/untrusted-verify-key.yml +54 -0
  25. package/rules/java/oauth/insecure-token-endpoint.yml +39 -0
  26. package/rules/java/oauth/ropc-grant.yml +45 -0
  27. package/rules/java/oauth/static-state.yml +38 -0
  28. package/rules/java/web/permit-all-actuator.yml +43 -0
  29. package/rules/jwt/ignore-expiration.yml +21 -11
  30. package/rules/jwt/untrusted-verify-key.yml +77 -0
  31. package/rules/oauth/insecure-token-endpoint.yml +41 -0
  32. package/rules/oauth/ropc-grant.yml +48 -0
  33. package/rules/oauth/static-state.yml +49 -0
  34. package/rules/py/flow/oauth-credential-in-log.yml +91 -0
  35. package/rules/py/jwt/untrusted-verify-key.yml +75 -0
  36. package/rules/py/oauth/insecure-token-endpoint.yml +40 -0
  37. package/rules/py/oauth/insecure-transport-env.yml +43 -0
  38. package/rules/py/oauth/ropc-grant.yml +58 -0
  39. package/rules/py/oauth/static-state.yml +45 -0
  40. package/rules/py/oauth/token-request-verify-disabled.yml +41 -0
  41. package/rules/rust/oauth/insecure-token-endpoint.yml +39 -0
  42. package/rules/rust/oauth/ropc-grant.yml +57 -0
  43. package/rules/rust/oauth/static-state.yml +58 -0
@@ -0,0 +1,58 @@
1
+ rules:
2
+ - id: auth.rust.oauth.static-state
3
+ languages:
4
+ - rust
5
+ severity: WARNING
6
+ message: |
7
+ OAuth authorization request is built with a hardcoded, constant `state`
8
+ value (`CsrfToken::new("literal")`). A static `state` provides ZERO CSRF
9
+ protection — the whole point is an unguessable, per-request value that
10
+ you store and then compare on the callback. A literal that ships in your
11
+ source is known to everyone and identical on every request, so an
12
+ attacker can forge a matching callback.
13
+
14
+ Use `CsrfToken::new_random` (the `oauth2` crate's CSPRNG-backed
15
+ generator), pass it to `authorize_url`, persist it in the session, and
16
+ verify it when the provider redirects back.
17
+ # `CsrfToken::new` with a STRING LITERAL is a constant state baked into the
18
+ # source. The four conversion forms below match only when the literal is the
19
+ # direct argument, so `CsrfToken::new(generate())` or a variable is never
20
+ # flagged. `CsrfToken::new_random()` is a different method and is not
21
+ # matched.
22
+ patterns:
23
+ - pattern-either:
24
+ - pattern: CsrfToken::new("...".to_string())
25
+ - pattern: CsrfToken::new("...".to_owned())
26
+ - pattern: CsrfToken::new("...".into())
27
+ - pattern: CsrfToken::new(String::from("..."))
28
+ # Unit tests routinely pass a fixed `state` to assert on the URL — that is
29
+ # the test asserting determinism, not an app shipping a constant CSRF
30
+ # token. The `#[cfg(test)] mod tests { ... }` block is the canonical Rust
31
+ # idiom (e.g. oauth2-rs' own crate tests), so suppress matches inside it.
32
+ - pattern-not-inside: mod tests {...}
33
+ # Belt-and-suspenders: never fire on test/example/vendored/generated trees.
34
+ # `tests.rs` is Rust's sibling test-module file convention.
35
+ paths:
36
+ exclude:
37
+ - "**/test/**"
38
+ - "**/tests.rs"
39
+ - "**/*_test.*"
40
+ - "**/*.test.*"
41
+ - "**/example/**"
42
+ - "**/examples/**"
43
+ - "**/mock*/**"
44
+ - "**/vendor/**"
45
+ - "**/node_modules/**"
46
+ - "**/target/**"
47
+ metadata:
48
+ oauthlint-rule-id: AUTH-RUST-OAUTH-003
49
+ oauthlint-doc-url: https://oauthlint.dev/rules/rust-oauth-static-state
50
+ category: security
51
+ cwe: CWE-330
52
+ owasp: API1:2023
53
+ llm-prevalence: MEDIUM
54
+ technology:
55
+ - oauth2
56
+ references:
57
+ - https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
58
+ - https://cwe.mitre.org/data/definitions/330.html