@sun-asterisk/sunlint

☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards

{ "ruleId": "S005", "name": "No Origin Header Authentication", "description": "Do not use the Origin header for authentication or access control", "category": "security", "severity": "error", "languages": ["typescript", "javascript"], "version": "1.0.0", "status": "stable", "tags": ["security", "authentication", "headers", "origin", "access-control"], "patterns": { "vulnerable": [ "req.headers.origin in authentication context", "req.get('origin') for access control", "Origin-based conditional authentication", "CORS origin configuration mixed with auth", "Express middleware using origin for security" ], "secure": [ "JWT token authentication", "Session-based authentication", "API key authentication", "OAuth 2.0 flows", "Proper CORS configuration without auth reliance" ] }, "configuration": { "checkAuthContext": true, "checkMiddleware": true, "checkConditionals": true, "checkCORSMixing": true, "contextDepth": 3, "ignoreComments": true }, "examples": { "violations": [ { "code": "if (req.headers.origin === 'trusted.com') { req.authenticated = true; }", "reason": "The Origin header is supplied by the client and can be set to any value by a non-browser client, so it must not be used for authentication" }, { "code": "const authMiddleware = (req, res, next) => { if (req.get('origin') === 'admin.com') next(); }", "reason": "Middleware should not rely on the Origin header for access control, since any client can set it to an arbitrary value" } ], "valid": [ { "code": "const token = req.headers.authorization; jwt.verify(token, secret, callback);", "reason": "Proper JWT token authentication" }, { "code": "console.log('Request from:', req.headers.origin);", "reason": "Uses the Origin header for logging only, not for authentication" } ] }, "remediation": { "recommendations": [ "Use JWT tokens for authentication", "Implement session-based authentication", "Use API keys for service authentication", "Implement OAuth 2.0 for third-party authentication", "Use proper CORS configuration without relying on it for authentication" ], "resources": [ "https://owasp.org/www-community/vulnerabilities/CORS_OriginHeaderScrutiny", 
"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin", "https://auth0.com/docs/secure/tokens/json-web-tokens" ] }, "performance": { "complexity": "O(n)", "accuracy": { "ast": 95, "regex": 85 }, "falsePositiveRate": "< 5%", "coverage": "High for TypeScript/JavaScript" } }