UNPKG

@sun-asterisk/sunlint

Version:

☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards

github.com/sun-asterisk/engineer-excellence/tree/main/coding-quality/extensions/sunlint

sun-asterisk/engineer-excellence

149 lines (124 loc) 4.99 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
# S016 Analysis Strategy ## Rule Focus: Prevent Sensitive Data in URL Query Parameters ### Detection Pipeline: 1. **Find URL Construction Patterns** (Symbol-based) - Use AST to detect URL construction: `new URL()`, `new URLSearchParams()` - Identify HTTP client calls: `fetch()`, `axios.*()`, `request.*()` - Find location manipulations: `window.location.href`, `location.search` 2. **Locate Query Parameter Usage** (Symbol-based) - Find property access patterns: `params.password`, `query.token` - Detect query string manipulations: `querystring.stringify()`, `qs.stringify()` - Identify URL building with template literals and concatenation 3. **Analyze Parameter Content** (AST + Pattern Analysis) - Check parameter names against sensitive patterns - Validate URL construction arguments - Detect object properties in URLSearchParams constructor - Check for sensitive data in query string values ### Violations to Detect: #### 1. **Sensitive Data in URL Constructor** ```javascript // ❌ Bad - Password in URL const url = new URL(`https://api.com/login?password=${userPassword}`); // ❌ Bad - Token in URLSearchParams const params = new URLSearchParams({ token: authToken, apiKey: process.env.API_KEY }); // ✅ Good - Use request body or headers const response = await fetch('https://api.com/login', { method: 'POST', headers: { 'Authorization': `Bearer ${token}` }, body: JSON.stringify({ credentials }) }); ``` #### 2. **Sensitive Data in HTTP Client URLs** ```javascript // ❌ Bad - Credentials in query string fetch(`https://api.com/users?password=${pwd}&ssn=${userSSN}`); // ❌ Bad - Sensitive data in axios axios.get('/api/profile', { params: { email: user.email, creditCard: user.cardNumber } }); // ✅ Good - Use POST with body or secure headers axios.post('/api/profile', { email: user.email, // Move sensitive data to encrypted request body }, { headers: { 'Authorization': `Bearer ${token}` } }); ``` #### 3. **Location/Window Object Manipulations** ```javascript // ❌ Bad - Sensitive data in location window.location.href = `/dashboard?token=${jwt}&password=${pwd}`; // ❌ Bad - Search parameter manipulation location.search += `&apiKey=${apiKey}&secret=${clientSecret}`; // ✅ Good - Use sessionStorage or secure alternatives sessionStorage.setItem('token', jwt); window.location.href = '/dashboard'; ``` #### 4. **Query String Building** ```javascript // ❌ Bad - Sensitive data in query string const params = querystring.stringify({ username: user.name, password: user.password, creditCard: user.card }); // ✅ Good - Separate public and sensitive data const params = querystring.stringify({ username: user.name, // Move sensitive data to secure request body }); ``` ### Sensitive Data Patterns to Detect: #### Authentication & Authorization: - `password`, `passwd`, `pwd`, `pass` - `token`, `jwt`, `accesstoken`, `refreshtoken`, `bearertoken` - `secret`, `secretkey`, `clientsecret`, `serversecret` - `apikey`, `api_key`, `key`, `privatekey`, `publickey` - `auth`, `authorization`, `authenticate` - `sessionid`, `session_id`, `jsessionid` - `csrf`, `csrftoken`, `xsrf` #### Financial & Personal: - `ssn`, `social`, `socialsecurity` - `creditcard`, `cardnumber`, `cardnum`, `ccnumber` - `cvv`, `cvc`, `cvd`, `cid` - `pin`, `pincode` - `bankaccount`, `routing`, `iban` #### Personal Identifiable Information: - `email`, `emailaddress`, `mail` - `phone`, `phonenumber`, `mobile`, `tel` - `address`, `homeaddress`, `zipcode`, `postal` - `birthdate`, `birthday`, `dob` - `license`, `passport`, `identity` ### URL Construction Methods to Monitor: - `new URL()` - `new URLSearchParams()` - `fetch()` with query parameters - `axios.*()` methods with params - `request.*()` methods - `window.location.href` assignments - `location.search` manipulations - `querystring.stringify()` / `qs.stringify()` ### Security Risks: 1. **Server Logs**: URLs with query parameters are logged by web servers 2. **Browser History**: URLs are stored in browser history 3. **Referrer Headers**: URLs can leak via referrer headers to third parties 4. **Network Traces**: URLs visible in network monitoring tools 5. **Proxy Logs**: Corporate/ISP proxies log full URLs 6. **Cache Issues**: URLs may be cached by CDNs or proxy servers ### Recommended Alternatives: 1. **Request Body**: Use POST/PUT with JSON body for sensitive data 2. **Secure Headers**: Use Authorization header for tokens 3. **Session Storage**: Store sensitive data in secure browser storage 4. **Encrypted Payloads**: Encrypt sensitive data before transmission 5. **Server-Side Sessions**: Use session IDs instead of actual sensitive data ### Implementation Priority: 1. **Phase 1**: Basic URL construction detection (new URL, fetch) 2. **Phase 2**: HTTP client library detection (axios, request) 3. **Phase 3**: Query string manipulation detection 4. **Phase 4**: Advanced patterns (template literals, dynamic construction)