@sun-asterisk/sunlint

☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards

{ "ruleId": "S004", "name": "Sensitive Data Logging Protection", "description": "Prevent logging of sensitive information like passwords, tokens, and payment data without proper redaction", "category": "security", "severity": "warning", "languages": ["typescript", "javascript", "dart"], "tags": [ "security", "owasp", "logging", "sensitive-data", "pii", "credentials", "data-exposure" ], "enabled": true, "fixable": false, "engine": "heuristic", "metadata": { "owaspCategory": "A09:2021 - Security Logging and Monitoring Failures", "cweId": "CWE-532", "description": "Logging sensitive information without proper redaction can lead to data exposure through log files, monitoring systems, or centralized logging platforms. Logs may be shared with third parties, stored insecurely, or accessed by unauthorized personnel.", "impact": "Medium - Data exposure, credential theft, compliance violations (GDPR, PCI-DSS)", "likelihood": "High", "remediation": "Mask or redact sensitive fields before logging. Use selective field logging (omit/pick) or implement log sanitization filters." 
}, "patterns": { "vulnerable": [ "console.log(password) without masking", "logger.info(req.body) with sensitive fields", "console.log(access_token) without redaction", "logger.error(creditCard) unmasked", "console.log(`Token: ${token}`) without masking", "logger.info(req.headers) with Authorization header" ], "secure": [ "Use masking: console.log(password.replace(/./g, '*'))", "Selective logging: logger.info(omit(req.body, ['password', 'token']))", "Hash sensitive data: console.log({ tokenHash: hash(token) })", "Partial redaction: logger.info({ card: card.substr(0, 4) + '****' })", "Configure logger to filter sensitive fields automatically", "Use structured logging with field-level redaction" ] }, "examples": { "violations": [ "console.log('User password:', user.password);", "logger.info('Request data:', req.body);", "console.log(`Access token: ${accessToken}`);", "logger.error('Auth failed:', { credentials: creds });", "console.log(req.headers);" ], "fixes": [ "console.log('User login:', { username: user.username }); // Omit password", "logger.info('Request data:', omit(req.body, ['password', 'secret']));", "console.log(`Access token: ${accessToken.substr(0, 4)}****`);", "logger.error('Auth failed:', { username: creds.username }); // Omit password", "logger.info(omit(req.headers, ['authorization', 'cookie']));" ] } }