{
"id": "S016",
"name": "Do not pass sensitive data via query string",
"category": "security",
"description": "S016 - Do not pass sensitive data (passwords, tokens, secrets, API keys, session or CSRF identifiers, personal data, etc.) via the query string of a URL. Query strings are recorded in server, proxy and CDN access logs, persisted in browser history, forwarded to third parties through the Referer header, and are visible in network traces. Send such values in a request header (e.g. Authorization) or in the request body instead",
"severity": "error",
"enabled": true,
"semantic": {
"enabled": true,
"priority": "high",
"fallback": "heuristic"
},
"patterns": {
"include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
"exclude": [
"**/*.test.js",
"**/*.test.ts",
"**/*.spec.js",
"**/*.spec.ts",
"**/node_modules/**",
"**/dist/**",
"**/build/**"
]
},
"analysis": {
"approach": "symbol-based-primary",
"fallback": "regex-based",
"depth": 2,
"timeout": 5000
},
"validation": {
"urlPatterns": [
"new URL",
"URLSearchParams",
"fetch",
"axios",
"request",
"location.href",
"location.search",
"querystring.stringify",
"qs.stringify"
],
"sensitivePatterns": [
"password",
"passwd",
"pwd",
"pass",
"token",
"jwt",
"accesstoken",
"refreshtoken",
"bearertoken",
"secret",
"secretkey",
"clientsecret",
"serversecret",
"apikey",
"api_key",
"key",
"privatekey",
"publickey",
"auth",
"authorization",
"authenticate",
"sessionid",
"session_id",
"jsessionid",
"csrf",
"csrftoken",
"xsrf",
"ssn",
"social",
"socialsecurity",
"creditcard",
"cardnumber",
"cardnum",
"ccnumber",
"cvv",
"cvc",
"cvd",
"cid",
"pin",
"pincode",
"bankaccount",
"routing",
"iban",
"email",
"emailaddress",
"mail",
"phone",
"phonenumber",
"mobile",
"tel",
"address",
"homeaddress",
"zipcode",
"postal",
"birthdate",
"birthday",
"dob",
"license",
"passport",
"identity",
"salary",
"income",
"wage",
"medical",
"health",
"diagnosis"
],
"httpClientPatterns": [
"fetch",
"axios.get",
"axios.post",
"axios.put",
"axios.delete",
"axios.patch",
"axios.request",
"request.get",
"request.post",
"http.get",
"http.request",
"https.get",
"https.request"
]
}
}