@sun-asterisk/sunlint

☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards

{ "ruleId": "S058", "name": "No SSRF (Server-Side Request Forgery)", "description": "Prevent SSRF attacks by validating URLs from user input before making HTTP requests", "category": "security", "severity": "error", "options": { "httpClientPatterns": [ "fetch\\s*\\(", "axios\\.(?:get|post|put|delete|patch|request)\\s*\\(", "http\\.(?:get|post|put|delete|patch|request)\\s*\\(", "https\\.(?:get|post|put|delete|patch|request)\\s*\\(", "(?:^|\\s|=|\\()request\\s*\\(", "got\\s*\\(", "superagent\\.", "needle\\.", "bent\\(", "node-fetch\\s*\\(", "isomorphic-fetch\\s*\\(", "ky\\s*\\(", "httpClient\\.", "\\.httpClient\\." ], "userInputSources": [ "req\\.body", "req\\.query", "req\\.params", "request\\.body", "request\\.query", "request\\.params", "ctx\\.request\\.body", "ctx\\.query", "ctx\\.params", "event\\.body", "event\\.queryStringParameters", "event\\.pathParameters", "\\.query\\.", "\\.body\\.", "\\.params\\.", "process\\.argv", "process\\.env\\.", "from.*request", "from.*input", "user.*input", "client.*data", "external.*data" ], "dangerousProtocols": [ "file://", "ftp://", "sftp://", "ldap://", "ldaps://", "dict://", "gopher://", "jar://", "netdoc://", "mailto:", "news:", "imap://", "pop3://", "smb://", "afp://", "telnet://", "ssh://" ], "blockedIPs": [ "127\\.0\\.0\\.1", "::1", "localhost", "169\\.254\\.169\\.254", "metadata\\.google\\.internal", "169\\.254\\.", "10\\.", "172\\.(1[6-9]|2[0-9]|3[01])\\.", "192\\.168\\." 
], "blockedPorts": [ "22", "23", "25", "53", "135", "139", "445", "1433", "1521", "3306", "3389", "5432", "5984", "6379", "8080", "9200", "11211", "27017", "50070" ], "allowedDomains": [ "api\\.trusted-service\\.com", "service\\.company\\.com" ], "validationFunctions": [ "validateUrl", "validateUrlAllowList", "checkAllowedUrl", "isAllowedUrl", "sanitizeUrl", "verifyUrl", "urlValidator" ], "policy": { "requireExplicitValidation": true, "enforceAllowList": true, "blockPrivateIPs": true, "checkProtocols": true, "requireHttpsOnly": false, "maxRedirects": 0 }, "thresholds": { "maxSuspiciousUrls": 3, "maxUnvalidatedRequests": 1 } } }