@oculum/scanner 1.0.14 → 1.0.15

package/src/detect/ast-rules/json-parse-ast.ts

@@ -0,0 +1,162 @@
+/**
+ * AST-Based JSON.parse Source-Aware Detection
+ *
+ * Migrates dangerous-functions JSON.parse detection to AST.
+ *
+ * AST advantages:
+ * - Source classification from AST (req.body vs localStorage vs config)
+ * - Try-catch detection via AST ancestors (not regex line search)
+ * - Schema validation detection from nearby call expressions
+ * - Handles aliased JSON.parse: const parse = JSON.parse; parse(input)
+ */
+
+import type { ParsedAST } from '../../parse/ast'
+import { findEnclosingFunction } from '../../parse/ast'
+import { registerASTRule, type ASTRuleMatch, type NodeIndex, getNodes } from './index'
+import type Parser from 'tree-sitter'
+import { resolveCallTarget, getCallArguments } from './helpers/call-analysis'
+import { collectVariableAliases } from './helpers/scope-analysis'
+import { isInsideTryCatch } from './helpers/control-flow'
+import { isUserInputExpression } from './helpers/user-input'
+import { hasImport } from './helpers/import-analysis'
+import { isScannerOrFixtureFile, isTestOrMockFile } from '../../parse/file-classifier'
+
+// ============================================================================
+// Source Classification
+// ============================================================================
+
+type ParseSource =
+  | 'user_input' | 'local_storage' | 'database' | 'config'
+  | 'trusted_sdk' | 'internal' | 'test' | 'unknown'
+
+function classifySource(
+  argNode: Parser.SyntaxNode,
+  filePath: string,
+  root: Parser.SyntaxNode
+): ParseSource {
+  if (isTestOrMockFile(filePath)) return 'test'
+
+  const text = argNode.text
+
+  // User input sources
+  if (isUserInputExpression(argNode)) return 'user_input'
+  if (/req(uest)?\.body|event\.body|ctx\.request\.body/i.test(text)) return 'user_input'
+
+  // Local storage
+  if (/localStorage\.getItem|sessionStorage\.getItem/i.test(text)) return 'local_storage'
+
+  // Database
+  if (/row\.\w+|document\.\w+|item\.\w+|record\.\w+/i.test(text)) return 'database'
+
+  // Config
+  if (/config\.|settings\.|constants\./i.test(text)) return 'config'
+
+  // File system reads (standard config-loading pattern)
+  if (/readFileSync|readFile\b|\.readFile\(|fs\.promises\.readFile/i.test(text)) return 'config'
+
+  // Trusted SDK responses
+  if (/\.json\(\)|response\.text\(\)|\.data\b/i.test(text)) return 'trusted_sdk'
+
+  // Internal/migration files
+  if (/scripts?\/|tools?\//i.test(filePath)) return 'internal'
+
+  // Check file context for hints
+  if (hasImport(root, 'openai') || hasImport(root, '@anthropic-ai/sdk')) return 'trusted_sdk'
+
+  return 'unknown'
+}
+
+/** Check if there's schema validation nearby */
+function hasSchemaValidation(fnNode: Parser.SyntaxNode | null, root: Parser.SyntaxNode): boolean {
+  if (!fnNode) return false
+  const bodyText = fnNode.text
+  // Exclude JSON.parse itself from matching — look for schema-library parse calls
+  return /z\.(parse|safeParse|parseAsync)\s*\(|schema\.(parse|safeParse)\s*\(|\.safeParse\s*\(|\.validate\s*\(|\.check\s*\(|joi\.|yup\.|zod\./i.test(bodyText)
+}
+
+// ============================================================================
+// AST Rule: JSON.parse
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-json-parse',
+  title: 'JSON.parse with unvalidated input',
+  description: 'JSON.parse() called on potentially untrusted data without schema validation',
+  severity: 'medium',
+  category: 'dangerous_function',
+  suggestedFix: 'Add schema validation (zod, yup, joi) after JSON.parse() to validate the structure and types of parsed data.',
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'medium',
+  baseConfidence: 0.35,
+  layer: 2,
+  source: 'structural',
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    // Content pre-check: skip files without JSON.parse
+    if (!/JSON\.parse/.test(content)) return []
+
+    const matches: ASTRuleMatch[] = []
+    const root = ast.tree.rootNode
+    const aliases = collectVariableAliases(root)
+
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      const target = resolveCallTarget(node, aliases)
+      if (!target) continue
+
+      // JSON.parse() or aliased
+      const isJSONParse =
+        (target.name === 'parse' && target.object === 'JSON') ||
+        (target.aliased && target.fullChain === 'JSON.parse')
+
+      if (!isJSONParse) continue
+
+      const args = getCallArguments(node)
+      if (args.length === 0) continue
+
+      const source = classifySource(args[0], ast.filePath, root)
+      const inTryCatch = isInsideTryCatch(node)
+      const fn = findEnclosingFunction(node)
+      const hasSchema = hasSchemaValidation(fn, root)
+
+      // Safe sources: skip entirely
+      if (source === 'test' || source === 'trusted_sdk' || source === 'internal') continue
+
+      // Config/database with try-catch: skip
+      if ((source === 'config' || source === 'database') && inTryCatch) continue
+
+      // Local storage with try-catch: skip
+      if (source === 'local_storage' && inTryCatch) continue
+
+      // User input: severity depends on try-catch and schema validation
+      if (source === 'user_input') {
+        if (hasSchema) continue // schema validation present
+        if (inTryCatch) {
+          matches.push({
+            node,
+            severity: 'low',
+            note: 'JSON.parse on user input wrapped in try-catch, but consider adding schema validation (zod/yup) for type safety',
+          })
+        } else {
+          matches.push({
+            node,
+            severity: 'medium',
+            note: 'JSON.parse on user input without try-catch or schema validation',
+          })
+        }
+        continue
+      }
+
+      // Unknown source without try-catch
+      if (source === 'unknown' && !inTryCatch && !hasSchema) {
+        matches.push({
+          node,
+          severity: 'info',
+          note: 'JSON.parse without try-catch - consider adding error handling',
+        })
+      }
+    }
+
+    return matches
+  },
+})

package/src/detect/ast-rules/log-injection-ast.ts

@@ -0,0 +1,243 @@
+/**
+ * AST-Based Log Injection Detection
+ *
+ * Migrates structural/log-injection.ts from regex to AST.
+ * Detects unsanitized user input flowing into log statements.
+ *
+ * AST advantages:
+ * - Resolves log sink calls structurally (console.log, logger.info, winston.error)
+ * - Checks argument nodes for user input references, not regex on line text
+ * - Detects taint through template literals and concatenation in log args
+ * - Distinguishes error logging (catch block) from user input logging
+ */
+
+import type { ParsedAST } from '../../parse/ast'
+import { walkAST } from '../../parse/ast'
+import { registerASTRule, type ASTRuleMatch, type NodeIndex, getNodes } from './index'
+import type Parser from 'tree-sitter'
+import { resolveCallTarget, getCallArguments, isMethodCallOn } from './helpers/call-analysis'
+import { isUserInputExpression } from './helpers/user-input'
+import { isInsideCatchClause } from './helpers/control-flow'
+import { isScannerOrFixtureFile, isTestOrMockFile } from '../../parse/file-classifier'
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+/** Log method names */
+const LOG_METHODS = new Set(['log', 'info', 'warn', 'error', 'debug', 'trace', 'fatal', 'silly', 'verbose'])
+
+/** Log objects */
+const LOG_OBJECTS = /^(console|logger|log|winston|pino|bunyan|log4js|signale)$/
+
+function isLogSink(node: Parser.SyntaxNode): boolean {
+  const target = resolveCallTarget(node)
+  if (!target) return false
+  if (!target.object) return false
+  if (!LOG_OBJECTS.test(target.object)) return false
+  if (!LOG_METHODS.has(target.name)) return false
+  return true
+}
+
+/** Check if argument is an error variable from a catch clause */
+function isErrorVarLogging(arg: Parser.SyntaxNode, callNode: Parser.SyntaxNode): boolean {
+  // Direct error identifier: console.error(err)
+  if (arg.type === 'identifier' && /^(err|error|e|ex|exception)$/i.test(arg.text)) {
+    return true
+  }
+
+  // Error property: err.message, error.stack
+  if (arg.type === 'member_expression') {
+    const obj = arg.childForFieldName('object')
+    if (obj && /^(err|error|e|ex|exception)$/i.test(obj.text)) return true
+  }
+
+  // If inside catch clause, check if any arg references the catch variable
+  if (isInsideCatchClause(callNode)) {
+    // Walk up to find catch clause and its parameter
+    let current: Parser.SyntaxNode | null = callNode.parent
+    while (current) {
+      if (current.type === 'catch_clause') {
+        const param = current.childForFieldName('parameter')
+        if (param && arg.type === 'identifier' && arg.text === param.text) return true
+        break
+      }
+      current = current.parent
+    }
+  }
+
+  return false
+}
+
+/** Check if argument contains user input (recursive check for nested expressions) */
+function argContainsUserInput(arg: Parser.SyntaxNode): { found: boolean; type: 'header' | 'body' | 'spread' | 'stringify' } {
+  // Direct user input
+  if (isUserInputExpression(arg)) {
+    if (/\.headers/.test(arg.text)) return { found: true, type: 'header' }
+    return { found: true, type: 'body' }
+  }
+
+  // Spread of request body: { ...req.body }
+  if (arg.type === 'spread_element') {
+    const expr = arg.namedChildren[0]
+    if (expr && isUserInputExpression(expr)) return { found: true, type: 'spread' }
+  }
+
+  // JSON.stringify(req.body)
+  if (arg.type === 'call_expression') {
+    const target = resolveCallTarget(arg)
+    if (target?.object === 'JSON' && target?.name === 'stringify') {
+      const innerArgs = getCallArguments(arg)
+      if (innerArgs.length > 0 && isUserInputExpression(innerArgs[0])) {
+        return { found: true, type: 'stringify' }
+      }
+    }
+  }
+
+  // Template literal: `User input: ${req.body.name}`
+  if (arg.type === 'template_string') {
+    let found = false
+    let type: 'header' | 'body' = 'body'
+    walkAST(arg, (n) => {
+      if (n.type === 'template_substitution') {
+        const expr = n.namedChildren[0]
+        if (expr && isUserInputExpression(expr)) {
+          found = true
+          if (/\.headers/.test(expr.text)) type = 'header'
+        }
+      }
+      return false
+    })
+    if (found) return { found: true, type }
+  }
+
+  // Object literal with user input: { data: req.body }
+  if (arg.type === 'object') {
+    for (const child of arg.namedChildren) {
+      if (child.type === 'pair') {
+        const value = child.childForFieldName('value')
+        if (value && isUserInputExpression(value)) {
+          if (/\.headers/.test(value.text)) return { found: true, type: 'header' }
+          return { found: true, type: 'body' }
+        }
+      }
+      if (child.type === 'spread_element') {
+        const expr = child.namedChildren[0]
+        if (expr && isUserInputExpression(expr)) return { found: true, type: 'spread' }
+      }
+    }
+  }
+
+  // String concatenation with user input
+  if (arg.type === 'binary_expression') {
+    let found = false
+    let type: 'header' | 'body' = 'body'
+    walkAST(arg, (n) => {
+      if (isUserInputExpression(n)) {
+        found = true
+        if (/\.headers/.test(n.text)) type = 'header'
+      }
+      return false
+    })
+    if (found) return { found: true, type }
+  }
+
+  return { found: false, type: 'body' }
+}
+
+/** Check for sanitization in enclosing function */
+function hasSanitization(node: Parser.SyntaxNode): boolean {
+  let current: Parser.SyntaxNode | null = node.parent
+  let fnBody: Parser.SyntaxNode | null = null
+  while (current) {
+    if (current.type === 'function_declaration' || current.type === 'arrow_function' || current.type === 'function_expression') {
+      fnBody = current.childForFieldName('body') ?? current
+      break
+    }
+    current = current.parent
+  }
+  if (!fnBody) return false
+
+  const bodyText = fnBody.text
+  return /sanitize\s*\(|\.replace\s*\(\s*\/[\[\\]rn\]|stripNewlines?\s*\(|escapeLog/i.test(bodyText)
+}
+
+/** Check for middleware logging imports */
+function hasMiddlewareLogging(content: string): boolean {
+  return /(?:app|server|router)\.use\s*\(\s*(?:morgan|pino|express-winston|express\.logger)/.test(content)
+}
+
+// ============================================================================
+// AST Rule: Log Injection
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-log-injection',
+  title: 'Log injection: User input in log statement',
+  description: 'Unsanitized user input flows into log statements, risking log forging or injection',
+  severity: 'low',
+  category: 'log_injection',
+  suggestedFix: 'Sanitize user input before logging (strip newlines and control characters). Use structured logging (JSON format) to prevent log forging.',
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'medium',
+  baseConfidence: 0.35,
+  layer: 2,
+  source: 'structural',
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+    if (isTestOrMockFile(ast.filePath)) return []
+
+    // Skip files that use middleware logging (morgan, pino, etc.)
+    if (hasMiddlewareLogging(content)) return []
+
+    const matches: ASTRuleMatch[] = []
+
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      if (!isLogSink(node)) continue
+
+      const args = getCallArguments(node)
+      if (args.length === 0) continue
+
+      // Skip pure error logging
+      const allErrorArgs = args.every(a => isErrorVarLogging(a, node) || a.type === 'string' || a.type === 'template_string')
+      if (allErrorArgs && args.some(a => isErrorVarLogging(a, node))) continue
+
+      // Check each argument for user input
+      for (const arg of args) {
+        // Skip error variables
+        if (isErrorVarLogging(arg, node)) continue
+
+        const userInput = argContainsUserInput(arg)
+        if (!userInput.found) continue
+
+        // JSON.stringify escapes newlines, carriage returns, and control characters,
+        // which prevents log forging (CRLF injection, ANSI escape injection).
+        if (userInput.type === 'stringify') continue
+
+        // Skip if sanitization is nearby
+        if (hasSanitization(node)) continue
+
+        let severity: string = 'low'
+        let note = 'Request data in log statement.'
+
+        if (userInput.type === 'header') {
+          severity = 'medium'
+          note = 'HTTP headers logged without sanitization. Headers can contain CRLF sequences.'
+        } else if (userInput.type === 'spread') {
+          severity = 'low'
+          note = 'Entire request body logged, may contain unsanitized user input.'
+        }
+
+        matches.push({
+          node,
+          severity: severity as any,
+          note,
+        })
+
+        break // One finding per log call
+      }
+    }
+
+    return matches
+  },
+})