@sun-asterisk/sunlint 1.0.7 → 1.1.4

package/integrations/eslint/plugin/rules/common/c076-single-behavior-per-test.js

@@ -0,0 +1,254 @@
+/**
+ * Custom ESLint rule for: C076 – Each test should assert only one behavior
+ * Rule ID: custom/c076  
+ * Purpose: Ensure test functions focus on testing a single behavior/aspect
+ * Note: Similar to C072 but with broader scope and different focus
+ */
+
+module.exports = {
+  meta: {
+    type: "suggestion",
+    docs: {
+      description: "Each test should assert only one behavior to maintain focus and clarity",
+      recommended: true,
+      category: "Testing"
+    },
+    schema: [
+      {
+        type: "object",
+        properties: {
+          maxAssertions: {
+            type: "integer",
+            minimum: 1,
+            default: 1
+          },
+          allowSetupAssertions: {
+            type: "boolean",
+            default: true
+          },
+          assertionPatterns: {
+            type: "array",
+            items: {
+              type: "string"
+            },
+            default: ["expect", "assert", "should"]
+          }
+        },
+        additionalProperties: false
+      }
+    ],
+    messages: {
+      tooManyAssertions: "Test '{{testName}}' has {{count}} assertions. Each test should focus on one behavior (max {{max}} assertions)",
+      multipleBehaviors: "Test '{{testName}}' appears to test multiple behaviors. Consider splitting into separate test cases"
+    }
+  },
+  create(context) {
+    const options = context.options[0] || {};
+    const maxAssertions = options.maxAssertions || 1;
+    const allowSetupAssertions = options.allowSetupAssertions !== false;
+    const assertionPatterns = options.assertionPatterns || ["expect", "assert", "should"];
+
+    function isTestFunction(node) {
+      if (!node || !node.callee) return false;
+
+      if (node.type === "CallExpression") {
+        // Direct test/it/describe calls
+        if (node.callee.type === "Identifier") {
+          return ["test", "it", "describe", "context"].includes(node.callee.name);
+        }
+        
+        // Method calls like jest.test, mocha.it, etc.
+        if (node.callee.type === "MemberExpression" &&
+            node.callee.property &&
+            ["test", "it", "describe", "context"].includes(node.callee.property.name)) {
+          return true;
+        }
+      }
+      return false;
+    }
+
+    function isSetupFunction(node) {
+      if (!node || !node.callee) return false;
+
+      const setupFunctions = ["beforeEach", "afterEach", "beforeAll", "afterAll", "before", "after"];
+      
+      if (node.type === "CallExpression") {
+        if (node.callee.type === "Identifier") {
+          return setupFunctions.includes(node.callee.name);
+        }
+        
+        if (node.callee.type === "MemberExpression" &&
+            node.callee.property &&
+            setupFunctions.includes(node.callee.property.name)) {
+          return true;
+        }
+      }
+      return false;
+    }
+
+    function isAssertionCall(node) {
+      if (!node || node.type !== "CallExpression" || !node.callee) {
+        return false;
+      }
+
+      // Direct assertion calls
+      if (node.callee.type === "Identifier") {
+        return assertionPatterns.includes(node.callee.name);
+      }
+
+      // Method calls like chai.expect, jest.expect, etc.
+      if (node.callee.type === "MemberExpression" && node.callee.property) {
+        return assertionPatterns.includes(node.callee.property.name);
+      }
+
+      return false;
+    }
+
+    function countAssertions(testBody, testName) {
+      let assertionCount = 0;
+      let setupAssertionCount = 0;
+      let hasMultipleBehaviorIndicators = false;
+
+      function traverse(node) {
+        if (!node || typeof node !== 'object') return;
+
+        // Count assertions
+        if (isAssertionCall(node)) {
+          // Check if this assertion is in setup/teardown
+          let parent = node;
+          let inSetup = false;
+          while (parent && parent.parent) {
+            parent = parent.parent;
+            if (parent.type === "CallExpression" && isSetupFunction(parent)) {
+              inSetup = true;
+              break;
+            }
+          }
+
+          if (inSetup) {
+            setupAssertionCount++;
+          } else {
+            assertionCount++;
+          }
+        }
+
+        // Look for multiple behavior indicators
+        if (node.type === "CallExpression") {
+          // Multiple nested test functions indicate multiple behaviors
+          if (isTestFunction(node) && node !== testBody.parent) {
+            hasMultipleBehaviorIndicators = true;
+          }
+        }
+
+        // Look for comment patterns that suggest multiple behaviors
+        if (node.type === "ExpressionStatement" && node.leadingComments) {
+          const comments = node.leadingComments.map(c => c.value.toLowerCase());
+          const behaviorKeywords = ["and", "also", "then", "next", "additionally", "furthermore"];
+          if (comments.some(comment => 
+                behaviorKeywords.some(keyword => comment.includes(keyword)))) {
+            hasMultipleBehaviorIndicators = true;
+          }
+        }
+
+        // Recursively check child nodes, but don't go into nested test functions
+        for (const key in node) {
+          if (key === 'parent' || key === 'range' || key === 'loc') continue;
+          
+          const child = node[key];
+          if (Array.isArray(child)) {
+            child.forEach(item => {
+              if (item && typeof item === 'object' && item.type) {
+                if (!(item.type === "CallExpression" && isTestFunction(item))) {
+                  traverse(item);
+                }
+              }
+            });
+          } else if (child && typeof child === 'object' && child.type) {
+            if (!(child.type === "CallExpression" && isTestFunction(child))) {
+              traverse(child);
+            }
+          }
+        }
+      }
+
+      traverse(testBody);
+
+      return {
+        assertions: assertionCount,
+        setupAssertions: setupAssertionCount,
+        hasMultipleBehaviors: hasMultipleBehaviorIndicators
+      };
+    }
+
+    return {
+      CallExpression(node) {
+        // Only check test function calls, not describe blocks
+        if (!isTestFunction(node) || (node.callee.type === "Identifier" && node.callee.name === "describe")) {
+          return;
+        }
+
+        // Skip describe blocks  
+        if (node.callee.type === "Identifier" && ["describe", "context"].includes(node.callee.name)) {
+          return;
+        }
+
+        // Must have test name and callback
+        if (!node.arguments || node.arguments.length < 2) return;
+
+        const testName = node.arguments[0];
+        const testCallback = node.arguments[1];
+        
+        if (!testCallback || 
+            (testCallback.type !== "FunctionExpression" && 
+             testCallback.type !== "ArrowFunctionExpression")) {
+          return;
+        }
+
+        const testNameStr = testName.type === "Literal" ? testName.value : 
+                           testName.type === "TemplateLiteral" ? "template" : "unnamed";
+
+        // Get function body
+        const fnBody = testCallback.body;
+        if (!fnBody) return;
+
+        // Handle both block statements and expression bodies
+        let bodyToCheck = fnBody;
+        if (testCallback.type === "ArrowFunctionExpression" && fnBody.type !== "BlockStatement") {
+          bodyToCheck = { type: "BlockStatement", body: [{ type: "ExpressionStatement", expression: fnBody }] };
+        }
+
+        // Count assertions and analyze behavior
+        const analysis = countAssertions(bodyToCheck, testNameStr);
+        
+        // Calculate effective assertions (exclude setup if allowed)
+        const effectiveAssertions = allowSetupAssertions ? 
+          analysis.assertions : 
+          analysis.assertions + analysis.setupAssertions;
+
+        // Report if too many assertions
+        if (effectiveAssertions > maxAssertions) {
+          context.report({
+            node,
+            messageId: "tooManyAssertions",
+            data: {
+              testName: testNameStr,
+              count: effectiveAssertions,
+              max: maxAssertions
+            }
+          });
+        }
+
+        // Report if multiple behaviors detected
+        if (analysis.hasMultipleBehaviors) {
+          context.report({
+            node,
+            messageId: "multipleBehaviors", 
+            data: {
+              testName: testNameStr
+            }
+          });
+        }
+      }
+    };
+  }
+};

package/integrations/eslint/plugin/rules/security/s001-fail-securely.js

@@ -0,0 +1,381 @@
+"use strict";
+
+/**
+ * S001 – Verify that if there is an error in access control, the system fails securely
+ * OWASP ASVS 4.14
+ * Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege.
+ */
+
+module.exports = {
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Verify that if there is an error in access control, the system fails securely (Fail Securely)',
+            category: 'Security',
+            recommended: true,
+            url: 'https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control'
+        },
+        fixable: 'code',
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    checkMethods: {
+                        type: 'array',
+                        items: {
+                            type: 'string'
+                        },
+                        default: ['authenticate', 'authorize', 'checkPermission', 'validateAccess']
+                    },
+                    allowedFailureMethods: {
+                        type: 'array',
+                        items: {
+                            type: 'string'
+                        },
+                        default: ['deny', 'reject', 'forbid', 'unauthorized', 'forbidden']
+                    }
+                },
+                additionalProperties: false
+            }
+        ],
+        messages: {
+            failInsecurely: 'Access control does not fail securely. On error, the system should deny access instead of allowing.',
+            missingErrorHandling: 'Missing error handling in access control. There must be a try-catch block or error handling.',
+            defaultAllowAccess: 'Should not allow access by default. The system should deny access when unsure.',
+            catchAllowsAccess: 'Catch block should not allow access. Deny access on error.',
+            missingFallback: 'Missing fallback case. There should be a default case to deny access.',
+            unsafeDefaultReturn: 'Default return statement is not secure. Should return false or deny access.'
+        }
+    },
+
+    create(context) {
+        const options = context.options[0] || {};
+        const checkMethods = options.checkMethods || ['authenticate', 'authorize', 'checkPermission', 'validateAccess'];
+        const allowedFailureMethods = options.allowedFailureMethods || ['deny', 'reject', 'forbid', 'unauthorized', 'forbidden'];
+
+        // Keywords related to access control
+        const accessControlKeywords = [
+            'authenticate', 'authorize', 'permission', 'access', 'role', 'auth',
+            'login', 'verify', 'check', 'validate', 'guard', 'middleware',
+            'canAccess', 'isAuthorized', 'hasPermission', 'checkAccess'
+        ];
+
+        // Keywords for allowing access
+        const allowKeywords = [
+            'allow', 'permit', 'grant', 'enable', 'accept', 'approve', 
+            'authorized', 'authenticated', 'allowed', 'granted', 'success'
+        ];
+
+        // Keywords for denying access
+        const denyKeywords = [
+            'deny', 'reject', 'forbid', 'block', 'refuse', 'unauthorized', 
+            'forbidden', 'denied', 'blocked', 'refused', 'error', 'failed'
+        ];
+
+        function isAccessControlFunction(node) {
+            const functionName = getFunctionName(node);
+            if (!functionName) return false;
+
+            return accessControlKeywords.some(keyword => 
+                functionName.toLowerCase().includes(keyword.toLowerCase())
+            );
+        }
+
+        function getFunctionName(node) {
+            if (!node || !node.type) {
+                return null;
+            }
+            
+            if (node.type === 'FunctionDeclaration' && node.id) {
+                return node.id.name;
+            }
+            if (node.type === 'FunctionExpression' || node.type === 'ArrowFunctionExpression') {
+                const parent = node.parent;
+                if (!parent || !parent.type) {
+                    return null;
+                }
+                if (parent.type === 'VariableDeclarator' && parent.id) {
+                    return parent.id.name;
+                }
+                if (parent.type === 'Property' && parent.key) {
+                    return parent.key.name;
+                }
+                if (parent.type === 'MethodDefinition' && parent.key) {
+                    return parent.key.name;
+                }
+            }
+            return null;
+        }
+
+        function containsKeywords(text, keywords) {
+            return keywords.some(keyword => 
+                text.toLowerCase().includes(keyword.toLowerCase())
+            );
+        }
+
+        function getReturnValue(node) {
+            if (!node || !node.type) {
+                return null;
+            }
+            
+            switch (node.type) {
+                case 'Literal':
+                    return String(node.value);
+                case 'Identifier':
+                    return node.name;
+                case 'MemberExpression':
+                    return getFullMemberExpression(node);
+                case 'ObjectExpression':
+                    return getObjectExpressionValue(node);
+                case 'ConditionalExpression':
+                    return 'conditional';
+                default:
+                    return null;
+            }
+        }
+
+        function getFullMemberExpression(node) {
+            const object = node.object.type === 'Identifier' ? node.object.name : 'unknown';
+            const property = node.property.type === 'Identifier' ? node.property.name : 'unknown';
+            return `${object}.${property}`;
+        }
+
+        function getObjectExpressionValue(node) {
+            const properties = node.properties.map(prop => {
+                if (prop.type === 'Property' && prop.key.type === 'Identifier') {
+                    return prop.key.name;
+                }
+                return '';
+            }).filter(Boolean);
+            return properties.join('.');
+        }
+
+        function isInAccessControlFunction(node) {
+            let parent = node.parent;
+            while (parent) {
+                if (isAccessControlFunction(parent)) {
+                    return true;
+                }
+                parent = parent.parent;
+            }
+            return false;
+        }
+
+        function isUnsafeReturn(returnValue) {
+            if (!returnValue) return false;
+            
+            return returnValue === 'true' || 
+                         returnValue === 'success' ||
+                         containsKeywords(returnValue, allowKeywords);
+        }
+
+        function isSafeReturn(returnValue) {
+            if (!returnValue) return false;
+            
+            return returnValue === 'false' || 
+                         returnValue === 'error' ||
+                         containsKeywords(returnValue, denyKeywords);
+        }
+
+        function checkTryStatement(node) {
+            if (!isAccessControlFunction(getParentFunction(node))) return;
+
+            const catchClause = node.handler;
+            if (!catchClause) {
+                context.report({
+                    node,
+                    messageId: 'missingErrorHandling'
+                });
+                return;
+            }
+
+            // Check catch block
+            const catchBody = catchClause.body;
+            if (catchBody.type === 'BlockStatement') {
+                const hasUnsafeReturn = catchBody.body.some(stmt => {
+                    if (stmt.type === 'ReturnStatement' && stmt.argument) {
+                        const returnValue = getReturnValue(stmt.argument);
+                        return isUnsafeReturn(returnValue);
+                    }
+                    return false;
+                });
+
+                if (hasUnsafeReturn) {
+                    context.report({
+                        node: catchClause,
+                        messageId: 'catchAllowsAccess'
+                    });
+                }
+
+                // Check for safe handling (throw or safe return)
+                const hasSafeHandling = catchBody.body.some(stmt => {
+                    if (stmt.type === 'ThrowStatement') return true;
+                    if (stmt.type === 'ReturnStatement' && stmt.argument) {
+                        const returnValue = getReturnValue(stmt.argument);
+                        return isSafeReturn(returnValue);
+                    }
+                    return false;
+                });
+
+                if (!hasSafeHandling) {
+                    context.report({
+                        node: catchClause,
+                        messageId: 'catchAllowsAccess'
+                    });
+                }
+            }
+        }
+
+        function getParentFunction(node) {
+            let parent = node.parent;
+            while (parent) {
+                if (parent.type === 'FunctionDeclaration' || 
+                        parent.type === 'FunctionExpression' || 
+                        parent.type === 'ArrowFunctionExpression') {
+                    return parent;
+                }
+                parent = parent.parent;
+            }
+            return null;
+        }
+
+        function checkReturnStatement(node) {
+            if (!node.argument || !isInAccessControlFunction(node)) return;
+
+            const returnValue = getReturnValue(node.argument);
+            if (isUnsafeReturn(returnValue)) {
+                // Check if inside try block
+                const tryBlock = findParentTryBlock(node);
+                if (!tryBlock) {
+                    // Check for guard condition
+                    if (!hasProperGuardCondition(node)) {
+                        context.report({
+                            node,
+                            messageId: 'unsafeDefaultReturn'
+                        });
+                    }
+                }
+            }
+        }
+
+        function findParentTryBlock(node) {
+            let parent = node.parent;
+            while (parent) {
+                if (parent.type === 'TryStatement') {
+                    return parent;
+                }
+                parent = parent.parent;
+            }
+            return null;
+        }
+
+        function hasProperGuardCondition(node) {
+            // Look for if/else conditions before the return statement
+            let parent = node.parent;
+            while (parent && parent.type === 'BlockStatement') {
+                const block = parent;
+                const returnIndex = block.body.indexOf(node);
+                
+                if (returnIndex > 0) {
+                    // Check statements before return
+                    for (let i = returnIndex - 1; i >= 0; i--) {
+                        const stmt = block.body[i];
+                        if (stmt.type === 'IfStatement') {
+                            const stmtText = context.getSourceCode().getText(stmt);
+                            if (containsKeywords(stmtText, ['check', 'verify', 'validate', 'auth', 'permission'])) {
+                                return true;
+                            }
+                        }
+                    }
+                }
+                
+                // Check parent if statement
+                if (parent.parent && parent.parent.type === 'IfStatement') {
+                    const ifStmt = parent.parent;
+                    const ifText = context.getSourceCode().getText(ifStmt.test);
+                    if (containsKeywords(ifText, ['check', 'verify', 'validate', 'auth', 'permission'])) {
+                        return true;
+                    }
+                }
+                
+                parent = parent.parent;
+            }
+            return false;
+        }
+
+        function checkFunction(node) {
+            if (!isAccessControlFunction(node)) return;
+
+            // Check if function has try-catch
+            const functionBody = node.body;
+            if (functionBody && functionBody.type === 'BlockStatement') {
+                const hasTryCatch = functionBody.body.some(stmt => stmt.type === 'TryStatement');
+                
+                if (!hasTryCatch) {
+                    // Check for throw or error handling
+                    const hasErrorHandling = functionBody.body.some(stmt => {
+                        if (stmt.type === 'ThrowStatement') return true;
+                        if (stmt.type === 'IfStatement') {
+                            const stmtText = context.getSourceCode().getText(stmt);
+                            return containsKeywords(stmtText, ['error', 'throw', 'reject']);
+                        }
+                        return false;
+                    });
+
+                    if (!hasErrorHandling) {
+                        context.report({
+                            node,
+                            messageId: 'missingErrorHandling'
+                        });
+                    }
+                }
+
+                // Check last return statement
+                const lastStatement = functionBody.body[functionBody.body.length - 1];
+                if (lastStatement && lastStatement.type === 'ReturnStatement' && lastStatement.argument) {
+                    const returnValue = getReturnValue(lastStatement.argument);
+                    if (isUnsafeReturn(returnValue)) {
+                        context.report({
+                            node: lastStatement,
+                            messageId: 'defaultAllowAccess'
+                        });
+                    }
+                }
+            }
+        }
+
+        function checkIfStatement(node) {
+            if (!isInAccessControlFunction(node)) return;
+
+            // Check if there is no else clause
+            if (!node.alternate) {
+                const consequent = node.consequent;
+                if (consequent.type === 'BlockStatement') {
+                    const hasUnsafeReturn = consequent.body.some(stmt => {
+                        if (stmt.type === 'ReturnStatement' && stmt.argument) {
+                            const returnValue = getReturnValue(stmt.argument);
+                            return isUnsafeReturn(returnValue);
+                        }
+                        return false;
+                    });
+
+                    if (hasUnsafeReturn) {
+                        context.report({
+                            node,
+                            messageId: 'missingFallback'
+                        });
+                    }
+                }
+            }
+        }
+
+        return {
+            'FunctionDeclaration': checkFunction,
+            'FunctionExpression': checkFunction,
+            'ArrowFunctionExpression': checkFunction,
+            'TryStatement': checkTryStatement,
+            'ReturnStatement': checkReturnStatement,
+            'IfStatement': checkIfStatement
+        };
+    }
+};