@sun-asterisk/sunlint 1.1.7 → 1.2.0

package/rules/security/S026_json_schema_validation/analyzer.js

@@ -1,251 +0,0 @@
-/**
- * Heuristic analyzer for: S026 – JSON Schema Validation cho dữ liệu đầu vào
- * Purpose: Detect unvalidated JSON inputs while avoiding false positives on styles/config objects
- */
-
-class S026Analyzer {
-  constructor() {
-    this.ruleId = 'S026';
-    this.ruleName = 'JSON Schema Validation Required';
-    this.description = 'Áp dụng JSON Schema Validation cho dữ liệu đầu vào để đảm bảo an toàn';
-    
-    // Patterns that indicate actual HTTP/API input (should be validated)
-    this.httpInputPatterns = [
-      'req.body', 'req.query', 'request.body', 'request.query',
-      'ctx.body', 'ctx.query', 'context.body', 'context.query',
-      'event.body', 'event.queryStringParameters'
-    ];
-    
-    // Patterns that are NOT JSON inputs (should not be flagged)
-    this.nonInputPatterns = [
-      'styles.', 'css.', 'theme.', 'colors.',
-      'config.', 'settings.', 'options.',
-      'data.', 'props.', 'state.',
-      'const.', 'static.', 'default.'
-    ];
-    
-    // Validation patterns that indicate input is being validated
-    this.validationPatterns = [
-      'schema.validate', 'joi.validate', 'ajv.validate',
-      'validate(', 'validateInput(', 'validateBody(',
-      'isValid(', 'checkSchema(', 'parseSchema(',
-      '.validate(', '.valid(', '.check('
-    ];
-    
-    // Express/HTTP framework patterns
-    this.httpFrameworkPatterns = [
-      'app.post(', 'app.put(', 'app.patch(',
-      'router.post(', 'router.put(', 'router.patch(',
-      'express()', '.post(', '.put(', '.patch('
-    ];
-  }
-
-  async analyze(files, language, options = {}) {
-    const violations = [];
-    
-    for (const filePath of files) {
-      if (options.verbose) {
-        console.log(`🔍 Running S026 analysis on ${require('path').basename(filePath)}`);
-      }
-      
-      try {
-        const content = require('fs').readFileSync(filePath, 'utf8');
-        const fileViolations = this.analyzeFile(content, filePath);
-        violations.push(...fileViolations);
-      } catch (error) {
-        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
-      }
-    }
-    
-    return violations;
-  }
-
-  analyzeFile(content, filePath) {
-    const violations = [];
-    const lines = content.split('\n');
-    
-    // Find all potential JSON inputs
-    const potentialInputs = this.findPotentialInputs(lines);
-    
-    // Check if they're validated
-    const validatedInputs = this.findValidatedInputs(content);
-    
-    // Report unvalidated inputs
-    potentialInputs.forEach(input => {
-      if (!this.isInputValidated(input, validatedInputs) && 
-          this.isActualJSONInput(input, content)) {
-        violations.push({
-          file: filePath,
-          line: input.line,
-          column: input.column,
-          message: `JSON input '${input.expression}' should be validated using a JSON schema before use. Consider using schema.validate(), joi.validate(), or similar validation library.`,
-          severity: 'warning',
-          ruleId: this.ruleId,
-          type: 'unvalidated_json_input',
-          inputExpression: input.expression
-        });
-      }
-    });
-    
-    return violations;
-  }
-  
-  findPotentialInputs(lines) {
-    const inputs = [];
-    
-    lines.forEach((line, index) => {
-      const trimmedLine = line.trim();
-      
-      // Skip comments and imports
-      if (trimmedLine.startsWith('//') || trimmedLine.startsWith('/*') || 
-          trimmedLine.startsWith('import') || trimmedLine.startsWith('export')) {
-        return;
-      }
-      
-      // Look for .body or .query patterns
-      const bodyMatches = [...line.matchAll(/(\w+\.\w*body\w*)/g)];
-      const queryMatches = [...line.matchAll(/(\w+\.\w*query\w*)/g)];
-      
-      [...bodyMatches, ...queryMatches].forEach(match => {
-        const expression = match[1];
-        const column = match.index + 1;
-        
-        inputs.push({
-          expression,
-          line: index + 1,
-          column,
-          originalLine: line
-        });
-      });
-    });
-    
-    return inputs;
-  }
-  
-  findValidatedInputs(content) {
-    const validatedInputs = new Set();
-    
-    // Find validation calls
-    this.validationPatterns.forEach(pattern => {
-      const regex = new RegExp(pattern.replace('(', '\\(') + '\\s*\\(([^)]+)\\)', 'g');
-      let match;
-      
-      while ((match = regex.exec(content)) !== null) {
-        const validatedInput = match[1].trim();
-        validatedInputs.add(validatedInput);
-        
-        // Also add simplified version (e.g., req.body from schema.validate(req.body))
-        const simplifiedInput = validatedInput.replace(/^\w+\./, '').replace(/\s+/g, '');
-        if (simplifiedInput.includes('.')) {
-          validatedInputs.add(simplifiedInput);
-        }
-      }
-    });
-    
-    return validatedInputs;
-  }
-  
-  isInputValidated(input, validatedInputs) {
-    const expression = input.expression;
-    
-    // Check exact match
-    if (validatedInputs.has(expression)) {
-      return true;
-    }
-    
-    // Check if any validated input contains this expression
-    for (const validated of validatedInputs) {
-      if (validated.includes(expression) || expression.includes(validated)) {
-        return true;
-      }
-    }
-    
-    // Check if validation happens in the same line or nearby
-    const lineContent = input.originalLine.toLowerCase();
-    if (this.validationPatterns.some(pattern => lineContent.includes(pattern.toLowerCase()))) {
-      return true;
-    }
-    
-    return false;
-  }
-  
-  isActualJSONInput(input, content) {
-    const expression = input.expression.toLowerCase();
-    
-    // Skip known non-input patterns (user feedback - styles, config, etc.)
-    if (this.nonInputPatterns.some(pattern => expression.startsWith(pattern.toLowerCase()))) {
-      return false;
-    }
-    
-    // Skip React/CSS style objects
-    if (this.isStyleOrConfigObject(input, content)) {
-      return false;
-    }
-    
-    // Check if it matches HTTP input patterns
-    if (this.httpInputPatterns.some(pattern => expression.includes(pattern.toLowerCase()))) {
-      return true;
-    }
-    
-    // Check if it's in HTTP handler context
-    if (this.isInHTTPHandlerContext(input, content)) {
-      return true;
-    }
-    
-    // Default to false to avoid false positives
-    return false;
-  }
-  
-  isStyleOrConfigObject(input, content) {
-    const expression = input.expression;
-    const lineContent = input.originalLine.toLowerCase();
-    
-    // Check for React/CSS style usage patterns
-    const styleIndicators = [
-      'style=', 'css=', 'theme=', 'styles=',
-      'background', 'color:', 'font', 'margin:', 'padding:',
-      'import', 'const styles', 'const css', 'const theme'
-    ];
-    
-    if (styleIndicators.some(indicator => lineContent.includes(indicator))) {
-      return true;
-    }
-    
-    // Check context around the input for style/config patterns
-    const lines = content.split('\n');
-    const inputLineIndex = input.line - 1;
-    const contextStart = Math.max(0, inputLineIndex - 3);
-    const contextEnd = Math.min(lines.length, inputLineIndex + 3);
-    const contextLines = lines.slice(contextStart, contextEnd).join('\n').toLowerCase();
-    
-    const contextIndicators = [
-      'const styles', 'const css', 'const config', 'const theme',
-      'styleshet.create', 'react', 'jsx', '<div', '</div>', 'component',
-      'export default', 'props', 'state'
-    ];
-    
-    return contextIndicators.some(indicator => contextLines.includes(indicator));
-  }
-  
-  isInHTTPHandlerContext(input, content) {
-    const lines = content.split('\n');
-    const inputLineIndex = input.line - 1;
-    
-    // Check surrounding context for HTTP framework patterns
-    const contextStart = Math.max(0, inputLineIndex - 10);
-    const contextEnd = Math.min(lines.length, inputLineIndex + 5);
-    const contextLines = lines.slice(contextStart, contextEnd).join('\n').toLowerCase();
-    
-    // Look for HTTP handler patterns in context
-    const httpIndicators = [
-      'app.post', 'app.put', 'app.patch', 'app.delete',
-      'router.post', 'router.put', 'router.patch',
-      '(req, res)', 'request, response', 'ctx.body', 'ctx.query',
-      'express', 'fastify', 'koa', 'hapi'
-    ];
-    
-    return httpIndicators.some(indicator => contextLines.includes(indicator));
-  }
-}
-
-module.exports = S026Analyzer;

package/rules/security/S026_json_schema_validation/config.json

@@ -1,27 +0,0 @@
-{
-    "id": "S026",
-    "name": "JSON Schema Validation for Input Data",
-    "description": "Ensure all user input data (from HTTP requests, APIs) is validated using JSON schemas before processing to prevent injection attacks.",
-    "category": "security",
-    "severity": "warning",
-    "enabled": true,
-    "engines": ["heuristic"],
-    "enginePreference": ["heuristic"],
-    "tags": ["security", "validation", "input", "json-schema", "http"],
-    "examples": {
-        "valid": [
-            "const schema = joi.object({ name: joi.string() }); const { error } = schema.validate(req.body);",
-            "const ajv = new Ajv(); const valid = ajv.validate(schema, req.body);",
-            "const styles = { body: { color: 'red' } }; // Style object - OK"
-        ],
-        "invalid": [
-            "const data = req.body; processUser(data); // No validation",
-            "const query = req.query; database.find(query); // Direct usage without validation"
-        ]
-    },
-    "fixable": false,
-    "docs": {
-        "description": "This rule ensures that all user input data from HTTP requests is validated using JSON schemas before processing. Direct usage of req.body, req.query, req.params without validation can lead to injection attacks and data corruption.",
-        "url": "https://owasp.org/Top10/A03_2021-Injection/"
-    }
-}

package/rules/security/S027_no_hardcoded_secrets/analyzer.js

@@ -1,263 +0,0 @@
-/**
- * Heuristic analyzer for: S027 – No Hardcoded Secrets
- * Purpose: Prevent hardcoded passwords, API keys, secrets while avoiding false positives
- * Based on user feedback: avoid flagging state variables, route names, input types
- */
-
-class S027Analyzer {
-  constructor() {
-    this.ruleId = 'S027';
-    this.ruleName = 'No Hardcoded Secrets';
-    this.description = 'Không để lộ thông tin bảo mật trong mã nguồn và Git';
-    
-    // Keywords that indicate sensitive information
-    this.sensitiveKeywords = [
-      'password', 'pass', 'pwd', 'secret', 'key', 'token', 
-      'apikey', 'auth', 'credential', 'seed', 'salt'
-    ];
-    
-    // Patterns that should NOT be flagged (based on user feedback)
-    this.allowedPatterns = [
-      // State variables and flags
-      /^(is|has|enable|show|display|visible|field|strength|valid)/i,
-      /^_(is|has|enable|show|display)/i,
-      
-      // Route/path patterns
-      /\/(setup|forgot|reset|change|update)-?password/i,
-      /password\//i,
-      
-      // Input type configurations
-      /type\s*[=:]\s*['"`]password['"`]/i,
-      /inputtype\s*[=:]\s*['"`]password['"`]/i,
-      
-      // Function names and method calls
-      /^(validate|check|verify|calculate|generate|get|fetch|create)/i,
-      
-      // Component/config properties
-      /^(token|auth|key)type$/i,
-      /enabled?$/i,
-    ];
-    
-    // Patterns that indicate environment variables or dynamic values
-    this.dynamicPatterns = [
-      /process\.env\./i,
-      /getenv\s*\(/i,
-      /config\.get\s*\(/i,
-      /\(\)/i,  // Function calls
-      /await\s+/i,
-      /\.then\s*\(/i,
-    ];
-    
-    // Common hardcoded secret patterns  
-    this.secretPatterns = [
-      // Long alphanumeric strings that look like tokens/keys
-      /^[a-zA-Z0-9+/=]{20,}$/,
-      // API key prefixes
-      /^(sk|pk|api|key|token)[-_][a-zA-Z0-9]{10,}$/i,
-      // Bearer tokens
-      /^bearer\s+[a-zA-Z0-9+/=]{10,}$/i,
-      // Database connection strings with passwords
-      /^(mongodb|postgres|mysql):\/\/.*:[^@]+@/i,
-      // JWT-like patterns
-      /^eyJ[a-zA-Z0-9+/=]+\.[a-zA-Z0-9+/=]+\.[a-zA-Z0-9+/=]*$/,
-      // Common weak passwords (more flexible)
-      /^(admin|password|123|root|test|user|pass|secret|key|token)\d*$/i,
-      // Passwords with common patterns
-      /^(admin|root|user|pass|secret)\d*$/i,
-      // Mixed alphanumeric secrets (6+ chars with both letters and numbers)
-      /^[a-zA-Z0-9]*[a-zA-Z][a-zA-Z0-9]*[0-9][a-zA-Z0-9]*$|^[a-zA-Z0-9]*[0-9][a-zA-Z0-9]*[a-zA-Z][a-zA-Z0-9]*$/,
-      // Secret-like strings with hyphens/underscores
-      /^[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+$/,
-      /^[a-zA-Z0-9]+_[a-zA-Z0-9]+_[a-zA-Z0-9]+$/,
-      // Bearer token pattern (more flexible)
-      /bearer\s+[a-zA-Z0-9]{6,}/i,
-    ];
-  }
-
-  async analyze(files, language, options = {}) {
-    const violations = [];
-    
-    for (const filePath of files) {
-      try {
-        const content = require('fs').readFileSync(filePath, 'utf8');
-        const fileViolations = this.analyzeFile(content, filePath);
-        violations.push(...fileViolations);
-      } catch (error) {
-        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
-      }
-    }
-    
-    return violations;
-  }
-
-  analyzeFile(content, filePath) {
-    const violations = [];
-    const lines = content.split('\n');
-    
-    // Find variable declarations and assignments with sensitive names
-    const assignments = this.findSensitiveAssignments(lines);
-    
-    assignments.forEach(assignment => {
-      if (this.isHardcodedSecret(assignment)) {
-        violations.push({
-          file: filePath,
-          line: assignment.line,
-          column: assignment.column,
-          message: `Avoid hardcoding sensitive information such as '${assignment.variableName}'. Use secure storage instead.`,
-          severity: 'warning',
-          ruleId: this.ruleId,
-          type: 'hardcoded_secret',
-          variableName: assignment.variableName,
-          value: assignment.value
-        });
-      }
-    });
-    
-    return violations;
-  }
-  
-  findSensitiveAssignments(lines) {
-    const assignments = [];
-    const processedLines = new Set(); // Avoid duplicates
-    
-    lines.forEach((line, index) => {
-      const trimmedLine = line.trim();
-      const lineKey = `${index}:${trimmedLine}`;
-      
-      // Skip comments, imports, and already processed lines
-      if (this.isCommentOrImport(trimmedLine) || processedLines.has(lineKey)) {
-        return;
-      }
-      
-      // Look for variable declarations: const/let/var name = "value"
-      const declMatch = trimmedLine.match(/(?:const|let|var)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=\s*(['"`][^'"`]*['"`]|[^;,\n]+)/);
-      if (declMatch) {
-        const [, variableName, valueExpr] = declMatch;
-        if (this.hasSensitiveKeyword(variableName)) {
-          assignments.push({
-            line: index + 1,
-            column: line.indexOf(variableName) + 1,
-            variableName,
-            valueExpr: valueExpr.trim(),
-            value: this.extractStringValue(valueExpr),
-            type: 'declaration',
-            originalLine: line
-          });
-          processedLines.add(lineKey);
-        }
-      }
-      
-      // Look for assignments: name = "value" (but not in declarations)
-      else {
-        const assignMatch = trimmedLine.match(/([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=\s*(['"`][^'"`]*['"`]|[^;,\n]+)/);
-        if (assignMatch && !trimmedLine.match(/(?:const|let|var)\s/)) {
-          const [, variableName, valueExpr] = assignMatch;
-          if (this.hasSensitiveKeyword(variableName)) {
-            assignments.push({
-              line: index + 1,
-              column: line.indexOf(variableName) + 1,
-              variableName,
-              valueExpr: valueExpr.trim(), 
-              value: this.extractStringValue(valueExpr),
-              type: 'assignment',
-              originalLine: line
-            });
-            processedLines.add(lineKey);
-          }
-        }
-      }
-    });
-    
-    return assignments;
-  }
-  
-  hasSensitiveKeyword(variableName) {
-    const lowerName = variableName.toLowerCase();
-    return this.sensitiveKeywords.some(keyword => lowerName.includes(keyword));
-  }
-  
-  isCommentOrImport(line) {
-    return line.startsWith('//') || line.startsWith('/*') || 
-           line.startsWith('import') || line.startsWith('export') ||
-           line.startsWith('*') || line.startsWith('<');
-  }
-  
-  extractStringValue(valueExpr) {
-    // Extract string literal value
-    const stringMatch = valueExpr.match(/^(['"`])([^'"`]*)\1$/);
-    if (stringMatch) {
-      return stringMatch[2];
-    }
-    return null;
-  }
-  
-  isHardcodedSecret(assignment) {
-    const { variableName, value, valueExpr, originalLine } = assignment;
-    
-    // 1. Skip if it looks like an allowed pattern (state variables, routes, etc.)
-    if (this.isAllowedPattern(variableName, originalLine)) {
-      return false;
-    }
-    
-    // 2. Skip if value comes from environment or dynamic source
-    if (this.isDynamicValue(valueExpr)) {
-      return false;
-    }
-    
-    // 3. Skip if no string value (e.g., boolean, function call)
-    if (!value) {
-      return false;
-    }
-    
-    // 4. Check if the value looks like a hardcoded secret
-    return this.looksLikeSecret(value);
-  }
-  
-  isAllowedPattern(variableName, originalLine) {
-    const lowerName = variableName.toLowerCase();
-    const lowerLine = originalLine.toLowerCase();
-    
-    // Check against allowed patterns
-    if (this.allowedPatterns.some(pattern => pattern.test(lowerName) || pattern.test(lowerLine))) {
-      return true;
-    }
-    
-    // Remove comments before checking for paths to avoid false matches on "//"
-    const codeOnlyLine = lowerLine.replace(/\/\/.*$/, '').replace(/\/\*.*?\*\//g, '');
-    
-    // Special case: route objects and paths (but not comments with //)
-    if (codeOnlyLine.includes('route') || codeOnlyLine.includes('path') || 
-        (codeOnlyLine.includes('/') && !lowerLine.includes('//'))) {
-      return true;
-    }
-    
-    // Special case: React/component props  
-    if (codeOnlyLine.includes('<') || codeOnlyLine.includes('inputtype') || codeOnlyLine.includes('type=')) {
-      return true;
-    }
-    
-    return false;
-  }
-  
-  isDynamicValue(valueExpr) {
-    return this.dynamicPatterns.some(pattern => pattern.test(valueExpr));
-  }
-  
-  looksLikeSecret(value) {
-    // Skip very short values (likely not secrets)
-    if (value.length < 6) {
-      return false;
-    }
-    
-    // Skip common non-secret values
-    const commonValues = ['password', 'bearer', 'basic', 'token', 'key', 'secret', 'admin', 'user'];
-    if (commonValues.includes(value.toLowerCase())) {
-      return false;
-    }
-    
-    // Check against secret patterns
-    return this.secretPatterns.some(pattern => pattern.test(value));
-  }
-}
-
-module.exports = S027Analyzer;

package/rules/security/S027_no_hardcoded_secrets/config.json

@@ -1,29 +0,0 @@
-{
-    "id": "S027",
-    "name": "No Hardcoded Secrets",
-    "description": "Prevent hardcoded passwords, API keys, secrets while avoiding false positives on state variables and configuration.",
-    "category": "security",
-    "severity": "warning",
-    "enabled": true,
-    "engines": ["heuristic"],
-    "enginePreference": ["heuristic"],
-    "tags": ["security", "secrets", "credentials", "api-keys"],
-    "examples": {
-        "valid": [
-            "const password = process.env.PASSWORD;",
-            "const _isEnablePassCode = useState(false);",
-            "const passwordFieldVisible = true;",
-            "const routes = { setupPassword: '/setup-password' };"
-        ],
-        "invalid": [
-            "const password = 'admin123';",
-            "const apiKey = 'sk-1234567890abcdef';",
-            "const secret = 'my-secret-token';"
-        ]
-    },
-    "fixable": false,
-    "docs": {
-        "description": "This rule prevents hardcoded sensitive information like passwords, API keys, and secrets in source code. It avoids false positives on state variables, route names, and input type configurations.",
-        "url": "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
-    }
-}