@sun-asterisk/sunlint 1.1.7 → 1.2.0

package/rules/security/S029_csrf_protection/analyzer.js

@@ -1,264 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-
-class S029Analyzer {
-  constructor() {
-    this.ruleId = 'S029';
-    this.ruleName = 'CSRF Protection Required';
-    this.description = 'Cần áp dụng cơ chế chống CSRF cho các chức năng xác thực';
-  }
-
-  async analyze(files, language, options = {}) {
-    const violations = [];
-    
-    for (const filePath of files) {
-      if (options.verbose) {
-        console.log(`🔍 Running S029 analysis on ${path.basename(filePath)}`);
-      }
-      
-      try {
-        const content = fs.readFileSync(filePath, 'utf8');
-        const fileViolations = await this.analyzeFile(filePath, content, language, options);
-        violations.push(...fileViolations);
-      } catch (error) {
-        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
-      }
-    }
-    
-    return violations;
-  }
-
-  async analyzeFile(filePath, content, language, config) {
-    switch (language) {
-      case 'typescript':
-      case 'javascript':
-        return this.analyzeTypeScript(filePath, content, config);
-      default:
-        return [];
-    }
-  }
-
-  async analyzeTypeScript(filePath, content, config) {
-    const violations = [];
-    const lines = content.split('\n');
-    
-    // Check if file contains CSRF protection patterns
-    const hasCSRFProtection = this.hasCSRFProtection(content);
-    
-    lines.forEach((line, index) => {
-      const lineNumber = index + 1;
-      const trimmedLine = line.trim();
-
-      // Skip comments and imports
-      if (this.isCommentOrImport(trimmedLine)) {
-        return;
-      }
-
-      // Look for Express route handlers that need CSRF protection
-      const routeHandlers = this.findRouteHandlers(trimmedLine, line);
-      
-      routeHandlers.forEach(handler => {
-        // Skip if this is a mock or test context
-        if (this.isMockOrTestContext(content, handler.instance)) {
-          return;
-        }
-        
-        if (!hasCSRFProtection) {
-          violations.push({
-            ruleId: this.ruleId,
-            file: filePath,
-            line: lineNumber,
-            column: handler.column,
-            message: `CSRF protection is missing for route handler '${handler.route}'. Apply csurf() or equivalent middleware`,
-            severity: 'error',
-            code: trimmedLine,
-            type: 'missing_csrf_protection',
-            confidence: handler.confidence,
-            suggestion: 'Add CSRF middleware: app.use(csurf()) or use CSRF token validation'
-          });
-        }
-      });
-    });
-
-    return violations;
-  }
-
-  isCommentOrImport(line) {
-    const trimmed = line.trim();
-    return trimmed.startsWith('//') || 
-           trimmed.startsWith('/*') || 
-           trimmed.startsWith('*') ||
-           trimmed.startsWith('import ') ||
-           trimmed.startsWith('export ');
-  }
-
-  findRouteHandlers(line, originalLine) {
-    const handlers = [];
-    const foundMatches = new Set(); // Prevent duplicates
-    
-    // Only detect Express.js route patterns, not HTTP client methods
-    const routePatterns = [
-      // Express method with middleware: app.post('/path', middleware, handler)
-      {
-        regex: /\b(app|router|server)\s*\.\s*(post|put|delete|patch)\s*\(\s*(['"`][^'"`]*['"`])\s*,/gi,
-        type: 'express_route_with_middleware',
-        priority: 1 // Higher priority to check first
-      },
-      // app.post(), router.put(), etc.
-      {
-        regex: /\b(app|router|server)\s*\.\s*(post|put|delete|patch)\s*\(\s*(['"`][^'"`]*['"`])/gi,
-        type: 'express_route',
-        priority: 2
-      }
-    ];
-
-    // Sort by priority to avoid duplicates
-    routePatterns.sort((a, b) => a.priority - b.priority);
-
-    routePatterns.forEach(pattern => {
-      let match;
-      while ((match = pattern.regex.exec(line)) !== null) {
-        const instance = match[1]; // app, router, server
-        const method = match[2];   // post, put, delete, patch
-        const route = match[3];    // '/path'
-        const matchKey = `${instance}.${method}(${route})`; // Unique key
-        
-        // Skip duplicates
-        if (foundMatches.has(matchKey)) {
-          continue;
-        }
-        
-        // Skip if it's clearly not Express.js context
-        if (this.isNotExpressContext(line, instance)) {
-          continue;
-        }
-
-        foundMatches.add(matchKey);
-        handlers.push({
-          type: pattern.type,
-          instance: instance,
-          method: method,
-          route: route.replace(/['"]/g, ''),
-          column: match.index + 1,
-          confidence: this.calculateConfidence(line, pattern.type)
-        });
-      }
-    });
-
-    return handlers;
-  }
-
-  isNotExpressContext(line, instance) {
-    // Skip HTTP client methods (like axios, fetch wrappers)
-    const clientPatterns = [
-      'public ', 'private ', 'protected ',  // Class methods
-      'async ', 'function ',                // Function definitions
-      'const ', 'let ', 'var ',            // Variable assignments
-      ': Promise<', ': BaseResponse<',      // TypeScript return types
-      'this.http', 'httpClient',            // HTTP client instances
-      'axios.', 'fetch(',                   // HTTP client calls
-    ];
-
-    const lowerLine = line.toLowerCase();
-    
-    // If line contains client patterns, likely not Express route
-    const hasClientPattern = clientPatterns.some(pattern => 
-      lowerLine.includes(pattern.toLowerCase())
-    );
-
-    if (hasClientPattern) {
-      return true;
-    }
-
-    // If instance name suggests HTTP client, skip
-    const clientInstanceNames = ['httpclient', 'client', 'api', 'service'];
-    if (clientInstanceNames.includes(instance.toLowerCase())) {
-      return true;
-    }
-
-    return false;
-  }
-
-  // Check if the file content suggests this is a mock/test rather than real Express app
-  isMockOrTestContext(content, instance) {
-    const lowerContent = content.toLowerCase();
-    
-    // Look for mock object definitions
-    const mockPatterns = [
-      `const ${instance.toLowerCase()} = {`,
-      `let ${instance.toLowerCase()} = {`,
-      `var ${instance.toLowerCase()} = {`,
-      `${instance.toLowerCase()}: {`,
-    ];
-    
-    const hasMockDefinition = mockPatterns.some(pattern => 
-      lowerContent.includes(pattern)
-    );
-    
-    if (hasMockDefinition) {
-      return true;
-    }
-    
-    // Check for test file patterns
-    const testIndicators = ['.test.', '.spec.', '__tests__', 'test case', 'mock'];
-    const isTestContext = testIndicators.some(indicator => 
-      lowerContent.includes(indicator)
-    );
-    
-    return isTestContext;
-  }
-
-  hasCSRFProtection(content) {
-    const csrfPatterns = [
-      // Middleware usage
-      'csurf()',
-      'csrfProtection',
-      'verifyCsrfToken',
-      'checkCsrf',
-      'csrf-token',
-      '_csrf',
-      
-      // Manual CSRF checks
-      'req.csrfToken',
-      'csrf.verify',
-      'validateCSRF',
-      
-      // Security headers
-      'x-csrf-token',
-      'x-xsrf-token',
-      
-      // Framework-specific
-      'protect_from_forgery',  // Rails
-      '@csrf',                 // Laravel
-    ];
-
-    const lowerContent = content.toLowerCase();
-    
-    return csrfPatterns.some(pattern => 
-      lowerContent.includes(pattern.toLowerCase())
-    );
-  }
-
-  calculateConfidence(line, patternType) {
-    let confidence = 0.8;
-    
-    // Higher confidence for clear Express patterns
-    if (patternType === 'express_route_with_middleware') {
-      confidence += 0.1;
-    }
-
-    // Lower confidence if mixed with client-like patterns
-    const clientIndicators = ['public', 'class', 'Promise<', 'async'];
-    const hasClientIndicators = clientIndicators.some(indicator => 
-      line.includes(indicator)
-    );
-    
-    if (hasClientIndicators) {
-      confidence -= 0.3;
-    }
-
-    return Math.max(0.3, Math.min(1.0, confidence));
-  }
-}
-
-module.exports = new S029Analyzer();

package/rules/tests/C002_no_duplicate_code.test.js

@@ -1,50 +0,0 @@
-/**
- * C002_no_duplicate_code - Rule Tests
- * Tests for heuristic rule analyzer
- */
-
-const C002_no_duplicate_codeAnalyzer = require('./analyzer');
-
-describe('C002_no_duplicate_code Heuristic Rule', () => {
-    let analyzer;
-
-    beforeEach(() => {
-        analyzer = new C002_no_duplicate_codeAnalyzer();
-    });
-
-    describe('Valid Code', () => {
-        test('should not report violations for valid code', () => {
-            const code = `
-                // TODO: Add valid code examples
-            `;
-
-            const violations = analyzer.analyze(code, 'test.js');
-            expect(violations).toHaveLength(0);
-        });
-    });
-
-    describe('Invalid Code', () => {
-        test('should report violations for invalid code', () => {
-            const code = `
-                // TODO: Add invalid code examples
-            `;
-
-            const violations = analyzer.analyze(code, 'test.js');
-            expect(violations.length).toBeGreaterThan(0);
-            expect(violations[0].ruleId).toBe('C002_no_duplicate_code');
-        });
-    });
-
-    describe('Edge Cases', () => {
-        test('should handle empty code', () => {
-            const violations = analyzer.analyze('', 'test.js');
-            expect(violations).toHaveLength(0);
-        });
-
-        test('should handle syntax errors gracefully', () => {
-            const code = 'invalid javascript syntax {{{';
-            const violations = analyzer.analyze(code, 'test.js');
-            expect(Array.isArray(violations)).toBe(true);
-        });
-    });
-});

package/rules/utils/ast-utils.js

@@ -1,191 +0,0 @@
-/**
- * AST Utilities for Heuristic Rules
- * Provides AST parsing and traversal utilities for rule analyzers
- */
-
-class ASTUtils {
-    constructor() {
-        this.supportedLanguages = ['javascript', 'typescript'];
-    }
-
-    /**
-     * Parse code content into AST
-     * @param {string} content - Code content
-     * @param {string} language - Language (javascript, typescript)
-     * @returns {Object|null} Parsed AST or null if parsing fails
-     */
-    parse(content, language = 'javascript') {
-        try {
-            // TODO: Implement proper AST parsing
-            // For now, return a simple representation
-            return {
-                type: 'Program',
-                body: [],
-                language,
-                sourceCode: content
-            };
-        } catch (error) {
-            console.warn('AST parsing failed:', error.message);
-            return null;
-        }
-    }
-
-    /**
-     * Find function declarations in code
-     * @param {string} content - Code content
-     * @returns {Array} Array of function matches
-     */
-    findFunctions(content) {
-        const functions = [];
-        const functionRegex = /(?:function\s+(\w+)|(\w+)\s*=\s*function|(\w+)\s*=\s*\([^)]*\)\s*=>)/g;
-        let match;
-
-        while ((match = functionRegex.exec(content)) !== null) {
-            const line = this.getLineNumber(content, match.index);
-            const functionName = match[1] || match[2] || match[3];
-            
-            functions.push({
-                name: functionName,
-                line: line,
-                column: match.index - this.getLineStart(content, match.index),
-                match: match[0]
-            });
-        }
-
-        return functions;
-    }
-
-    /**
-     * Find variable declarations
-     * @param {string} content - Code content
-     * @returns {Array} Array of variable matches
-     */
-    findVariables(content) {
-        const variables = [];
-        const varRegex = /(?:var|let|const)\s+(\w+)/g;
-        let match;
-
-        while ((match = varRegex.exec(content)) !== null) {
-            const line = this.getLineNumber(content, match.index);
-            
-            variables.push({
-                name: match[1],
-                line: line,
-                column: match.index - this.getLineStart(content, match.index),
-                type: match[0].split(' ')[0] // var, let, const
-            });
-        }
-
-        return variables;
-    }
-
-    /**
-     * Find import/require statements
-     * @param {string} content - Code content
-     * @returns {Array} Array of import matches
-     */
-    findImports(content) {
-        const imports = [];
-        
-        // ES6 imports
-        const importRegex = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
-        let match;
-
-        while ((match = importRegex.exec(content)) !== null) {
-            const line = this.getLineNumber(content, match.index);
-            imports.push({
-                type: 'import',
-                module: match[1],
-                line: line,
-                match: match[0]
-            });
-        }
-
-        // CommonJS requires
-        const requireRegex = /require\(['"]([^'"]+)['"]\)/g;
-        while ((match = requireRegex.exec(content)) !== null) {
-            const line = this.getLineNumber(content, match.index);
-            imports.push({
-                type: 'require',
-                module: match[1],
-                line: line,
-                match: match[0]
-            });
-        }
-
-        return imports;
-    }
-
-    /**
-     * Get line number for a character index
-     * @param {string} content - Code content
-     * @param {number} index - Character index
-     * @returns {number} Line number (1-based)
-     */
-    getLineNumber(content, index) {
-        return content.substring(0, index).split('\n').length;
-    }
-
-    /**
-     * Get line start position for a character index
-     * @param {string} content - Code content
-     * @param {number} index - Character index
-     * @returns {number} Line start index
-     */
-    getLineStart(content, index) {
-        const beforeIndex = content.substring(0, index);
-        const lastNewline = beforeIndex.lastIndexOf('\n');
-        return lastNewline === -1 ? 0 : lastNewline + 1;
-    }
-
-    /**
-     * Get line content for a line number
-     * @param {string} content - Code content
-     * @param {number} lineNumber - Line number (1-based)
-     * @returns {string} Line content
-     */
-    getLineContent(content, lineNumber) {
-        const lines = content.split('\n');
-        return lines[lineNumber - 1] || '';
-    }
-
-    /**
-     * Check if position is inside a comment
-     * @param {string} content - Code content
-     * @param {number} index - Character index
-     * @returns {boolean} True if inside comment
-     */
-    isInComment(content, index) {
-        const beforeIndex = content.substring(0, index);
-        
-        // Single line comment
-        const lastLineStart = beforeIndex.lastIndexOf('\n');
-        const lineContent = beforeIndex.substring(lastLineStart + 1);
-        if (lineContent.includes('//')) {
-            return true;
-        }
-
-        // Block comment
-        const lastBlockStart = beforeIndex.lastIndexOf('/*');
-        const lastBlockEnd = beforeIndex.lastIndexOf('*/');
-        
-        return lastBlockStart > lastBlockEnd;
-    }
-
-    /**
-     * Extract function parameters
-     * @param {string} functionDeclaration - Function declaration string
-     * @returns {Array} Array of parameter names
-     */
-    extractParameters(functionDeclaration) {
-        const paramMatch = functionDeclaration.match(/\(([^)]*)\)/);
-        if (!paramMatch || !paramMatch[1]) return [];
-        
-        return paramMatch[1]
-            .split(',')
-            .map(param => param.trim().split('=')[0].trim()) // Handle default parameters
-            .filter(param => param.length > 0);
-    }
-}
-
-module.exports = { ASTUtils };

package/rules/utils/base-analyzer.js

@@ -1,98 +0,0 @@
-/**
- * Base Analyzer Class for SunLint Rules
- * Provides common functionality and consistent severity management
- */
-
-const { getSeverity, isValidSeverity } = require('./severity-constants');
-
-class BaseAnalyzer {
-  constructor(ruleId, ruleName, description, category = 'QUALITY') {
-    this.ruleId = ruleId;
-    this.ruleName = ruleName;
-    this.description = description;
-    this.category = category;
-    
-    // Severity will be determined dynamically
-    this._severity = null;
-  }
-  
-  /**
-   * Get severity for this rule, considering config overrides
-   * @param {Object} config - Configuration object
-   * @returns {string} Severity level
-   */
-  getSeverity(config = {}) {
-    // Check if already cached
-    if (this._severity) {
-      return this._severity;
-    }
-    
-    // Get from config override
-    const configOverride = config?.rules?.[this.ruleId]?.severity || 
-                          config?.rules?.[this.ruleId];
-    
-    this._severity = getSeverity(this.ruleId, this.category, configOverride);
-    return this._severity;
-  }
-  
-  /**
-   * Set severity (for backward compatibility or testing)
-   * @param {string} severity - Severity level
-   */
-  setSeverity(severity) {
-    if (!isValidSeverity(severity)) {
-      console.warn(`Invalid severity '${severity}' for rule ${this.ruleId}. Using default.`);
-      return;
-    }
-    this._severity = severity;
-  }
-  
-  /**
-   * Create a violation object with consistent structure
-   * @param {Object} params - Violation parameters
-   * @returns {Object} Formatted violation
-   */
-  createViolation(params) {
-    const {
-      filePath,
-      line,
-      column,
-      message,
-      source,
-      suggestion,
-      additionalData = {}
-    } = params;
-    
-    return {
-      ruleId: this.ruleId,
-      severity: this._severity || this.getSeverity(),
-      message: message || this.description,
-      filePath,
-      line,
-      column,
-      source,
-      suggestion,
-      category: this.category,
-      ...additionalData
-    };
-  }
-  
-  /**
-   * Check if rule is enabled based on severity
-   * @param {Object} config - Configuration
-   * @returns {boolean} True if rule should run
-   */
-  isEnabled(config = {}) {
-    const severity = this.getSeverity(config);
-    return severity !== 'off';
-  }
-  
-  /**
-   * Abstract analyze method - must be implemented by subclasses
-   */
-  async analyze(files, language, config) {
-    throw new Error(`analyze() method must be implemented by ${this.constructor.name}`);
-  }
-}
-
-module.exports = BaseAnalyzer;