@sun-asterisk/sunlint 1.2.1 → 1.2.2

package/rules/security/S015_insecure_tls_certificate/ast-analyzer.js

@@ -0,0 +1,237 @@
+/**
+ * AST-based analyzer for S015 - Insecure TLS Certificate Detection
+ * Detects usage of insecure TLS certificate configurations like rejectUnauthorized: false
+ */
+
+const babel = require('@babel/parser');
+const traverse = require('@babel/traverse').default;
+
+class S015ASTAnalyzer {
+  constructor() {
+    this.ruleId = 'S015';
+    this.ruleName = 'Insecure TLS Certificate';
+    this.description = 'Prevent usage of insecure TLS certificate configurations';
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      try {
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        const fileViolations = await this.analyzeFile(content, filePath, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ S015 AST analysis failed for ${filePath}: ${error.message}`);
+        }
+      }
+    }
+    
+    return violations;
+  }
+
+  async analyzeFile(content, filePath, options = {}) {
+    const violations = [];
+    
+    try {
+      // Parse with TypeScript/JavaScript support
+      const ast = babel.parse(content, {
+        sourceType: 'module',
+        allowImportExportEverywhere: true,
+        allowReturnOutsideFunction: true,
+        plugins: [
+          'typescript',
+          'jsx',
+          'objectRestSpread',
+          'functionBind',
+          'exportDefaultFrom',
+          'decorators-legacy',
+          'classProperties',
+          'asyncGenerators',
+          'dynamicImport'
+        ]
+      });
+
+      // Traverse AST to find insecure TLS configurations
+      traverse(ast, {
+        Property: (path) => {
+          this.checkTLSProperty(path, violations, filePath);
+        },
+        ObjectExpression: (path) => {
+          this.checkHTTPSOptions(path, violations, filePath);
+        }
+      });
+
+    } catch (parseError) {
+      if (options.verbose) {
+        console.warn(`⚠️ S015 parse failed for ${filePath}: ${parseError.message}`);
+      }
+      // Fall back to regex analysis if AST parsing fails
+      return this.analyzeWithRegex(content, filePath, options);
+    }
+
+    return violations;
+  }
+
+  checkTLSProperty(path, violations, filePath) {
+    const node = path.node;
+    
+    // Check for rejectUnauthorized: false
+    if (this.isPropertyKey(node.key, 'rejectUnauthorized')) {
+      if (this.isFalseLiteral(node.value)) {
+        violations.push({
+          ruleId: this.ruleId,
+          severity: 'error',
+          message: 'Untrusted/self-signed/expired certificate accepted. Only use trusted certificates in production.',
+          line: node.loc ? node.loc.start.line : 1,
+          column: node.loc ? node.loc.start.column + 1 : 1,
+          filePath: filePath,
+          type: 'insecure_tls_config'
+        });
+      }
+    }
+
+    // Check for other insecure TLS options
+    const insecureOptions = [
+      'checkServerIdentity',
+      'secureProtocol',
+      'ciphers',
+      'secureOptions'
+    ];
+
+    if (insecureOptions.some(opt => this.isPropertyKey(node.key, opt))) {
+      if (this.hasInsecureValue(node.value, node.key.name || node.key.value)) {
+        violations.push({
+          ruleId: this.ruleId,
+          severity: 'warning',
+          message: `Potentially insecure TLS option '${node.key.name || node.key.value}'. Review configuration for security.`,
+          line: node.loc ? node.loc.start.line : 1,
+          column: node.loc ? node.loc.start.column + 1 : 1,
+          filePath: filePath,
+          type: 'potentially_insecure_tls'
+        });
+      }
+    }
+  }
+
+  checkHTTPSOptions(path, violations, filePath) {
+    const node = path.node;
+    
+    // Look for HTTPS server configurations
+    const parent = path.parent;
+    if (parent && parent.type === 'CallExpression') {
+      const callee = parent.callee;
+      
+      // Check for https.createServer(options, ...)
+      if (this.isHTTPSCreateServer(callee)) {
+        // Check each property in the options object
+        node.properties.forEach(prop => {
+          if (prop.type === 'ObjectProperty') {
+            if (this.isPropertyKey(prop.key, 'rejectUnauthorized') && 
+                this.isFalseLiteral(prop.value)) {
+              violations.push({
+                ruleId: this.ruleId,
+                severity: 'error',
+                message: 'HTTPS server configured with rejectUnauthorized: false. This disables certificate validation.',
+                line: prop.loc ? prop.loc.start.line : 1,
+                column: prop.loc ? prop.loc.start.column + 1 : 1,
+                filePath: filePath,
+                type: 'https_server_insecure'
+              });
+            }
+          }
+        });
+      }
+    }
+  }
+
+  isPropertyKey(key, expectedName) {
+    return (key.type === 'Identifier' && key.name === expectedName) ||
+           (key.type === 'StringLiteral' && key.value === expectedName) ||
+           (key.type === 'Literal' && key.value === expectedName);
+  }
+
+  isFalseLiteral(value) {
+    return (value.type === 'BooleanLiteral' && value.value === false) ||
+           (value.type === 'Literal' && value.value === false);
+  }
+
+  isHTTPSCreateServer(callee) {
+    return (callee.type === 'MemberExpression' &&
+            callee.object.name === 'https' &&
+            callee.property.name === 'createServer') ||
+           (callee.type === 'Identifier' && callee.name === 'createServer');
+  }
+
+  hasInsecureValue(value, propertyName) {
+    // Check for potentially insecure values based on property type
+    if (propertyName === 'checkServerIdentity' && this.isFalseLiteral(value)) {
+      return true;
+    }
+    
+    if (propertyName === 'secureProtocol' && value.type === 'StringLiteral') {
+      const insecureProtocols = ['SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_method'];
+      return insecureProtocols.some(protocol => 
+        value.value.toLowerCase().includes(protocol.toLowerCase())
+      );
+    }
+
+    if (propertyName === 'ciphers' && value.type === 'StringLiteral') {
+      const weakCiphers = ['NULL', 'RC4', 'DES', 'MD5'];
+      return weakCiphers.some(cipher => 
+        value.value.toUpperCase().includes(cipher)
+      );
+    }
+
+    return false;
+  }
+
+  // Fallback regex analysis
+  analyzeWithRegex(content, filePath, options = {}) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      
+      // Check for rejectUnauthorized: false
+      if (/rejectUnauthorized\s*:\s*false/i.test(line)) {
+        violations.push({
+          ruleId: this.ruleId,
+          severity: 'error',
+          message: 'Untrusted/self-signed/expired certificate accepted. Only use trusted certificates in production.',
+          line: lineNumber,
+          column: line.indexOf('rejectUnauthorized') + 1,
+          filePath: filePath,
+          type: 'insecure_tls_config_regex'
+        });
+      }
+
+      // Check for other insecure patterns
+      const insecurePatterns = [
+        { pattern: /checkServerIdentity\s*:\s*false/i, message: 'Server identity check disabled' },
+        { pattern: /secureProtocol\s*:\s*['"]SSL/i, message: 'Insecure SSL protocol used' },
+        { pattern: /secureProtocol\s*:\s*['"]TLSv1['"]/i, message: 'Insecure TLS v1.0 protocol used' }
+      ];
+
+      insecurePatterns.forEach(({ pattern, message }) => {
+        if (pattern.test(line)) {
+          violations.push({
+            ruleId: this.ruleId,
+            severity: 'warning',
+            message: `${message}. Use secure TLS configuration.`,
+            line: lineNumber,
+            column: line.search(pattern) + 1,
+            filePath: filePath,
+            type: 'insecure_tls_pattern_regex'
+          });
+        }
+      });
+    });
+
+    return violations;
+  }
+}
+
+module.exports = S015ASTAnalyzer;

package/rules/security/S023_no_json_injection/analyzer.js

@@ -0,0 +1,278 @@
+/**
+ * Heuristic analyzer for: S023 – No JSON Injection
+ * Purpose: Prevent JSON injection attacks and unsafe JSON handling
+ * Detects: unsafe JSON.parse(), eval() with JSON, JSON.stringify in HTML context
+ */
+
+class S023Analyzer {
+  constructor() {
+    this.ruleId = 'S023';
+    this.ruleName = 'No JSON Injection';
+    this.description = 'Prevent JSON injection attacks and unsafe JSON handling';
+    
+    // Patterns that indicate user input sources
+    this.userInputPatterns = [
+      /localStorage\.getItem/,
+      /sessionStorage\.getItem/,
+      /window\.location/,
+      /location\.(search|hash|href)/,
+      /URLSearchParams/,
+      /req\.(body|query|params)/,
+      /request\.(body|query|params)/,
+      /document\.cookie/,
+      /window\.name/,
+      /postMessage/,
+      /fetch\(/,
+      /axios\./,
+      /xhr\./
+    ];
+    
+    // Patterns that indicate validation/safety measures
+    this.validationPatterns = [
+      /try\s*\{/,
+      /catch\s*\(/,
+      /if\s*\(/,
+      /typeof\s+/,
+      /instanceof\s+/,
+      /\.length\s*[><=]/,
+      /validate/i,
+      /check/i,
+      /isValid/i,
+      /sanitize/i,
+      /escape/i,
+      /filter/i
+    ];
+    
+    // HTML context patterns
+    this.htmlContextPatterns = [
+      /innerHTML/,
+      /outerHTML/,
+      /insertAdjacentHTML/,
+      /document\.write/,
+      /\.html\(/,
+      /<script/i,
+      /<\/script>/i
+    ];
+    
+    // JSON patterns for eval detection
+    this.jsonPatterns = [
+      /json/i,
+      /\{.*\}/,
+      /\[.*\]/,
+      /parse/i,
+      /stringify/i
+    ];
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      try {
+        const fileViolations = await this.analyzeFile(filePath, language, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+    
+    return violations;
+  }
+
+  async analyzeFile(filePath, language, options = {}) {
+    switch (language) {
+      case 'typescript':
+      case 'javascript':
+        return this.analyzeJavaScript(filePath, options);
+      default:
+        return [];
+    }
+  }
+
+  async analyzeJavaScript(filePath, options = {}) {
+    try {
+      // Try AST analysis first (preferred method)
+      const astAnalyzer = require('./ast-analyzer.js');
+      const astViolations = await astAnalyzer.analyze([filePath], 'javascript', options);
+      if (astViolations.length > 0) {
+        return astViolations;
+      }
+    } catch (astError) {
+      if (options.verbose) {
+        console.log(`⚠️ AST analysis failed for ${filePath}, falling back to regex`);
+      }
+    }
+    
+    // Fallback to regex analysis
+    return this.analyzeWithRegex(filePath, options);
+  }
+
+  async analyzeWithRegex(filePath, options = {}) {
+    const fs = require('fs');
+    const path = require('path');
+    
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      const violations = [];
+      const lines = content.split('\n');
+      
+      // 1. Check JSON.parse() calls
+      const jsonParseViolations = this.checkJsonParseCalls(content, lines, filePath);
+      violations.push(...jsonParseViolations);
+      
+      // 2. Check eval() with JSON patterns
+      const evalViolations = this.checkEvalWithJson(content, lines, filePath);
+      violations.push(...evalViolations);
+      
+      // 3. Check JSON.stringify in HTML context
+      const htmlViolations = this.checkJsonStringifyInHtml(content, lines, filePath);
+      violations.push(...htmlViolations);
+      
+      return violations;
+    } catch (error) {
+      if (options.verbose) {
+        console.warn(`⚠️ Failed to read file ${filePath}: ${error.message}`);
+      }
+      return [];
+    }
+  }
+
+  checkJsonParseCalls(content, lines, filePath) {
+    const violations = [];
+    const jsonParsePattern = /JSON\.parse\s*\(\s*([^)]+)\)/g;
+    let match;
+    
+    while ((match = jsonParsePattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[lineNumber - 1] || '';
+      const argument = match[1].trim();
+      
+      // Check if argument is from user input
+      if (this.isUserInputArgument(argument)) {
+        // Check if there's validation around this call
+        if (!this.hasValidationContext(content, match.index, lineNumber, lines)) {
+          violations.push({
+            ruleId: this.ruleId,
+            file: filePath,
+            line: lineNumber,
+            column: match.index - content.lastIndexOf('\n', match.index),
+            message: 'Unsafe JSON parsing - validate input before parsing',
+            severity: 'warning',
+            code: lineText.trim(),
+            type: 'unsafe_json_parse',
+            confidence: 0.8,
+            suggestion: 'Validate input before parsing JSON or use try-catch block'
+          });
+        }
+      }
+    }
+    
+    return violations;
+  }
+
+  checkEvalWithJson(content, lines, filePath) {
+    const violations = [];
+    const evalPattern = /eval\s*\(\s*([^)]+)\)/g;
+    let match;
+    
+    while ((match = evalPattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[lineNumber - 1] || '';
+      const argument = match[1].trim();
+      
+      // Check if eval contains JSON patterns
+      if (this.containsJsonPattern(argument)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: 'Never use eval() to process JSON data - use JSON.parse() instead',
+          severity: 'error',
+          code: lineText.trim(),
+          type: 'eval_json',
+          confidence: 0.9,
+          suggestion: 'Use JSON.parse() instead of eval() for parsing JSON'
+        });
+      }
+    }
+    
+    return violations;
+  }
+
+  checkJsonStringifyInHtml(content, lines, filePath) {
+    const violations = [];
+    const jsonStringifyPattern = /JSON\.stringify\s*\([^)]+\)/g;
+    let match;
+    
+    while ((match = jsonStringifyPattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[lineNumber - 1] || '';
+      
+      // Check if JSON.stringify is used in HTML context
+      if (this.isInHtmlContext(content, match.index)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: 'JSON.stringify output should be escaped when used in HTML context',
+          severity: 'warning',
+          code: lineText.trim(),
+          type: 'json_stringify_html',
+          confidence: 0.7,
+          suggestion: 'Escape JSON.stringify output when inserting into HTML'
+        });
+      }
+    }
+    
+    return violations;
+  }
+
+  isUserInputArgument(argument) {
+    return this.userInputPatterns.some(pattern => pattern.test(argument));
+  }
+
+  hasValidationContext(content, matchIndex, lineNumber, lines) {
+    // Check surrounding lines for validation patterns
+    const startLine = Math.max(0, lineNumber - 3);
+    const endLine = Math.min(lines.length, lineNumber + 2);
+    
+    for (let i = startLine; i < endLine; i++) {
+      const line = lines[i] || '';
+      if (this.validationPatterns.some(pattern => pattern.test(line))) {
+        return true;
+      }
+    }
+    
+    // Check if the call is inside a try block
+    const beforeText = content.substring(Math.max(0, matchIndex - 200), matchIndex);
+    const afterText = content.substring(matchIndex, Math.min(content.length, matchIndex + 100));
+    
+    return /try\s*\{[^}]*$/.test(beforeText) || /catch\s*\(/.test(afterText);
+  }
+
+  containsJsonPattern(text) {
+    return this.jsonPatterns.some(pattern => pattern.test(text));
+  }
+
+  isInHtmlContext(content, matchIndex) {
+    // Check surrounding context for HTML patterns
+    const contextStart = Math.max(0, matchIndex - 100);
+    const contextEnd = Math.min(content.length, matchIndex + 100);
+    const context = content.substring(contextStart, contextEnd);
+    
+    return this.htmlContextPatterns.some(pattern => pattern.test(context));
+  }
+
+  // Utility method for file extension checking
+  isSupportedFile(filePath) {
+    const supportedExtensions = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.cjs'];
+    const path = require('path');
+    return supportedExtensions.includes(path.extname(filePath));
+  }
+}
+
+module.exports = new S023Analyzer();