@sun-asterisk/sunlint 1.2.1 → 1.2.2

package/rules/security/S023_no_json_injection/ast-analyzer.js

@@ -0,0 +1,359 @@
+const fs = require('fs');
+const path = require('path');
+
+class S023ASTAnalyzer {
+  constructor() {
+    this.ruleId = 'S023';
+    this.ruleName = 'No JSON Injection Prevention (AST-Enhanced)';
+    this.description = 'AST-based detection of unsafe JSON parsing and injection vulnerabilities';
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`🎯 Running S023 AST analysis on ${path.basename(filePath)}`);
+      }
+      
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = await this.analyzeFile(filePath, content, language, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+      }
+    }
+    
+    return violations;
+  }
+
+  async analyzeFile(filePath, content, language, config) {
+    switch (language) {
+      case 'typescript':
+      case 'javascript':
+        return this.analyzeJSTS(filePath, content, config);
+      default:
+        return [];
+    }
+  }
+
+  async analyzeJSTS(filePath, content, config) {
+    const violations = [];
+    
+    try {
+      // Try AST analysis first (like ESLint approach)
+      const astViolations = await this.analyzeWithAST(filePath, content, config);
+      if (astViolations.length > 0) {
+        violations.push(...astViolations);
+      }
+    } catch (astError) {
+      if (config.verbose) {
+        console.log(`⚠️ AST analysis failed for ${path.basename(filePath)}, falling back to regex`);
+      }
+      
+      // Fallback to regex-based analysis
+      const regexViolations = await this.analyzeWithRegex(filePath, content, config);
+      violations.push(...regexViolations);
+    }
+    
+    return violations;
+  }
+
+  async analyzeWithAST(filePath, content, config) {
+    const violations = [];
+    
+    // Import AST modules dynamically
+    let astModules;
+    try {
+      astModules = require('../../../core/ast-modules');
+    } catch (error) {
+      throw new Error('AST modules not available');
+    }
+
+    // Try to parse with AST
+    let ast;
+    try {
+      ast = await astModules.parseCode(content, 'javascript', filePath);
+      if (!ast) {
+        throw new Error('AST parsing returned null');
+      }
+    } catch (parseError) {
+      throw new Error(`Parse error: ${parseError.message}`);
+    }
+
+    // Traverse AST to find JSON injection vulnerabilities - mimicking ESLint's approach
+    const rootNode = ast.program || ast;
+    this.traverseAST(rootNode, (node) => {
+      // Check JSON.parse() calls
+      if (this.isJsonParseCall(node)) {
+        const violation = this.checkJsonParseForUnsafeUsage(node, filePath, content);
+        if (violation) {
+          violations.push(violation);
+        }
+      }
+      
+      // Check eval() with JSON patterns
+      if (this.isEvalCall(node)) {
+        const violation = this.checkEvalForJsonUsage(node, filePath, content);
+        if (violation) {
+          violations.push(violation);
+        }
+      }
+      
+      // Check JSON.stringify in HTML context
+      if (this.isJsonStringifyCall(node)) {
+        const violation = this.checkJsonStringifyInHtmlContext(node, filePath, content);
+        if (violation) {
+          violations.push(violation);
+        }
+      }
+    });
+
+    return violations;
+  }
+
+  traverseAST(node, callback) {
+    if (!node || typeof node !== 'object') return;
+    
+    callback(node);
+    
+    for (const key in node) {
+      if (key === 'parent' || key === 'leadingComments' || key === 'trailingComments') continue;
+      
+      const child = node[key];
+      if (Array.isArray(child)) {
+        child.forEach(item => this.traverseAST(item, callback));
+      } else if (child && typeof child === 'object') {
+        this.traverseAST(child, callback);
+      }
+    }
+  }
+
+  isJsonParseCall(node) {
+    return node.type === 'CallExpression' &&
+           node.callee && 
+           node.callee.type === 'MemberExpression' &&
+           node.callee.object && node.callee.object.name === 'JSON' &&
+           node.callee.property && node.callee.property.name === 'parse';
+  }
+
+  isEvalCall(node) {
+    return node.type === 'CallExpression' &&
+           node.callee && 
+           node.callee.type === 'Identifier' &&
+           node.callee.name === 'eval';
+  }
+
+  isJsonStringifyCall(node) {
+    return node.type === 'CallExpression' &&
+           node.callee && 
+           node.callee.type === 'MemberExpression' &&
+           node.callee.object && node.callee.object.name === 'JSON' &&
+           node.callee.property && node.callee.property.name === 'stringify';
+  }
+
+  checkJsonParseForUnsafeUsage(node, filePath, content) {
+    if (!node.arguments || node.arguments.length === 0) return null;
+    
+    const lines = content.split('\n');
+    const lineNumber = node.loc.start.line;
+    const lineText = lines[lineNumber - 1] || '';
+    
+    // Check if the argument is from user input (similar to ESLint logic)
+    const argument = node.arguments[0];
+    if (this.isUserInputSource(argument, content)) {
+      // Check if there's validation before JSON.parse
+      if (!this.hasValidationBefore(node, content)) {
+        return {
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: node.loc.start.column + 1,
+          message: 'Unsafe JSON parsing - validate input before parsing',
+          severity: 'warning',
+          code: lineText.trim(),
+          type: 'unsafe_json_parse',
+          confidence: 0.8,
+          suggestion: 'Validate input before parsing JSON'
+        };
+      }
+    }
+    
+    return null;
+  }
+
+  checkEvalForJsonUsage(node, filePath, content) {
+    if (!node.arguments || node.arguments.length === 0) return null;
+    
+    const lines = content.split('\n');
+    const lineNumber = node.loc.start.line;
+    const lineText = lines[lineNumber - 1] || '';
+    
+    // Check if eval contains JSON patterns
+    const argument = node.arguments[0];
+    if (this.containsJsonPattern(argument, content)) {
+      return {
+        ruleId: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: node.loc.start.column + 1,
+        message: 'Never use eval() to process JSON data - use JSON.parse() instead',
+        severity: 'error',
+        code: lineText.trim(),
+        type: 'eval_json',
+        confidence: 0.9,
+        suggestion: 'Use JSON.parse() instead of eval()'
+      };
+    }
+    
+    return null;
+  }
+
+  checkJsonStringifyInHtmlContext(node, filePath, content) {
+    const lines = content.split('\n');
+    const lineNumber = node.loc.start.line;
+    const lineText = lines[lineNumber - 1] || '';
+    
+    // Check if JSON.stringify is used in HTML context
+    if (this.isInHtmlContext(node, content)) {
+      return {
+        ruleId: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: node.loc.start.column + 1,
+        message: 'JSON.stringify output should be escaped when used in HTML context',
+        severity: 'warning',
+        code: lineText.trim(),
+        type: 'json_stringify_html',
+        confidence: 0.7,
+        suggestion: 'Escape JSON.stringify output in HTML context'
+      };
+    }
+    
+    return null;
+  }
+
+  isUserInputSource(node, content) {
+    if (!node) return false;
+    
+    // Check for common user input patterns (similar to ESLint)
+    const userInputPatterns = [
+      /localStorage\.getItem/,
+      /sessionStorage\.getItem/,
+      /window\.location/,
+      /location\.(search|hash)/,
+      /URLSearchParams/,
+      /req\.(body|query|params)/,
+      /request\.(body|query|params)/
+    ];
+    
+    return userInputPatterns.some(pattern => {
+      const nodeText = this.getNodeText(node, content);
+      return pattern.test(nodeText);
+    });
+  }
+
+  hasValidationBefore(node, content) {
+    // Simple check for validation patterns before JSON.parse
+    const lines = content.split('\n');
+    const lineNumber = node.loc.start.line;
+    
+    // Check previous lines for validation patterns
+    for (let i = Math.max(0, lineNumber - 5); i < lineNumber - 1; i++) {
+      const line = lines[i] || '';
+      if (this.containsValidationPattern(line)) {
+        return true;
+      }
+    }
+    
+    return false;
+  }
+
+  containsValidationPattern(line) {
+    const validationPatterns = [
+      /try\s*{/,
+      /catch\s*\(/,
+      /if\s*\(/,
+      /typeof\s+/,
+      /instanceof\s+/,
+      /\.length\s*>/,
+      /validate/i,
+      /check/i,
+      /isValid/i
+    ];
+    
+    return validationPatterns.some(pattern => pattern.test(line));
+  }
+
+  containsJsonPattern(node, content) {
+    const nodeText = this.getNodeText(node, content);
+    return /json|JSON|\{|\[/.test(nodeText);
+  }
+
+  isInHtmlContext(node, content) {
+    // Check if JSON.stringify is used in HTML context
+    const htmlPatterns = [
+      /innerHTML/,
+      /outerHTML/,
+      /insertAdjacentHTML/,
+      /document\.write/,
+      /\.html\(/
+    ];
+    
+    const surroundingText = this.getSurroundingText(node, content, 3);
+    return htmlPatterns.some(pattern => pattern.test(surroundingText));
+  }
+
+  getNodeText(node, content) {
+    if (!node || !node.loc) return '';
+    const lines = content.split('\n');
+    return lines[node.loc.start.line - 1] || '';
+  }
+
+  getSurroundingText(node, content, radius = 2) {
+    if (!node || !node.loc) return '';
+    const lines = content.split('\n');
+    const lineNumber = node.loc.start.line;
+    
+    const startLine = Math.max(0, lineNumber - radius - 1);
+    const endLine = Math.min(lines.length, lineNumber + radius);
+    
+    return lines.slice(startLine, endLine).join('\n');
+  }
+
+  async analyzeWithRegex(filePath, content, config) {
+    // Fallback regex analysis for basic JSON.parse detection
+    const violations = [];
+    const lines = content.split('\n');
+    
+    const jsonParsePattern = /JSON\.parse\s*\(\s*([^)]+)\)/g;
+    let match;
+    
+    while ((match = jsonParsePattern.exec(content)) !== null) {
+      const line = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[line - 1] || '';
+      
+      // Simple check for unsafe patterns
+      const argument = match[1];
+      if (/localStorage\.getItem|sessionStorage\.getItem/.test(argument)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: line,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: 'Unsafe JSON parsing - validate input before parsing',
+          severity: 'warning',
+          code: lineText.trim(),
+          type: 'unsafe_json_parse_regex',
+          confidence: 0.6,
+          suggestion: 'Validate input before parsing JSON'
+        });
+      }
+    }
+    
+    return violations;
+  }
+}
+
+module.exports = new S023ASTAnalyzer();

package/rules/security/S026_json_schema_validation/analyzer.js

@@ -0,0 +1,251 @@
+/**
+ * Heuristic analyzer for: S026 – JSON Schema Validation cho dữ liệu đầu vào
+ * Purpose: Detect unvalidated JSON inputs while avoiding false positives on styles/config objects
+ */
+
+class S026Analyzer {
+  constructor() {
+    this.ruleId = 'S026';
+    this.ruleName = 'JSON Schema Validation Required';
+    this.description = 'Áp dụng JSON Schema Validation cho dữ liệu đầu vào để đảm bảo an toàn';
+    
+    // Patterns that indicate actual HTTP/API input (should be validated)
+    this.httpInputPatterns = [
+      'req.body', 'req.query', 'request.body', 'request.query',
+      'ctx.body', 'ctx.query', 'context.body', 'context.query',
+      'event.body', 'event.queryStringParameters'
+    ];
+    
+    // Patterns that are NOT JSON inputs (should not be flagged)
+    this.nonInputPatterns = [
+      'styles.', 'css.', 'theme.', 'colors.',
+      'config.', 'settings.', 'options.',
+      'data.', 'props.', 'state.',
+      'const.', 'static.', 'default.'
+    ];
+    
+    // Validation patterns that indicate input is being validated
+    this.validationPatterns = [
+      'schema.validate', 'joi.validate', 'ajv.validate',
+      'validate(', 'validateInput(', 'validateBody(',
+      'isValid(', 'checkSchema(', 'parseSchema(',
+      '.validate(', '.valid(', '.check('
+    ];
+    
+    // Express/HTTP framework patterns
+    this.httpFrameworkPatterns = [
+      'app.post(', 'app.put(', 'app.patch(',
+      'router.post(', 'router.put(', 'router.patch(',
+      'express()', '.post(', '.put(', '.patch('
+    ];
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`🔍 Running S026 analysis on ${require('path').basename(filePath)}`);
+      }
+      
+      try {
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+      }
+    }
+    
+    return violations;
+  }
+
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    
+    // Find all potential JSON inputs
+    const potentialInputs = this.findPotentialInputs(lines);
+    
+    // Check if they're validated
+    const validatedInputs = this.findValidatedInputs(content);
+    
+    // Report unvalidated inputs
+    potentialInputs.forEach(input => {
+      if (!this.isInputValidated(input, validatedInputs) && 
+          this.isActualJSONInput(input, content)) {
+        violations.push({
+          file: filePath,
+          line: input.line,
+          column: input.column,
+          message: `JSON input '${input.expression}' should be validated using a JSON schema before use. Consider using schema.validate(), joi.validate(), or similar validation library.`,
+          severity: 'warning',
+          ruleId: this.ruleId,
+          type: 'unvalidated_json_input',
+          inputExpression: input.expression
+        });
+      }
+    });
+    
+    return violations;
+  }
+  
+  findPotentialInputs(lines) {
+    const inputs = [];
+    
+    lines.forEach((line, index) => {
+      const trimmedLine = line.trim();
+      
+      // Skip comments and imports
+      if (trimmedLine.startsWith('//') || trimmedLine.startsWith('/*') || 
+          trimmedLine.startsWith('import') || trimmedLine.startsWith('export')) {
+        return;
+      }
+      
+      // Look for .body or .query patterns
+      const bodyMatches = [...line.matchAll(/(\w+\.\w*body\w*)/g)];
+      const queryMatches = [...line.matchAll(/(\w+\.\w*query\w*)/g)];
+      
+      [...bodyMatches, ...queryMatches].forEach(match => {
+        const expression = match[1];
+        const column = match.index + 1;
+        
+        inputs.push({
+          expression,
+          line: index + 1,
+          column,
+          originalLine: line
+        });
+      });
+    });
+    
+    return inputs;
+  }
+  
+  findValidatedInputs(content) {
+    const validatedInputs = new Set();
+    
+    // Find validation calls
+    this.validationPatterns.forEach(pattern => {
+      const regex = new RegExp(pattern.replace('(', '\\(') + '\\s*\\(([^)]+)\\)', 'g');
+      let match;
+      
+      while ((match = regex.exec(content)) !== null) {
+        const validatedInput = match[1].trim();
+        validatedInputs.add(validatedInput);
+        
+        // Also add simplified version (e.g., req.body from schema.validate(req.body))
+        const simplifiedInput = validatedInput.replace(/^\w+\./, '').replace(/\s+/g, '');
+        if (simplifiedInput.includes('.')) {
+          validatedInputs.add(simplifiedInput);
+        }
+      }
+    });
+    
+    return validatedInputs;
+  }
+  
+  isInputValidated(input, validatedInputs) {
+    const expression = input.expression;
+    
+    // Check exact match
+    if (validatedInputs.has(expression)) {
+      return true;
+    }
+    
+    // Check if any validated input contains this expression
+    for (const validated of validatedInputs) {
+      if (validated.includes(expression) || expression.includes(validated)) {
+        return true;
+      }
+    }
+    
+    // Check if validation happens in the same line or nearby
+    const lineContent = input.originalLine.toLowerCase();
+    if (this.validationPatterns.some(pattern => lineContent.includes(pattern.toLowerCase()))) {
+      return true;
+    }
+    
+    return false;
+  }
+  
+  isActualJSONInput(input, content) {
+    const expression = input.expression.toLowerCase();
+    
+    // Skip known non-input patterns (user feedback - styles, config, etc.)
+    if (this.nonInputPatterns.some(pattern => expression.startsWith(pattern.toLowerCase()))) {
+      return false;
+    }
+    
+    // Skip React/CSS style objects
+    if (this.isStyleOrConfigObject(input, content)) {
+      return false;
+    }
+    
+    // Check if it matches HTTP input patterns
+    if (this.httpInputPatterns.some(pattern => expression.includes(pattern.toLowerCase()))) {
+      return true;
+    }
+    
+    // Check if it's in HTTP handler context
+    if (this.isInHTTPHandlerContext(input, content)) {
+      return true;
+    }
+    
+    // Default to false to avoid false positives
+    return false;
+  }
+  
+  isStyleOrConfigObject(input, content) {
+    const expression = input.expression;
+    const lineContent = input.originalLine.toLowerCase();
+    
+    // Check for React/CSS style usage patterns
+    const styleIndicators = [
+      'style=', 'css=', 'theme=', 'styles=',
+      'background', 'color:', 'font', 'margin:', 'padding:',
+      'import', 'const styles', 'const css', 'const theme'
+    ];
+    
+    if (styleIndicators.some(indicator => lineContent.includes(indicator))) {
+      return true;
+    }
+    
+    // Check context around the input for style/config patterns
+    const lines = content.split('\n');
+    const inputLineIndex = input.line - 1;
+    const contextStart = Math.max(0, inputLineIndex - 3);
+    const contextEnd = Math.min(lines.length, inputLineIndex + 3);
+    const contextLines = lines.slice(contextStart, contextEnd).join('\n').toLowerCase();
+    
+    const contextIndicators = [
+      'const styles', 'const css', 'const config', 'const theme',
+      'styleshet.create', 'react', 'jsx', '<div', '</div>', 'component',
+      'export default', 'props', 'state'
+    ];
+    
+    return contextIndicators.some(indicator => contextLines.includes(indicator));
+  }
+  
+  isInHTTPHandlerContext(input, content) {
+    const lines = content.split('\n');
+    const inputLineIndex = input.line - 1;
+    
+    // Check surrounding context for HTTP framework patterns
+    const contextStart = Math.max(0, inputLineIndex - 10);
+    const contextEnd = Math.min(lines.length, inputLineIndex + 5);
+    const contextLines = lines.slice(contextStart, contextEnd).join('\n').toLowerCase();
+    
+    // Look for HTTP handler patterns in context
+    const httpIndicators = [
+      'app.post', 'app.put', 'app.patch', 'app.delete',
+      'router.post', 'router.put', 'router.patch',
+      '(req, res)', 'request, response', 'ctx.body', 'ctx.query',
+      'express', 'fastify', 'koa', 'hapi'
+    ];
+    
+    return httpIndicators.some(indicator => contextLines.includes(indicator));
+  }
+}
+
+module.exports = S026Analyzer;

package/rules/security/S026_json_schema_validation/config.json

@@ -0,0 +1,27 @@
+{
+    "id": "S026",
+    "name": "JSON Schema Validation for Input Data",
+    "description": "Ensure all user input data (from HTTP requests, APIs) is validated using JSON schemas before processing to prevent injection attacks.",
+    "category": "security",
+    "severity": "warning",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "validation", "input", "json-schema", "http"],
+    "examples": {
+        "valid": [
+            "const schema = joi.object({ name: joi.string() }); const { error } = schema.validate(req.body);",
+            "const ajv = new Ajv(); const valid = ajv.validate(schema, req.body);",
+            "const styles = { body: { color: 'red' } }; // Style object - OK"
+        ],
+        "invalid": [
+            "const data = req.body; processUser(data); // No validation",
+            "const query = req.query; database.find(query); // Direct usage without validation"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule ensures that all user input data from HTTP requests is validated using JSON schemas before processing. Direct usage of req.body, req.query, req.params without validation can lead to injection attacks and data corruption.",
+        "url": "https://owasp.org/Top10/A03_2021-Injection/"
+    }
+}