@sun-asterisk/sunlint 1.2.1 → 1.2.2

package/rules/security/S027_no_hardcoded_secrets/analyzer.js

@@ -0,0 +1,436 @@
+/**
+ * Heuristic analyzer for: S027 – No Hardcoded Secrets
+ * Purpose: Prevent hardcoded passwords, API keys, secrets while avoiding false positives
+ * Based on user feedback: avoid flagging state variables, route names, input types
+ */
+
+class S027Analyzer {
+  constructor() {
+    this.ruleId = 'S027';
+    this.ruleName = 'No Hardcoded Secrets';
+    this.description = 'Không để lộ thông tin bảo mật trong mã nguồn và Git';
+    
+    // Enhanced keywords that indicate sensitive information
+    this.sensitiveKeywords = [
+      'password', 'pass', 'pwd', 'secret', 'key', 'token', 
+      'apikey', 'auth', 'credential', 'seed', 'salt',
+      // Enhanced patterns from roadmap
+      'access_token', 'refresh_token', 'id_token', 'bearer',
+      'client_secret', 'client_id', 'private_key', 'public_key',
+      'encryption_key', 'signing_key', 'session_key',
+      'database_password', 'db_password', 'db_pass',
+      'aws_secret', 'aws_key', 'github_token', 'slack_token',
+      'stripe_key', 'paypal_secret', 'oauth_secret'
+    ];
+    
+    // Patterns that should NOT be flagged (based on user feedback)
+    this.allowedPatterns = [
+      // State variables and flags
+      /^(is|has|enable|show|display|visible|field|strength|valid)/i,
+      /^_(is|has|enable|show|display)/i,
+      
+      // Route/path patterns
+      /\/(setup|forgot|reset|change|update)-?password/i,
+      /password\//i,
+      
+      // Input type configurations
+      /type\s*[=:]\s*['"`]password['"`]/i,
+      /inputtype\s*[=:]\s*['"`]password['"`]/i,
+      
+      // Function names and method calls
+      /^(validate|check|verify|calculate|generate|get|fetch|create)/i,
+      
+      // Component/config properties
+      /^(token|auth|key)type$/i,
+      /enabled?$/i,
+    ];
+    
+    // Patterns that indicate environment variables or dynamic values
+    this.dynamicPatterns = [
+      /process\.env\./i,
+      /getenv\s*\(/i,
+      /config\.get\s*\(/i,
+      /\(\)/i,  // Function calls
+      /await\s+/i,
+      /\.then\s*\(/i,
+    ];
+    
+    // Enhanced secret patterns based on roadmap
+    this.secretPatterns = [
+      // API Keys - Enhanced patterns
+      /(?:api[_-]?key|apikey)['":\s=]+['"]+([a-zA-Z0-9]{20,})['"]+/i,
+      /['"]+[A-Za-z0-9+\/]{40,}={0,2}['"]+/, // Base64 encoded
+      
+      // JWT Tokens
+      /eyJ[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+\.?[A-Za-z0-9\-_.+/=]*/,
+      
+      // AWS Credentials
+      /AKIA[0-9A-Z]{16}/,
+      /['"]+[A-Za-z0-9\/+=]{40}['"]+/, // AWS Secret Key
+      
+      // Database URLs with credentials
+      /(mongodb|mysql|postgres|redis):\/\/[^\/\s'"]+:[^\/\s'"]+@[^\/\s'"]+/,
+      
+      // Private Keys
+      /-----BEGIN [A-Z ]+PRIVATE KEY-----/,
+      
+      // GitHub Tokens
+      /gh[pousr]_[A-Za-z0-9_]{36}/,
+      
+      // Slack Tokens
+      /xox[baprs]-[A-Za-z0-9-]+/,
+      
+      // Bearer tokens
+      /^bearer\s+[a-zA-Z0-9+/=]{10,}$/i,
+      
+      // Long alphanumeric strings that look like tokens/keys
+      /^[a-zA-Z0-9+/=]{20,}$/,
+      
+      // API key prefixes
+      /^(sk|pk|api|key|token)[-_][a-zA-Z0-9]{10,}$/i,
+      
+      // Common weak passwords (more flexible)
+      /^(admin|password|123|root|test|user|pass|secret|key|token)\d*$/i,
+      
+      // Mixed alphanumeric secrets (6+ chars with both letters and numbers)
+      /^[a-zA-Z0-9]*[a-zA-Z][a-zA-Z0-9]*[0-9][a-zA-Z0-9]*$|^[a-zA-Z0-9]*[0-9][a-zA-Z0-9]*[a-zA-Z][a-zA-Z0-9]*$/,
+      
+      // Secret-like strings with hyphens/underscores
+      /^[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+$/,
+      /^[a-zA-Z0-9]+_[a-zA-Z0-9]+_[a-zA-Z0-9]+$/,
+      
+      // Generic password patterns
+      /^.{8,}[a-zA-Z0-9@#$%^&*()!]+$/,  // Complex passwords 8+ chars
+      
+      // Tokens with specific formats  
+      /^[a-f0-9]{32,}$/i,  // Hex tokens
+      /^[A-Z0-9]{16,}$/,   // Uppercase alphanumeric
+    ];
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      // Skip build directories, test files, and node_modules to reduce false positives
+      if (filePath.includes('build/') || filePath.includes('dist/') ||
+          filePath.includes('node_modules/') || filePath.includes('.next/') ||
+          filePath.includes('vendor/') || filePath.includes('coverage/') ||
+          filePath.includes('.test.') || filePath.includes('.spec.') || 
+          filePath.includes('test/') || filePath.includes('tests/') ||
+          filePath.includes('__tests__/') || filePath.includes('.mock.') ||
+          filePath.includes('mocks/') || filePath.includes('fixtures/')) {
+        continue;
+      }
+      
+      try {
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+      }
+    }
+    
+    return violations;
+  }
+
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    
+    // Find variable declarations and assignments with sensitive names
+    const assignments = this.findSensitiveAssignments(lines);
+    
+    // Find hardcoded secrets in string literals (new enhancement)
+    const stringSecrets = this.findSecretsInStrings(lines);
+    
+    assignments.forEach(assignment => {
+      if (this.isHardcodedSecret(assignment)) {
+        violations.push({
+          file: filePath,
+          line: assignment.line,
+          column: assignment.column,
+          message: `Avoid hardcoding sensitive information such as '${assignment.variableName}'. Use secure storage instead.`,
+          severity: 'warning',
+          ruleId: this.ruleId,
+          type: 'hardcoded_secret',
+          variableName: assignment.variableName,
+          value: assignment.value
+        });
+      }
+    });
+    
+    stringSecrets.forEach(secret => {
+      violations.push({
+        file: filePath,
+        line: secret.line,
+        column: secret.column,
+        message: `Potential hardcoded secret detected: '${secret.pattern}'. Use secure storage instead.`,
+        severity: 'warning',
+        ruleId: this.ruleId,
+        type: 'hardcoded_string_secret',
+        pattern: secret.pattern,
+        value: secret.value
+      });
+    });
+    
+    return violations;
+  }
+  
+  findSensitiveAssignments(lines) {
+    const assignments = [];
+    const processedLines = new Set(); // Avoid duplicates
+    
+    lines.forEach((line, index) => {
+      const trimmedLine = line.trim();
+      const lineKey = `${index}:${trimmedLine}`;
+      
+      // Skip comments, imports, and already processed lines
+      if (this.isCommentOrImport(trimmedLine) || processedLines.has(lineKey)) {
+        return;
+      }
+      
+      // Look for variable declarations: const/let/var name = "value"
+      const declMatch = trimmedLine.match(/(?:const|let|var)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=\s*(['"`][^'"`]*['"`]|[^;,\n]+)/);
+      if (declMatch) {
+        const [, variableName, valueExpr] = declMatch;
+        if (this.hasSensitiveKeyword(variableName)) {
+          assignments.push({
+            line: index + 1,
+            column: line.indexOf(variableName) + 1,
+            variableName,
+            valueExpr: valueExpr.trim(),
+            value: this.extractStringValue(valueExpr),
+            type: 'declaration',
+            originalLine: line
+          });
+          processedLines.add(lineKey);
+        }
+      }
+      
+      // Look for assignments: name = "value" (but not in declarations)
+      else {
+        const assignMatch = trimmedLine.match(/([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=\s*(['"`][^'"`]*['"`]|[^;,\n]+)/);
+        if (assignMatch && !trimmedLine.match(/(?:const|let|var)\s/)) {
+          const [, variableName, valueExpr] = assignMatch;
+          if (this.hasSensitiveKeyword(variableName)) {
+            assignments.push({
+              line: index + 1,
+              column: line.indexOf(variableName) + 1,
+              variableName,
+              valueExpr: valueExpr.trim(), 
+              value: this.extractStringValue(valueExpr),
+              type: 'assignment',
+              originalLine: line
+            });
+            processedLines.add(lineKey);
+          }
+        }
+      }
+    });
+    
+    return assignments;
+  }
+  
+  findSecretsInStrings(lines) {
+    const secrets = [];
+    
+    lines.forEach((line, index) => {
+      const trimmedLine = line.trim();
+      
+      // Skip comments, imports, and test files
+      if (this.isCommentOrImport(trimmedLine) || this.isTestFile(line)) {
+        return;
+      }
+      
+      // Extract all string literals from the line
+      const stringLiterals = this.extractStringLiterals(line);
+      
+      stringLiterals.forEach(literal => {
+        // Check if string looks like a secret pattern
+        const secretPattern = this.detectSecretPattern(literal.value);
+        if (secretPattern) {
+          secrets.push({
+            line: index + 1,
+            column: literal.column,
+            pattern: secretPattern,
+            value: literal.value,
+            originalLine: line
+          });
+        }
+      });
+    });
+    
+    return secrets;
+  }
+  
+  extractStringLiterals(line) {
+    const literals = [];
+    const stringRegex = /(['"`])([^'"`]*)\1/g;
+    let match;
+    
+    while ((match = stringRegex.exec(line)) !== null) {
+      const value = match[2];
+      if (value.length >= 6) { // Only check strings with reasonable length
+        literals.push({
+          value: value,
+          column: match.index + 1
+        });
+      }
+    }
+    
+    return literals;
+  }
+  
+  detectSecretPattern(value) {
+    // Enhanced secret detection patterns
+    const advancedPatterns = [
+      { name: 'JWT Token', pattern: /^eyJ[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+\.?[A-Za-z0-9\-_.+/=]*$/ },
+      { name: 'AWS Access Key', pattern: /^AKIA[0-9A-Z]{16}$/ },
+      { name: 'GitHub Token', pattern: /^gh[pousr]_[A-Za-z0-9_]{36}$/ },
+      { name: 'Slack Token', pattern: /^xox[baprs]-[A-Za-z0-9-]+$/ },
+      { name: 'Base64 Encoded', pattern: /^[A-Za-z0-9+\/]{40,}={0,2}$/ },
+      { name: 'Private Key', pattern: /-----BEGIN [A-Z ]+PRIVATE KEY-----/ },
+      { name: 'Database URL', pattern: /(mongodb|mysql|postgres|redis):\/\/[^\/\s'"]+:[^\/\s'"]+@[^\/\s'"]+/ },
+      { name: 'Long Hex Token', pattern: /^[a-f0-9]{32,}$/i },
+      { name: 'API Key Format', pattern: /^(sk|pk|api|key|token)[-_][a-zA-Z0-9]{10,}$/i },
+      // Removed overly aggressive Complex Password pattern
+    ];
+    
+    for (const {name, pattern} of advancedPatterns) {
+      if (pattern.test(value)) {
+        return name;
+      }
+    }
+    
+    return null;
+  }
+  
+  isTestFile(line) {
+    const testIndicators = ['.spec.', '.test.', '__tests__', 'describe(', 'it(', 'test(', 'expect(', 'jest.', 'mock'];
+    return testIndicators.some(indicator => line.includes(indicator));
+  }
+  
+  findSecretsInStrings(lines) {
+    const secrets = [];
+    
+    lines.forEach((line, index) => {
+      const trimmedLine = line.trim();
+      
+      // Skip comments, imports, and test files
+      if (this.isCommentOrImport(trimmedLine) || this.isTestFile(trimmedLine)) {
+        return;
+      }
+      
+      // Extract all string literals from the line
+      const stringLiterals = this.extractStringLiterals(line);
+      
+      stringLiterals.forEach(literal => {
+        // Check if string looks like a secret pattern
+        const secretPattern = this.detectSecretPattern(literal.value);
+        if (secretPattern) {
+          secrets.push({
+            line: index + 1,
+            column: literal.column,
+            pattern: secretPattern,
+            value: literal.value,
+            originalLine: line
+          });
+        }
+      });
+    });
+    
+    return secrets;
+  }
+  
+  hasSensitiveKeyword(variableName) {
+    const lowerName = variableName.toLowerCase();
+    return this.sensitiveKeywords.some(keyword => lowerName.includes(keyword));
+  }
+  
+  isCommentOrImport(line) {
+    return line.startsWith('//') || line.startsWith('/*') || 
+           line.startsWith('import') || line.startsWith('export') ||
+           line.startsWith('*') || line.startsWith('<');
+  }
+  
+  extractStringValue(valueExpr) {
+    // Extract string literal value
+    const stringMatch = valueExpr.match(/^(['"`])([^'"`]*)\1$/);
+    if (stringMatch) {
+      return stringMatch[2];
+    }
+    return null;
+  }
+  
+  isHardcodedSecret(assignment) {
+    const { variableName, value, valueExpr, originalLine } = assignment;
+    
+    // 1. Skip if it looks like an allowed pattern (state variables, routes, etc.)
+    if (this.isAllowedPattern(variableName, originalLine)) {
+      return false;
+    }
+    
+    // 2. Skip if value comes from environment or dynamic source
+    if (this.isDynamicValue(valueExpr)) {
+      return false;
+    }
+    
+    // 3. Skip if no string value (e.g., boolean, function call)
+    if (!value) {
+      return false;
+    }
+    
+    // 4. Check if the value looks like a hardcoded secret
+    return this.looksLikeSecret(value);
+  }
+  
+  isAllowedPattern(variableName, originalLine) {
+    const lowerName = variableName.toLowerCase();
+    const lowerLine = originalLine.toLowerCase();
+    
+    // Check against allowed patterns
+    if (this.allowedPatterns.some(pattern => pattern.test(lowerName) || pattern.test(lowerLine))) {
+      return true;
+    }
+    
+    // Remove comments before checking for paths to avoid false matches on "//"
+    const codeOnlyLine = lowerLine.replace(/\/\/.*$/, '').replace(/\/\*.*?\*\//g, '');
+    
+    // Special case: route objects and paths (but not comments with //)
+    if (codeOnlyLine.includes('route') || codeOnlyLine.includes('path') || 
+        (codeOnlyLine.includes('/') && !lowerLine.includes('//'))) {
+      return true;
+    }
+    
+    // Special case: React/component props  
+    if (codeOnlyLine.includes('<') || codeOnlyLine.includes('inputtype') || codeOnlyLine.includes('type=')) {
+      return true;
+    }
+    
+    return false;
+  }
+  
+  isDynamicValue(valueExpr) {
+    return this.dynamicPatterns.some(pattern => pattern.test(valueExpr));
+  }
+  
+  looksLikeSecret(value) {
+    // Skip very short values (likely not secrets)
+    if (value.length < 6) {
+      return false;
+    }
+    
+    // Skip common non-secret values
+    const commonValues = ['password', 'bearer', 'basic', 'token', 'key', 'secret', 'admin', 'user'];
+    if (commonValues.includes(value.toLowerCase())) {
+      return false;
+    }
+    
+    // Check against secret patterns
+    return this.secretPatterns.some(pattern => pattern.test(value));
+  }
+}
+
+module.exports = S027Analyzer;

package/rules/security/S027_no_hardcoded_secrets/config.json

@@ -0,0 +1,29 @@
+{
+    "id": "S027",
+    "name": "No Hardcoded Secrets",
+    "description": "Prevent hardcoded passwords, API keys, secrets while avoiding false positives on state variables and configuration.",
+    "category": "security",
+    "severity": "warning",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "secrets", "credentials", "api-keys"],
+    "examples": {
+        "valid": [
+            "const password = process.env.PASSWORD;",
+            "const _isEnablePassCode = useState(false);",
+            "const passwordFieldVisible = true;",
+            "const routes = { setupPassword: '/setup-password' };"
+        ],
+        "invalid": [
+            "const password = 'admin123';",
+            "const apiKey = 'sk-1234567890abcdef';",
+            "const secret = 'my-secret-token';"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule prevents hardcoded sensitive information like passwords, API keys, and secrets in source code. It avoids false positives on state variables, route names, and input type configurations.",
+        "url": "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
+    }
+}