@sun-asterisk/sunlint 1.2.1 → 1.3.0

package/rules/security/S029_csrf_protection/analyzer.js

@@ -0,0 +1,330 @@
+const fs = require('fs');
+const path = require('path');
+
+class S029Analyzer {
+  constructor() {
+    this.ruleId = 'S029';
+    this.ruleName = 'CSRF Protection Required';
+    this.description = 'Cần áp dụng cơ chế chống CSRF cho các chức năng xác thực';
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`🔍 Running S029 analysis on ${path.basename(filePath)}`);
+      }
+      
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = await this.analyzeFile(filePath, content, language, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+      }
+    }
+    
+    return violations;
+  }
+
+  async analyzeFile(filePath, content, language, config) {
+    switch (language) {
+      case 'typescript':
+      case 'javascript':
+        return this.analyzeTypeScript(filePath, content, config);
+      default:
+        return [];
+    }
+  }
+
+  async analyzeTypeScript(filePath, content, config) {
+    const violations = [];
+    const lines = content.split('\n');
+    
+    // Find lines where global CSRF protection is applied
+    const globalCSRFLines = this.findGlobalCSRFLines(lines);
+    
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      const trimmedLine = line.trim();
+
+      // Skip comments and imports
+      if (this.isCommentOrImport(trimmedLine)) {
+        return;
+      }
+
+      // Look for Express route handlers that need CSRF protection
+      const routeHandlers = this.findRouteHandlers(trimmedLine, line);
+      
+      routeHandlers.forEach(handler => {
+        // Skip if this is a mock or test context
+        if (this.isMockOrTestContext(content, handler.instance)) {
+          return;
+        }
+        
+        // Check if global CSRF protection was applied before this route
+        const hasGlobalCSRFProtection = this.hasGlobalCSRFProtectionBeforeLine(globalCSRFLines, index, handler.instance);
+        
+        // Check if this specific route has CSRF protection
+        const hasRouteCSRFProtection = this.hasRouteSpecificCSRFProtection(lines, index, handler);
+        
+        if (!hasGlobalCSRFProtection && !hasRouteCSRFProtection) {
+          violations.push({
+            ruleId: this.ruleId,
+            file: filePath,
+            line: lineNumber,
+            column: handler.column,
+            message: `CSRF protection is missing for route handler '${handler.route}'. Apply csurf() or equivalent middleware`,
+            severity: 'error',
+            code: trimmedLine,
+            type: 'missing_csrf_protection',
+            confidence: handler.confidence,
+            suggestion: 'Add CSRF middleware: app.use(csurf()) or use CSRF token validation'
+          });
+        }
+      });
+    });
+
+    return violations;
+  }
+
+  isCommentOrImport(line) {
+    const trimmed = line.trim();
+    return trimmed.startsWith('//') || 
+           trimmed.startsWith('/*') || 
+           trimmed.startsWith('*') ||
+           trimmed.startsWith('import ') ||
+           trimmed.startsWith('export ');
+  }
+
+  findRouteHandlers(line, originalLine) {
+    const handlers = [];
+    const foundMatches = new Set(); // Prevent duplicates
+    
+    // Only detect Express.js route patterns, not HTTP client methods
+    const routePatterns = [
+      // Express method with middleware: app.post('/path', middleware, handler)
+      {
+        regex: /\b(app|router|server)\s*\.\s*(post|put|delete|patch)\s*\(\s*(['"`][^'"`]*['"`])\s*,/gi,
+        type: 'express_route_with_middleware',
+        priority: 1 // Higher priority to check first
+      },
+      // app.post(), router.put(), etc.
+      {
+        regex: /\b(app|router|server)\s*\.\s*(post|put|delete|patch)\s*\(\s*(['"`][^'"`]*['"`])/gi,
+        type: 'express_route',
+        priority: 2
+      }
+    ];
+
+    // Sort by priority to avoid duplicates
+    routePatterns.sort((a, b) => a.priority - b.priority);
+
+    routePatterns.forEach(pattern => {
+      let match;
+      while ((match = pattern.regex.exec(line)) !== null) {
+        const instance = match[1]; // app, router, server
+        const method = match[2];   // post, put, delete, patch
+        const route = match[3];    // '/path'
+        const matchKey = `${instance}.${method}(${route})`; // Unique key
+        
+        // Skip duplicates
+        if (foundMatches.has(matchKey)) {
+          continue;
+        }
+        
+        // Skip if it's clearly not Express.js context
+        if (this.isNotExpressContext(line, instance)) {
+          continue;
+        }
+
+        foundMatches.add(matchKey);
+        handlers.push({
+          type: pattern.type,
+          instance: instance,
+          method: method,
+          route: route.replace(/['"]/g, ''),
+          column: match.index + 1,
+          confidence: this.calculateConfidence(line, pattern.type)
+        });
+      }
+    });
+
+    return handlers;
+  }
+
+  isNotExpressContext(line, instance) {
+    // Skip HTTP client methods (like axios, fetch wrappers)
+    const clientPatterns = [
+      'public ', 'private ', 'protected ',  // Class methods
+      'async ', 'function ',                // Function definitions
+      'const ', 'let ', 'var ',            // Variable assignments
+      ': Promise<', ': BaseResponse<',      // TypeScript return types
+      'this.http', 'httpClient',            // HTTP client instances
+      'axios.', 'fetch(',                   // HTTP client calls
+    ];
+
+    const lowerLine = line.toLowerCase();
+    
+    // If line contains client patterns, likely not Express route
+    const hasClientPattern = clientPatterns.some(pattern => 
+      lowerLine.includes(pattern.toLowerCase())
+    );
+
+    if (hasClientPattern) {
+      return true;
+    }
+
+    // If instance name suggests HTTP client, skip
+    const clientInstanceNames = ['httpclient', 'client', 'api', 'service'];
+    if (clientInstanceNames.includes(instance.toLowerCase())) {
+      return true;
+    }
+
+    return false;
+  }
+
+  // Check if the file content suggests this is a mock/test rather than real Express app
+  isMockOrTestContext(content, instance) {
+    const lowerContent = content.toLowerCase();
+    
+    // Look for mock object definitions
+    const mockPatterns = [
+      `const ${instance.toLowerCase()} = {`,
+      `let ${instance.toLowerCase()} = {`,
+      `var ${instance.toLowerCase()} = {`,
+      `${instance.toLowerCase()}: {`,
+    ];
+    
+    const hasMockDefinition = mockPatterns.some(pattern => 
+      lowerContent.includes(pattern)
+    );
+    
+    if (hasMockDefinition) {
+      return true;
+    }
+    
+    // Check for test file patterns
+    const testIndicators = ['.test.', '.spec.', '__tests__', 'test case', 'mock'];
+    const isTestContext = testIndicators.some(indicator => 
+      lowerContent.includes(indicator)
+    );
+    
+    return isTestContext;
+  }
+
+  hasCSRFProtection(content) {
+    const csrfPatterns = [
+      // Middleware usage
+      'csurf()',
+      'csrfProtection',
+      'verifyCsrfToken',
+      'checkCsrf',
+      'csrf-token',
+      '_csrf',
+      
+      // Manual CSRF checks
+      'req.csrfToken',
+      'csrf.verify',
+      'validateCSRF',
+      
+      // Security headers
+      'x-csrf-token',
+      'x-xsrf-token',
+      
+      // Framework-specific
+      'protect_from_forgery',  // Rails
+      '@csrf',                 // Laravel
+    ];
+
+    const lowerContent = content.toLowerCase();
+    
+    return csrfPatterns.some(pattern => 
+      lowerContent.includes(pattern.toLowerCase())
+    );
+  }
+
+  hasGlobalCSRFProtection(content) {
+    // Check for global CSRF middleware: app.use(csurf())
+    const globalPatterns = [
+      /\b(app|router|server)\s*\.\s*use\s*\(\s*csurf\(\)/gi,
+      /\b(app|router|server)\s*\.\s*use\s*\(\s*csrfProtection/gi,
+      /\b(app|router|server)\s*\.\s*use\s*\(\s*csrf\(\)/gi,
+    ];
+
+    return globalPatterns.some(pattern => pattern.test(content));
+  }
+
+  findGlobalCSRFLines(lines) {
+    const csrfLines = [];
+    
+    lines.forEach((line, index) => {
+      const globalPatterns = [
+        /\b(app|router|server)\s*\.\s*use\s*\(\s*csurf\(\)/gi,
+        /\b(app|router|server)\s*\.\s*use\s*\(\s*csrfProtection/gi,
+        /\b(app|router|server)\s*\.\s*use\s*\(\s*csrf\(\)/gi,
+      ];
+
+      globalPatterns.forEach(pattern => {
+        let match;
+        while ((match = pattern.exec(line)) !== null) {
+          csrfLines.push({
+            lineIndex: index,
+            instance: match[1], // app, router, server
+            line: line.trim()
+          });
+        }
+      });
+    });
+
+    return csrfLines;
+  }
+
+  hasGlobalCSRFProtectionBeforeLine(globalCSRFLines, routeLineIndex, routeInstance) {
+    // Check if any global CSRF protection was applied for this instance before this route
+    return globalCSRFLines.some(csrf => 
+      csrf.instance === routeInstance && csrf.lineIndex < routeLineIndex
+    );
+  }
+
+  hasRouteSpecificCSRFProtection(lines, currentIndex, handler) {
+    // Check if the route has CSRF middleware as parameter
+    // e.g. app.post('/path', csrfProtection, handler)
+    const currentLine = lines[currentIndex];
+    
+    const csrfMiddlewarePatterns = [
+      'csrfProtection',
+      'csurf()',
+      'verifyCsrfToken',
+      'checkCsrf',
+    ];
+
+    return csrfMiddlewarePatterns.some(pattern => 
+      currentLine.includes(pattern)
+    );
+  }
+
+  calculateConfidence(line, patternType) {
+    let confidence = 0.8;
+    
+    // Higher confidence for clear Express patterns
+    if (patternType === 'express_route_with_middleware') {
+      confidence += 0.1;
+    }
+
+    // Lower confidence if mixed with client-like patterns
+    const clientIndicators = ['public', 'class', 'Promise<', 'async'];
+    const hasClientIndicators = clientIndicators.some(indicator => 
+      line.includes(indicator)
+    );
+    
+    if (hasClientIndicators) {
+      confidence -= 0.3;
+    }
+
+    return Math.max(0.3, Math.min(1.0, confidence));
+  }
+}
+
+module.exports = new S029Analyzer();

package/rules/tests/C002_no_duplicate_code.test.js

@@ -0,0 +1,50 @@
+/**
+ * C002_no_duplicate_code - Rule Tests
+ * Tests for heuristic rule analyzer
+ */
+
+const C002_no_duplicate_codeAnalyzer = require('./analyzer');
+
+describe('C002_no_duplicate_code Heuristic Rule', () => {
+    let analyzer;
+
+    beforeEach(() => {
+        analyzer = new C002_no_duplicate_codeAnalyzer();
+    });
+
+    describe('Valid Code', () => {
+        test('should not report violations for valid code', () => {
+            const code = `
+                // TODO: Add valid code examples
+            `;
+
+            const violations = analyzer.analyze(code, 'test.js');
+            expect(violations).toHaveLength(0);
+        });
+    });
+
+    describe('Invalid Code', () => {
+        test('should report violations for invalid code', () => {
+            const code = `
+                // TODO: Add invalid code examples
+            `;
+
+            const violations = analyzer.analyze(code, 'test.js');
+            expect(violations.length).toBeGreaterThan(0);
+            expect(violations[0].ruleId).toBe('C002_no_duplicate_code');
+        });
+    });
+
+    describe('Edge Cases', () => {
+        test('should handle empty code', () => {
+            const violations = analyzer.analyze('', 'test.js');
+            expect(violations).toHaveLength(0);
+        });
+
+        test('should handle syntax errors gracefully', () => {
+            const code = 'invalid javascript syntax {{{';
+            const violations = analyzer.analyze(code, 'test.js');
+            expect(Array.isArray(violations)).toBe(true);
+        });
+    });
+});

package/rules/utils/ast-utils.js

@@ -0,0 +1,191 @@
+/**
+ * AST Utilities for Heuristic Rules
+ * Provides AST parsing and traversal utilities for rule analyzers
+ */
+
+class ASTUtils {
+    constructor() {
+        this.supportedLanguages = ['javascript', 'typescript'];
+    }
+
+    /**
+     * Parse code content into AST
+     * @param {string} content - Code content
+     * @param {string} language - Language (javascript, typescript)
+     * @returns {Object|null} Parsed AST or null if parsing fails
+     */
+    parse(content, language = 'javascript') {
+        try {
+            // TODO: Implement proper AST parsing
+            // For now, return a simple representation
+            return {
+                type: 'Program',
+                body: [],
+                language,
+                sourceCode: content
+            };
+        } catch (error) {
+            console.warn('AST parsing failed:', error.message);
+            return null;
+        }
+    }
+
+    /**
+     * Find function declarations in code
+     * @param {string} content - Code content
+     * @returns {Array} Array of function matches
+     */
+    findFunctions(content) {
+        const functions = [];
+        const functionRegex = /(?:function\s+(\w+)|(\w+)\s*=\s*function|(\w+)\s*=\s*\([^)]*\)\s*=>)/g;
+        let match;
+
+        while ((match = functionRegex.exec(content)) !== null) {
+            const line = this.getLineNumber(content, match.index);
+            const functionName = match[1] || match[2] || match[3];
+            
+            functions.push({
+                name: functionName,
+                line: line,
+                column: match.index - this.getLineStart(content, match.index),
+                match: match[0]
+            });
+        }
+
+        return functions;
+    }
+
+    /**
+     * Find variable declarations
+     * @param {string} content - Code content
+     * @returns {Array} Array of variable matches
+     */
+    findVariables(content) {
+        const variables = [];
+        const varRegex = /(?:var|let|const)\s+(\w+)/g;
+        let match;
+
+        while ((match = varRegex.exec(content)) !== null) {
+            const line = this.getLineNumber(content, match.index);
+            
+            variables.push({
+                name: match[1],
+                line: line,
+                column: match.index - this.getLineStart(content, match.index),
+                type: match[0].split(' ')[0] // var, let, const
+            });
+        }
+
+        return variables;
+    }
+
+    /**
+     * Find import/require statements
+     * @param {string} content - Code content
+     * @returns {Array} Array of import matches
+     */
+    findImports(content) {
+        const imports = [];
+        
+        // ES6 imports
+        const importRegex = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
+        let match;
+
+        while ((match = importRegex.exec(content)) !== null) {
+            const line = this.getLineNumber(content, match.index);
+            imports.push({
+                type: 'import',
+                module: match[1],
+                line: line,
+                match: match[0]
+            });
+        }
+
+        // CommonJS requires
+        const requireRegex = /require\(['"]([^'"]+)['"]\)/g;
+        while ((match = requireRegex.exec(content)) !== null) {
+            const line = this.getLineNumber(content, match.index);
+            imports.push({
+                type: 'require',
+                module: match[1],
+                line: line,
+                match: match[0]
+            });
+        }
+
+        return imports;
+    }
+
+    /**
+     * Get line number for a character index
+     * @param {string} content - Code content
+     * @param {number} index - Character index
+     * @returns {number} Line number (1-based)
+     */
+    getLineNumber(content, index) {
+        return content.substring(0, index).split('\n').length;
+    }
+
+    /**
+     * Get line start position for a character index
+     * @param {string} content - Code content
+     * @param {number} index - Character index
+     * @returns {number} Line start index
+     */
+    getLineStart(content, index) {
+        const beforeIndex = content.substring(0, index);
+        const lastNewline = beforeIndex.lastIndexOf('\n');
+        return lastNewline === -1 ? 0 : lastNewline + 1;
+    }
+
+    /**
+     * Get line content for a line number
+     * @param {string} content - Code content
+     * @param {number} lineNumber - Line number (1-based)
+     * @returns {string} Line content
+     */
+    getLineContent(content, lineNumber) {
+        const lines = content.split('\n');
+        return lines[lineNumber - 1] || '';
+    }
+
+    /**
+     * Check if position is inside a comment
+     * @param {string} content - Code content
+     * @param {number} index - Character index
+     * @returns {boolean} True if inside comment
+     */
+    isInComment(content, index) {
+        const beforeIndex = content.substring(0, index);
+        
+        // Single line comment
+        const lastLineStart = beforeIndex.lastIndexOf('\n');
+        const lineContent = beforeIndex.substring(lastLineStart + 1);
+        if (lineContent.includes('//')) {
+            return true;
+        }
+
+        // Block comment
+        const lastBlockStart = beforeIndex.lastIndexOf('/*');
+        const lastBlockEnd = beforeIndex.lastIndexOf('*/');
+        
+        return lastBlockStart > lastBlockEnd;
+    }
+
+    /**
+     * Extract function parameters
+     * @param {string} functionDeclaration - Function declaration string
+     * @returns {Array} Array of parameter names
+     */
+    extractParameters(functionDeclaration) {
+        const paramMatch = functionDeclaration.match(/\(([^)]*)\)/);
+        if (!paramMatch || !paramMatch[1]) return [];
+        
+        return paramMatch[1]
+            .split(',')
+            .map(param => param.trim().split('=')[0].trim()) // Handle default parameters
+            .filter(param => param.length > 0);
+    }
+}
+
+module.exports = { ASTUtils };

package/rules/utils/base-analyzer.js

@@ -0,0 +1,98 @@
+/**
+ * Base Analyzer Class for SunLint Rules
+ * Provides common functionality and consistent severity management
+ */
+
+const { getSeverity, isValidSeverity } = require('./severity-constants');
+
+class BaseAnalyzer {
+  constructor(ruleId, ruleName, description, category = 'QUALITY') {
+    this.ruleId = ruleId;
+    this.ruleName = ruleName;
+    this.description = description;
+    this.category = category;
+    
+    // Severity will be determined dynamically
+    this._severity = null;
+  }
+  
+  /**
+   * Get severity for this rule, considering config overrides
+   * @param {Object} config - Configuration object
+   * @returns {string} Severity level
+   */
+  getSeverity(config = {}) {
+    // Check if already cached
+    if (this._severity) {
+      return this._severity;
+    }
+    
+    // Get from config override
+    const configOverride = config?.rules?.[this.ruleId]?.severity || 
+                          config?.rules?.[this.ruleId];
+    
+    this._severity = getSeverity(this.ruleId, this.category, configOverride);
+    return this._severity;
+  }
+  
+  /**
+   * Set severity (for backward compatibility or testing)
+   * @param {string} severity - Severity level
+   */
+  setSeverity(severity) {
+    if (!isValidSeverity(severity)) {
+      console.warn(`Invalid severity '${severity}' for rule ${this.ruleId}. Using default.`);
+      return;
+    }
+    this._severity = severity;
+  }
+  
+  /**
+   * Create a violation object with consistent structure
+   * @param {Object} params - Violation parameters
+   * @returns {Object} Formatted violation
+   */
+  createViolation(params) {
+    const {
+      filePath,
+      line,
+      column,
+      message,
+      source,
+      suggestion,
+      additionalData = {}
+    } = params;
+    
+    return {
+      ruleId: this.ruleId,
+      severity: this._severity || this.getSeverity(),
+      message: message || this.description,
+      filePath,
+      line,
+      column,
+      source,
+      suggestion,
+      category: this.category,
+      ...additionalData
+    };
+  }
+  
+  /**
+   * Check if rule is enabled based on severity
+   * @param {Object} config - Configuration
+   * @returns {boolean} True if rule should run
+   */
+  isEnabled(config = {}) {
+    const severity = this.getSeverity(config);
+    return severity !== 'off';
+  }
+  
+  /**
+   * Abstract analyze method - must be implemented by subclasses
+   */
+  async analyze(files, language, config) {
+    throw new Error(`analyze() method must be implemented by ${this.constructor.name}`);
+  }
+}
+
+module.exports = BaseAnalyzer;