@sun-asterisk/sunlint 1.2.2 → 1.3.1

package/rules/security/S027_no_hardcoded_secrets/analyzer.js

@@ -1,436 +1,250 @@
-/**
- * Heuristic analyzer for: S027 – No Hardcoded Secrets
- * Purpose: Prevent hardcoded passwords, API keys, secrets while avoiding false positives
- * Based on user feedback: avoid flagging state variables, route names, input types
- */
+const fs = require('fs');
+const path = require('path');
 
-class S027Analyzer {
+class S027CategorizedAnalyzer {
   constructor() {
     this.ruleId = 'S027';
-    this.ruleName = 'No Hardcoded Secrets';
-    this.description = 'Không để lộ thông tin bảo mật trong mã nguồn và Git';
+    this.ruleName = 'No Hardcoded Secrets (Categorized)';
+    this.description = 'Phát hiện thông tin bảo mật theo categories với độ ưu tiên khác nhau';
     
-    // Enhanced keywords that indicate sensitive information
-    this.sensitiveKeywords = [
-      'password', 'pass', 'pwd', 'secret', 'key', 'token', 
-      'apikey', 'auth', 'credential', 'seed', 'salt',
-      // Enhanced patterns from roadmap
-      'access_token', 'refresh_token', 'id_token', 'bearer',
-      'client_secret', 'client_id', 'private_key', 'public_key',
-      'encryption_key', 'signing_key', 'session_key',
-      'database_password', 'db_password', 'db_pass',
-      'aws_secret', 'aws_key', 'github_token', 'slack_token',
-      'stripe_key', 'paypal_secret', 'oauth_secret'
-    ];
-    
-    // Patterns that should NOT be flagged (based on user feedback)
-    this.allowedPatterns = [
-      // State variables and flags
-      /^(is|has|enable|show|display|visible|field|strength|valid)/i,
-      /^_(is|has|enable|show|display)/i,
-      
-      // Route/path patterns
-      /\/(setup|forgot|reset|change|update)-?password/i,
-      /password\//i,
-      
-      // Input type configurations
-      /type\s*[=:]\s*['"`]password['"`]/i,
-      /inputtype\s*[=:]\s*['"`]password['"`]/i,
-      
-      // Function names and method calls
-      /^(validate|check|verify|calculate|generate|get|fetch|create)/i,
-      
-      // Component/config properties
-      /^(token|auth|key)type$/i,
-      /enabled?$/i,
-    ];
-    
-    // Patterns that indicate environment variables or dynamic values
-    this.dynamicPatterns = [
-      /process\.env\./i,
-      /getenv\s*\(/i,
-      /config\.get\s*\(/i,
-      /\(\)/i,  // Function calls
-      /await\s+/i,
-      /\.then\s*\(/i,
-    ];
+    // Load categories config
+    this.config = this.loadConfig();
+    this.categories = this.config.categories;
+    this.globalExcludePatterns = this.config.global_exclude_patterns.map(p => new RegExp(p, 'i'));
+    this.minLength = this.config.min_length || 8;
+    this.maxLength = this.config.max_length || 1000;
     
-    // Enhanced secret patterns based on roadmap
-    this.secretPatterns = [
-      // API Keys - Enhanced patterns
-      /(?:api[_-]?key|apikey)['":\s=]+['"]+([a-zA-Z0-9]{20,})['"]+/i,
-      /['"]+[A-Za-z0-9+\/]{40,}={0,2}['"]+/, // Base64 encoded
-      
-      // JWT Tokens
-      /eyJ[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+\.?[A-Za-z0-9\-_.+/=]*/,
-      
-      // AWS Credentials
-      /AKIA[0-9A-Z]{16}/,
-      /['"]+[A-Za-z0-9\/+=]{40}['"]+/, // AWS Secret Key
-      
-      // Database URLs with credentials
-      /(mongodb|mysql|postgres|redis):\/\/[^\/\s'"]+:[^\/\s'"]+@[^\/\s'"]+/,
-      
-      // Private Keys
-      /-----BEGIN [A-Z ]+PRIVATE KEY-----/,
-      
-      // GitHub Tokens
-      /gh[pousr]_[A-Za-z0-9_]{36}/,
-      
-      // Slack Tokens
-      /xox[baprs]-[A-Za-z0-9-]+/,
-      
-      // Bearer tokens
-      /^bearer\s+[a-zA-Z0-9+/=]{10,}$/i,
-      
-      // Long alphanumeric strings that look like tokens/keys
-      /^[a-zA-Z0-9+/=]{20,}$/,
-      
-      // API key prefixes
-      /^(sk|pk|api|key|token)[-_][a-zA-Z0-9]{10,}$/i,
-      
-      // Common weak passwords (more flexible)
-      /^(admin|password|123|root|test|user|pass|secret|key|token)\d*$/i,
-      
-      // Mixed alphanumeric secrets (6+ chars with both letters and numbers)
-      /^[a-zA-Z0-9]*[a-zA-Z][a-zA-Z0-9]*[0-9][a-zA-Z0-9]*$|^[a-zA-Z0-9]*[0-9][a-zA-Z0-9]*[a-zA-Z][a-zA-Z0-9]*$/,
-      
-      // Secret-like strings with hyphens/underscores
-      /^[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+$/,
-      /^[a-zA-Z0-9]+_[a-zA-Z0-9]+_[a-zA-Z0-9]+$/,
-      
-      // Generic password patterns
-      /^.{8,}[a-zA-Z0-9@#$%^&*()!]+$/,  // Complex passwords 8+ chars
-      
-      // Tokens with specific formats  
-      /^[a-f0-9]{32,}$/i,  // Hex tokens
-      /^[A-Z0-9]{16,}$/,   // Uppercase alphanumeric
-    ];
+    // Compile patterns for performance
+    this.compilePatterns();
   }
-
+  
+  loadConfig() {
+    const configPath = path.join(__dirname, 'categories.json');
+    try {
+      const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+      return config.S027;
+    } catch (error) {
+      console.error('Failed to load S027 categories config:', error.message);
+      return { categories: [], global_exclude_patterns: [] };
+    }
+  }
+  
+  compilePatterns() {
+    this.categories.forEach(category => {
+      category.compiledPatterns = category.patterns.map(p => ({
+        regex: new RegExp(p, 'gm'),
+        original: p
+      }));
+      
+      if (category.exclude_patterns) {
+        category.compiledExcludePatterns = category.exclude_patterns.map(p => new RegExp(p, 'i'));
+      }
+    });
+  }
+  
   async analyze(files, language, options = {}) {
     const violations = [];
+    this.currentFilePath = '';
     
     for (const filePath of files) {
-      // Skip build directories, test files, and node_modules to reduce false positives
-      if (filePath.includes('build/') || filePath.includes('dist/') ||
-          filePath.includes('node_modules/') || filePath.includes('.next/') ||
-          filePath.includes('vendor/') || filePath.includes('coverage/') ||
-          filePath.includes('.test.') || filePath.includes('.spec.') || 
-          filePath.includes('test/') || filePath.includes('tests/') ||
-          filePath.includes('__tests__/') || filePath.includes('.mock.') ||
-          filePath.includes('mocks/') || filePath.includes('fixtures/')) {
+      // Skip build/dist/node_modules
+      if (this.shouldSkipFile(filePath)) {
         continue;
       }
       
+      this.currentFilePath = filePath;
+      
       try {
-        const content = require('fs').readFileSync(filePath, 'utf8');
+        const content = fs.readFileSync(filePath, 'utf8');
         const fileViolations = this.analyzeFile(content, filePath);
         violations.push(...fileViolations);
       } catch (error) {
-        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        if (options.verbose) {
+          console.error(`Error analyzing ${filePath}:`, error.message);
+        }
       }
     }
     
     return violations;
   }
-
-  analyzeFile(content, filePath) {
-    const violations = [];
-    const lines = content.split('\n');
-    
-    // Find variable declarations and assignments with sensitive names
-    const assignments = this.findSensitiveAssignments(lines);
-    
-    // Find hardcoded secrets in string literals (new enhancement)
-    const stringSecrets = this.findSecretsInStrings(lines);
-    
-    assignments.forEach(assignment => {
-      if (this.isHardcodedSecret(assignment)) {
-        violations.push({
-          file: filePath,
-          line: assignment.line,
-          column: assignment.column,
-          message: `Avoid hardcoding sensitive information such as '${assignment.variableName}'. Use secure storage instead.`,
-          severity: 'warning',
-          ruleId: this.ruleId,
-          type: 'hardcoded_secret',
-          variableName: assignment.variableName,
-          value: assignment.value
-        });
-      }
-    });
-    
-    stringSecrets.forEach(secret => {
-      violations.push({
-        file: filePath,
-        line: secret.line,
-        column: secret.column,
-        message: `Potential hardcoded secret detected: '${secret.pattern}'. Use secure storage instead.`,
-        severity: 'warning',
-        ruleId: this.ruleId,
-        type: 'hardcoded_string_secret',
-        pattern: secret.pattern,
-        value: secret.value
-      });
-    });
+  
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      'build/', 'dist/', 'node_modules/', '.git/',
+      'coverage/', '.next/', '.cache/', 'tmp/',
+      '.lock', '.log', '.min.js', '.bundle.js'
+    ];
     
-    return violations;
+    return skipPatterns.some(pattern => filePath.includes(pattern));
   }
   
-  findSensitiveAssignments(lines) {
-    const assignments = [];
-    const processedLines = new Set(); // Avoid duplicates
+  analyzeFile(content, filePath) {
+    const violations = [];
+    // Handle different line endings (Windows \r\n, Unix \n, Mac \r)
+    const lines = content.split(/\r?\n/);
+    
+    // Check if this is a test file for context
+    const isTestFile = this.isTestFile(filePath);
     
     lines.forEach((line, index) => {
+      const lineNumber = index + 1;
       const trimmedLine = line.trim();
-      const lineKey = `${index}:${trimmedLine}`;
       
-      // Skip comments, imports, and already processed lines
-      if (this.isCommentOrImport(trimmedLine) || processedLines.has(lineKey)) {
+      // Skip comments and imports
+      if (this.isCommentOrImport(trimmedLine)) {
         return;
       }
       
-      // Look for variable declarations: const/let/var name = "value"
-      const declMatch = trimmedLine.match(/(?:const|let|var)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=\s*(['"`][^'"`]*['"`]|[^;,\n]+)/);
-      if (declMatch) {
-        const [, variableName, valueExpr] = declMatch;
-        if (this.hasSensitiveKeyword(variableName)) {
-          assignments.push({
-            line: index + 1,
-            column: line.indexOf(variableName) + 1,
-            variableName,
-            valueExpr: valueExpr.trim(),
-            value: this.extractStringValue(valueExpr),
-            type: 'declaration',
-            originalLine: line
-          });
-          processedLines.add(lineKey);
-        }
-      }
-      
-      // Look for assignments: name = "value" (but not in declarations)
-      else {
-        const assignMatch = trimmedLine.match(/([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=\s*(['"`][^'"`]*['"`]|[^;,\n]+)/);
-        if (assignMatch && !trimmedLine.match(/(?:const|let|var)\s/)) {
-          const [, variableName, valueExpr] = assignMatch;
-          if (this.hasSensitiveKeyword(variableName)) {
-            assignments.push({
-              line: index + 1,
-              column: line.indexOf(variableName) + 1,
-              variableName,
-              valueExpr: valueExpr.trim(), 
-              value: this.extractStringValue(valueExpr),
-              type: 'assignment',
-              originalLine: line
-            });
-            processedLines.add(lineKey);
-          }
-        }
-      }
-    });
-    
-    return assignments;
-  }
-  
-  findSecretsInStrings(lines) {
-    const secrets = [];
-    
-    lines.forEach((line, index) => {
-      const trimmedLine = line.trim();
-      
-      // Skip comments, imports, and test files
-      if (this.isCommentOrImport(trimmedLine) || this.isTestFile(line)) {
+      // Check global exclude patterns first
+      if (this.matchesGlobalExcludes(line)) {
         return;
       }
       
-      // Extract all string literals from the line
-      const stringLiterals = this.extractStringLiterals(line);
-      
-      stringLiterals.forEach(literal => {
-        // Check if string looks like a secret pattern
-        const secretPattern = this.detectSecretPattern(literal.value);
-        if (secretPattern) {
-          secrets.push({
-            line: index + 1,
-            column: literal.column,
-            pattern: secretPattern,
-            value: literal.value,
-            originalLine: line
-          });
-        }
+      // Check each category
+      this.categories.forEach(category => {
+        const categoryViolations = this.checkCategory(
+          category, line, lineNumber, filePath, isTestFile
+        );
+        violations.push(...categoryViolations);
       });
     });
     
-    return secrets;
+    return violations;
   }
   
-  extractStringLiterals(line) {
-    const literals = [];
-    const stringRegex = /(['"`])([^'"`]*)\1/g;
-    let match;
-    
-    while ((match = stringRegex.exec(line)) !== null) {
-      const value = match[2];
-      if (value.length >= 6) { // Only check strings with reasonable length
-        literals.push({
-          value: value,
-          column: match.index + 1
-        });
-      }
-    }
+  isTestFile(filePath) {
+    const testPatterns = [
+      /\.(test|spec)\./i,
+      /__tests__/i,
+      /\/tests?\//i,
+      /\/spec\//i,
+      /setupTests/i,
+      /testSetup/i,
+      /test[-_]/i,  // Matches test- or test_
+      /^.*\/test[^\/]*\.js$/i  // Matches files starting with test
+    ];
     
-    return literals;
+    return testPatterns.some(pattern => pattern.test(filePath));
   }
   
-  detectSecretPattern(value) {
-    // Enhanced secret detection patterns
-    const advancedPatterns = [
-      { name: 'JWT Token', pattern: /^eyJ[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+\.?[A-Za-z0-9\-_.+/=]*$/ },
-      { name: 'AWS Access Key', pattern: /^AKIA[0-9A-Z]{16}$/ },
-      { name: 'GitHub Token', pattern: /^gh[pousr]_[A-Za-z0-9_]{36}$/ },
-      { name: 'Slack Token', pattern: /^xox[baprs]-[A-Za-z0-9-]+$/ },
-      { name: 'Base64 Encoded', pattern: /^[A-Za-z0-9+\/]{40,}={0,2}$/ },
-      { name: 'Private Key', pattern: /-----BEGIN [A-Z ]+PRIVATE KEY-----/ },
-      { name: 'Database URL', pattern: /(mongodb|mysql|postgres|redis):\/\/[^\/\s'"]+:[^\/\s'"]+@[^\/\s'"]+/ },
-      { name: 'Long Hex Token', pattern: /^[a-f0-9]{32,}$/i },
-      { name: 'API Key Format', pattern: /^(sk|pk|api|key|token)[-_][a-zA-Z0-9]{10,}$/i },
-      // Removed overly aggressive Complex Password pattern
-    ];
-    
-    for (const {name, pattern} of advancedPatterns) {
-      if (pattern.test(value)) {
-        return name;
-      }
-    }
-    
-    return null;
+  isCommentOrImport(line) {
+    return line.startsWith('//') || line.startsWith('/*') || 
+           line.startsWith('import') || line.startsWith('export') ||
+           line.startsWith('*') || line.startsWith('<');
   }
   
-  isTestFile(line) {
-    const testIndicators = ['.spec.', '.test.', '__tests__', 'describe(', 'it(', 'test(', 'expect(', 'jest.', 'mock'];
-    return testIndicators.some(indicator => line.includes(indicator));
+  matchesGlobalExcludes(line) {
+    return this.globalExcludePatterns.some(pattern => pattern.test(line));
   }
   
-  findSecretsInStrings(lines) {
-    const secrets = [];
+  checkCategory(category, line, lineNumber, filePath, isTestFile) {
+    const violations = [];
     
-    lines.forEach((line, index) => {
-      const trimmedLine = line.trim();
-      
-      // Skip comments, imports, and test files
-      if (this.isCommentOrImport(trimmedLine) || this.isTestFile(trimmedLine)) {
-        return;
-      }
+    category.compiledPatterns.forEach(({ regex, original }) => {
+      let match;
       
-      // Extract all string literals from the line
-      const stringLiterals = this.extractStringLiterals(line);
+      // Reset regex lastIndex for global patterns
+      regex.lastIndex = 0;
       
-      stringLiterals.forEach(literal => {
-        // Check if string looks like a secret pattern
-        const secretPattern = this.detectSecretPattern(literal.value);
-        if (secretPattern) {
-          secrets.push({
-            line: index + 1,
-            column: literal.column,
-            pattern: secretPattern,
-            value: literal.value,
-            originalLine: line
-          });
+      while ((match = regex.exec(line)) !== null) {
+        const matchedText = match[0];
+        const column = match.index + 1;
+        
+        // Check length constraints
+        if (matchedText.length < this.minLength || matchedText.length > this.maxLength) {
+          continue;
         }
-      });
+        
+        // Check category-specific excludes
+        if (category.compiledExcludePatterns && 
+            category.compiledExcludePatterns.some(pattern => pattern.test(matchedText))) {
+          continue;
+        }
+        
+        // Be more lenient in test files for lower severity categories
+        // But still report critical/high severity issues even in test files
+        if (isTestFile && category.severity === 'low') {
+          continue;
+        }
+        
+        violations.push({
+          file: filePath,
+          line: lineNumber,
+          column: column,
+          message: `[${category.name}] Potential ${category.severity} security risk: '${matchedText}'. ${category.description}`,
+          severity: this.mapSeverity(category.severity),
+          ruleId: this.ruleId,
+          category: category.name,
+          categoryDescription: category.description,
+          matchedPattern: original,
+          matchedText: matchedText
+        });
+      }
     });
     
-    return secrets;
-  }
-  
-  hasSensitiveKeyword(variableName) {
-    const lowerName = variableName.toLowerCase();
-    return this.sensitiveKeywords.some(keyword => lowerName.includes(keyword));
-  }
-  
-  isCommentOrImport(line) {
-    return line.startsWith('//') || line.startsWith('/*') || 
-           line.startsWith('import') || line.startsWith('export') ||
-           line.startsWith('*') || line.startsWith('<');
+    return violations;
   }
   
-  extractStringValue(valueExpr) {
-    // Extract string literal value
-    const stringMatch = valueExpr.match(/^(['"`])([^'"`]*)\1$/);
-    if (stringMatch) {
-      return stringMatch[2];
-    }
-    return null;
+  mapSeverity(categorySeverity) {
+    const severityMap = {
+      'critical': 'error',
+      'high': 'warning', 
+      'medium': 'warning',
+      'low': 'info'
+    };
+    
+    return severityMap[categorySeverity] || 'warning';
   }
   
-  isHardcodedSecret(assignment) {
-    const { variableName, value, valueExpr, originalLine } = assignment;
-    
-    // 1. Skip if it looks like an allowed pattern (state variables, routes, etc.)
-    if (this.isAllowedPattern(variableName, originalLine)) {
-      return false;
-    }
-    
-    // 2. Skip if value comes from environment or dynamic source
-    if (this.isDynamicValue(valueExpr)) {
-      return false;
-    }
+  // Method for getting category statistics
+  getCategoryStats(violations) {
+    const stats = {};
+    
+    violations.forEach(violation => {
+      const category = violation.category;
+      if (!stats[category]) {
+        stats[category] = {
+          count: 0,
+          severity: violation.severity,
+          files: new Set()
+        };
+      }
+      stats[category].count++;
+      stats[category].files.add(violation.file);
+    });
     
-    // 3. Skip if no string value (e.g., boolean, function call)
-    if (!value) {
-      return false;
-    }
+    // Convert Set to array for JSON serialization
+    Object.keys(stats).forEach(category => {
+      stats[category].files = Array.from(stats[category].files);
+      stats[category].fileCount = stats[category].files.length;
+    });
     
-    // 4. Check if the value looks like a hardcoded secret
-    return this.looksLikeSecret(value);
+    return stats;
   }
   
-  isAllowedPattern(variableName, originalLine) {
-    const lowerName = variableName.toLowerCase();
-    const lowerLine = originalLine.toLowerCase();
-    
-    // Check against allowed patterns
-    if (this.allowedPatterns.some(pattern => pattern.test(lowerName) || pattern.test(lowerLine))) {
-      return true;
-    }
-    
-    // Remove comments before checking for paths to avoid false matches on "//"
-    const codeOnlyLine = lowerLine.replace(/\/\/.*$/, '').replace(/\/\*.*?\*\//g, '');
-    
-    // Special case: route objects and paths (but not comments with //)
-    if (codeOnlyLine.includes('route') || codeOnlyLine.includes('path') || 
-        (codeOnlyLine.includes('/') && !lowerLine.includes('//'))) {
-      return true;
-    }
-    
-    // Special case: React/component props  
-    if (codeOnlyLine.includes('<') || codeOnlyLine.includes('inputtype') || codeOnlyLine.includes('type=')) {
-      return true;
+  // Method for filtering by category
+  filterByCategory(violations, categoryNames) {
+    if (!categoryNames || categoryNames.length === 0) {
+      return violations;
     }
     
-    return false;
-  }
-  
-  isDynamicValue(valueExpr) {
-    return this.dynamicPatterns.some(pattern => pattern.test(valueExpr));
+    return violations.filter(violation => 
+      categoryNames.includes(violation.category)
+    );
   }
   
-  looksLikeSecret(value) {
-    // Skip very short values (likely not secrets)
-    if (value.length < 6) {
-      return false;
-    }
+  // Method for filtering by severity
+  filterBySeverity(violations, minSeverity = 'info') {
+    const severityOrder = ['info', 'warning', 'error'];
+    const minIndex = severityOrder.indexOf(minSeverity);
     
-    // Skip common non-secret values
-    const commonValues = ['password', 'bearer', 'basic', 'token', 'key', 'secret', 'admin', 'user'];
-    if (commonValues.includes(value.toLowerCase())) {
-      return false;
-    }
+    if (minIndex === -1) return violations;
     
-    // Check against secret patterns
-    return this.secretPatterns.some(pattern => pattern.test(value));
+    return violations.filter(violation => {
+      const violationIndex = severityOrder.indexOf(violation.severity);
+      return violationIndex >= minIndex;
+    });
   }
 }
 
-module.exports = S027Analyzer;
+module.exports = S027CategorizedAnalyzer;