@sun-asterisk/sunlint 1.3.0 → 1.3.2

package/rules/security/S016_no_sensitive_querystring/analyzer.js

@@ -0,0 +1,276 @@
+/**
+ * S016 Main Analyzer - Sensitive Data in URL Query Parameters Detection
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S016 --input=examples/rule-test-fixtures/rules/S016_no_sensitive_querystring --engine=heuristic
+ */
+
+const S016SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S016RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+
+class S016Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S016] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S016] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S016";
+    this.ruleName = "Sensitive Data in URL Query Parameters";
+    this.description =
+      "Do not pass sensitive data (e.g. password, token, secret, apiKey, etc.) via query string in URLs. This can lead to exposure in logs, browser history, and network traces";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      fallbackToRegex: true, // Only when symbol fails completely
+      symbolBasedOnly: false, // Can be set to true for pure mode
+    };
+
+    // Initialize both analyzers
+    try {
+      this.symbolAnalyzer = new S016SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S016] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S016] Error creating symbol analyzer:`, error);
+    }
+
+    try {
+      this.regexAnalyzer = new S016RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S016] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S016] Error creating regex analyzer:`, error);
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S016] Constructor completed`);
+    }
+  }
+
+  /**
+   * Initialize with semantic engine
+   */
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+
+    // Initialize both analyzers
+    await this.symbolAnalyzer.initialize(semanticEngine);
+    await this.regexAnalyzer.initialize(semanticEngine);
+
+    // Ensure verbose flag is propagated
+    this.regexAnalyzer.verbose = this.verbose;
+    this.symbolAnalyzer.verbose = this.verbose;
+
+    if (this.verbose) {
+      console.log(
+        `🔧 [S016 Hybrid] Analyzer initialized - verbose: ${this.verbose}`
+      );
+    }
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S016] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+
+    const violations = [];
+
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S016] Processing file: ${filePath}`);
+        }
+
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S016] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(
+          `⚠ [S016] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S016] Total violations found: ${violations.length}`);
+    }
+
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S016] analyzeFile() called for: ${filePath}`);
+    }
+
+    // 1. Try Symbol-based analysis first (primary)
+    if (
+      this.config.useSymbolBased &&
+      this.semanticEngine?.project &&
+      this.semanticEngine?.initialized
+    ) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S016] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S016] Source file found, analyzing with symbol-based...`
+            );
+          }
+          const violations = await this.symbolAnalyzer.analyzeFileWithSymbols(
+            filePath,
+            { ...options, verbose: options.verbose }
+          );
+
+          // Mark violations with analysis strategy
+          violations.forEach((v) => (v.analysisStrategy = "symbol-based"));
+
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `✅ [S016] Symbol-based analysis: ${violations.length} violations`
+            );
+          }
+          return violations; // Return even if 0 violations - symbol analysis completed successfully
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`⚠️ [S016] Source file not found in project`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠️ [S016] Symbol analysis failed: ${error.message}`);
+        // Continue to fallback
+      }
+    } else {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔄 [S016] Symbol analysis conditions check:`);
+        console.log(`  - useSymbolBased: ${this.config.useSymbolBased}`);
+        console.log(`  - semanticEngine: ${!!this.semanticEngine}`);
+        console.log(
+          `  - semanticEngine.project: ${!!this.semanticEngine?.project}`
+        );
+        console.log(
+          `  - semanticEngine.initialized: ${this.semanticEngine?.initialized}`
+        );
+        console.log(
+          `🔄 [S016] Symbol analysis unavailable, using regex fallback`
+        );
+      }
+    }
+
+    // 2. Fallback to regex-based analysis
+    if (this.config.fallbackToRegex) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S016] Trying regex-based analysis...`);
+        }
+        const violations = await this.regexAnalyzer.analyzeFileBasic(
+          filePath,
+          options
+        );
+
+        // Mark violations with analysis strategy
+        violations.forEach((v) => (v.analysisStrategy = "regex-fallback"));
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔄 [S016] Regex-based analysis: ${violations.length} violations`
+          );
+        }
+        return violations;
+      } catch (error) {
+        console.error(`⚠ [S016] Regex analysis failed: ${error.message}`);
+      }
+    }
+
+    console.log(`🔧 [S016] No analysis methods succeeded, returning empty`);
+    return [];
+  }
+
+  async analyzeFileBasic(filePath, options = {}) {
+    console.log(`🔧 [S016] analyzeFileBasic() called for: ${filePath}`);
+    console.log(`🔧 [S016] semanticEngine exists: ${!!this.semanticEngine}`);
+    console.log(`🔧 [S016] symbolAnalyzer exists: ${!!this.symbolAnalyzer}`);
+    console.log(`🔧 [S016] regexAnalyzer exists: ${!!this.regexAnalyzer}`);
+
+    try {
+      // Try symbol-based analysis first
+      if (
+        this.semanticEngine?.isSymbolEngineReady?.() &&
+        this.semanticEngine.project
+      ) {
+        if (this.verbose) {
+          console.log(`🔍 [S016] Using symbol-based analysis for ${filePath}`);
+        }
+
+        const violations = await this.symbolAnalyzer.analyzeFileBasic(
+          filePath,
+          options
+        );
+        return violations;
+      }
+    } catch (error) {
+      if (this.verbose) {
+        console.warn(`⚠️ [S016] Symbol analysis failed: ${error.message}`);
+      }
+    }
+
+    // Fallback to regex-based analysis
+    if (this.verbose) {
+      console.log(
+        `🔄 [S016] Using regex-based analysis (fallback) for ${filePath}`
+      );
+    }
+
+    console.log(`🔧 [S016] About to call regexAnalyzer.analyzeFileBasic()`);
+    try {
+      const result = await this.regexAnalyzer.analyzeFileBasic(
+        filePath,
+        options
+      );
+      console.log(
+        `🔧 [S016] Regex analyzer returned: ${result.length} violations`
+      );
+      return result;
+    } catch (error) {
+      console.error(`🔧 [S016] Error in regex analyzer:`, error);
+      return [];
+    }
+  }
+
+  /**
+   * Methods for compatibility with different engine invocation patterns
+   */
+  async analyzeFileWithSymbols(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
+  }
+
+  async analyzeWithSemantics(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
+  }
+}
+
+module.exports = S016Analyzer;

package/rules/security/S016_no_sensitive_querystring/config.json

@@ -0,0 +1,127 @@
+{
+  "id": "S016",
+  "name": "Do not pass sensitive data via query string",
+  "category": "security",
+  "description": "S016 - Do not pass sensitive data (e.g. password, token, secret, apiKey, etc.) via query string in URLs. This can lead to exposure in logs, browser history, and network traces",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 2,
+    "timeout": 5000
+  },
+  "validation": {
+    "urlPatterns": [
+      "new URL",
+      "URLSearchParams",
+      "fetch",
+      "axios",
+      "request",
+      "location.href",
+      "location.search",
+      "querystring.stringify",
+      "qs.stringify"
+    ],
+    "sensitivePatterns": [
+      "password",
+      "passwd",
+      "pwd",
+      "pass",
+      "token",
+      "jwt",
+      "accesstoken",
+      "refreshtoken",
+      "bearertoken",
+      "secret",
+      "secretkey",
+      "clientsecret",
+      "serversecret",
+      "apikey",
+      "api_key",
+      "key",
+      "privatekey",
+      "publickey",
+      "auth",
+      "authorization",
+      "authenticate",
+      "sessionid",
+      "session_id",
+      "jsessionid",
+      "csrf",
+      "csrftoken",
+      "xsrf",
+      "ssn",
+      "social",
+      "socialsecurity",
+      "creditcard",
+      "cardnumber",
+      "cardnum",
+      "ccnumber",
+      "cvv",
+      "cvc",
+      "cvd",
+      "cid",
+      "pin",
+      "pincode",
+      "bankaccount",
+      "routing",
+      "iban",
+      "email",
+      "emailaddress",
+      "mail",
+      "phone",
+      "phonenumber",
+      "mobile",
+      "tel",
+      "address",
+      "homeaddress",
+      "zipcode",
+      "postal",
+      "birthdate",
+      "birthday",
+      "dob",
+      "license",
+      "passport",
+      "identity",
+      "salary",
+      "income",
+      "wage",
+      "medical",
+      "health",
+      "diagnosis"
+    ],
+    "httpClientPatterns": [
+      "fetch",
+      "axios.get",
+      "axios.post",
+      "axios.put",
+      "axios.delete",
+      "axios.patch",
+      "axios.request",
+      "request.get",
+      "request.post",
+      "http.get",
+      "http.request",
+      "https.get",
+      "https.request"
+    ]
+  }
+}

package/rules/security/S016_no_sensitive_querystring/regex-based-analyzer.js

@@ -0,0 +1,258 @@
+/**
+ * S016 Regex-based Analyzer - Sensitive Data in URL Query Parameters Detection
+ * Purpose: Fallback pattern matching when symbol analysis fails
+ */
+
+class S016RegexBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = 'S016';
+    this.ruleName = 'Sensitive Data in URL Query Parameters (Regex-Based)';
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+    
+    // URL construction patterns (regex)
+    this.urlConstructionPatterns = [
+      /new\s+URL\s*\([^)]*\)/gi,
+      /new\s+URLSearchParams\s*\([^)]*\)/gi,
+      /window\.location\.href\s*=\s*[^;]+/gi,
+      /location\.href\s*=\s*[^;]+/gi,
+      /location\.search\s*[+]?=\s*[^;]+/gi
+    ];
+    
+    // HTTP client patterns
+    this.httpClientPatterns = [
+      /fetch\s*\(\s*[`"'][^`"']*[?][^`"']*[`"']/gi,
+      /axios\.(get|post|put|delete|patch|request)\s*\([^)]*\)/gi,
+      /request\.(get|post)\s*\([^)]*\)/gi,
+      /https?\.(?:get|request)\s*\([^)]*\)/gi
+    ];
+    
+    // Query string manipulation patterns
+    this.queryStringPatterns = [
+      /querystring\.stringify\s*\([^)]*\)/gi,
+      /qs\.stringify\s*\([^)]*\)/gi,
+      /URLSearchParams\s*\([^)]*\)/gi,
+      /\.search\s*[+]?=\s*[^;]+/gi,
+      /[?&]\w+=[^&\s]+/g
+    ];
+    
+    // Sensitive data patterns (same as symbol-based)
+    this.sensitivePatterns = [
+      // Authentication & Authorization
+      /\b(?:password|passwd|pwd|pass)\b/gi,
+      /\b(?:token|jwt|accesstoken|refreshtoken|bearertoken)\b/gi,
+      /\b(?:secret|secretkey|clientsecret|serversecret)\b/gi,
+      /\b(?:apikey|api_key|key|privatekey|publickey)\b/gi,
+      /\b(?:auth|authorization|authenticate)\b/gi,
+      /\b(?:sessionid|session_id|jsessionid)\b/gi,
+      /\b(?:csrf|csrftoken|xsrf)\b/gi,
+      
+      // Financial & Personal
+      /\b(?:ssn|social|socialsecurity)\b/gi,
+      /\b(?:creditcard|cardnumber|cardnum|ccnumber)\b/gi,
+      /\b(?:cvv|cvc|cvd|cid)\b/gi,
+      /\b(?:pin|pincode)\b/gi,
+      /\b(?:bankaccount|routing|iban)\b/gi,
+      
+      // Personal Identifiable Information
+      /\b(?:email|emailaddress|mail)\b/gi,
+      /\b(?:phone|phonenumber|mobile|tel)\b/gi,
+      /\b(?:address|homeaddress|zipcode|postal)\b/gi,
+      /\b(?:birthdate|birthday|dob)\b/gi,
+      /\b(?:license|passport|identity)\b/gi
+    ];
+    
+    // Combined patterns for efficiency
+    this.allUrlPatterns = [
+      ...this.urlConstructionPatterns,
+      ...this.httpClientPatterns,
+      ...this.queryStringPatterns
+    ];
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+    
+    if (this.verbose) {
+      console.log(`🔧 [S016 Regex-Based] Analyzer initialized`);
+    }
+  }
+
+  async analyzeFileBasic(filePath, options = {}) {
+    const fs = require('fs');
+    const violations = [];
+
+    if (this.verbose) {
+      console.log(`🔧 [S016 Regex] Starting analysis for: ${filePath}`);
+    }
+
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      
+      if (this.verbose) {
+        console.log(`🔧 [S016 Regex] File content length: ${content.length}`);
+      }
+      
+      const lines = content.split('\n');
+      
+      // Find all URL/query related patterns
+      const urlMatches = this.findUrlPatterns(content);
+      
+      if (this.verbose) {
+        console.log(`🔧 [S016 Regex] Found ${urlMatches.length} URL patterns`);
+      }
+
+      for (const match of urlMatches) {
+        const matchViolations = this.analyzeUrlMatch(match, lines, filePath);
+        if (this.verbose && matchViolations.length > 0) {
+          console.log(`🔧 [S016 Regex] Match violations: ${matchViolations.length}`);
+        }
+        violations.push(...matchViolations);
+      }
+
+      if (this.verbose) {
+        console.log(`🔧 [S016 Regex] Total violations found: ${violations.length}`);
+      }
+      
+      return violations;
+    } catch (error) {
+      if (this.verbose) {
+        console.error(`🔧 [S016 Regex] Error analyzing ${filePath}:`, error);
+      }
+      return [];
+    }
+  }
+
+  /**
+   * Find URL patterns in content using regex
+   */
+  findUrlPatterns(content) {
+    const matches = [];
+    
+    for (const pattern of this.allUrlPatterns) {
+      pattern.lastIndex = 0; // Reset regex
+      let match;
+      
+      while ((match = pattern.exec(content)) !== null) {
+        const fullMatch = match[0];
+        
+        // Calculate line number
+        const beforeMatch = content.substring(0, match.index);
+        const lineNumber = beforeMatch.split('\n').length;
+        const lineStart = beforeMatch.lastIndexOf('\n') + 1;
+        const columnNumber = match.index - lineStart + 1;
+        
+        matches.push({
+          fullMatch,
+          lineNumber,
+          columnNumber,
+          startIndex: match.index,
+          pattern: pattern.source
+        });
+      }
+    }
+    
+    return matches;
+  }
+
+  /**
+   * Analyze URL match for sensitive data violations
+   */
+  analyzeUrlMatch(match, lines, filePath) {
+    const violations = [];
+    const { fullMatch, lineNumber, columnNumber, pattern } = match;
+    
+    // Check for sensitive data in the matched content
+    const sensitiveData = this.findSensitiveDataInMatch(fullMatch);
+    
+    if (sensitiveData.length > 0) {
+      const patternType = this.identifyPatternType(pattern);
+      
+      violations.push({
+        ruleId: this.ruleId,
+        severity: 'error',
+        message: 'Sensitive data detected in URL query parameters',
+        source: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: columnNumber,
+        description: `[REGEX-FALLBACK] Sensitive patterns detected: ${sensitiveData.join(', ')}. URLs with sensitive data can be exposed in logs, browser history, and network traces.`,
+        suggestion: 'Move sensitive data to request body (POST/PUT) or use secure headers. For authentication, use proper Authorization header.',
+        category: 'security',
+        patternType: patternType,
+        matchedText: fullMatch.length > 100 ? fullMatch.substring(0, 100) + '...' : fullMatch
+      });
+    }
+    
+    return violations;
+  }
+
+  /**
+   * Find sensitive data patterns in matched text
+   */
+  findSensitiveDataInMatch(matchText) {
+    const sensitiveData = [];
+    
+    for (const pattern of this.sensitivePatterns) {
+      pattern.lastIndex = 0; // Reset regex
+      const matches = matchText.match(pattern);
+      if (matches) {
+        sensitiveData.push(...matches.map(m => m.toLowerCase()));
+      }
+    }
+    
+    return [...new Set(sensitiveData)]; // Remove duplicates
+  }
+
+  /**
+   * Identify what type of pattern was matched
+   */
+  identifyPatternType(patternSource) {
+    if (patternSource.includes('URL') || patternSource.includes('location')) {
+      return 'url_construction';
+    } else if (patternSource.includes('fetch') || patternSource.includes('axios') || patternSource.includes('request')) {
+      return 'http_client';
+    } else if (patternSource.includes('stringify') || patternSource.includes('search')) {
+      return 'query_string';
+    }
+    return 'unknown';
+  }
+
+  async analyze(files, language, options = {}) {
+    if (this.verbose) {
+      console.log(`🔧 [S016 Regex] analyze() called with ${files.length} files, language: ${language}`);
+    }
+    
+    const violations = [];
+    
+    for (const filePath of files) {
+      try {
+        if (this.verbose) {
+          console.log(`🔧 [S016 Regex] Processing file: ${filePath}`);
+        }
+        
+        const fileViolations = await this.analyzeFileBasic(filePath, options);
+        violations.push(...fileViolations);
+        
+        if (this.verbose) {
+          console.log(`🔧 [S016 Regex] File ${filePath}: Found ${fileViolations.length} violations`);
+        }
+      } catch (error) {
+        if (this.verbose) {
+          console.warn(`⚠ [S016 Regex] Analysis failed for ${filePath}:`, error.message);
+        }
+      }
+    }
+    
+    if (this.verbose) {
+      console.log(`🔧 [S016 Regex] Total violations found: ${violations.length}`);
+    }
+    
+    return violations;
+  }
+}
+
+module.exports = S016RegexBasedAnalyzer;