npm - @sun-asterisk/sunlint - Versions diffs - 1.3.0 → 1.3.2 - Mend

@sun-asterisk/sunlint 1.3.0 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (124) hide show

package/rules/security/S055_content_type_validation/analyzer.js ADDED Viewed

@@ -0,0 +1,312 @@
+/**
+ * Heuristic analyzer for S055 - Content-Type Validation in REST Services
+ * Purpose: Detect REST endpoints that process request body without validating Content-Type
+ * Based on OWASP ASVS 13.2.5 - Input Validation
+ */
+class S055Analyzer {
+  constructor() {
+    this.ruleId = 'S055';
+    this.ruleName = 'Content-Type Validation in REST Services';
+    this.description = 'Verify that REST services explicitly check the incoming Content-Type';
+    // HTTP methods that typically have request bodies
+    this.httpMethodsWithBody = [
+      'post', 'put', 'patch', 'delete'
+    ];
+    // Patterns that indicate request body usage
+    this.requestBodyPatterns = [
+      // Express.js patterns
+      /req\.body/i,
+      /request\.body/i,
+      // NestJS patterns
+      /@Body\(\)/i,
+      /@Body\([^)]*\)/i,
+      // Generic body access patterns
+      /\.body\s*[;\.,\]\}]/i,
+      /body\s*[:=]/i,
+    ];
+    // Patterns that indicate Content-Type validation
+    this.contentTypeValidationPatterns = [
+      // Express.js validation methods
+      /req\.is\s*\(\s*['"`][^'"`]*application\/[^'"`]*['"`]\s*\)/i,
+      /request\.is\s*\(\s*['"`][^'"`]*application\/[^'"`]*['"`]\s*\)/i,
+      // Direct header checks
+      /req\.headers\s*\[\s*['"`]content-type['"`]\s*\]/i,
+      /request\.headers\s*\[\s*['"`]content-type['"`]\s*\]/i,
+      /req\.get\s*\(\s*['"`]content-type['"`]\s*\)/i,
+      /request\.get\s*\(\s*['"`]content-type['"`]\s*\)/i,
+      // Content-Type comparison
+      /content-type\s*[=!]==?\s*['"`]application\//i,
+      /['"`]application\/[^'"`]*['"`]\s*[=!]==?\s*.*content-type/i,
+      // Middleware patterns
+      /express\.json\s*\(/i,
+      /bodyParser\.json\s*\(/i,
+      /app\.use\s*\([^)]*json[^)]*\)/i,
+      // NestJS decorators
+      /@Header\s*\(\s*['"`]Content-Type['"`]/i,
+      /@UseInterceptors\s*\([^)]*ContentType[^)]*\)/i,
+      // Custom validation functions
+      /validateContentType/i,
+      /checkContentType/i,
+      /verifyContentType/i,
+    ];
+    // Patterns that indicate HTTP method handlers
+    this.httpHandlerPatterns = [
+      // Express.js route definitions
+      /app\.(post|put|patch|delete)\s*\(/i,
+      /router\.(post|put|patch|delete)\s*\(/i,
+      /express\(\)\.(post|put|patch|delete)\s*\(/i,
+      // NestJS decorators
+      /@(Post|Put|Patch|Delete)\s*\(/i,
+      // Generic handler patterns
+      /(post|put|patch|delete)\s*:\s*(async\s+)?function/i,
+      /(post|put|patch|delete)\s*:\s*\(/i,
+      // Function names indicating HTTP handlers
+      /function\s+(handle|process)?(Post|Put|Patch|Delete)/i,
+      /const\s+\w*(post|put|patch|delete)\w*\s*=/i,
+      /let\s+\w*(post|put|patch|delete)\w*\s*=/i,
+    ];
+    // Safe patterns to exclude from violations
+    this.safePatterns = [
+      // Comments and documentation
+      /\/\/|\/\*|\*\/|@param|@return|@example/,
+      // Import/export statements
+      /import|export|require|module\.exports/i,
+      // Type definitions
+      /interface|type|enum|declare/i,
+      // Test files patterns
+      /describe\s*\(|it\s*\(|test\s*\(|expect\s*\(/i,
+      // Configuration and constants
+      /const\s+\w+\s*=\s*['"`]/i,
+      // Logging and debugging
+      /console\.|logger\.|log\(/i,
+      // Middleware already handling Content-Type
+      /express\.json|bodyParser\.json|multer\(/i,
+    ];
+    // Patterns indicating secure implementations
+    this.secureImplementationPatterns = [
+      // Middleware usage that handles Content-Type
+      /app\.use\s*\([^)]*express\.json[^)]*\)/i,
+      /app\.use\s*\([^)]*bodyParser\.json[^)]*\)/i,
+      // Global Content-Type validation
+      /app\.use\s*\([^)]*validateContentType[^)]*\)/i,
+      /app\.use\s*\([^)]*checkContentType[^)]*\)/i,
+    ];
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      // Skip test files, build directories, and node_modules
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+      try {
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+    return violations;
+  }
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      'test/', 'tests/', '__tests__/', '.test.', '.spec.',
+      'node_modules/', 'build/', 'dist/', '.next/', 'coverage/',
+      'vendor/', 'mocks/', '.mock.',
+      // Config files
+      'config/', 'configs/', '.config.',
+      // Static assets
+      'public/', 'static/', 'assets/',
+    ];
+    return skipPatterns.some(pattern => filePath.includes(pattern));
+  }
+  analyzeFile(content, filePath, options = {}) {
+    const violations = [];
+    const lines = content.split('\n');
+    // First, check if file has global Content-Type validation (middleware)
+    const hasGlobalValidation = this.hasGlobalContentTypeValidation(content);
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      const trimmedLine = line.trim();
+      // Skip comments, imports, and empty lines
+      if (this.shouldSkipLine(trimmedLine)) {
+        return;
+      }
+      // Check for potential Content-Type validation violations
+      const violation = this.checkForContentTypeViolation(
+        line,
+        lineNumber,
+        filePath,
+        content,
+        hasGlobalValidation
+      );
+      if (violation) {
+        violations.push(violation);
+      }
+    });
+    return violations;
+  }
+  shouldSkipLine(line) {
+    return (
+      line.length === 0 ||
+      this.safePatterns.some(pattern => pattern.test(line))
+    );
+  }
+  hasGlobalContentTypeValidation(content) {
+    return this.secureImplementationPatterns.some(pattern => pattern.test(content));
+  }
+  checkForContentTypeViolation(line, lineNumber, filePath, fullContent, hasGlobalValidation) {
+    // Check if line contains request body usage
+    const hasRequestBodyUsage = this.requestBodyPatterns.some(pattern => pattern.test(line));
+    if (!hasRequestBodyUsage) {
+      return null;
+    }
+    // Check if this line is part of an HTTP handler
+    const isInHttpHandler = this.isInHttpHandlerContext(line, lineNumber, fullContent);
+    if (!isInHttpHandler) {
+      return null;
+    }
+    // Skip if there's global validation
+    if (hasGlobalValidation) {
+      return null;
+    }
+    // Check if there's local Content-Type validation in the same function/handler
+    const hasLocalValidation = this.hasLocalContentTypeValidation(lineNumber, fullContent);
+    if (hasLocalValidation) {
+      return null;
+    }
+    // Check if this is a NestJS handler with proper decorators
+    if (this.isSecureNestJSHandler(lineNumber, fullContent)) {
+      return null;
+    }
+    return {
+      ruleId: this.ruleId,
+      severity: 'error',
+      message: 'REST endpoint processes request body without validating Content-Type header. This can lead to security vulnerabilities.',
+      line: lineNumber,
+      column: this.findPatternColumn(line, this.requestBodyPatterns),
+      filePath: filePath,
+      type: 'missing_content_type_validation',
+      details: 'Consider adding Content-Type validation using req.is("application/json") or checking req.headers["content-type"] before processing request body.'
+    };
+  }
+  isInHttpHandlerContext(line, lineNumber, fullContent) {
+    const lines = fullContent.split('\n');
+    // Check previous lines for HTTP handler patterns
+    const contextRange = Math.max(0, lineNumber - 10); // Check up to 10 lines back
+    for (let i = contextRange; i < lineNumber; i++) {
+      const contextLine = lines[i];
+      if (this.httpHandlerPatterns.some(pattern => pattern.test(contextLine))) {
+        return true;
+      }
+    }
+    // Check current line
+    if (this.httpHandlerPatterns.some(pattern => pattern.test(line))) {
+      return true;
+    }
+    return false;
+  }
+  hasLocalContentTypeValidation(lineNumber, fullContent) {
+    const lines = fullContent.split('\n');
+    // Check surrounding lines for Content-Type validation
+    const startLine = Math.max(0, lineNumber - 15);
+    const endLine = Math.min(lines.length, lineNumber + 10);
+    for (let i = startLine; i < endLine; i++) {
+      const checkLine = lines[i];
+      if (this.contentTypeValidationPatterns.some(pattern => pattern.test(checkLine))) {
+        return true;
+      }
+    }
+    return false;
+  }
+  isSecureNestJSHandler(lineNumber, fullContent) {
+    const lines = fullContent.split('\n');
+    // Check previous lines for NestJS decorators that handle Content-Type
+    const contextRange = Math.max(0, lineNumber - 5);
+    for (let i = contextRange; i < lineNumber; i++) {
+      const line = lines[i];
+      if (/@Header\s*\(\s*['"`]Content-Type['"`]/i.test(line)) {
+        return true;
+      }
+      if (/@UseInterceptors\s*\([^)]*ContentType[^)]*\)/i.test(line)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  findPatternColumn(line, patterns) {
+    for (const pattern of patterns) {
+      const match = pattern.exec(line);
+      if (match) {
+        return match.index + 1;
+      }
+    }
+    return 1;
+  }
+}
+module.exports = S055Analyzer;

package/rules/security/S055_content_type_validation/config.json ADDED Viewed

@@ -0,0 +1,48 @@
+{
+  "ruleId": "S055",
+  "name": "Content-Type Validation in REST Services",
+  "description": "Verify that REST services explicitly check the incoming Content-Type to be the expected one",
+  "category": "security",
+  "severity": "error",
+  "languages": ["typescript", "javascript"],
+  "tags": ["security", "owasp", "rest-api", "input-validation", "asvs"],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "OWASP ASVS 13.2.5",
+    "cweId": "CWE-20",
+    "description": "REST services should validate the Content-Type header to ensure they receive data in the expected format. Missing Content-Type validation can lead to security vulnerabilities where attackers send malicious data in unexpected formats.",
+    "impact": "Medium - Data injection, parsing errors, security bypass",
+    "likelihood": "Medium",
+    "remediation": "Always validate Content-Type header before processing request body in REST endpoints"
+  },
+  "patterns": {
+    "vulnerable": [
+      "Processing req.body without checking Content-Type",
+      "Accepting any Content-Type in REST endpoints",
+      "Missing Content-Type validation in Express/NestJS handlers",
+      "Directly parsing request body without format validation"
+    ],
+    "secure": [
+      "Using req.is('application/json') to validate Content-Type",
+      "Checking req.headers['content-type'] before processing",
+      "Rejecting requests with unexpected Content-Type",
+      "Using middleware for Content-Type validation"
+    ]
+  },
+  "examples": {
+    "violations": [
+      "app.post('/api/users', (req, res) => { const user = req.body; });",
+      "router.put('/data', (req, res) => { processData(req.body); });",
+      "async createUser(req, res) { await userService.create(req.body); }",
+      "@Post() create(@Body() data: any) { return this.service.create(data); }"
+    ],
+    "fixes": [
+      "if (!req.is('application/json')) return res.status(415).send('Unsupported Media Type');",
+      "if (req.headers['content-type'] !== 'application/json') throw new Error('Invalid Content-Type');",
+      "app.use(express.json({ type: 'application/json' }));",
+      "@Post() @Header('Content-Type', 'application/json') create(@Body() data: CreateDto) {}"
+    ]
+  }
+}

package/rules/utils/rule-helpers.js CHANGED Viewed

@@ -261,4 +261,143 @@ class RuleHelper {
     }
 }
-module.exports = { RuleHelper };
+/**
+ * Comment Detection Utilities
+ * Reusable functions for detecting and handling comments in source code
+ */
+class CommentDetector {
+    /**
+     * Check if a line is within a block comment region
+     * @param {string[]} lines - Array of lines
+     * @param {number} lineIndex - Current line index (0-based)
+     * @returns {boolean} True if line is in block comment
+     */
+    static isLineInBlockComment(lines, lineIndex) {
+        let inBlockComment = false;
+        for (let i = 0; i <= lineIndex; i++) {
+            const line = lines[i];
+            // Check for block comment start
+            if (line.includes('/*')) {
+                inBlockComment = true;
+            }
+            // Check for block comment end on same line or later lines
+            if (line.includes('*/')) {
+                inBlockComment = false;
+            }
+        }
+        return inBlockComment;
+    }
+    /**
+     * Check if a specific position in a line is inside a comment
+     * @param {string} line - Line content
+     * @param {number} position - Character position in line
+     * @returns {boolean} True if position is inside a comment
+     */
+    static isPositionInComment(line, position) {
+        // Check if position is after // comment
+        const singleLineCommentPos = line.indexOf('//');
+        if (singleLineCommentPos !== -1 && position > singleLineCommentPos) {
+            return true;
+        }
+        // Check if position is inside /* */ comment on same line
+        let pos = 0;
+        while (pos < line.length) {
+            const commentStart = line.indexOf('/*', pos);
+            const commentEnd = line.indexOf('*/', pos);
+            if (commentStart !== -1 && commentEnd !== -1 && commentStart < commentEnd) {
+                if (position >= commentStart && position <= commentEnd + 1) {
+                    return true;
+                }
+                pos = commentEnd + 2;
+            } else {
+                break;
+            }
+        }
+        return false;
+    }
+    /**
+     * Clean line by removing comments but preserving structure for regex matching
+     * @param {string} line - Original line
+     * @returns {object} { cleanLine, commentRanges }
+     */
+    static cleanLineForMatching(line) {
+        let cleanLine = line;
+        const commentRanges = [];
+        // Track /* */ comments
+        let pos = 0;
+        while (pos < cleanLine.length) {
+            const commentStart = cleanLine.indexOf('/*', pos);
+            const commentEnd = cleanLine.indexOf('*/', pos);
+            if (commentStart !== -1 && commentEnd !== -1 && commentStart < commentEnd) {
+                commentRanges.push({ start: commentStart, end: commentEnd + 2 });
+                // Replace with spaces to preserve positions
+                const spaces = ' '.repeat(commentEnd + 2 - commentStart);
+                cleanLine = cleanLine.substring(0, commentStart) + spaces + cleanLine.substring(commentEnd + 2);
+                pos = commentEnd + 2;
+            } else {
+                break;
+            }
+        }
+        // Track // comments
+        const singleCommentPos = cleanLine.indexOf('//');
+        if (singleCommentPos !== -1) {
+            commentRanges.push({ start: singleCommentPos, end: cleanLine.length });
+            cleanLine = cleanLine.substring(0, singleCommentPos);
+        }
+        return { cleanLine, commentRanges };
+    }
+    /**
+     * Filter out comment lines from analysis
+     * @param {string[]} lines - Array of lines
+     * @returns {Array} Array of {line, lineNumber, isComment} objects
+     */
+    static filterCommentLines(lines) {
+        const result = [];
+        let inBlockComment = false;
+        lines.forEach((line, index) => {
+            const trimmedLine = line.trim();
+            // Track block comments
+            if (trimmedLine.includes('/*')) {
+                inBlockComment = true;
+            }
+            if (trimmedLine.includes('*/')) {
+                inBlockComment = false;
+                result.push({ line, lineNumber: index + 1, isComment: true });
+                return;
+            }
+            if (inBlockComment) {
+                result.push({ line, lineNumber: index + 1, isComment: true });
+                return;
+            }
+            // Check single line comments
+            const isComment = trimmedLine.startsWith('//') || trimmedLine.startsWith('#');
+            result.push({
+                line,
+                lineNumber: index + 1,
+                isComment
+            });
+        });
+        return result;
+    }
+}
+module.exports = { RuleHelper, CommentDetector };

package/scripts/consolidate-config.js ADDED Viewed

@@ -0,0 +1,116 @@
+#!/usr/bin/env node
+/**
+ * Script to consolidate all rules from rules-registry.json into enhanced-rules-registry.json
+ * then remove the old file to avoid config conflicts
+ */
+const fs = require('fs');
+const path = require('path');
+const oldRegistryPath = '/Users/bach.ngoc.hoai/Docs/ee/coding-quality/extensions/sunlint/config/rules/rules-registry.json';
+const enhancedRegistryPath = '/Users/bach.ngoc.hoai/Docs/ee/coding-quality/extensions/sunlint/config/rules/enhanced-rules-registry.json';
+console.log('🔄 Consolidating rule configurations...');
+try {
+  // Read both files
+  const oldRegistry = JSON.parse(fs.readFileSync(oldRegistryPath, 'utf8'));
+  const enhancedRegistry = JSON.parse(fs.readFileSync(enhancedRegistryPath, 'utf8'));
+  console.log(`📊 Old registry has ${Object.keys(oldRegistry.rules).length} rules`);
+  console.log(`📊 Enhanced registry has ${Object.keys(enhancedRegistry.rules).length} rules`);
+  // Track what was added
+  let addedRules = [];
+  let skippedRules = [];
+  // Add rules from old registry that don't exist in enhanced registry
+  for (const [ruleId, ruleConfig] of Object.entries(oldRegistry.rules)) {
+    if (!enhancedRegistry.rules[ruleId]) {
+      console.log(`➕ Adding rule ${ruleId}: ${ruleConfig.name}`);
+      enhancedRegistry.rules[ruleId] = ruleConfig;
+      addedRules.push(ruleId);
+    } else {
+      console.log(`⏭️  Skipping rule ${ruleId} (already exists in enhanced registry)`);
+      skippedRules.push(ruleId);
+    }
+  }
+  // Merge categories if needed
+  if (oldRegistry.categories) {
+    for (const [categoryId, categoryConfig] of Object.entries(oldRegistry.categories)) {
+      if (!enhancedRegistry.categories) {
+        enhancedRegistry.categories = {};
+      }
+      if (!enhancedRegistry.categories[categoryId]) {
+        console.log(`➕ Adding category ${categoryId}: ${categoryConfig.name}`);
+        enhancedRegistry.categories[categoryId] = categoryConfig;
+      } else {
+        // Merge rules from old category
+        const existingRules = new Set(enhancedRegistry.categories[categoryId].rules);
+        const newRules = categoryConfig.rules.filter(rule => !existingRules.has(rule));
+        if (newRules.length > 0) {
+          console.log(`🔄 Merging ${newRules.length} rules into category ${categoryId}`);
+          enhancedRegistry.categories[categoryId].rules.push(...newRules);
+        }
+      }
+    }
+  }
+  // Merge presets if needed
+  if (oldRegistry.presets) {
+    for (const [presetId, presetConfig] of Object.entries(oldRegistry.presets)) {
+      if (!enhancedRegistry.presets) {
+        enhancedRegistry.presets = {};
+      }
+      if (!enhancedRegistry.presets[presetId]) {
+        console.log(`➕ Adding preset ${presetId}: ${presetConfig.name}`);
+        enhancedRegistry.presets[presetId] = presetConfig;
+      }
+    }
+  }
+  // Merge languages if needed
+  if (oldRegistry.languages) {
+    for (const [langId, langConfig] of Object.entries(oldRegistry.languages)) {
+      if (!enhancedRegistry.languages) {
+        enhancedRegistry.languages = {};
+      }
+      if (!enhancedRegistry.languages[langId]) {
+        console.log(`➕ Adding language ${langId}`);
+        enhancedRegistry.languages[langId] = langConfig;
+      }
+    }
+  }
+  // Update metadata
+  if (enhancedRegistry.metadata) {
+    enhancedRegistry.metadata.totalRules = Object.keys(enhancedRegistry.rules).length;
+    enhancedRegistry.metadata.lastUpdated = new Date().toISOString().split('T')[0];
+    enhancedRegistry.metadata.consolidatedFrom = oldRegistryPath;
+  }
+  // Write enhanced registry back
+  fs.writeFileSync(enhancedRegistryPath, JSON.stringify(enhancedRegistry, null, 2));
+  console.log('✅ Consolidation completed!');
+  console.log(`📊 Total rules now: ${Object.keys(enhancedRegistry.rules).length}`);
+  console.log(`➕ Added rules: ${addedRules.length} - ${addedRules.join(', ')}`);
+  console.log(`⏭️  Skipped rules: ${skippedRules.length} - ${skippedRules.join(', ')}`);
+  // Create backup of old registry before deletion
+  const backupPath = oldRegistryPath + '.backup';
+  fs.copyFileSync(oldRegistryPath, backupPath);
+  console.log(`💾 Created backup: ${backupPath}`);
+  // Remove old registry
+  fs.unlinkSync(oldRegistryPath);
+  console.log(`🗑️  Removed old registry: ${oldRegistryPath}`);
+  console.log('🎉 Configuration consolidation complete!');
+} catch (error) {
+  console.error('❌ Error during consolidation:', error);
+  process.exit(1);
+}

package/scripts/prepare-release.sh CHANGED Viewed

@@ -135,7 +135,7 @@ sunlint --rule=C006 --input=src --format=summary
 # TypeScript Analysis
 --typescript               # Enable TypeScript analysis
---typescript-engine <type> # Engine: eslint, sunlint, hybrid
+--typescript-engine <type> # Engine: eslint, heuristic, hybrid
 # Output Control
 --format <format>          # Output: eslint, json, summary, table