@sun-asterisk/sunlint 1.3.1 → 1.3.2

package/rules/security/S016_no_sensitive_querystring/symbol-based-analyzer.js

@@ -0,0 +1,495 @@
+/**
+ * S016 Symbol-based Analyzer - Sensitive Data in URL Query Parameters Detection
+ * Purpose: Use AST + Symbol Resolution to detect sensitive data passed via query strings
+ */
+
+const { SyntaxKind } = require("ts-morph");
+
+class S016SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S016";
+    this.ruleName = "Sensitive Data in URL Query Parameters (Symbol-Based)";
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+
+    // URL construction patterns
+    this.urlPatterns = {
+      // Direct URL construction
+      urlConstructor: ["URL", "new URL"],
+      urlSearchParams: ["URLSearchParams", "new URLSearchParams"],
+
+      // HTTP client libraries
+      fetch: ["fetch"],
+      axios: [
+        "axios.get",
+        "axios.post",
+        "axios.put",
+        "axios.delete",
+        "axios.patch",
+        "axios.request",
+      ],
+      request: ["request", "request.get", "request.post"],
+
+      // Node.js modules
+      http: ["http.get", "http.request", "https.get", "https.request"],
+      querystring: ["querystring.stringify", "qs.stringify"],
+
+      // Framework specific
+      express: ["res.redirect", "req.query"],
+      nextjs: ["router.push", "router.replace", "Link"],
+      react: ["window.location.href", "location.href"],
+    };
+
+    // Sensitive data patterns (more comprehensive)
+    this.sensitivePatterns = [
+      // Authentication & Authorization
+      "password",
+      "passwd",
+      "pwd",
+      "pass",
+      "token",
+      "jwt",
+      "accesstoken",
+      "refreshtoken",
+      "bearertoken",
+      "secret",
+      "secretkey",
+      "clientsecret",
+      "serversecret",
+      "apikey",
+      "api_key",
+      "key",
+      "privatekey",
+      "publickey",
+      "auth",
+      "authorization",
+      "authenticate",
+      "sessionid",
+      "session_id",
+      "jsessionid",
+      "csrf",
+      "csrftoken",
+      "xsrf",
+
+      // Financial & Personal
+      "ssn",
+      "social",
+      "socialsecurity",
+      "creditcard",
+      "cardnumber",
+      "cardnum",
+      "ccnumber",
+      "cvv",
+      "cvc",
+      "cvd",
+      "cid",
+      "pin",
+      "pincode",
+      "bankaccount",
+      "routing",
+      "iban",
+
+      // Personal Identifiable Information
+      "email",
+      "emailaddress",
+      "mail",
+      "phone",
+      "phonenumber",
+      "mobile",
+      "tel",
+      "address",
+      "homeaddress",
+      "zipcode",
+      "postal",
+      "birthdate",
+      "birthday",
+      "dob",
+      "license",
+      "passport",
+      "identity",
+
+      // Business sensitive
+      "salary",
+      "income",
+      "wage",
+      "medical",
+      "health",
+      "diagnosis",
+    ];
+
+    // Query parameter indicators
+    this.queryIndicators = [
+      "query",
+      "params",
+      "search",
+      "searchparams",
+      "urlparams",
+      "querystring",
+      "qs",
+    ];
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S016 Symbol-Based] Analyzer initialized, verbose: ${this.verbose}`
+      );
+    }
+  }
+
+  async analyzeFileBasic(filePath, options = {}) {
+    return await this.analyzeFileWithSymbols(filePath, options);
+  }
+
+  async analyzeFileWithSymbols(filePath, options = {}) {
+    const violations = [];
+
+    const verbose = options.verbose || this.verbose;
+
+    if (!this.semanticEngine?.project) {
+      if (verbose) {
+        console.warn(
+          "[S016 Symbol-Based] No semantic engine available, skipping analysis"
+        );
+      }
+      return violations;
+    }
+
+    if (verbose) {
+      console.log(`🔍 [S016 Symbol-Based] Starting analysis for ${filePath}`);
+    }
+
+    try {
+      const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      if (!sourceFile) {
+        return violations;
+      }
+
+      // Find various URL/query construction patterns
+      const urlConstructions = this.findUrlConstructions(sourceFile, verbose);
+      const queryStringUsages = this.findQueryStringUsages(sourceFile, verbose);
+      const httpClientCalls = this.findHttpClientCalls(sourceFile, verbose);
+
+      if (verbose) {
+        console.log(
+          `🔍 [S016 Symbol-Based] Found ${urlConstructions.length} URL constructions, ${queryStringUsages.length} query usages, ${httpClientCalls.length} HTTP calls`
+        );
+      }
+
+      // Analyze each pattern
+      const allPatterns = [
+        ...urlConstructions,
+        ...queryStringUsages,
+        ...httpClientCalls,
+      ];
+
+      for (const pattern of allPatterns) {
+        const patternViolations = this.analyzeUrlPattern(
+          pattern,
+          sourceFile,
+          filePath,
+          verbose
+        );
+        violations.push(...patternViolations);
+      }
+
+      if (verbose) {
+        console.log(
+          `🔍 [S016 Symbol-Based] Total violations found: ${violations.length}`
+        );
+      }
+
+      return violations;
+    } catch (error) {
+      if (verbose) {
+        console.warn(
+          `[S016 Symbol-Based] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+      return violations;
+    }
+  }
+
+  /**
+   * Find URL construction patterns (new URL, URLSearchParams, etc.)
+   */
+  findUrlConstructions(sourceFile, verbose = false) {
+    const patterns = [];
+
+    // Find 'new URL()' constructions
+    const newExpressions = sourceFile.getDescendantsOfKind(
+      SyntaxKind.NewExpression
+    );
+    for (const newExpr of newExpressions) {
+      const identifier = newExpr.getExpression();
+      if (
+        identifier.getText() === "URL" ||
+        identifier.getText() === "URLSearchParams"
+      ) {
+        patterns.push({
+          type: "constructor",
+          node: newExpr,
+          method: identifier.getText(),
+        });
+      }
+    }
+
+    if (verbose) {
+      console.log(
+        `🔍 [S016 Symbol-Based] Found ${patterns.length} URL constructor patterns`
+      );
+    }
+
+    return patterns;
+  }
+
+  /**
+   * Find query string manipulation patterns
+   */
+  findQueryStringUsages(sourceFile, verbose = false) {
+    const patterns = [];
+
+    // Find property access expressions that might involve query strings
+    const propertyAccess = sourceFile.getDescendantsOfKind(
+      SyntaxKind.PropertyAccessExpression
+    );
+
+    for (const propAccess of propertyAccess) {
+      const fullText = propAccess.getText().toLowerCase();
+
+      // Check for query-related property access
+      if (
+        this.queryIndicators.some((indicator) => fullText.includes(indicator))
+      ) {
+        patterns.push({
+          type: "property_access",
+          node: propAccess,
+          method: propAccess.getText(),
+        });
+      }
+
+      // Check for location.search, window.location.search, etc.
+      if (fullText.includes("search") || fullText.includes("query")) {
+        patterns.push({
+          type: "location_search",
+          node: propAccess,
+          method: propAccess.getText(),
+        });
+      }
+    }
+
+    if (verbose) {
+      console.log(
+        `🔍 [S016 Symbol-Based] Found ${patterns.length} query string usage patterns`
+      );
+    }
+
+    return patterns;
+  }
+
+  /**
+   * Find HTTP client calls that might include query parameters
+   */
+  findHttpClientCalls(sourceFile, verbose = false) {
+    const patterns = [];
+
+    const callExpressions = sourceFile.getDescendantsOfKind(
+      SyntaxKind.CallExpression
+    );
+
+    for (const callExpr of callExpressions) {
+      const expression = callExpr.getExpression();
+      const callText = expression.getText().toLowerCase();
+
+      // Check against known HTTP client patterns
+      for (const [client, methods] of Object.entries(this.urlPatterns)) {
+        for (const method of methods) {
+          if (callText.includes(method.toLowerCase())) {
+            patterns.push({
+              type: "http_client",
+              node: callExpr,
+              method: method,
+              client: client,
+            });
+            break;
+          }
+        }
+      }
+    }
+
+    if (verbose) {
+      console.log(
+        `🔍 [S016 Symbol-Based] Found ${patterns.length} HTTP client call patterns`
+      );
+    }
+
+    return patterns;
+  }
+
+  /**
+   * Analyze URL pattern for sensitive data in query parameters
+   */
+  analyzeUrlPattern(pattern, sourceFile, filePath, verbose = false) {
+    const violations = [];
+    const lineNumber = pattern.node.getStartLineNumber();
+    const columnNumber =
+      pattern.node.getStart() - pattern.node.getStartLinePos();
+
+    if (verbose) {
+      console.log(
+        `🔍 [S016 Symbol-Based] Analyzing ${pattern.type} pattern: ${pattern.method}`
+      );
+    }
+
+    // Only check for sensitive keys in actual query string
+    let queryString = "";
+    let sensitiveParams = [];
+
+    if (pattern.type === "constructor" || pattern.type === "http_client") {
+      const args = pattern.node.getArguments?.() || [];
+      // Only check first argument (URL)
+      if (args.length > 0) {
+        const urlText = args[0].getText();
+        const match = urlText.match(/\?(.*)/);
+        if (match && match[1]) {
+          queryString = match[1];
+          // Split query string into keys
+          const keys = queryString
+            .split("&")
+            .map((pair) => pair.split("=")[0].toLowerCase());
+          sensitiveParams = keys.filter((key) =>
+            this.sensitivePatterns.includes(key)
+          );
+        }
+      }
+    } else if (
+      pattern.type === "property_access" ||
+      pattern.type === "location_search"
+    ) {
+      // Only check if .searchParams.set or .query is used with sensitive key
+      const methodText = pattern.method.toLowerCase();
+      for (const sensitiveKey of this.sensitivePatterns) {
+        // Only match if set as key in searchParams or query
+        const regex = new RegExp(`\.set\(['"]${sensitiveKey}['"]`, "i");
+        if (regex.test(methodText)) {
+          sensitiveParams.push(sensitiveKey);
+        }
+      }
+    }
+
+    if (sensitiveParams.length > 0) {
+      violations.push({
+        ruleId: this.ruleId,
+        severity: "error",
+        message: "Sensitive data detected in URL query parameters",
+        source: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: columnNumber,
+        description: `[SYMBOL-BASED] Sensitive parameters detected: ${sensitiveParams.join(
+          ", "
+        )}. This can expose data in logs, browser history, and network traces.`,
+        suggestion:
+          "Move sensitive data to request body (POST/PUT) or use secure headers. For authentication, use proper header-based tokens.",
+        category: "security",
+        patternType: pattern.type,
+        method: pattern.method,
+      });
+    }
+
+    // Additional checks for specific patterns
+    if (
+      pattern.type === "constructor" &&
+      pattern.method === "URLSearchParams"
+    ) {
+      // Special handling for URLSearchParams constructor
+      const constructorViolations = this.analyzeURLSearchParamsConstructor(
+        pattern.node,
+        filePath,
+        verbose
+      );
+      violations.push(...constructorViolations);
+    }
+
+    return violations;
+  }
+
+  /**
+   * Analyze URLSearchParams constructor specifically
+   */
+  analyzeURLSearchParamsConstructor(node, filePath, verbose = false) {
+    const violations = [];
+    const args = node.getArguments();
+
+    if (args.length === 0) return violations;
+
+    const firstArg = args[0];
+
+    // If first argument is an object literal, check its properties
+    if (firstArg.getKind() === SyntaxKind.ObjectLiteralExpression) {
+      const properties = firstArg.getProperties();
+
+      for (const prop of properties) {
+        if (prop.getKind() === SyntaxKind.PropertyAssignment) {
+          const propName = prop.getName()?.toLowerCase() || "";
+
+          const matchingSensitivePattern = this.sensitivePatterns.find(
+            (pattern) => {
+              const regex = new RegExp(`\\b${pattern}\\b`, "i");
+              return regex.test(propName);
+            }
+          );
+
+          if (matchingSensitivePattern) {
+            violations.push({
+              ruleId: this.ruleId,
+              severity: "error",
+              message: `Sensitive parameter '${propName}' in URLSearchParams constructor`,
+              source: this.ruleId,
+              file: filePath,
+              line: prop.getStartLineNumber(),
+              column: prop.getStart() - prop.getStartLinePos(),
+              description: `[SYMBOL-BASED] Parameter '${propName}' contains sensitive data pattern '${matchingSensitivePattern}'. URLSearchParams will be visible in URLs.`,
+              suggestion:
+                "Move sensitive parameters to request body or secure headers",
+              category: "security",
+            });
+          }
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  /**
+   * Find sensitive parameters in content
+   */
+  findSensitiveParameters(content, verbose = false) {
+    const sensitiveParams = [];
+    const lowerContent = content.toLowerCase();
+
+    for (const pattern of this.sensitivePatterns) {
+      // Use word boundaries to avoid false positives
+      const regex = new RegExp(`\\b${pattern}\\b`, "i");
+      if (regex.test(lowerContent)) {
+        sensitiveParams.push(pattern);
+        if (verbose) {
+          console.log(
+            `🔍 [S016 Symbol-Based] Sensitive pattern detected: '${pattern}'`
+          );
+        }
+      }
+    }
+
+    return [...new Set(sensitiveParams)]; // Remove duplicates
+  }
+}
+
+module.exports = S016SymbolBasedAnalyzer;

package/rules/security/S048_no_current_password_in_reset/README.md

@@ -0,0 +1,222 @@
+# S048 - No Current Password in Reset Process
+
+## Mô tả
+
+Rule này kiểm tra xem các quy trình đặt lại mật khẩu có yêu cầu mật khẩu hiện tại hay không. Việc yêu cầu mật khẩu hiện tại trong quy trình reset mật khẩu vi phạm nguyên tắc bảo mật và làm mất đi mục đích của tính năng "quên mật khẩu".
+
+## Mục tiêu
+
+- Ngăn chặn việc yêu cầu mật khẩu hiện tại trong quy trình reset mật khẩu
+- Đảm bảo quy trình reset mật khẩu được thiết kế an toàn và hợp lý
+- Tuân thủ OWASP A04:2021 - Insecure Design và CWE-640
+
+## Chi tiết Rule
+
+### Phát hiện lỗi khi:
+
+1. **API endpoints yêu cầu current password trong reset**:
+   ```javascript
+   app.post('/reset-password', (req, res) => {
+     const { currentPassword, newPassword } = req.body; // ❌ Yêu cầu mật khẩu hiện tại
+     if (!validateCurrentPassword(currentPassword)) {
+       return res.status(400).json({ error: 'Current password incorrect' });
+     }
+   });
+   ```
+
+2. **Form validation yêu cầu current password**:
+   ```typescript
+   const resetPasswordSchema = {
+     currentPassword: { type: String, required: true }, // ❌ Bắt buộc mật khẩu hiện tại
+     newPassword: { type: String, required: true }
+   };
+   ```
+
+3. **Service methods kiểm tra current password trong reset**:
+   ```javascript
+   async resetPassword(userId, currentPassword, newPassword) {
+     const user = await User.findById(userId);
+     if (!user.validatePassword(currentPassword)) { // ❌ Validate mật khẩu hiện tại
+       throw new Error('Current password is incorrect');
+     }
+   }
+   ```
+
+4. **React components với current password field**:
+   ```typescript
+   function ResetPasswordForm() {
+     return (
+       <form>
+         <input name="currentPassword" required /> {/* ❌ Trường mật khẩu hiện tại */}
+         <input name="newPassword" required />
+       </form>
+     );
+   }
+   ```
+
+### Cách khắc phục:
+
+1. **Sử dụng token-based reset**:
+   ```javascript
+   app.post('/reset-password', (req, res) => {
+     const { token, newPassword } = req.body; // ✅ Sử dụng token thay vì current password
+     if (!validateResetToken(token)) {
+       return res.status(400).json({ error: 'Invalid reset token' });
+     }
+   });
+   ```
+
+2. **Schema với reset token**:
+   ```typescript
+   const resetPasswordSchema = {
+     resetToken: { type: String, required: true }, // ✅ Token reset an toàn
+     newPassword: { type: String, required: true }
+   };
+   ```
+
+3. **Service method an toàn**:
+   ```javascript
+   async resetPasswordWithToken(resetToken, newPassword) {
+     const tokenData = await validateResetToken(resetToken); // ✅ Validate token
+     if (!tokenData.valid) {
+       throw new Error('Invalid or expired reset token');
+     }
+   }
+   ```
+
+4. **Form với email verification**:
+   ```typescript
+   function ForgotPasswordForm() {
+     return (
+       <form>
+         <input name="email" type="email" required /> {/* ✅ Chỉ cần email */}
+         <button>Send Reset Link</button>
+       </form>
+     );
+   }
+   ```
+
+## Tại sao đây là vấn đề bảo mật?
+
+### 1. **Mâu thuẫn logic**
+- Nếu người dùng nhớ mật khẩu hiện tại, họ không cần reset
+- Yêu cầu mật khẩu hiện tại làm vô hiệu hóa tính năng "quên mật khẩu"
+
+### 2. **Tạo điểm yếu bảo mật**
+- Kẻ tấn công có thể lợi dụng để brute force mật khẩu
+- Tăng surface attack cho account takeover
+
+### 3. **Trải nghiệm người dùng kém**
+- Người dùng quên mật khẩu không thể hoàn thành quy trình reset
+- Dẫn đến khóa tài khoản và frustration
+
+## Các trường hợp ngoại lệ
+
+### Trường hợp hợp lệ (không phải lỗi):
+
+1. **Password Change (không phải Reset)**:
+   ```javascript
+   // ✅ Thay đổi mật khẩu khi đã đăng nhập - hợp lệ
+   app.post('/change-password', authenticateUser, (req, res) => {
+     const { currentPassword, newPassword } = req.body;
+     // Hợp lệ vì đây là thay đổi, không phải reset
+   });
+   ```
+
+2. **Profile settings**:
+   ```javascript
+   // ✅ Cập nhật mật khẩu trong settings - hợp lệ
+   function ProfileSettings() {
+     return (
+       <div>
+         <h2>Change Password</h2> {/* Đây là change, không phải reset */}
+         <input name="currentPassword" />
+         <input name="newPassword" />
+       </div>
+     );
+   }
+   ```
+
+## Phương pháp detect
+
+Rule này sử dụng **heuristic analysis** với các pattern:
+
+1. **Context Detection**: Phát hiện ngữ cảnh password reset
+   - Keywords: `reset`, `forgot`, `recover`, `forgotpassword`
+   - Endpoints: `/reset-password`, `/forgot-password`
+   - Functions: `resetPassword()`, `forgotPassword()`
+
+2. **Violation Detection**: Tìm yêu cầu current password
+   - Field names: `currentPassword`, `oldPassword`, `existingPassword`
+   - Validation patterns: `validateCurrentPassword()`, `checkOldPassword()`
+   - Schema fields: `currentPassword: { required: true }`
+
+3. **Context Filtering**: Loại bỏ false positives
+   - Bỏ qua password change contexts
+   - Bỏ qua test files và documentation
+   - Bỏ qua comments và type definitions
+
+## Tham khảo
+
+- [OWASP A04:2021 - Insecure Design](https://owasp.org/Top10/A04_2021-Insecure_Design/)
+- [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html)
+- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#forgot-password)
+- [NIST SP 800-63B - Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)
+
+## Ví dụ
+
+### Violation Examples
+
+```javascript
+// ❌ Express.js với current password requirement
+app.post('/reset-password', (req, res) => {
+  if (!req.body.currentPassword) {
+    return res.status(400).json({ error: 'Current password required' });
+  }
+});
+
+// ❌ NestJS với validation current password
+@Post('reset-password')
+async resetPassword(@Body() data: { currentPassword: string, newPassword: string }) {
+  await this.authService.validateCurrentPassword(data.currentPassword);
+}
+
+// ❌ Mongoose schema yêu cầu current password
+const resetSchema = new Schema({
+  currentPassword: { type: String, required: true }, // Vi phạm
+  newPassword: { type: String, required: true }
+});
+
+// ❌ React form với current password field
+<input 
+  name="currentPassword" 
+  placeholder="Enter current password" 
+  required 
+/>
+```
+
+### Secure Examples
+
+```javascript
+// ✅ Token-based reset
+app.post('/reset-password', (req, res) => {
+  const { token, newPassword } = req.body;
+  if (!validateResetToken(token)) {
+    return res.status(400).json({ error: 'Invalid reset token' });
+  }
+});
+
+// ✅ Email-based forgot password
+app.post('/forgot-password', (req, res) => {
+  const { email } = req.body;
+  sendResetEmail(email);
+  res.json({ message: 'Reset link sent to email' });
+});
+
+// ✅ Secure reset schema
+const resetSchema = new Schema({
+  resetToken: { type: String, required: true },
+  newPassword: { type: String, required: true },
+  tokenExpiry: { type: Date, required: true }
+});
+```