npm - @sun-asterisk/sunlint - Versions diffs - 1.3.1 → 1.3.3 - Mend

@sun-asterisk/sunlint 1.3.1 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (120) hide show

package/rules/security/S016_no_sensitive_querystring/symbol-based-analyzer.js ADDED Viewed

@@ -0,0 +1,495 @@
+/**
+ * S016 Symbol-based Analyzer - Sensitive Data in URL Query Parameters Detection
+ * Purpose: Use AST + Symbol Resolution to detect sensitive data passed via query strings
+ */
+const { SyntaxKind } = require("ts-morph");
+class S016SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S016";
+    this.ruleName = "Sensitive Data in URL Query Parameters (Symbol-Based)";
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+    // URL construction patterns
+    this.urlPatterns = {
+      // Direct URL construction
+      urlConstructor: ["URL", "new URL"],
+      urlSearchParams: ["URLSearchParams", "new URLSearchParams"],
+      // HTTP client libraries
+      fetch: ["fetch"],
+      axios: [
+        "axios.get",
+        "axios.post",
+        "axios.put",
+        "axios.delete",
+        "axios.patch",
+        "axios.request",
+      ],
+      request: ["request", "request.get", "request.post"],
+      // Node.js modules
+      http: ["http.get", "http.request", "https.get", "https.request"],
+      querystring: ["querystring.stringify", "qs.stringify"],
+      // Framework specific
+      express: ["res.redirect", "req.query"],
+      nextjs: ["router.push", "router.replace", "Link"],
+      react: ["window.location.href", "location.href"],
+    };
+    // Sensitive data patterns (more comprehensive)
+    this.sensitivePatterns = [
+      // Authentication & Authorization
+      "password",
+      "passwd",
+      "pwd",
+      "pass",
+      "token",
+      "jwt",
+      "accesstoken",
+      "refreshtoken",
+      "bearertoken",
+      "secret",
+      "secretkey",
+      "clientsecret",
+      "serversecret",
+      "apikey",
+      "api_key",
+      "key",
+      "privatekey",
+      "publickey",
+      "auth",
+      "authorization",
+      "authenticate",
+      "sessionid",
+      "session_id",
+      "jsessionid",
+      "csrf",
+      "csrftoken",
+      "xsrf",
+      // Financial & Personal
+      "ssn",
+      "social",
+      "socialsecurity",
+      "creditcard",
+      "cardnumber",
+      "cardnum",
+      "ccnumber",
+      "cvv",
+      "cvc",
+      "cvd",
+      "cid",
+      "pin",
+      "pincode",
+      "bankaccount",
+      "routing",
+      "iban",
+      // Personal Identifiable Information
+      "email",
+      "emailaddress",
+      "mail",
+      "phone",
+      "phonenumber",
+      "mobile",
+      "tel",
+      "address",
+      "homeaddress",
+      "zipcode",
+      "postal",
+      "birthdate",
+      "birthday",
+      "dob",
+      "license",
+      "passport",
+      "identity",
+      // Business sensitive
+      "salary",
+      "income",
+      "wage",
+      "medical",
+      "health",
+      "diagnosis",
+    ];
+    // Query parameter indicators
+    this.queryIndicators = [
+      "query",
+      "params",
+      "search",
+      "searchparams",
+      "urlparams",
+      "querystring",
+      "qs",
+    ];
+  }
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S016 Symbol-Based] Analyzer initialized, verbose: ${this.verbose}`
+      );
+    }
+  }
+  async analyzeFileBasic(filePath, options = {}) {
+    return await this.analyzeFileWithSymbols(filePath, options);
+  }
+  async analyzeFileWithSymbols(filePath, options = {}) {
+    const violations = [];
+    const verbose = options.verbose || this.verbose;
+    if (!this.semanticEngine?.project) {
+      if (verbose) {
+        console.warn(
+          "[S016 Symbol-Based] No semantic engine available, skipping analysis"
+        );
+      }
+      return violations;
+    }
+    if (verbose) {
+      console.log(`🔍 [S016 Symbol-Based] Starting analysis for ${filePath}`);
+    }
+    try {
+      const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      if (!sourceFile) {
+        return violations;
+      }
+      // Find various URL/query construction patterns
+      const urlConstructions = this.findUrlConstructions(sourceFile, verbose);
+      const queryStringUsages = this.findQueryStringUsages(sourceFile, verbose);
+      const httpClientCalls = this.findHttpClientCalls(sourceFile, verbose);
+      if (verbose) {
+        console.log(
+          `🔍 [S016 Symbol-Based] Found ${urlConstructions.length} URL constructions, ${queryStringUsages.length} query usages, ${httpClientCalls.length} HTTP calls`
+        );
+      }
+      // Analyze each pattern
+      const allPatterns = [
+        ...urlConstructions,
+        ...queryStringUsages,
+        ...httpClientCalls,
+      ];
+      for (const pattern of allPatterns) {
+        const patternViolations = this.analyzeUrlPattern(
+          pattern,
+          sourceFile,
+          filePath,
+          verbose
+        );
+        violations.push(...patternViolations);
+      }
+      if (verbose) {
+        console.log(
+          `🔍 [S016 Symbol-Based] Total violations found: ${violations.length}`
+        );
+      }
+      return violations;
+    } catch (error) {
+      if (verbose) {
+        console.warn(
+          `[S016 Symbol-Based] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+      return violations;
+    }
+  }
+  /**
+   * Find URL construction patterns (new URL, URLSearchParams, etc.)
+   */
+  findUrlConstructions(sourceFile, verbose = false) {
+    const patterns = [];
+    // Find 'new URL()' constructions
+    const newExpressions = sourceFile.getDescendantsOfKind(
+      SyntaxKind.NewExpression
+    );
+    for (const newExpr of newExpressions) {
+      const identifier = newExpr.getExpression();
+      if (
+        identifier.getText() === "URL" ||
+        identifier.getText() === "URLSearchParams"
+      ) {
+        patterns.push({
+          type: "constructor",
+          node: newExpr,
+          method: identifier.getText(),
+        });
+      }
+    }
+    if (verbose) {
+      console.log(
+        `🔍 [S016 Symbol-Based] Found ${patterns.length} URL constructor patterns`
+      );
+    }
+    return patterns;
+  }
+  /**
+   * Find query string manipulation patterns
+   */
+  findQueryStringUsages(sourceFile, verbose = false) {
+    const patterns = [];
+    // Find property access expressions that might involve query strings
+    const propertyAccess = sourceFile.getDescendantsOfKind(
+      SyntaxKind.PropertyAccessExpression
+    );
+    for (const propAccess of propertyAccess) {
+      const fullText = propAccess.getText().toLowerCase();
+      // Check for query-related property access
+      if (
+        this.queryIndicators.some((indicator) => fullText.includes(indicator))
+      ) {
+        patterns.push({
+          type: "property_access",
+          node: propAccess,
+          method: propAccess.getText(),
+        });
+      }
+      // Check for location.search, window.location.search, etc.
+      if (fullText.includes("search") || fullText.includes("query")) {
+        patterns.push({
+          type: "location_search",
+          node: propAccess,
+          method: propAccess.getText(),
+        });
+      }
+    }
+    if (verbose) {
+      console.log(
+        `🔍 [S016 Symbol-Based] Found ${patterns.length} query string usage patterns`
+      );
+    }
+    return patterns;
+  }
+  /**
+   * Find HTTP client calls that might include query parameters
+   */
+  findHttpClientCalls(sourceFile, verbose = false) {
+    const patterns = [];
+    const callExpressions = sourceFile.getDescendantsOfKind(
+      SyntaxKind.CallExpression
+    );
+    for (const callExpr of callExpressions) {
+      const expression = callExpr.getExpression();
+      const callText = expression.getText().toLowerCase();
+      // Check against known HTTP client patterns
+      for (const [client, methods] of Object.entries(this.urlPatterns)) {
+        for (const method of methods) {
+          if (callText.includes(method.toLowerCase())) {
+            patterns.push({
+              type: "http_client",
+              node: callExpr,
+              method: method,
+              client: client,
+            });
+            break;
+          }
+        }
+      }
+    }
+    if (verbose) {
+      console.log(
+        `🔍 [S016 Symbol-Based] Found ${patterns.length} HTTP client call patterns`
+      );
+    }
+    return patterns;
+  }
+  /**
+   * Analyze URL pattern for sensitive data in query parameters
+   */
+  analyzeUrlPattern(pattern, sourceFile, filePath, verbose = false) {
+    const violations = [];
+    const lineNumber = pattern.node.getStartLineNumber();
+    const columnNumber =
+      pattern.node.getStart() - pattern.node.getStartLinePos();
+    if (verbose) {
+      console.log(
+        `🔍 [S016 Symbol-Based] Analyzing ${pattern.type} pattern: ${pattern.method}`
+      );
+    }
+    // Only check for sensitive keys in actual query string
+    let queryString = "";
+    let sensitiveParams = [];
+    if (pattern.type === "constructor" || pattern.type === "http_client") {
+      const args = pattern.node.getArguments?.() || [];
+      // Only check first argument (URL)
+      if (args.length > 0) {
+        const urlText = args[0].getText();
+        const match = urlText.match(/\?(.*)/);
+        if (match && match[1]) {
+          queryString = match[1];
+          // Split query string into keys
+          const keys = queryString
+            .split("&")
+            .map((pair) => pair.split("=")[0].toLowerCase());
+          sensitiveParams = keys.filter((key) =>
+            this.sensitivePatterns.includes(key)
+          );
+        }
+      }
+    } else if (
+      pattern.type === "property_access" ||
+      pattern.type === "location_search"
+    ) {
+      // Only check if .searchParams.set or .query is used with sensitive key
+      const methodText = pattern.method.toLowerCase();
+      for (const sensitiveKey of this.sensitivePatterns) {
+        // Only match if set as key in searchParams or query
+        const regex = new RegExp(`\.set\(['"]${sensitiveKey}['"]`, "i");
+        if (regex.test(methodText)) {
+          sensitiveParams.push(sensitiveKey);
+        }
+      }
+    }
+    if (sensitiveParams.length > 0) {
+      violations.push({
+        ruleId: this.ruleId,
+        severity: "error",
+        message: "Sensitive data detected in URL query parameters",
+        source: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: columnNumber,
+        description: `[SYMBOL-BASED] Sensitive parameters detected: ${sensitiveParams.join(
+          ", "
+        )}. This can expose data in logs, browser history, and network traces.`,
+        suggestion:
+          "Move sensitive data to request body (POST/PUT) or use secure headers. For authentication, use proper header-based tokens.",
+        category: "security",
+        patternType: pattern.type,
+        method: pattern.method,
+      });
+    }
+    // Additional checks for specific patterns
+    if (
+      pattern.type === "constructor" &&
+      pattern.method === "URLSearchParams"
+    ) {
+      // Special handling for URLSearchParams constructor
+      const constructorViolations = this.analyzeURLSearchParamsConstructor(
+        pattern.node,
+        filePath,
+        verbose
+      );
+      violations.push(...constructorViolations);
+    }
+    return violations;
+  }
+  /**
+   * Analyze URLSearchParams constructor specifically
+   */
+  analyzeURLSearchParamsConstructor(node, filePath, verbose = false) {
+    const violations = [];
+    const args = node.getArguments();
+    if (args.length === 0) return violations;
+    const firstArg = args[0];
+    // If first argument is an object literal, check its properties
+    if (firstArg.getKind() === SyntaxKind.ObjectLiteralExpression) {
+      const properties = firstArg.getProperties();
+      for (const prop of properties) {
+        if (prop.getKind() === SyntaxKind.PropertyAssignment) {
+          const propName = prop.getName()?.toLowerCase() || "";
+          const matchingSensitivePattern = this.sensitivePatterns.find(
+            (pattern) => {
+              const regex = new RegExp(`\\b${pattern}\\b`, "i");
+              return regex.test(propName);
+            }
+          );
+          if (matchingSensitivePattern) {
+            violations.push({
+              ruleId: this.ruleId,
+              severity: "error",
+              message: `Sensitive parameter '${propName}' in URLSearchParams constructor`,
+              source: this.ruleId,
+              file: filePath,
+              line: prop.getStartLineNumber(),
+              column: prop.getStart() - prop.getStartLinePos(),
+              description: `[SYMBOL-BASED] Parameter '${propName}' contains sensitive data pattern '${matchingSensitivePattern}'. URLSearchParams will be visible in URLs.`,
+              suggestion:
+                "Move sensitive parameters to request body or secure headers",
+              category: "security",
+            });
+          }
+        }
+      }
+    }
+    return violations;
+  }
+  /**
+   * Find sensitive parameters in content
+   */
+  findSensitiveParameters(content, verbose = false) {
+    const sensitiveParams = [];
+    const lowerContent = content.toLowerCase();
+    for (const pattern of this.sensitivePatterns) {
+      // Use word boundaries to avoid false positives
+      const regex = new RegExp(`\\b${pattern}\\b`, "i");
+      if (regex.test(lowerContent)) {
+        sensitiveParams.push(pattern);
+        if (verbose) {
+          console.log(
+            `🔍 [S016 Symbol-Based] Sensitive pattern detected: '${pattern}'`
+          );
+        }
+      }
+    }
+    return [...new Set(sensitiveParams)]; // Remove duplicates
+  }
+}
+module.exports = S016SymbolBasedAnalyzer;

package/rules/security/S017_use_parameterized_queries/README.md ADDED Viewed

@@ -0,0 +1,128 @@
+# S017 - Always use parameterized queries
+## Rule Description
+Always use parameterized queries instead of string concatenation to build SQL queries. This prevents SQL injection attacks by separating SQL logic from data.
+## Risk Level
+**HIGH** - SQL injection is one of the most critical security vulnerabilities
+## Rule Details
+This rule detects potentially vulnerable SQL query construction patterns:
+### ❌ Violations (Dangerous Patterns)
+```javascript
+// String concatenation with user input
+const query = "SELECT * FROM users WHERE id = " + userId;
+db.query(query);
+// Template literals with interpolation
+const sql = `SELECT * FROM products WHERE name = '${productName}'`;
+connection.execute(sql);
+// Direct variable insertion
+const deleteQuery = "DELETE FROM orders WHERE status = '" + status + "'";
+mysql.query(deleteQuery);
+// Complex concatenation
+const updateSql =
+  "UPDATE users SET name = '" +
+  name +
+  "', email = '" +
+  email +
+  "' WHERE id = " +
+  id;
+```
+### ✅ Correct Usage (Safe Patterns)
+```javascript
+// Using parameterized queries with placeholders
+const query = "SELECT * FROM users WHERE id = ?";
+db.query(query, [userId]);
+// Using named parameters
+const sql = "SELECT * FROM products WHERE name = $1";
+client.query(sql, [productName]);
+// Using prepared statements
+const stmt = db.prepare("DELETE FROM orders WHERE status = ?");
+stmt.run(status);
+// ORM usage (usually safe)
+const user = await User.findOne({ where: { id: userId } });
+// Using parameter objects
+const updateSql = "UPDATE users SET name = ?, email = ? WHERE id = ?";
+db.query(updateSql, [name, email, id]);
+```
+## Detected Libraries
+- **Database drivers**: mysql, mysql2, pg, sqlite3, mssql, oracle
+- **ORMs**: sequelize, typeorm, prisma, mongoose
+- **Query builders**: knex, objection
+## Security Impact
+- **SQL Injection attacks**: Malicious SQL code execution
+- **Data breach**: Unauthorized access to sensitive data
+- **Data manipulation**: Unauthorized data modification/deletion
+- **Authentication bypass**: Circumventing login mechanisms
+- **Privilege escalation**: Gaining admin access
+## Best Practices
+1. **Always use parameterized queries** with placeholders (?, $1, etc.)
+2. **Use prepared statements** when available
+3. **Validate and sanitize** all user inputs
+4. **Use ORMs** that handle parameterization automatically
+5. **Apply principle of least privilege** for database accounts
+6. **Regular security audits** of SQL query patterns
+## Examples by Library
+### MySQL/MySQL2
+```javascript
+// ❌ Vulnerable
+const query = `SELECT * FROM users WHERE email = '${email}'`;
+connection.query(query);
+// ✅ Safe
+const query = "SELECT * FROM users WHERE email = ?";
+connection.query(query, [email]);
+```
+### PostgreSQL (pg)
+```javascript
+// ❌ Vulnerable
+const text = `SELECT * FROM users WHERE id = ${id}`;
+client.query(text);
+// ✅ Safe
+const text = "SELECT * FROM users WHERE id = $1";
+client.query(text, [id]);
+```
+### SQLite
+```javascript
+// ❌ Vulnerable
+const sql = "INSERT INTO logs (message) VALUES ('" + message + "')";
+db.run(sql);
+// ✅ Safe
+const sql = "INSERT INTO logs (message) VALUES (?)";
+db.run(sql, [message]);
+```
+## References
+- [OWASP SQL Injection Prevention](https://owasp.org/www-community/attacks/SQL_Injection)
+- [CWE-89: SQL Injection](https://cwe.mitre.org/data/definitions/89.html)
+- [Node.js Security Best Practices](https://nodejs.org/en/docs/guides/security/)