@sun-asterisk/sunlint 1.3.16 → 1.3.17

package/rules/common/C041_no_sensitive_hardcode/symbol-based-analyzer.js

@@ -0,0 +1,575 @@
+/**
+ * C041 Symbol-based Analyzer - Do not hardcode or push sensitive information
+ * Purpose: Prevent hardcoded secrets, tokens, API keys, passwords, and sensitive URLs in code
+ */
+const { SyntaxKind } = require('ts-morph');
+
+class C041SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = 'C041';
+    this.ruleName = 'Do not hardcode or push sensitive information (token, API key, secret, URL)';
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+
+    // === Sensitive Patterns ===
+    this.sensitivePatterns = {
+      // API Keys and Tokens
+      apiKey: /\b(api[_-]?key|apikey|api[_-]?token)\s*[:=]\s*["'`]([a-zA-Z0-9_\-]{20,})["'`]/gi,
+      
+      // AWS credentials
+      awsAccessKey: /\b(aws[_-]?access[_-]?key[_-]?id|aws[_-]?secret[_-]?access[_-]?key)\s*[:=]\s*["'`]([A-Z0-9]{20,})["'`]/gi,
+      
+      // Private keys
+      privateKey: /(-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----)/gi,
+      
+      // Database connection strings
+      dbConnection: /(mongodb|mysql|postgresql|postgres):\/\/[^:]+:[^@]+@/gi,
+      
+      // JWT secrets
+      jwtSecret: /\b(jwt[_-]?secret|secret[_-]?key)\s*[:=]\s*["'`]([a-zA-Z0-9_\-]{16,})["'`]/gi,
+      
+      // Bearer tokens
+      bearerToken: /\b(bearer|authorization)\s*[:=]\s*["'`]([a-zA-Z0-9_\-\.]{20,})["'`]/gi,
+      
+      // OAuth tokens
+      oauthToken: /\b(oauth[_-]?token|access[_-]?token|refresh[_-]?token)\s*[:=]\s*["'`]([a-zA-Z0-9_\-\.]{20,})["'`]/gi,
+      
+      // Generic secrets
+      secret: /\b(secret|password|passwd|pwd)\s*[:=]\s*["'`](?!.*(\$\{|process\.env|env\.|config\.))([^"'`\s]{8,})["'`]/gi,
+      
+      // API endpoints with embedded credentials
+      credentialUrl: /(https?:\/\/[^:\/]+:[^@\/]+@[^\s"'`]+)/gi,
+      
+      // SSH keys
+      sshKey: /(ssh-rsa\s+[A-Za-z0-9+\/=]{100,})/gi,
+      
+      // Google API keys
+      googleApiKey: /AIza[0-9A-Za-z\-_]{35}/gi,
+      
+      // Slack tokens
+      slackToken: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,}/gi,
+      
+      // GitHub tokens
+      githubToken: /gh[pousr]_[A-Za-z0-9_]{36,}/gi,
+      
+      // Stripe keys
+      stripeKey: /sk_live_[0-9a-zA-Z]{24,}/gi,
+      
+      // Generic high-entropy strings (potential secrets) - DISABLED, too many false positives
+      // highEntropy: /["'`]([a-zA-Z0-9+\/=_\-]{32,})["'`]/g
+    };
+
+    // === Variable name patterns that suggest sensitive data ===
+    this.sensitiveVariableNames = [
+      /api[_-]?key/i,
+      /secret/i,
+      /password/i,
+      /passwd/i,
+      /pass/i,
+      /token/i,
+      /auth/i,
+      /credential/i,
+      /private[_-]?key/i,
+      /access[_-]?key/i,
+      /client[_-]?secret/i,
+      /encryption[_-]?key/i
+    ];
+
+    // === Safe patterns to exclude (env vars, config imports) ===
+    this.safePatterns = [
+      /process\.env\./,
+      /import\.meta\.env\./,
+      /env\./,
+      /config\./,
+      /Config\./,
+      /\$\{.*\}/,  // Template literals with variables
+      /getEnv\(/,
+      /loadConfig\(/,
+      /readSecret\(/,
+      /vault\./i,
+      /secretManager\./i,
+      /keyVault\./i
+    ];
+
+    // === Ignore Configuration ===
+    this.ignoredFilePatterns = [
+      /test\//,
+      /tests\//,
+      /__tests__\//,
+      /\.test\./,
+      /\.spec\./,
+      /node_modules\//,
+      /\.env\.example$/,
+      /\.env\.template$/,
+      /mock/i,
+      /sample/i,
+    ];
+
+    // Common placeholder/dummy values to ignore
+    this.ignoredValues = [
+      'your-api-key-here',
+      'your_api_key',
+      'mock',
+      'xxx',
+      'yyy',
+      'zzz',
+      'example',
+      'test',
+      'dummy',
+      'placeholder',
+      'changeme',
+      'replace-me'
+    ];
+
+    // Patterns for non-sensitive constant values (event names, actions, etc.)
+    this.nonSensitivePatterns = [
+      /^(use|on|handle)[A-Z]/,  // React hooks: usePassword, onPasswordChange
+      /_trigger$/i,              // Event triggers: password_trigger
+      /_event$/i,                // Event names: password_event
+      /_action$/i,               // Action names: change_password_action
+      /_validation$/i,           // Validation keys: password_validation
+      /_field$/i,                // Form fields: password_field
+      /_input$/i,                // Input names: password_input
+      /_activity$/i,             // Activity names: updatePassword-activity
+      /_service$/i,              // Service names: auth-service
+      /_handler$/i,              // Handler names: password-handler
+      /_method$/i,               // Method names: resetPassword-method
+      /^(change|update|set|get|renew|reset|forgot)[A-Z_]/i,  // Action verbs: changePassword, renewpassword
+      /^[a-z_]+_(type|mode|status|state)$/i,  // State keys: password_type, auth_mode
+      /^\/[a-zA-Z0-9_\/-]+$/i,                 // URL-like paths: /forgot_password, /reset_password
+      /^[a-z][a-zA-Z0-9]*-[a-z]+$/,  // Kebab-case identifiers: updatePassword-activity
+    ];
+
+    // Variable/constant names that contain error messages or config (not secrets)
+    this.errorMessageConstants = [
+      /^[A-Z_]+ERROR[A-Z_]*$/,        // COGNITO_ERROR, API_ERROR
+      /^[A-Z_]+MESSAGE[A-Z_]*$/,      // MESSAGE_LOG, ERROR_MESSAGE
+      /^[A-Z_]+EXCEPTION[A-Z_]*$/,    // AUTH_EXCEPTION
+      /^[A-Z_]+CODE[A-Z_]*$/,         // ERROR_CODE, STATUS_CODE
+      /^[A-Z_]+STATUS[A-Z_]*$/,       // USER_STATUS
+      /^[A-Z_]+TYPE[A-Z_]*$/,         // MESSAGE_TYPE
+    ];
+
+    // Parent object names that contain service/activity mappings (not secrets)
+    this.serviceConfigConstants = [
+      /^activity$/i,
+      /^activities$/i,
+      /^service$/i,
+      /^services$/i,
+      /^handler$/i,
+      /^handlers$/i,
+      /^method$/i,
+      /^methods$/i,
+      /^action$/i,
+      /^actions$/i,
+      /^route$/i,
+      /^routes$/i,
+    ];
+
+    // Patterns in values that indicate error messages (not secrets)
+    this.errorMessagePatterns = [
+      /Exception$/,                   // NotAuthorizedException
+      /Error$/,                       // ValidationError
+      /\s+(not\s+found|invalid|expired|exceeded|failed)/i,  // "User not found", "Token expired"
+      /^[A-Z][a-z]+([A-Z][a-z]+)*Exception$/,  // PascalCaseException
+      /^[A-Z][a-z]+\s/,              // Sentence case messages: "Email not found"
+    ];
+
+    // Patterns that indicate legitimate long strings (not secrets)
+    this.legitimateStringPatterns = [
+      /\sas\s+["'`]/i,           // SQL aliases: AS "columnName"
+      /SELECT\s/i,               // SQL queries
+      /FROM\s/i,                 // SQL queries
+      /WHERE\s/i,                // SQL queries
+      /JOIN\s/i,                 // SQL queries
+      /\.[a-z_]+\s+as\s+/i,      // SQL column aliases
+      /^[a-z_]+\.[a-z_]+/i,      // Dot notation: table.column
+      /\s+AS\s+/,                // SQL AS keyword
+      /<[^>]+>/,                 // HTML/XML tags
+      /^(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP)/i, // SQL statements
+      /^\/[^\/]+\//,             // Regex patterns or paths
+      /^\w+:\/\//,               // URLs (but not with credentials)
+    ];
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [C041 Symbol-Based] Analyzer initialized, verbose: ${this.verbose}`);
+    }
+  }
+
+  async analyzeFileBasic(filePath, options = {}) {
+    return await this.analyzeFileWithSymbols(filePath, options);
+  }
+
+  async analyzeFileWithSymbols(filePath, options = {}) {
+    const violations = [];
+    const verbose = options.verbose || this.verbose;
+
+    if (!this.semanticEngine?.project) {
+      if (verbose) {
+        console.warn('[C041 Symbol-Based] No semantic engine available, skipping analysis');
+      }
+      return violations;
+    }
+
+    if (this.shouldIgnoreFile(filePath)) {
+      if (verbose) console.log(`[${this.ruleId}] Ignoring ${filePath}`);
+      return violations;
+    }
+
+    if (verbose) {
+      console.log(`🔍 [C041 Symbol-Based] Starting analysis for ${filePath}`);
+    }
+
+    try {
+      const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      if (!sourceFile) {
+        if (verbose) {
+          console.log(`⚠️  [C041] Could not load source file: ${filePath}`);
+        }
+        return violations;
+      }
+
+      // Check string literals
+      this.checkStringLiterals(sourceFile, violations);
+
+      // Check variable declarations
+      this.checkVariableDeclarations(sourceFile, violations);
+
+      // Check property assignments
+      this.checkPropertyAssignments(sourceFile, violations);
+
+      // Check template literals
+      this.checkTemplateLiterals(sourceFile, violations);
+
+      if (verbose) {
+        console.log(`✅ [C041] Found ${violations.length} violations in ${filePath}`);
+      }
+
+    } catch (error) {
+      if (verbose) {
+        console.warn(`[C041 Symbol-Based] Analysis failed for ${filePath}:`, error.message);
+      }
+    }
+
+    return violations;
+  }
+
+  checkStringLiterals(sourceFile, violations) {
+    const stringLiterals = sourceFile.getDescendantsOfKind(SyntaxKind.StringLiteral);
+
+    stringLiterals.forEach(literal => {
+      const text = literal.getText();
+      const value = literal.getLiteralValue();
+
+      // Skip if it's a legitimate long string (SQL, HTML, etc.)
+      if (this.isLegitimateString(value)) {
+        return;
+      }
+
+      // Skip if it's a safe pattern (env variable reference)
+      if (this.isSafeContext(literal)) {
+        return;
+      }
+
+      // Check against sensitive patterns
+      this.checkAgainstPatterns(literal, value, sourceFile, violations);
+    });
+  }
+
+  checkVariableDeclarations(sourceFile, violations) {
+    const variableDeclarations = sourceFile.getDescendantsOfKind(SyntaxKind.VariableDeclaration);
+
+    variableDeclarations.forEach(varDecl => {
+      const name = varDecl.getName();
+      const initializer = varDecl.getInitializer();
+
+      if (!initializer) return;
+
+      // Check if variable name suggests sensitive data
+      const isSensitiveName = this.sensitiveVariableNames.some(pattern => pattern.test(name));
+
+      if (isSensitiveName) {
+        const initText = initializer.getText();
+
+        // Skip if using env variables or config
+        if (this.isSafeValue(initText)) {
+          return;
+        }
+
+        // Check if it's a hardcoded value
+        if (SyntaxKind.StringLiteral === initializer.getKind() ||
+            SyntaxKind.NoSubstitutionTemplateLiteral === initializer.getKind()) {
+          const value = initializer.getText().replace(/^["'`]|["'`]$/g, '');
+
+          // Skip if the value itself is a non-sensitive constant (event names, actions, etc.)
+          if (this.isNonSensitiveConstant(value)) {
+            return;
+          }
+
+          // More lenient check: any non-trivial string in a sensitive variable is suspicious
+          if (value.length >= 8 && !this.isIgnoredValue(value)) {
+            violations.push(this.createViolation(
+              varDecl,
+              sourceFile,
+              `Variable '${name}' appears to contain hardcoded sensitive information`
+            ));
+          }
+        } else if (SyntaxKind.TemplateExpression === initializer.getKind()) {
+          // Check template literals for hardcoded secrets in the string parts
+          const templateText = initializer.getText();
+
+          // Check if template has hardcoded secrets (not just variables)
+          if (!this.isSafeValue(templateText) && this.hasHardcodedSecretInTemplate(templateText)) {
+            violations.push(this.createViolation(
+              varDecl,
+              sourceFile,
+              `Variable '${name}' template literal contains hardcoded sensitive information`
+            ));
+          }
+        }
+      }
+    });
+  }
+
+  checkPropertyAssignments(sourceFile, violations) {
+    const propertyAssignments = sourceFile.getDescendantsOfKind(SyntaxKind.PropertyAssignment);
+
+    propertyAssignments.forEach(prop => {
+      const name = prop.getName();
+      const initializer = prop.getInitializer();
+
+      if (!initializer) return;
+
+      // Skip if parent is an error/message constant object
+      const parent = prop.getParent()?.getParent();
+      if (parent && parent.getKind() === SyntaxKind.VariableDeclaration) {
+        const parentName = parent.asKind(SyntaxKind.VariableDeclaration)?.getName();
+        if (parentName && (this.isErrorMessageConstant(parentName) || this.isServiceConfigConstant(parentName))) {
+          return; // Skip properties inside error/service constant objects
+        }
+      }
+
+      // Also check grandparent for nested objects like activity.account
+      const grandParent = prop.getParent()?.getParent()?.getParent()?.getParent();
+      if (grandParent && grandParent.getKind() === SyntaxKind.VariableDeclaration) {
+        const grandParentName = grandParent.asKind(SyntaxKind.VariableDeclaration)?.getName();
+        if (grandParentName && (this.isErrorMessageConstant(grandParentName) || this.isServiceConfigConstant(grandParentName))) {
+          return; // Skip properties inside nested service config objects
+        }
+      }
+
+      const isSensitiveName = this.sensitiveVariableNames.some(pattern => pattern.test(name));
+
+      if (isSensitiveName) {
+        const initText = initializer.getText();
+
+        if (this.isSafeValue(initText)) {
+          return;
+        }
+
+        if (SyntaxKind.StringLiteral === initializer.getKind() ||
+            SyntaxKind.NoSubstitutionTemplateLiteral === initializer.getKind()) {
+          const value = initializer.getText().replace(/^["'`]|["'`]$/g, '');
+
+          // Skip if the value itself is a non-sensitive constant
+          if (this.isNonSensitiveConstant(value)) {
+            return;
+          }
+
+          // Skip if the value looks like an error message
+          if (this.isErrorMessage(value)) {
+            return;
+          }
+
+          // More lenient check for properties with sensitive names
+          if (value.length >= 8 && !this.isIgnoredValue(value)) {
+            violations.push(this.createViolation(
+              prop,
+              sourceFile,
+              `Property '${name}' appears to contain hardcoded sensitive information`
+            ));
+          }
+        } else if (SyntaxKind.TemplateExpression === initializer.getKind()) {
+          const templateText = initializer.getText();
+
+          if (!this.isSafeValue(templateText) && this.hasHardcodedSecretInTemplate(templateText)) {
+            violations.push(this.createViolation(
+              prop,
+              sourceFile,
+              `Property '${name}' template literal contains hardcoded sensitive information`
+            ));
+          }
+        }
+      }
+    });
+  }
+
+  checkTemplateLiterals(sourceFile, violations) {
+    const templates = sourceFile.getDescendantsOfKind(SyntaxKind.TemplateExpression);
+
+    templates.forEach(template => {
+      const text = template.getText();
+
+      // Check if template contains hardcoded secrets even with variables
+      if (this.hasHardcodedSecretInTemplate(text)) {
+        // Check against patterns
+        this.checkAgainstPatterns(template, text, sourceFile, violations);
+      }
+    });
+  }
+
+  checkAgainstPatterns(node, value, sourceFile, violations) {
+    for (const [patternName, pattern] of Object.entries(this.sensitivePatterns)) {
+      pattern.lastIndex = 0; // Reset regex
+      const matches = pattern.exec(value);
+
+      if (matches) {
+        const matchedValue = matches[2] || matches[1] || matches[0];
+
+        if (this.isIgnoredValue(matchedValue)) {
+          continue;
+        }
+
+        violations.push(this.createViolation(
+          node,
+          sourceFile,
+          `Potential hardcoded sensitive data detected (${patternName})`
+        ));
+      }
+    }
+  }
+
+  isSafeContext(node) {
+    let parent = node.getParent();
+    let depth = 0;
+    const maxDepth = 5;
+
+    while (parent && depth < maxDepth) {
+      const text = parent.getText();
+
+      if (this.safePatterns.some(pattern => pattern.test(text))) {
+        return true;
+      }
+
+      parent = parent.getParent();
+      depth++;
+    }
+
+    return false;
+  }
+
+  isSafeValue(value) {
+    return this.safePatterns.some(pattern => pattern.test(value));
+  }
+
+  isLikelySecret(value) {
+    // Check length
+    if (value.length < 8) return false;
+
+    // Check if it looks like a placeholder
+    if (this.isIgnoredValue(value.toLowerCase())) return false;
+
+    // Check entropy (randomness)
+    const entropy = this.calculateEntropy(value);
+    return entropy > 3.5; // High entropy suggests random/generated secret
+  }
+
+  calculateEntropy(str) {
+    const len = str.length;
+    const frequencies = {};
+
+    for (let i = 0; i < len; i++) {
+      const char = str[i];
+      frequencies[char] = (frequencies[char] || 0) + 1;
+    }
+
+    let entropy = 0;
+    for (const freq of Object.values(frequencies)) {
+      const p = freq / len;
+      entropy -= p * Math.log2(p);
+    }
+
+    return entropy;
+  }
+
+  isIgnoredValue(value) {
+    const lowerValue = value.toLowerCase();
+    return this.ignoredValues.some(ignored =>
+      lowerValue.includes(ignored.toLowerCase())
+    );
+  }
+
+  isNonSensitiveConstant(nameOrValue) {
+    return this.nonSensitivePatterns.some(pattern => pattern.test(nameOrValue));
+  }
+
+  isLegitimateString(value) {
+    // Check if the string matches legitimate patterns (SQL, HTML, etc.)
+    return this.legitimateStringPatterns.some(pattern => pattern.test(value));
+  }
+
+  isErrorMessageConstant(name) {
+    return this.errorMessageConstants.some(pattern => pattern.test(name));
+  }
+
+  isErrorMessage(value) {
+    return this.errorMessagePatterns.some(pattern => pattern.test(value));
+  }
+
+  isServiceConfigConstant(name) {
+    return this.serviceConfigConstants.some(pattern => pattern.test(name));
+  }
+
+  hasHardcodedSecretInTemplate(templateText) {
+    // Extract the static string parts (not the ${...} parts)
+    const staticParts = templateText.split(/\$\{[^}]+\}/);
+
+    // Check if any static part contains what looks like a secret
+    for (const part of staticParts) {
+      // Check for patterns like "secret=xxx", "token=xxx", "key=xxx"
+      if (/(?:secret|token|key|password|passwd)[:=][^&\s`]{8,}/i.test(part)) {
+        return true;
+      }
+
+      // Check for high entropy strings in URL parameters
+      if (/[:=]([a-zA-Z0-9_\-]{16,})/.test(part)) {
+        const match = part.match(/[:=]([a-zA-Z0-9_\-]{16,})/);
+        if (match && match[1] && !this.isIgnoredValue(match[1])) {
+          const entropy = this.calculateEntropy(match[1]);
+          if (entropy > 3.5) {
+            return true;
+          }
+        }
+      }
+    }
+
+    return false;
+  }
+
+  createViolation(node, sourceFile, message) {
+    return {
+      ruleId: this.ruleId,
+      severity: 'warning',
+      message: message,
+      source: this.ruleId,
+      file: sourceFile.getFilePath(),
+      line: node.getStartLineNumber(),
+      column: node.getStart() - node.getStartLinePos(),
+      description: `[SYMBOL-BASED] ${message}`,
+      suggestion: 'Remove hardcoded sensitive information and use secure storage or environment variables instead.',
+      category: 'security',
+    };
+  }
+
+  shouldIgnoreFile(filePath) {
+    return this.ignoredFilePatterns.some((pattern) => pattern.test(filePath));
+  }
+}
+
+module.exports = C041SymbolBasedAnalyzer;

package/rules/common/C067_no_hardcoded_config/analyzer.js

@@ -1,15 +1,16 @@
 // rules/common/C067_no_hardcoded_config/analyzer.js
-const C067SymbolBasedAnalyzer = require('./symbol-based-analyzer.js');
+const C067SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
 
 class C067Analyzer {
   constructor(semanticEngine = null) {
-    this.ruleId = 'C067';
-    this.ruleName = 'No Hardcoded Configuration';
-    this.description = 'Improve configurability, reduce risk when changing environments, and make configuration management flexible and maintainable.';
+    this.ruleId = "C067";
+    this.ruleName = "Do not hardcode configuration inside code";
+    this.description =
+      "Improve configurability, reduce risk when changing environments, and make configuration management flexible and maintainable. Avoid hardcoding API URLs, credentials, timeouts, retry intervals, batch sizes, and feature flags.";
     this.semanticEngine = semanticEngine;
     this.verbose = false;
-    
-    // Use symbol-based only for accuracy
+
+    // Use symbol-based analyzer with ts-morph for accurate AST analysis
     this.symbolAnalyzer = new C067SymbolBasedAnalyzer(semanticEngine);
   }
 
@@ -24,12 +25,12 @@ class C067Analyzer {
   // Main analyze method required by heuristic engine
   async analyze(files, language, options = {}) {
     const violations = [];
-    
+
     for (const filePath of files) {
       if (options.verbose) {
-        console.log(`[DEBUG] 🎯 C067: Analyzing ${filePath.split('/').pop()}`);
+        console.log(`[DEBUG] 🎯 C067: Analyzing ${filePath.split("/").pop()}`);
       }
-      
+
       try {
         const fileViolations = await this.analyzeFileBasic(filePath, options);
         violations.push(...fileViolations);
@@ -37,7 +38,7 @@ class C067Analyzer {
         console.warn(`C067: Skipping ${filePath}: ${error.message}`);
       }
     }
-    
+
     return violations;
   }
 
@@ -46,11 +47,11 @@ class C067Analyzer {
       // Try semantic engine first, fallback to standalone ts-morph
       if (this.semanticEngine?.isSymbolEngineReady?.() && this.semanticEngine.project) {
         if (this.verbose) {
-          console.log(`[DEBUG] 🎯 C067: Using semantic engine for ${filePath.split('/').pop()}`);
+          console.log(`[DEBUG] 🎯 C067: Using semantic engine for ${filePath.split("/").pop()}`);
         }
-        
+
         const violations = await this.symbolAnalyzer.analyzeFileBasic(filePath, options);
-        
+
         if (this.verbose) {
           console.log(`[DEBUG] 🎯 C067: Symbol-based analysis found ${violations.length} violations`);
         }
@@ -59,11 +60,11 @@ class C067Analyzer {
       } else {
         // Fallback to standalone analysis
         if (this.verbose) {
-          console.log(`[DEBUG] 🎯 C067: Using standalone analysis for ${filePath.split('/').pop()}`);
+          console.log(`[DEBUG] 🎯 C067: Using standalone analysis for ${filePath.split("/").pop()}`);
         }
-        
+
         const violations = await this.symbolAnalyzer.analyzeFileStandalone(filePath, options);
-        
+
         if (this.verbose) {
           console.log(`[DEBUG] 🎯 C067: Standalone analysis found ${violations.length} violations`);
         }