@sun-asterisk/sunlint 1.3.16 → 1.3.17

package/rules/security/S006_no_plaintext_recovery_codes/symbol-based-analyzer.js

@@ -0,0 +1,805 @@
+/**
+ * S006 Symbol-Based Analyzer - No Plaintext Recovery/Activation Codes
+ *
+ * Uses ts-morph AST analysis to detect plaintext recovery/activation codes
+ * in various contexts: API responses, logging, email templates, etc.
+ */
+
+const { SyntaxKind } = require("ts-morph");
+
+class S006SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.semanticEngine = semanticEngine;
+    this.ruleId = "S006";
+
+    // Sensitive code-related identifiers (security/auth related only)
+    this.sensitiveIdentifiers = new Set([
+      "activationcode",
+      "recoverycode",
+      "resetcode",
+      "verificationcode",
+      "confirmationcode",
+      "otp",
+      "otpcode",
+      "totp",
+      "pin",
+      "pincode",
+      // Removed generic "code" - too many false positives with business codes
+      // Only specific security-related codes above
+      "secret",
+      "password",
+      "passphrase",
+    ]);
+
+    // Business/technical identifiers that should NOT be flagged (not security codes)
+    this.safeBusinessIdentifiers = new Set([
+      "statuscode",
+      "httpstatuscode",
+      "errorcode",
+      "responsecode",
+      "agencycode",
+      "companycode",
+      "eventcode",
+      "productcode",
+      "itemcode",
+      "categorycode",
+      "departmentcode",
+      "locationcode",
+      "branchcode",
+      "regioncode",
+      "countrycode",
+      "languagecode",
+      "currencycode",
+      "timecode",
+      "zipcode",
+      "postalcode",
+      "areacode",
+      "dialcode",
+      "apiname",
+      "adminapiname",
+      "appinstall",
+      "externalpointeventid", // External point system event identifier
+      "externalserviceid", // External service identifier
+      "pointstatus", // User point status (business state, not security code)
+      "memberstatus", // User member status
+      "friendshipstatus", // User friendship status
+    ]);
+
+    // Safe password-related patterns (template names, route names, not actual passwords)
+    this.safePasswordPatterns = [
+      "forgotpassword",
+      "resetpassword",
+      "changepassword",
+      "updatepassword",
+      "passwordreset",
+      "passwordchange",
+      "passwordupdate",
+      "passwordrecovery",
+    ];
+
+    // Safe token types (JWT, session tokens, etc.)
+    this.safeTokenTypes = new Set([
+      "resettoken",
+      "accesstoken",
+      "refreshtoken",
+      "sessiontoken",
+      "authtoken",
+      "jwttoken",
+      "bearertoken",
+    ]);
+
+    // Transmission/exposure contexts
+    this.exposureContexts = new Set([
+      "send",
+      "email",
+      "sms",
+      "text",
+      "message",
+      "mail",
+      "push",
+      "notify",
+      "response",
+      "body",
+      "json",
+      "data",
+      "payload",
+      "log",
+      "console",
+      "debug",
+      "info",
+      "warn",
+      "error",
+      "trace",
+      "render",
+      "template",
+      "view",
+      "html",
+    ]);
+
+    // Safe patterns to exclude
+    this.safePatterns = [
+      "hash",
+      "encrypt",
+      "cipher",
+      "bcrypt",
+      "crypto",
+      "secure",
+      "hashed",
+      "encrypted",
+      "sendsecure",
+      "hashcode",
+      "encryptcode",
+      "savehashed",
+      "storehashed",
+      "validatecode",
+      "verifycode",
+      "checkcode",
+      // Audit/internal logging (not external exposure)
+      "logadminpointhistory",
+      "adminpointhistory",
+      "auditlog",
+      "systemlog",
+      "internallog",
+      "logger.warn", // Warning logs are typically business messages, not sensitive data exposure
+      "logger.debug", // Debug logs are for development, not production exposure
+      "logger.info", // Info logs are for general information
+    ];
+
+    // Safe return/response patterns (just success messages, no actual codes)
+    this.safeResponsePatterns = [
+      "success",
+      "message",
+      "sent",
+      "instructions",
+      "check your",
+      "please enter",
+      "has been sent",
+      "successfully sent",
+      "sent to your email",
+      "sent to email",
+      "sent successfully",
+      "generated successfully",
+    ];
+  }
+
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+  }
+
+  async analyze(sourceFile, filePath) {
+    const violations = [];
+
+    try {
+      // Check return statements with sensitive codes
+      this.checkReturnStatements(sourceFile, filePath, violations);
+
+      // Check property assignments in objects
+      this.checkObjectLiterals(sourceFile, filePath, violations);
+
+      // Check call expressions (res.json, console.log, etc.)
+      this.checkCallExpressions(sourceFile, filePath, violations);
+
+      // Check template literals with codes
+      this.checkTemplateLiterals(sourceFile, filePath, violations);
+
+      // Check interface/type definitions
+      this.checkTypeDefinitions(sourceFile, filePath, violations);
+
+      // Removed: checkVariableDeclarations - too many false positives
+      // Variables can be used safely in many contexts (hashing, validation, etc.)
+    } catch (error) {
+      console.warn(`⚠️ [S006] Analysis error in ${filePath}: ${error.message}`);
+    }
+
+    return violations;
+  }
+
+  /**
+   * Check return statements that expose sensitive codes
+   * e.g., return { activationCode };
+   */
+  checkReturnStatements(sourceFile, filePath, violations) {
+    const returnStatements = sourceFile.getDescendantsOfKind(
+      SyntaxKind.ReturnStatement
+    );
+
+    for (const returnStmt of returnStatements) {
+      const expression = returnStmt.getExpression();
+      if (!expression) continue;
+
+      // Check if returning object with sensitive properties
+      if (expression.getKind() === SyntaxKind.ObjectLiteralExpression) {
+        const objLiteral = expression;
+        const properties = objLiteral.getProperties();
+
+        // Skip if return object contains only safe messages (success, message, etc.)
+        const hasOnlySafeProperties = properties.every((prop) => {
+          const name = prop.getName?.() || "";
+          const normalizedName = name.toLowerCase();
+          return (
+            normalizedName === "success" ||
+            normalizedName === "message" ||
+            normalizedName === "expiresat" ||
+            normalizedName === "timestamp" ||
+            normalizedName === "status"
+          );
+        });
+
+        if (hasOnlySafeProperties) {
+          continue;
+        }
+
+        for (const prop of properties) {
+          if (
+            prop.getKind() === SyntaxKind.PropertyAssignment ||
+            prop.getKind() === SyntaxKind.ShorthandPropertyAssignment
+          ) {
+            const name = prop.getName?.() || "";
+            const normalizedName = this.normalizeIdentifier(name);
+
+            // Skip statusCode - it's HTTP status code, not sensitive
+            if (normalizedName === "statuscode") {
+              continue;
+            }
+
+            if (
+              this.isSensitiveIdentifier(normalizedName) &&
+              !this.isInSafeContext(prop)
+            ) {
+              violations.push({
+                ruleId: this.ruleId,
+                severity: "error",
+                message: `Returning sensitive code '${name}' in plaintext - codes should be encrypted or excluded from responses`,
+                line: prop.getStartLineNumber(),
+                column: prop.getStart() - prop.getStartLinePos() + 1,
+                filePath: filePath,
+                file: filePath,
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+
+  /**
+   * Check object literals for sensitive code exposure
+   * e.g., { resetCode: code, ... }
+   */
+  checkObjectLiterals(sourceFile, filePath, violations) {
+    const objectLiterals = sourceFile.getDescendantsOfKind(
+      SyntaxKind.ObjectLiteralExpression
+    );
+
+    for (const objLiteral of objectLiterals) {
+      // Skip if in safe context
+      if (this.isInSafeContext(objLiteral)) continue;
+
+      const properties = objLiteral.getProperties();
+
+      for (const prop of properties) {
+        if (prop.getKind() === SyntaxKind.PropertyAssignment) {
+          const name = prop.getName?.() || "";
+          const normalizedName = this.normalizeIdentifier(name);
+
+          if (this.isSensitiveIdentifier(normalizedName)) {
+            // Check if in exposure context (e.g., res.json, send, etc.)
+            const parent = this.findParentContext(objLiteral);
+            if (parent && this.isExposureContext(parent)) {
+              // Check if this is request input (not exposure)
+              // Look for JSON.stringify in parent chain with body/data context
+              let currentParent = parent;
+              let depth = 0;
+              let isRequestBody = false;
+
+              while (currentParent && depth < 10) {
+                const parentText = currentParent.getText().toLowerCase();
+
+                // Check if this object is being passed to JSON.stringify
+                // and is part of a fetch/axios request body
+                if (parentText.includes("json.stringify")) {
+                  // Look further up for body: or data: context
+                  let upperParent = currentParent.getParent();
+                  let upperDepth = 0;
+
+                  while (upperParent && upperDepth < 5) {
+                    const upperText = upperParent.getText().toLowerCase();
+                    if (
+                      (upperText.includes("body:") ||
+                        upperText.includes("data:")) &&
+                      (upperText.includes("fetch") ||
+                        upperText.includes("axios") ||
+                        upperText.includes("method:") ||
+                        upperText.includes("post") ||
+                        upperText.includes("put"))
+                    ) {
+                      isRequestBody = true;
+                      break;
+                    }
+                    upperParent = upperParent.getParent();
+                    upperDepth++;
+                  }
+                }
+
+                if (isRequestBody) break;
+                currentParent = currentParent.getParent();
+                depth++;
+              }
+
+              if (isRequestBody) {
+                // This is request body - user sending code to server for verification
+                // Not an exposure, so skip
+                continue;
+              }
+
+              // Use warning for JWT config properties (common pattern in DTOs)
+              const isJwtConfig =
+                normalizedName === "secret" &&
+                (objLiteral.getText().includes("expiresIn") ||
+                  objLiteral.getText().includes("JWT") ||
+                  objLiteral.getText().includes("process.env"));
+
+              violations.push({
+                ruleId: this.ruleId,
+                severity: isJwtConfig ? "warning" : "error",
+                message: isJwtConfig
+                  ? `Object property '${name}' in JWT config - consider refactoring signing logic to service layer`
+                  : `Object property '${name}' exposes sensitive code in plaintext - use encrypted transmission or exclude from response`,
+                line: prop.getStartLineNumber(),
+                column: prop.getStart() - prop.getStartLinePos() + 1,
+                filePath: filePath,
+                file: filePath,
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+
+  /**
+   * Check call expressions like res.json(), console.log(), etc.
+   * e.g., res.json({ code: verificationCode })
+   */
+  checkCallExpressions(sourceFile, filePath, violations) {
+    const callExpressions = sourceFile.getDescendantsOfKind(
+      SyntaxKind.CallExpression
+    );
+
+    for (const callExpr of callExpressions) {
+      const expression = callExpr.getExpression();
+      const expressionText = expression.getText().toLowerCase();
+
+      // Skip safe methods
+      if (
+        this.safePatterns.some((pattern) => expressionText.includes(pattern))
+      ) {
+        continue;
+      }
+
+      // Check for exposure methods
+      const isExposureMethod =
+        expressionText.includes("json") ||
+        expressionText.includes("send") ||
+        expressionText.includes("log") ||
+        expressionText.includes("console") ||
+        expressionText.includes("email") ||
+        expressionText.includes("sms") ||
+        expressionText.includes("notify") ||
+        expressionText.includes("render");
+
+      if (!isExposureMethod) continue;
+
+      // Skip JSON.stringify in request body context (client sending code to server for verification)
+      if (expressionText.includes("json.stringify")) {
+        // Check if this is part of fetch/axios request body
+        let parent = callExpr.getParent();
+        let depth = 0;
+        let isRequestBody = false;
+
+        while (parent && depth < 10) {
+          const parentText = parent.getText().toLowerCase();
+          if (
+            (parentText.includes("body:") || parentText.includes("data:")) &&
+            (parentText.includes("fetch") ||
+              parentText.includes("axios") ||
+              parentText.includes("method:") ||
+              parentText.includes("post"))
+          ) {
+            isRequestBody = true;
+            break;
+          }
+          parent = parent.getParent();
+          depth++;
+        }
+
+        if (isRequestBody) {
+          continue; // Skip - this is client sending code for verification, not exposure
+        }
+      }
+
+      // Check arguments for sensitive codes
+      const args = callExpr.getArguments();
+      for (const arg of args) {
+        // Skip if argument is in safe context
+        if (this.isInSafeContext(arg)) {
+          continue;
+        }
+
+        // Skip safe string messages
+        if (
+          arg.getKind() === SyntaxKind.StringLiteral ||
+          arg.getKind() === SyntaxKind.NoSubstitutionTemplateLiteral
+        ) {
+          const text = arg.getText().toLowerCase();
+          if (
+            this.safeResponsePatterns.some((pattern) => text.includes(pattern))
+          ) {
+            continue;
+          }
+        }
+
+        if (this.containsSensitiveCode(arg)) {
+          const argText = arg.getText();
+          const match = argText.match(
+            /\b(activation|recovery|reset|verification|otp|code)\w*/i
+          );
+          const codeName = match ? match[0] : "sensitive code";
+
+          // Check if this is OTP/SMS transmission (accepted functional requirement)
+          const isOtpSms =
+            (expressionText.includes("sendmessage") ||
+              expressionText.includes("sendsms") ||
+              expressionText.includes("sendotp")) &&
+            (codeName.toLowerCase().includes("otp") ||
+              argText.toLowerCase().includes("otp"));
+
+          violations.push({
+            ruleId: this.ruleId,
+            severity: isOtpSms ? "warning" : "error",
+            message: isOtpSms
+              ? `OTP transmission via ${expressionText}() - ensure secure channel and proper expiration/rate limiting`
+              : `Exposing '${codeName}' via ${expressionText}() - codes should not be transmitted in plaintext`,
+            line: arg.getStartLineNumber(),
+            column: arg.getStart() - arg.getStartLinePos() + 1,
+            filePath: filePath,
+            file: filePath,
+          });
+        }
+      }
+    }
+  }
+
+  /**
+   * Check template literals for code exposure
+   * e.g., `Your code is: ${activationCode}`
+   */
+  checkTemplateLiterals(sourceFile, filePath, violations) {
+    const templates = sourceFile.getDescendantsOfKind(
+      SyntaxKind.TemplateExpression
+    );
+
+    for (const template of templates) {
+      const spans = template.getTemplateSpans();
+
+      for (const span of spans) {
+        const expression = span.getExpression();
+        const expressionText = expression.getText().toLowerCase();
+        const normalizedExpr = this.normalizeIdentifier(expressionText);
+
+        // Skip JWT signing operations - these produce signed tokens (safe), not plaintext secrets
+        if (
+          expressionText.includes("jwtsecret") ||
+          expressionText.includes("jwtsign") ||
+          expressionText.includes("tokensign") ||
+          expressionText.includes("sign(") ||
+          expressionText.includes(".sign(")
+        ) {
+          continue;
+        }
+
+        if (this.isSensitiveIdentifier(normalizedExpr)) {
+          // Check if in exposure context
+          const parent = this.findParentContext(template);
+          if (parent && this.isExposureContext(parent)) {
+            violations.push({
+              ruleId: this.ruleId,
+              severity: "error",
+              message: `Template literal exposes sensitive code '${expression.getText()}' - avoid including codes in templates`,
+              line: expression.getStartLineNumber(),
+              column: expression.getStart() - expression.getStartLinePos() + 1,
+              filePath: filePath,
+              file: filePath,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  /**
+   * Check interface/type definitions
+   * e.g., interface Response { verificationCode: string }
+   */
+  checkTypeDefinitions(sourceFile, filePath, violations) {
+    const interfaces = sourceFile.getDescendantsOfKind(
+      SyntaxKind.InterfaceDeclaration
+    );
+
+    for (const iface of interfaces) {
+      const name = iface.getName();
+      const normalizedName = name.toLowerCase();
+
+      // Check if it's a response/DTO type
+      if (
+        normalizedName.includes("response") ||
+        normalizedName.includes("result") ||
+        normalizedName.includes("dto") ||
+        normalizedName.includes("payload")
+      ) {
+        const properties = iface.getProperties();
+
+        for (const prop of properties) {
+          const propName = prop.getName();
+          const normalizedPropName = this.normalizeIdentifier(propName);
+
+          if (this.isSensitiveIdentifier(normalizedPropName)) {
+            violations.push({
+              ruleId: this.ruleId,
+              severity: "warning",
+              message: `Interface '${name}' exposes sensitive property '${propName}' - consider excluding codes from response types`,
+              line: prop.getStartLineNumber(),
+              column: prop.getStart() - prop.getStartLinePos() + 1,
+              filePath: filePath,
+              file: filePath,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  /**
+   * Check variable declarations for sensitive code handling
+   */
+  checkVariableDeclarations(sourceFile, filePath, violations) {
+    const varDecls = sourceFile.getDescendantsOfKind(
+      SyntaxKind.VariableDeclaration
+    );
+
+    for (const varDecl of varDecls) {
+      const name = varDecl.getName();
+      const normalizedName = this.normalizeIdentifier(name);
+
+      if (!this.isSensitiveIdentifier(normalizedName)) continue;
+
+      const initializer = varDecl.getInitializer();
+      if (!initializer) continue;
+
+      // Check if variable is used in exposure context
+      const varStatement = varDecl.getFirstAncestorByKind(
+        SyntaxKind.VariableStatement
+      );
+      if (!varStatement) continue;
+
+      const scope = varStatement.getParent();
+      if (!scope) continue;
+
+      // Look for usage in exposure contexts
+      const identifiers = scope.getDescendantsOfKind(SyntaxKind.Identifier);
+      for (const identifier of identifiers) {
+        if (identifier.getText() === name) {
+          const parent = identifier.getParent();
+          if (parent && this.isExposureContext(parent)) {
+            violations.push({
+              ruleId: this.ruleId,
+              severity: "warning",
+              message: `Variable '${name}' containing sensitive code is used in exposure context - ensure proper encryption`,
+              line: identifier.getStartLineNumber(),
+              column: identifier.getStart() - identifier.getStartLinePos() + 1,
+              filePath: filePath,
+              file: filePath,
+            });
+            break; // Only report once per variable
+          }
+        }
+      }
+    }
+  }
+
+  /**
+   * Helper: Normalize identifier by removing non-alphanumeric and lowercase
+   */
+  normalizeIdentifier(name) {
+    return name.replace(/[^a-zA-Z0-9]/g, "").toLowerCase();
+  }
+
+  /**
+   * Helper: Check if identifier is sensitive
+   */
+  isSensitiveIdentifier(normalizedName) {
+    // First check if it's a safe token type (JWT, session token, etc.)
+    if (this.safeTokenTypes.has(normalizedName)) {
+      return false;
+    }
+
+    // Check if it's a business/technical identifier (not security code)
+    if (this.safeBusinessIdentifiers.has(normalizedName)) {
+      return false;
+    }
+
+    // Check if it's a safe password pattern (template/route names, not actual passwords)
+    if (
+      this.safePasswordPatterns.some((pattern) =>
+        normalizedName.includes(pattern)
+      )
+    ) {
+      return false;
+    }
+
+    // Check if it ends with "token" (resetToken, authToken, etc. are secure JWT tokens)
+    if (normalizedName.endsWith("token")) {
+      return false;
+    }
+
+    // Check if it's just generic "code" without security context
+    // Only flag if it's specifically security-related
+    if (normalizedName === "code") {
+      // Check if it has security context in variable name
+      // e.g., "verificationCode", "otpCode" are sensitive
+      // but "errorCode", "statusCode" are not
+      return false; // Generic "code" alone is not sensitive
+    }
+
+    // Skip if it's "password" alone in object key context (likely config/route name)
+    if (normalizedName === "password") {
+      return false; // Will be caught by containsSensitiveCode if it's actual password value
+    }
+
+    return (
+      this.sensitiveIdentifiers.has(normalizedName) ||
+      Array.from(this.sensitiveIdentifiers).some((sensitive) =>
+        normalizedName.includes(sensitive)
+      )
+    );
+  }
+
+  /**
+   * Helper: Check if node is in safe context (hashed, encrypted, etc.)
+   */
+  isInSafeContext(node) {
+    // Check the node itself
+    const nodeText = node.getText().toLowerCase();
+    if (this.safePatterns.some((pattern) => nodeText.includes(pattern))) {
+      return true;
+    }
+
+    // Check if it's part of a safe message response (success: true, message: "...")
+    if (
+      this.safeResponsePatterns.some((pattern) => nodeText.includes(pattern))
+    ) {
+      return true;
+    }
+
+    // Check parent context
+    let current = node.getParent();
+    let depth = 0;
+
+    while (current && depth < 5) {
+      const text = current.getText().toLowerCase();
+
+      // Check for safe patterns
+      if (this.safePatterns.some((pattern) => text.includes(pattern))) {
+        return true;
+      }
+
+      // Check if parent is a variable with "hashed" or "encrypted" in name
+      if (current.getKind() === SyntaxKind.VariableDeclaration) {
+        const varName = current.getName?.() || "";
+        const normalizedVarName = varName.toLowerCase();
+        if (
+          normalizedVarName.includes("hashed") ||
+          normalizedVarName.includes("encrypted") ||
+          normalizedVarName.includes("secure") ||
+          normalizedVarName.includes("token")
+        ) {
+          return true;
+        }
+      }
+
+      // Check if parent is a safe function call (e.g., sendSecure, hash, encrypt)
+      if (current.getKind() === SyntaxKind.CallExpression) {
+        const callExpr = current;
+        const expression = callExpr.getExpression();
+        const exprText = expression.getText().toLowerCase();
+        if (this.safePatterns.some((pattern) => exprText.includes(pattern))) {
+          return true;
+        }
+      }
+
+      current = current.getParent();
+      depth++;
+    }
+
+    return false;
+  }
+
+  /**
+   * Helper: Find parent context (call expression, return, etc.)
+   */
+  findParentContext(node) {
+    let current = node.getParent();
+    let depth = 0;
+
+    while (current && depth < 10) {
+      const kind = current.getKind();
+      if (
+        kind === SyntaxKind.CallExpression ||
+        kind === SyntaxKind.ReturnStatement ||
+        kind === SyntaxKind.VariableDeclaration
+      ) {
+        return current;
+      }
+      current = current.getParent();
+      depth++;
+    }
+
+    return null;
+  }
+
+  /**
+   * Helper: Check if parent context is exposure context
+   */
+  isExposureContext(node) {
+    const text = node.getText().toLowerCase();
+    return Array.from(this.exposureContexts).some((context) =>
+      text.includes(context)
+    );
+  }
+
+  /**
+   * Helper: Check if argument contains sensitive code
+   */
+  containsSensitiveCode(node) {
+    const text = node.getText().toLowerCase();
+    const normalized = this.normalizeIdentifier(text);
+
+    // Check for sensitive identifiers
+    if (this.isSensitiveIdentifier(normalized)) {
+      return true;
+    }
+
+    // Check child nodes (for object literals, etc.)
+    if (node.getKind() === SyntaxKind.ObjectLiteralExpression) {
+      const properties = node.getProperties();
+      for (const prop of properties) {
+        const propName = prop.getName?.() || "";
+        const normalizedPropName = this.normalizeIdentifier(propName);
+        if (this.isSensitiveIdentifier(normalizedPropName)) {
+          return true;
+        }
+      }
+    }
+
+    // Check template spans
+    if (node.getKind() === SyntaxKind.TemplateExpression) {
+      const spans = node.getTemplateSpans();
+      for (const span of spans) {
+        const expr = span.getExpression();
+        const exprText = expr.getText().toLowerCase();
+        const normalizedExpr = this.normalizeIdentifier(exprText);
+        if (this.isSensitiveIdentifier(normalizedExpr)) {
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  cleanup() {
+    // No cleanup needed
+  }
+}
+
+module.exports = S006SymbolBasedAnalyzer;