@sun-asterisk/sunlint 1.3.16 → 1.3.17

package/rules/security/S013_tls_enforcement/README.md

@@ -0,0 +1,51 @@
+````markdown
+# S013 - Enforce TLS for all connections
+
+## Overview
+
+Rule S013 ensures that applications only create or call secure (HTTPS/TLS) endpoints. It detects insecure server bindings (http.createServer, express app.listen without HTTPS), hard-coded http:// URLs in client calls, and framework-specific misconfigurations that disable TLS.
+
+## Framework Support
+
+- Express.js: detect `http.createServer`, `app.listen` used without TLS wrapper, `app.set('trust proxy', false)` combined with http
+- Next.js: detect API routes calling `fetch('http://...')` or new Response created from http sources
+- Nuxt.js: detect server config `server: { https: false }` or HTTP public assets
+- NestJS: detect direct use of http server via `createServer` or `app.listen` without TLS
+
+## Security Impact
+
+Serving over HTTP or making unencrypted client calls can expose credentials, session tokens, and sensitive data to passive observers. TLS must be enforced for all communication in production.
+
+## Examples
+
+❌ Violation (Express server using http):
+
+```js
+const http = require("http");
+const server = http.createServer(app);
+server.listen(80);
+```
+
+❌ Violation (client fetch to http):
+
+```js
+await fetch("http://internal-api.local/auth");
+```
+
+✅ Compliant (HTTPS enforced):
+
+```js
+const https = require("https");
+const fs = require("fs");
+const server = https.createServer(
+  { key: fs.readFileSync("key"), cert: fs.readFileSync("cert") },
+  app
+);
+server.listen(443);
+```
+
+## Analysis Approach
+
+- Symbol-based (primary): analyze AST for server creation calls, imports of `http`, usages of `fetch`/`axios`/`request` with `http://` literals, and framework-specific config objects.
+- Regex-based (fallback): scan lines for `http.createServer`, `fetch('http://`, `app.listen(` with numeric port 80, `server: { https: false }`, etc.
+````

package/rules/security/S013_tls_enforcement/analyzer.js

@@ -0,0 +1,99 @@
+// Command: node cli.js --rule=S013 --input=examples/rule-test-fixtures/rules/S013_tls_enforcement --engine=heuristic
+
+const S013SymbolBasedAnalyzer = require("./symbol-based-analyzer");
+
+class S013Analyzer {
+  constructor(options = {}) {
+    this.ruleId = "S013";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    try {
+      this.symbolAnalyzer = new S013SymbolBasedAnalyzer(this.semanticEngine);
+    } catch (e) {
+      console.warn(`⚠ [S013] Failed to create symbol analyzer: ${e.message}`);
+    }
+  }
+
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.symbolAnalyzer && this.symbolAnalyzer.initialize) {
+      await this.symbolAnalyzer.initialize(semanticEngine);
+    }
+  }
+
+  analyzeSingle(filePath, options = {}) {
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        const vs = await this.analyzeFile(filePath, options);
+        violations.push(...vs);
+      } catch (e) {
+        console.warn(`⚠ [S013] Analysis error for ${filePath}: ${e.message}`);
+      }
+    }
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    const violationMap = new Map();
+
+    if (!this.symbolAnalyzer) {
+      return [];
+    }
+
+    try {
+      let sourceFile = null;
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      }
+
+      if (!sourceFile) {
+        // create temporary ts-morph source file
+        const fs = require("fs");
+        const path = require("path");
+        const { Project } = require("ts-morph");
+        if (!fs.existsSync(filePath)) {
+          throw new Error(`File not found: ${filePath}`);
+        }
+        const content = fs.readFileSync(filePath, "utf8");
+        const tmp = new Project({
+          useInMemoryFileSystem: true,
+          compilerOptions: { allowJs: true },
+        });
+        sourceFile = tmp.createSourceFile(path.basename(filePath), content);
+      }
+
+      if (sourceFile) {
+        const symbolViolations = await this.symbolAnalyzer.analyze(
+          sourceFile,
+          filePath
+        );
+        symbolViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+      }
+    } catch (e) {
+      console.warn(`⚠ [S013] Symbol analysis failed: ${e.message}`);
+    }
+
+    return Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+  }
+
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+  }
+}
+
+module.exports = S013Analyzer;

package/rules/security/S013_tls_enforcement/config.json

@@ -0,0 +1,41 @@
+{
+  "id": "S013",
+  "name": "Enforce TLS for all connections",
+  "category": "security",
+  "description": "S013 - Ensure TLS (HTTPS) is always used for network connections and server bindings. Detects unsecured HTTP server creation, use of http:// endpoints in client calls, and framework-specific configurations that disable HTTPS.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 1,
+    "timeout": 4000
+  },
+  "validation": {
+    "httpIndicators": [
+      "http://",
+      "require('http')",
+      "require(\"http\")",
+      "http.createServer"
+    ],
+    "httpsModules": ["https", "tls"],
+    "frameworks": ["express", "nextjs", "nuxtjs", "nestjs"]
+  }
+}

package/rules/security/S013_tls_enforcement/symbol-based-analyzer.js

@@ -0,0 +1,339 @@
+/**
+ * S013 Symbol-Based Analyzer - Enforce TLS for all connections
+ */
+
+class S013SymbolBasedAnalyzer {
+  constructor(semanticEngine) {
+    this.ruleId = "S013";
+    this.semanticEngine = semanticEngine;
+    this.httpIndicators = [
+      /http:\/\//i,
+      /ws:\/\//i, // WebSocket insecure protocol
+      /http\.createServer/,
+      /require\(['\"]http['\"]\)/,
+    ];
+    this.tlsModules = ["https", "tls"];
+    this.clientCallMethods = [
+      "fetch",
+      "axios",
+      "request",
+      "http.request",
+      "http.get",
+    ];
+  }
+
+  async initialize() {}
+
+  analyze(sourceFile, filePath) {
+    const violations = [];
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      // Check for imports/requires of 'http' module
+      const importDecls = sourceFile.getImportDeclarations();
+      for (const imp of importDecls) {
+        const moduleName = imp.getModuleSpecifierValue();
+        if (moduleName === "http") {
+          const startLine = imp.getStartLineNumber();
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Import of insecure 'http' module detected - prefer 'https' or TLS-wrapped server`,
+            severity: "error",
+            line: startLine,
+            column: 1,
+          });
+        }
+      }
+
+      // Check for require('http') style and variable assignments with insecure URLs
+      const varDecls = sourceFile.getDescendantsOfKind(
+        SyntaxKind.VariableDeclaration
+      );
+      for (const v of varDecls) {
+        const init = v.getInitializer();
+        if (init && init.getText) {
+          const initText = init.getText();
+
+          // Check for require('http')
+          if (/require\(['\"]http['\"]\)/.test(initText)) {
+            violations.push({
+              ruleId: this.ruleId,
+              message: `CommonJS require of insecure 'http' module detected - prefer 'https'`,
+              severity: "error",
+              line: v.getStartLineNumber(),
+              column: 1,
+            });
+          }
+
+          // Check for template literals with http:// or ws:// in variable assignments
+          const kind = init.getKind && init.getKind();
+          if (
+            kind === SyntaxKind.TemplateExpression ||
+            kind === SyntaxKind.NoSubstitutionTemplateLiteral
+          ) {
+            if (/http:\/\//i.test(initText)) {
+              violations.push({
+                ruleId: this.ruleId,
+                message: `Variable assigned insecure URL in template literal - use 'https://'`,
+                severity: "error",
+                line: v.getStartLineNumber(),
+                column: 1,
+              });
+            } else if (/ws:\/\//i.test(initText)) {
+              violations.push({
+                ruleId: this.ruleId,
+                message: `Variable assigned insecure WebSocket URL in template literal - use 'wss://'`,
+                severity: "error",
+                line: v.getStartLineNumber(),
+                column: 1,
+              });
+            }
+          }
+        }
+      }
+
+      // Check for http.createServer or server.listen on port 80
+      const calls = sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression);
+      for (const call of calls) {
+        const expr = call.getExpression();
+        const text = expr.getText();
+
+        // Check for 'new' expressions (like new WebSocket('ws://...'))
+        const parent = call.getParent();
+        const isNewExpression =
+          parent &&
+          parent.getKind &&
+          parent.getKind() === SyntaxKind.NewExpression;
+
+        // http.createServer(...)
+        if (/http\.createServer/.test(text)) {
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Insecure server created with http.createServer - use TLS (https.createServer)`,
+            severity: "error",
+            line: call.getStartLineNumber(),
+            column: 1,
+          });
+        }
+
+        // app.listen(80) or server.listen(80)
+        if (/\.listen/.test(text)) {
+          const args = call.getArguments();
+          if (args.length > 0) {
+            const first = args[0];
+            try {
+              const val = first.getText();
+              if (/\b80\b/.test(val) || /['\"]http:\/\//.test(val)) {
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Server listening on insecure port or http endpoint (${val}) - configure TLS (443) or use HTTPS`,
+                  severity: "error",
+                  line: call.getStartLineNumber(),
+                  column: 1,
+                });
+              }
+            } catch (e) {
+              // ignore
+            }
+          }
+        }
+
+        // client calls with http:// or ws:// in literal args (fetch('http://...'))
+        const args = call.getArguments();
+        for (const a of args) {
+          try {
+            const kind = a.getKind && a.getKind();
+
+            // Check StringLiteral
+            if (kind === SyntaxKind.StringLiteral) {
+              const lit = a.getLiteralValue();
+              if (/^http:\/\//i.test(lit)) {
+                const msgPrefix = isNewExpression
+                  ? "Constructor"
+                  : "Insecure client call";
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `${msgPrefix} to '${lit}' detected - use 'https://'`,
+                  severity: "error",
+                  line: call.getStartLineNumber(),
+                  column: 1,
+                });
+              } else if (/^ws:\/\//i.test(lit)) {
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Insecure WebSocket connection to '${lit}' detected - use 'wss://'`,
+                  severity: "error",
+                  line: call.getStartLineNumber(),
+                  column: 1,
+                });
+              }
+            }
+
+            // Check TemplateExpression and NoSubstitutionTemplateLiteral
+            if (
+              kind === SyntaxKind.TemplateExpression ||
+              kind === SyntaxKind.NoSubstitutionTemplateLiteral
+            ) {
+              const text = a.getText();
+              if (/http:\/\//i.test(text)) {
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Insecure URL in template literal detected - use 'https://'`,
+                  severity: "error",
+                  line: a.getStartLineNumber(),
+                  column: 1,
+                });
+              } else if (/ws:\/\//i.test(text)) {
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Insecure WebSocket in template literal detected - use 'wss://'`,
+                  severity: "error",
+                  line: a.getStartLineNumber(),
+                  column: 1,
+                });
+              }
+            }
+          } catch (e) {
+            // ignore
+          }
+        }
+      }
+
+      // Check NewExpression separately for WebSocket and similar constructors
+      const newExprs = sourceFile.getDescendantsOfKind(
+        SyntaxKind.NewExpression
+      );
+      for (const newExpr of newExprs) {
+        try {
+          const args = newExpr.getArguments();
+          for (const a of args) {
+            const kind = a.getKind && a.getKind();
+
+            if (kind === SyntaxKind.StringLiteral) {
+              const lit = a.getLiteralValue();
+              if (/^ws:\/\//i.test(lit)) {
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Insecure WebSocket connection to '${lit}' detected - use 'wss://'`,
+                  severity: "error",
+                  line: newExpr.getStartLineNumber(),
+                  column: 1,
+                });
+              } else if (/^http:\/\//i.test(lit)) {
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Constructor with insecure URL '${lit}' detected - use 'https://'`,
+                  severity: "error",
+                  line: newExpr.getStartLineNumber(),
+                  column: 1,
+                });
+              }
+            }
+          }
+        } catch (e) {
+          // ignore
+        }
+      }
+
+      // Check framework config objects for https: false or tls disabled
+      const objLits = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ObjectLiteralExpression
+      );
+      for (const obj of objLits) {
+        const text = obj.getText();
+        if (/https\s*:\s*false/.test(text) || /tls\s*:\s*false/.test(text)) {
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Framework configuration disables TLS (https: false) - enable TLS for production`,
+            severity: "error",
+            line: obj.getStartLineNumber(),
+            column: 1,
+          });
+        }
+      }
+
+      // Check object property assignments for insecure URLs
+      const properties = sourceFile.getDescendantsOfKind(
+        SyntaxKind.PropertyAssignment
+      );
+      for (const prop of properties) {
+        try {
+          const initializer = prop.getInitializer();
+          if (initializer) {
+            const kind = initializer.getKind && initializer.getKind();
+
+            // Check string literal property values
+            if (kind === SyntaxKind.StringLiteral) {
+              const value = initializer.getLiteralValue();
+              if (/^http:\/\//i.test(value)) {
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Object property contains insecure URL '${value}' - use 'https://'`,
+                  severity: "error",
+                  line: prop.getStartLineNumber(),
+                  column: 1,
+                });
+              } else if (/^ws:\/\//i.test(value)) {
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Object property contains insecure WebSocket URL '${value}' - use 'wss://'`,
+                  severity: "error",
+                  line: prop.getStartLineNumber(),
+                  column: 1,
+                });
+              }
+            }
+          }
+        } catch (e) {
+          // ignore
+        }
+      }
+
+      // Check array literals for insecure URLs
+      const arrayLits = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ArrayLiteralExpression
+      );
+      for (const arr of arrayLits) {
+        const elements = arr.getElements();
+        for (const elem of elements) {
+          try {
+            const kind = elem.getKind && elem.getKind();
+            if (kind === SyntaxKind.StringLiteral) {
+              const value = elem.getLiteralValue();
+              if (/^http:\/\//i.test(value)) {
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Array element contains insecure URL '${value}' - use 'https://'`,
+                  severity: "error",
+                  line: elem.getStartLineNumber(),
+                  column: 1,
+                });
+              } else if (/^ws:\/\//i.test(value)) {
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Array element contains insecure WebSocket URL '${value}' - use 'wss://'`,
+                  severity: "error",
+                  line: elem.getStartLineNumber(),
+                  column: 1,
+                });
+              }
+            }
+          } catch (e) {
+            // ignore
+          }
+        }
+      }
+    } catch (err) {
+      console.warn(
+        `⚠ [S013] Symbol analysis failed for ${filePath}:`,
+        err.message
+      );
+    }
+
+    return violations;
+  }
+
+  cleanup() {}
+}
+
+module.exports = S013SymbolBasedAnalyzer;