@sun-asterisk/sunlint 1.3.16 → 1.3.17

package/rules/security/S055_content_type_validation/symbol-based-analyzer.js

@@ -0,0 +1,346 @@
+/**
+ * S055
+ * REST services must:
+ * 1. Check the Content-Type header in incoming requests.
+ * 2. Accept only supported types, such as:
+ *     application/json
+ *     application/xml (only if required)
+ * 3. Reject unsupported or unexpected types, e.g.:
+ *     text/plain
+ *      multipart/form-data (unless explicitly required)
+ * 4. Log all rejected requests for security and debugging.
+ * 5. Avoid blindly trusting framework parsing (e.g., using body-parser or @Body() decorators without validation).
+ */
+
+const { SyntaxKind } = require('ts-morph');
+
+class S055SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S055";
+    this.ruleName = 'Validate input Content-Type in REST services';
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+    this.skipPatterns = [
+      /test\//, /tests\//, /__tests__\//, /\.test\./, /\.spec\./,
+      /node_modules\//, /build\//, /dist\//, /\.next\//, /coverage\//,
+      /vendor\//, /mocks\//, /\.mock\./,
+      /config\//, /configs\//, /\.config\./,
+      /public\//, /static\//, /assets\//,
+    ];
+
+    // Patterns to identify REST endpoints
+    this.restDecorators = ['@Post', '@Put', '@Patch', '@Get', '@Delete'];
+    this.expressPatterns = ['app.post', 'app.put', 'app.patch', 'router.post', 'router.put', 'router.patch'];
+
+    // Content-Type validation patterns
+    this.contentTypeChecks = [
+      'Content-Type', 'content-type', 'contentType',
+      'req.is(', 'request.is(',
+      'application/json', 'application/xml'
+    ];
+
+    // Patterns for valid exceptions (GOOD cases)
+    this.validExceptions = {
+      // File upload decorators/middleware
+      fileUpload: [
+        '@UseInterceptors(FileInterceptor',
+        '@UseInterceptors(FilesInterceptor',
+        '@UseInterceptors(FileFieldsInterceptor',
+        '@UseInterceptors(AnyFilesInterceptor',
+        'multer(',
+        'upload.single',
+        'upload.array',
+        'upload.fields',
+        'multipart/form-data'
+      ],
+      // Custom interceptors for validation
+      customInterceptors: [
+        '@UseInterceptors(ContentTypeInterceptor',
+        '@UseInterceptors(ValidationInterceptor',
+        '@UseInterceptors(ContentTypeValidation',
+        '@UseGuards(ContentTypeGuard',
+        'ContentTypeValidator',
+        'validateContentType'
+      ],
+      // Middleware patterns
+      middleware: [
+        'contentTypeMiddleware',
+        'validateContentType',
+        'checkContentType'
+      ]
+    };
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S055 Symbol-Based] Analyzer initialized, verbose: ${this.verbose}`);
+    }
+  }
+
+  async analyzeFileBasic(filePath, options = {}) {
+    // This is the main entry point called by the hybrid analyzer
+    return await this.analyzeFileWithSymbols(filePath, options);
+  }
+
+  analyzeFileWithSymbols(filePath, options = {}) {
+    const violations = [];
+
+    // Enable verbose mode if requested
+    const verbose = options.verbose || this.verbose;
+
+    if (!this.semanticEngine?.project) {
+      if (verbose) {
+        console.warn('[S055 Symbol-Based] No semantic engine available, skipping analysis');
+      }
+      return violations;
+    }
+
+    if (this.shouldIgnoreFile(filePath)) {
+      if (verbose) console.log(`[${this.ruleId}] Ignoring ${filePath}`);
+      return violations;
+    }
+
+    if (verbose) {
+      console.log(`🔍 [S055 Symbol-Based] Starting analysis for ${filePath}`);
+    }
+
+    try {
+      const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      if (!sourceFile) {
+        return violations;
+      }
+
+      // Find all methods and functions
+      const methods = sourceFile.getDescendantsOfKind(SyntaxKind.MethodDeclaration);
+      const functions = sourceFile.getDescendantsOfKind(SyntaxKind.FunctionDeclaration);
+      const arrowFunctions = sourceFile.getDescendantsOfKind(SyntaxKind.ArrowFunction);
+      const functionExpressions = sourceFile.getDescendantsOfKind(SyntaxKind.FunctionExpression);
+
+      // Check all methods
+      methods.forEach(method => this.checkMethod(method, sourceFile, violations));
+
+      // Check all functions
+      [...functions, ...arrowFunctions, ...functionExpressions].forEach(func => {
+        this.checkFunction(func, sourceFile, violations);
+      });
+
+      // Check Express-style route handlers
+      this.checkExpressRoutes(sourceFile, violations);
+
+      if (verbose) {
+        console.log(`🔍 [S055 Symbol-Based] Total violations found: ${violations.length}`);
+      }
+
+      return violations;
+    } catch (error) {
+      if (verbose) {
+        console.warn(`[S055 Symbol-Based] Analysis failed for ${filePath}:`, error.message);
+      }
+
+      return violations;
+    }
+  }
+
+   checkMethod(method, sourceFile, violations) {
+    // Check if it's a REST endpoint (NestJS, Spring-style decorators)
+    const decorators = method.getDecorators();
+    const isRestEndpoint = decorators.some(dec => {
+      const name = dec.getName();
+      return this.restDecorators.some(pattern => name.includes(pattern.substring(1)));
+    });
+
+    if (!isRestEndpoint) {
+      return;
+    }
+
+    // GOOD CASE: Check for file upload interceptors
+    if (this.hasFileUploadHandling(method, decorators)) {
+      if (this.verbose) {
+        console.log(`✅ [S055] Method ${method.getName()} has file upload handling - GOOD`);
+      }
+      return;
+    }
+
+    // GOOD CASE: Check for custom content-type interceptors/guards
+    if (this.hasCustomContentTypeValidation(method, decorators)) {
+      if (this.verbose) {
+        console.log(`✅ [S055] Method ${method.getName()} has custom interceptor - GOOD`);
+      }
+      return;
+    }
+
+    // Check if POST, PUT, or PATCH (methods that accept body)
+    const hasBodyDecorator = decorators.some(dec => {
+      const name = dec.getName();
+      return ['Post', 'Put', 'Patch'].includes(name);
+    });
+
+    if (hasBodyDecorator) {
+      this.checkContentTypeValidation(method, sourceFile, violations);
+    }
+  }
+
+  checkFunction(func, sourceFile, violations) {
+    const parent = func.getParent();
+
+    // Check if it's a route handler (has req/request parameter)
+    const params = func.getParameters();
+    const hasRequestParam = params.some(p => {
+      const name = p.getName();
+      return name === 'req' || name === 'request';
+    });
+
+    if (!hasRequestParam) {
+      return;
+    }
+
+    // GOOD CASE: Check for middleware usage
+    if (this.hasMiddlewareValidation(func, sourceFile)) {
+      if (this.verbose) {
+        console.log(`✅ [S055] Function has middleware validation - GOOD`);
+      }
+      return;
+    }
+
+    this.checkContentTypeValidation(func, sourceFile, violations);
+  }
+
+  checkExpressRoutes(sourceFile, violations) {
+    // Find all call expressions like app.post(), router.put(), etc.
+    const callExpressions = sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression);
+
+    callExpressions.forEach(call => {
+      const expr = call.getExpression();
+      const text = expr.getText();
+
+      const isRestRoute = this.expressPatterns.some(pattern => text.includes(pattern));
+
+      if (!isRestRoute) {
+        return;
+      }
+
+      // GOOD CASE: Check for multer or file upload middleware
+      const args = call.getArguments();
+      if (this.hasFileUploadMiddleware(args)) {
+        if (this.verbose) {
+          console.log(`✅ [S055] Express route has file upload middleware - GOOD`);
+        }
+        return;
+      }
+
+      // GOOD CASE: Check for content-type validation middleware
+      if (this.hasContentTypeMiddleware(args)) {
+        if (this.verbose) {
+          console.log(`✅ [S055] Express route has content-type middleware - GOOD`);
+        }
+        return;
+      }
+
+      // Get the handler function (usually the last argument)
+      const handler = args[args.length - 1];
+
+      if (handler) {
+        this.checkContentTypeValidation(handler, sourceFile, violations);
+      }
+    });
+  }
+
+  hasFileUploadHandling(node, decorators) {
+    const nodeText = node.getText();
+
+    // Check decorators
+    const hasFileDecorator = decorators?.some(dec => {
+      const text = dec.getText();
+      return this.validExceptions.fileUpload.some(pattern => text.includes(pattern));
+    });
+
+    // Check method body
+    const hasFileInBody = this.validExceptions.fileUpload.some(pattern =>
+      nodeText.includes(pattern)
+    );
+
+    return hasFileDecorator || hasFileInBody;
+  }
+
+  hasCustomContentTypeValidation(node, decorators) {
+    const nodeText = node.getText();
+
+    // Check decorators
+    const hasInterceptor = decorators?.some(dec => {
+      const text = dec.getText();
+      return this.validExceptions.customInterceptors.some(pattern => text.includes(pattern));
+    });
+
+    // Check method body
+    const hasValidatorInBody = this.validExceptions.customInterceptors.some(pattern =>
+      nodeText.includes(pattern)
+    );
+
+    return hasInterceptor || hasValidatorInBody;
+  }
+
+  hasMiddlewareValidation(func, sourceFile) {
+    // Look for middleware usage in the same file or parent scope
+    const parentScope = func.getParent();
+    const scopeText = parentScope?.getText() || '';
+
+    return this.validExceptions.middleware.some(pattern =>
+      scopeText.includes(pattern)
+    );
+  }
+
+  hasFileUploadMiddleware(args) {
+    return args.some(arg => {
+      const text = arg.getText();
+      return this.validExceptions.fileUpload.some(pattern => text.includes(pattern));
+    });
+  }
+
+  hasContentTypeMiddleware(args) {
+    // Check if any middleware argument validates content-type
+    return args.some(arg => {
+      const text = arg.getText();
+      return this.validExceptions.middleware.some(pattern => text.includes(pattern)) ||
+             this.validExceptions.customInterceptors.some(pattern => text.includes(pattern));
+    });
+  }
+
+  checkContentTypeValidation(node, sourceFile, violations) {
+    const bodyText = node.getText();
+
+    // Check if Content-Type validation exists
+    const hasContentTypeCheck = this.contentTypeChecks.some(pattern =>
+      bodyText.includes(pattern)
+    );
+
+    if (!hasContentTypeCheck) {
+      const startLine = node.getStartLineNumber();
+      const name = node.getKind() === SyntaxKind.MethodDeclaration
+        ? node.getName()
+        : 'anonymous function';
+
+      violations.push({
+        ruleId: this.ruleId,
+        ruleName: this.ruleName,
+        severity: 'medium',
+        message: `REST endpoint '${name}' does not validate Content-Type header. Add validation for 'application/json' or other expected types.`,
+        line: startLine,
+        column: node.getStart() - node.getStartLinePos() + 1,
+        filePath: sourceFile.getFilePath(),
+        type: 'missing_content_type_validation',
+        details: 'Consider adding Content-Type validation using req.is("application/json") or checking req.headers["content-type"] before processing request body.'
+      });
+    }
+  }
+
+  shouldIgnoreFile(filePath) {
+    return this.skipPatterns.some((pattern) => pattern.test(filePath));
+  }
+}
+
+module.exports = S055SymbolBasedAnalyzer;

package/rules/tests/C002_no_duplicate_code.test.js

@@ -3,48 +3,137 @@
  * Tests for heuristic rule analyzer
  */
 
-const C002_no_duplicate_codeAnalyzer = require('./analyzer');
+const path = require('path');
+const fs = require('fs');
+const C002_no_duplicate_codeAnalyzer = require('../common/C002_no_duplicate_code/analyzer');
 
 describe('C002_no_duplicate_code Heuristic Rule', () => {
     let analyzer;
+    const fixturesPath = path.join(__dirname, '../../examples/rule-test-fixtures/rules/C002_no_duplicate_code');
 
     beforeEach(() => {
-        analyzer = new C002_no_duplicate_codeAnalyzer();
+        analyzer = new C002_no_duplicate_codeAnalyzer({ minLines: 10, similarityThreshold: 0.85 });
     });
 
-    describe('Valid Code', () => {
-        test('should not report violations for valid code', () => {
-            const code = `
-                // TODO: Add valid code examples
-            `;
+    describe('Configuration', () => {
+        test('should have correct default configuration', () => {
+            const config = analyzer.getConfig();
+            expect(config.minLines).toBe(10);
+            expect(config.similarityThreshold).toBe(0.85);
+            expect(config.ignoreComments).toBe(true);
+            expect(config.ignoreWhitespace).toBe(true);
+        });
+    });
 
-            const violations = analyzer.analyze(code, 'test.js');
-            expect(violations).toHaveLength(0);
+    describe('Valid Code - No Duplicates', () => {
+        test('should not report violations for clean code with no duplicates', () => {
+            const testFile = path.join(fixturesPath, 'clean/no-duplicates.ts');
+            if (fs.existsSync(testFile)) {
+                const violations = analyzer.analyze([testFile], 'typescript');
+                expect(violations).toHaveLength(0);
+            }
+        });
+
+        test('should not report violations for properly extracted utilities', () => {
+            const testFile = path.join(fixturesPath, 'clean/extracted-utilities.ts');
+            if (fs.existsSync(testFile)) {
+                const violations = analyzer.analyze([testFile], 'typescript');
+                expect(violations).toHaveLength(0);
+            }
+        });
+
+        test('should not report violations for inheritance pattern', () => {
+            const testFile = path.join(fixturesPath, 'clean/inheritance-pattern.ts');
+            if (fs.existsSync(testFile)) {
+                const violations = analyzer.analyze([testFile], 'typescript');
+                expect(violations).toHaveLength(0);
+            }
+        });
+
+        test('should not report violations for composition pattern', () => {
+            const testFile = path.join(fixturesPath, 'clean/composition-pattern.ts');
+            if (fs.existsSync(testFile)) {
+                const violations = analyzer.analyze([testFile], 'typescript');
+                expect(violations).toHaveLength(0);
+            }
         });
     });
 
-    describe('Invalid Code', () => {
-        test('should report violations for invalid code', () => {
-            const code = `
-                // TODO: Add invalid code examples
-            `;
+    describe('Invalid Code - With Duplicates', () => {
+        test('should report violations for duplicate validation logic', () => {
+            const testFile = path.join(fixturesPath, 'violations/duplicate-with-comments.ts');
+            if (fs.existsSync(testFile)) {
+                const violations = analyzer.analyze([testFile], 'typescript');
+                expect(violations.length).toBeGreaterThan(0);
+                expect(violations[0].ruleId).toBe('C002');
+                expect(violations[0].message).toContain('Duplicate');
+                expect(violations[0].data.suggestions).toBeDefined();
+            }
+        });
 
-            const violations = analyzer.analyze(code, 'test.js');
-            expect(violations.length).toBeGreaterThan(0);
-            expect(violations[0].ruleId).toBe('C002_no_duplicate_code');
+        test('should report violations for duplicate repository logic', () => {
+            const testFile = path.join(fixturesPath, 'violations/duplicate-repository-logic.ts');
+            if (fs.existsSync(testFile)) {
+                const violations = analyzer.analyze([testFile], 'typescript');
+                expect(violations.length).toBeGreaterThan(0);
+                expect(violations[0].message).toContain('Duplicate');
+            }
+        });
+
+        test('should report violations for duplicate error handling', () => {
+            const testFile = path.join(fixturesPath, 'violations/duplicate-error-handling.ts');
+            if (fs.existsSync(testFile)) {
+                const violations = analyzer.analyze([testFile], 'typescript');
+                expect(violations.length).toBeGreaterThan(0);
+            }
+        });
+    });
+
+    describe('Suggestions', () => {
+        test('should provide context-aware suggestions', () => {
+            const testFile = path.join(fixturesPath, 'violations/duplicate-with-comments.ts');
+            if (fs.existsSync(testFile)) {
+                const violations = analyzer.analyze([testFile], 'typescript');
+                if (violations.length > 0) {
+                    expect(violations[0].data.suggestions).toBeDefined();
+                    expect(Array.isArray(violations[0].data.suggestions)).toBe(true);
+                    expect(violations[0].data.suggestions.length).toBeGreaterThan(0);
+                }
+            }
         });
     });
 
     describe('Edge Cases', () => {
-        test('should handle empty code', () => {
-            const violations = analyzer.analyze('', 'test.js');
+        test('should handle empty file list', () => {
+            const violations = analyzer.analyze([], 'typescript');
             expect(violations).toHaveLength(0);
         });
 
-        test('should handle syntax errors gracefully', () => {
-            const code = 'invalid javascript syntax {{{';
-            const violations = analyzer.analyze(code, 'test.js');
+        test('should handle non-existent files gracefully', () => {
+            const violations = analyzer.analyze(['/non/existent/file.ts'], 'typescript');
             expect(Array.isArray(violations)).toBe(true);
         });
+
+        test('should handle files with only comments', () => {
+            const tempFile = path.join(__dirname, 'temp-comments-only.ts');
+            fs.writeFileSync(tempFile, '// Only comments\n/* More comments */\n');
+            const violations = analyzer.analyze([tempFile], 'typescript');
+            expect(violations).toHaveLength(0);
+            if (fs.existsSync(tempFile)) {
+                fs.unlinkSync(tempFile);
+            }
+        });
+    });
+
+    describe('Cross-file Detection', () => {
+        test('should detect duplicates across multiple files', () => {
+            const file1 = path.join(fixturesPath, 'violations/duplicate-repository-logic.ts');
+            const file2 = path.join(fixturesPath, 'violations/duplicate-error-handling.ts');
+            
+            if (fs.existsSync(file1) && fs.existsSync(file2)) {
+                const violations = analyzer.analyze([file1, file2], 'typescript');
+                expect(Array.isArray(violations)).toBe(true);
+            }
+        });
     });
 });