npm - @sun-asterisk/sunlint - Versions diffs - 1.3.18 → 1.3.19 - Mend

@sun-asterisk/sunlint 1.3.18 → 1.3.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/rules/security/S041_session_token_invalidation/README.md ADDED Viewed

@@ -0,0 +1,303 @@
+# S041 - Session Tokens must be invalidated after logout or expiration
+## Overview
+This rule enforces proper session token invalidation after logout or expiration to prevent session hijacking and unauthorized access. It ensures that session data is properly cleared and tokens are invalidated when users log out.
+## Description
+Session token invalidation is a critical security measure that helps prevent:
+- **Session hijacking** through stolen or leaked tokens
+- **Unauthorized access** using expired or invalidated sessions
+- **Token reuse attacks** where old tokens remain valid
+- **Privilege escalation** through persistent session data
+## Rule Details
+**Rule ID**: S041
+**Category**: Security
+**Severity**: Error
+**Type**: Hybrid Analysis (Symbol-based + Regex-based)
+## Examples
+### ❌ Violations
+```typescript
+// Express.js - Logout without session cleanup
+app.post('/logout', (req, res) => {
+  // Missing session cleanup
+  res.json({ message: 'Logged out' });
+});
+// NestJS - Logout handler without token invalidation
+@Post('logout')
+async logout(@Req() req: Request, @Res() res: Response) {
+  // Missing token invalidation
+  res.redirect('/login');
+}
+// JWT token signing during logout (wrong approach)
+app.post('/logout', (req, res) => {
+  const token = jwt.sign({ userId: req.user.id }, secret);
+  res.json({ token }); // Should invalidate, not sign new token
+});
+// Session method without proper cleanup
+app.post('/logout', (req, res) => {
+  req.session.userId = null; // Should use destroy()
+  res.json({ message: 'Logged out' });
+});
+// Logout handler function without session cleanup
+function logoutHandler(req, res) {
+  // Missing session cleanup and token invalidation
+  res.json({ message: 'Logged out successfully' });
+}
+// Session storage without token invalidation
+app.post('/logout', (req, res) => {
+  sessionStorage.removeItem('userToken');
+  // Missing proper session cleanup
+  res.json({ message: 'Logged out' });
+});
+```
+### ✅ Correct Usage
+```typescript
+// Express.js - Complete logout with session cleanup
+app.post('/logout', (req, res) => {
+  req.session.destroy((err) => {
+    if (err) {
+      return res.status(500).json({ error: 'Logout failed' });
+    }
+    res.clearCookie('sessionId');
+    res.json({ message: 'Logged out successfully' });
+  });
+});
+// NestJS - Logout with token invalidation
+@Post('logout')
+async logout(@Req() req: Request, @Res() res: Response) {
+  const token = req.headers.authorization?.split(' ')[1];
+  if (token) {
+    await this.tokenService.blacklist(token);
+  }
+  req.session.destroy();
+  res.clearCookie('sessionId');
+  res.redirect('/login');
+}
+// JWT token blacklisting during logout
+app.post('/logout', async (req, res) => {
+  const token = req.headers.authorization?.split(' ')[1];
+  if (token) {
+    await tokenService.blacklist(token);
+  }
+  req.session.destroy();
+  res.clearCookie('sessionId');
+  res.json({ message: 'Logged out successfully' });
+});
+// Complete logout implementation
+app.post('/logout', async (req, res) => {
+  try {
+    // 1. Invalidate JWT token
+    const token = req.headers.authorization?.split(' ')[1];
+    if (token) {
+      await this.invalidateToken(token);
+    }
+    // 2. Clear session data
+    req.session.destroy((err) => {
+      if (err) {
+        return res.status(500).json({ error: 'Session cleanup failed' });
+      }
+      // 3. Clear all cookies
+      res.clearCookie('sessionId');
+      res.clearCookie('token');
+      res.clearCookie('refreshToken');
+      res.json({
+        message: 'Logged out successfully',
+        clearStorage: true
+      });
+    });
+  } catch (error) {
+    res.status(500).json({ error: 'Logout failed' });
+  }
+});
+// Express session with regeneration
+app.post('/secure-logout', (req, res) => {
+  req.session.regenerate((err) => {
+    if (err) {
+      return res.status(500).json({ error: 'Logout failed' });
+    }
+    res.clearCookie('connect.sid', {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'strict'
+    });
+    res.json({ message: 'Securely logged out' });
+  });
+});
+```
+## Configuration
+### Detected Patterns
+This rule detects session token invalidation issues in multiple scenarios:
+### Logout Methods
+- `logout()`, `signOut()`, `logOut()` methods without session cleanup
+- `invalidate()`, `revoke()`, `expire()` methods without proper implementation
+- Logout handler functions without token invalidation
+### Session Methods
+- `req.session.destroy()` calls in logout context
+- `req.session.clear()`, `req.session.remove()` without token invalidation
+- `sessionStorage.clear()`, `localStorage.clear()` without proper cleanup
+### JWT Token Handling
+- `jwt.sign()` calls during logout (should invalidate instead)
+- JWT token creation in logout context
+- Missing token blacklisting/revocation
+### Session Storage
+- `sessionStorage.removeItem()`, `localStorage.removeItem()` without token invalidation
+- Session data clearing without proper token cleanup
+- Cookie clearing without session destruction
+**Logout Method Names:**
+- `logout`, `signOut`, `logOut`
+- `destroy`, `clear`, `invalidate`
+- `revoke`, `expire`
+**Session Methods:**
+- `req.session.destroy`, `req.session.clear`, `req.session.remove`
+- `sessionStorage.clear`, `localStorage.clear`
+- `res.clearCookie`, `res.clearCookie()`
+**Token Invalidation Patterns:**
+- `blacklist`, `revoke`, `invalidate`
+- `expire`, `remove.*token`, `delete.*token`
+- `clear.*token`, `destroy.*token`
+### Required Session Cleanup Patterns
+**Session Cleanup:**
+- `req.session.destroy()`
+- `req.session = null`
+- `req.session = {}`
+- `session.destroy()`
+- `session.clear()`
+- `session.remove()`
+**Cookie Cleanup:**
+- `res.clearCookie()`
+- `sessionStorage.clear()`
+- `localStorage.clear()`
+**Token Invalidation:**
+- Token blacklisting
+- Token revocation
+- Token expiration
+- Token removal/deletion
+## Security Benefits
+1. **Session Security**: Prevents unauthorized access through persistent sessions
+2. **Token Invalidation**: Ensures old tokens cannot be reused
+3. **Data Cleanup**: Removes sensitive session data from memory
+4. **Attack Prevention**: Mitigates session hijacking and token reuse attacks
+## Analysis Approach
+### Symbol-based Analysis (Primary)
+- Uses TypeScript AST for semantic analysis
+- Detects logout methods and session handling
+- Analyzes function context for proper cleanup
+- Provides precise line/column positions
+### Regex-based Analysis (Fallback)
+- Pattern-based detection for complex cases
+- Handles string-based session methods
+- Covers edge cases missed by AST analysis
+- Maintains line number accuracy
+## Best Practices
+1. **Always destroy sessions** when users log out
+2. **Invalidate JWT tokens** by blacklisting or revoking them
+3. **Clear all cookies** related to authentication
+4. **Remove session data** from client-side storage
+5. **Handle errors gracefully** during logout process
+6. **Use proper session methods** like `destroy()` instead of setting to null
+7. **Implement token blacklisting** for JWT-based authentication
+8. **Clear multiple storage types** (sessionStorage, localStorage, cookies)
+## Testing
+Run the rule on test fixtures:
+```bash
+# Test violations
+node cli.js --rule=S041 --input=examples/rule-test-fixtures/rules/S041_session_token_invalidation/violations --engine=heuristic
+# Test clean examples
+node cli.js --rule=S041 --input=examples/rule-test-fixtures/rules/S041_session_token_invalidation/clean --engine=heuristic
+# Test all examples
+node cli.js --rule=S041 --input=examples/rule-test-fixtures/rules/S041_session_token_invalidation --engine=heuristic
+# Framework-specific testing
+# Test with ESLint engine (fast)
+node cli.js --rule=S041 --input=path/to/your/files
+# Test with heuristic engine (comprehensive)
+node cli.js --rule=S041 --input=path/to/your/files --engine=heuristic
+```
+## Framework Compatibility
+- **Node.js**: All versions
+- **Frameworks**: Express.js, NestJS, Next.js, NextAuth.js
+- **Languages**: JavaScript, TypeScript
+- **Analysis Engines**: ESLint (fast), Heuristic (comprehensive)
+## Related Rules
+- **S031**: Set Secure flag for Session Cookies
+- **S032**: Set HttpOnly attribute for Session Cookies
+- **S033**: Set SameSite attribute for Session Cookies
+- **S034**: Use __Host- prefix for Session Cookies
+- **S049**: Authentication tokens should have short validity periods
+Together, these rules provide comprehensive session and token security.
+## OWASP References
+- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+- [OWASP Session Hijacking Attack](https://owasp.org/www-community/attacks/Session_hijacking_attack)
+- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)

package/rules/security/S041_session_token_invalidation/analyzer.js ADDED Viewed

@@ -0,0 +1,242 @@
+/**
+ * S041 Main Analyzer - Session Tokens must be invalidated after logout or expiration
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S041 --input=examples/rule-test-fixtures/rules/S041_session_token_invalidation --engine=heuristic
+ */
+const S041SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S041RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+class S041Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S041] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S041] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+    this.ruleId = "S041";
+    this.ruleName = "Session Tokens must be invalidated after logout or expiration";
+    this.description =
+      "Session tokens must be properly invalidated after logout or expiration to prevent session hijacking and unauthorized access. This includes clearing session data, invalidating JWT tokens, and ensuring proper session cleanup.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      fallbackToRegex: true, // Secondary approach
+      regexBasedOnly: false, // Can be set to true for pure mode
+    };
+    // Initialize analyzers
+    try {
+      this.symbolAnalyzer = new S041SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S041] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S041] Error creating symbol analyzer:`, error);
+    }
+    try {
+      this.regexAnalyzer = new S041RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S041] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S041] Error creating regex analyzer:`, error);
+    }
+  }
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S041] Main analyzer initializing...`);
+    }
+    // Initialize both analyzers
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    }
+    if (this.regexAnalyzer) {
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    }
+    // Clean up if needed
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.cleanup?.();
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S041] Main analyzer initialized successfully`);
+    }
+  }
+  /**
+   * Single file analysis method for testing
+   */
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`📊 [S041] analyzeSingle() called for: ${filePath}`);
+    }
+    // Return result using same format as analyze method
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S041] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S041] Processing file: ${filePath}`);
+        }
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S041] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(
+          `⚠ [S041] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S041] Total violations found: ${violations.length}`);
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S041] analyzeFile() called for: ${filePath}`);
+    }
+    // Create a Map to track unique violations and prevent duplicates
+    const violationMap = new Map();
+    // 1. Try Symbol-based analysis first (primary)
+    if (
+      this.config.useSymbolBased &&
+      this.semanticEngine?.project &&
+      this.semanticEngine?.initialized
+    ) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S041] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S041] Source file found, analyzing...`);
+          }
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          // Add to violation map with deduplication
+          symbolViolations.forEach((violation) => {
+            const key = `${violation.line}:${violation.column}:${violation.message}`;
+            if (!violationMap.has(key)) {
+              violationMap.set(key, violation);
+            }
+          });
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S041] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S041] Source file not found, falling back...`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠ [S041] Symbol analysis failed:`, error.message);
+      }
+    }
+    // 2. Try Regex-based analysis (fallback or additional)
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S041] Trying regex-based analysis...`);
+        }
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        // Add to violation map with deduplication
+        regexViolations.forEach((violation) => {
+          const key = `${violation.line}:${violation.column}:${violation.message}`;
+          if (!violationMap.has(key)) {
+            violationMap.set(key, violation);
+          }
+        });
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S041] Regex analysis completed: ${regexViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S041] Regex analysis failed:`, error.message);
+      }
+    }
+    // Convert Map values to array and add filePath to each violation
+    const finalViolations = Array.from(violationMap.values()).map(
+      (violation) => ({
+        ...violation,
+        filePath: filePath,
+        file: filePath, // Also add 'file' for compatibility
+      })
+    );
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S041] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    }
+    return finalViolations;
+  }
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+    if (this.regexAnalyzer?.cleanup) {
+      this.regexAnalyzer.cleanup();
+    }
+  }
+}
+module.exports = S041Analyzer;