@sun-asterisk/sunlint 1.3.18 → 1.3.19

package/rules/security/S041_session_token_invalidation/config.json

@@ -0,0 +1,175 @@
+{
+  "rule": {
+    "id": "S041",
+    "name": "Session Tokens must be invalidated after logout or expiration",
+    "description": "Session tokens must be properly invalidated after logout or expiration to prevent session hijacking and unauthorized access. This includes clearing session data, invalidating JWT tokens, and ensuring proper session cleanup.",
+    "category": "security",
+    "severity": "error",
+    "languages": ["typescript", "javascript"],
+    "frameworks": ["express", "nestjs", "node"],
+    "version": "1.0.0",
+    "status": "stable",
+    "tags": ["security", "session", "token", "logout", "invalidation", "owasp"],
+    "references": [
+      "https://owasp.org/www-community/controls/Session_Management_Cheat_Sheet",
+      "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html",
+      "https://owasp.org/www-community/attacks/Session_hijacking_attack",
+      "https://portswigger.net/web-security/authentication/password-based/lab-session-fixation"
+    ]
+  },
+  "configuration": {
+    "enableLogoutDetection": true,
+    "enableSessionCleanupDetection": true,
+    "enableTokenInvalidationDetection": true,
+    "enableJWTHandlingDetection": true,
+    "checkLogoutMethods": [
+      "logout",
+      "signOut",
+      "logOut", 
+      "destroy",
+      "clear",
+      "invalidate",
+      "revoke",
+      "expire"
+    ],
+    "checkSessionMethods": [
+      "removeItem",
+      "clear",
+      "destroy",
+      "delete"
+    ],
+    "checkExpressSessionMethods": [
+      "destroy",
+      "regenerate",
+      "reload",
+      "save"
+    ],
+    "checkJWTMethods": [
+      "sign",
+      "verify",
+      "decode",
+      "invalidate",
+      "blacklist"
+    ],
+    "checkTokenMethods": [
+      "removeToken",
+      "clearToken",
+      "invalidateToken",
+      "revokeToken",
+      "deleteToken",
+      "destroyToken"
+    ],
+    "sessionCleanupPatterns": [
+      "req.session.destroy",
+      "req.session = null",
+      "req.session = {}",
+      "session.destroy",
+      "session.clear",
+      "session.remove",
+      ".removeItem(",
+      ".clear(",
+      ".delete("
+    ],
+    "tokenInvalidationPatterns": [
+      "blacklist",
+      "revoke",
+      "invalidate",
+      "expire",
+      "remove.*token",
+      "delete.*token",
+      "clear.*token",
+      "destroy.*token"
+    ],
+    "logoutHandlerPatterns": [
+      "function.*logout",
+      "const.*logout.*=",
+      "let.*logout.*=",
+      "var.*logout.*=",
+      "logout.*:.*function",
+      "logout.*:.*("
+    ],
+    "sessionStoragePatterns": [
+      "sessionStorage",
+      "localStorage",
+      "req.session",
+      "session["
+    ]
+  },
+  "examples": {
+    "violations": [
+      {
+        "description": "Logout method without session cleanup",
+        "code": "app.post('/logout', (req, res) => {\n  // Missing session cleanup\n  res.json({ message: 'Logged out' });\n});"
+      },
+      {
+        "description": "Logout handler without token invalidation",
+        "code": "function logout(req, res) {\n  // Missing token invalidation\n  res.redirect('/login');\n}"
+      },
+      {
+        "description": "JWT token signing during logout",
+        "code": "app.post('/logout', (req, res) => {\n  const token = jwt.sign({ userId: req.user.id }, secret);\n  res.json({ token });\n});"
+      },
+      {
+        "description": "Session method without proper cleanup",
+        "code": "app.post('/logout', (req, res) => {\n  req.session.userId = null; // Should use destroy()\n  res.json({ message: 'Logged out' });\n});"
+      }
+    ],
+    "fixes": [
+      {
+        "description": "Proper session cleanup in logout",
+        "code": "app.post('/logout', (req, res) => {\n  req.session.destroy((err) => {\n    if (err) {\n      return res.status(500).json({ error: 'Logout failed' });\n    }\n    res.clearCookie('sessionId');\n    res.json({ message: 'Logged out successfully' });\n  });\n});"
+      },
+      {
+        "description": "JWT token blacklisting during logout",
+        "code": "app.post('/logout', (req, res) => {\n  const token = req.headers.authorization?.split(' ')[1];\n  if (token) {\n    // Add token to blacklist\n    blacklist.add(token);\n  }\n  res.json({ message: 'Logged out successfully' });\n});"
+      },
+      {
+        "description": "Complete session and token cleanup",
+        "code": "app.post('/logout', async (req, res) => {\n  try {\n    // Invalidate JWT token\n    const token = req.headers.authorization?.split(' ')[1];\n    if (token) {\n      await tokenService.blacklist(token);\n    }\n    \n    // Clear session\n    req.session.destroy();\n    \n    // Clear cookies\n    res.clearCookie('sessionId');\n    res.clearCookie('token');\n    \n    res.json({ message: 'Logged out successfully' });\n  } catch (error) {\n    res.status(500).json({ error: 'Logout failed' });\n  }\n});"
+      }
+    ]
+  },
+  "testing": {
+    "testCases": [
+      {
+        "name": "logout_without_session_cleanup",
+        "type": "violation",
+        "description": "Logout method without proper session cleanup"
+      },
+      {
+        "name": "logout_handler_without_token_invalidation",
+        "type": "violation", 
+        "description": "Logout handler without token invalidation"
+      },
+      {
+        "name": "jwt_sign_during_logout",
+        "type": "violation",
+        "description": "JWT token signing during logout process"
+      },
+      {
+        "name": "session_method_without_cleanup",
+        "type": "violation",
+        "description": "Session method without proper cleanup"
+      },
+      {
+        "name": "secure_logout_with_session_cleanup",
+        "type": "clean",
+        "description": "Logout with proper session cleanup"
+      },
+      {
+        "name": "secure_logout_with_token_invalidation",
+        "type": "clean",
+        "description": "Logout with proper token invalidation"
+      },
+      {
+        "name": "complete_logout_implementation",
+        "type": "clean",
+        "description": "Complete logout implementation with all security measures"
+      }
+    ]
+  },
+  "performance": {
+    "complexity": "O(n)",
+    "description": "Linear complexity based on number of function calls and expressions in the source code"
+  }
+}

package/rules/security/S041_session_token_invalidation/regex-based-analyzer.js

@@ -0,0 +1,411 @@
+/**
+ * S041 Regex-Based Analyzer - Session Tokens must be invalidated after logout or expiration
+ * Uses regex patterns for analysis when symbol-based analysis is not available
+ */
+
+const fs = require("fs");
+const path = require("path");
+
+class S041RegexBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.semanticEngine = semanticEngine;
+    this.ruleId = "S041";
+    this.category = "security";
+
+    // Logout method patterns
+    this.logoutPatterns = [
+      /logout\s*\(/gi,
+      /signOut\s*\(/gi,
+      /logOut\s*\(/gi,
+      /destroy\s*\(/gi,
+      /clear\s*\(/gi,
+      /invalidate\s*\(/gi,
+      /revoke\s*\(/gi,
+      /expire\s*\(/gi,
+      /endSession\s*\(/gi,
+      /end-session\s*\(/gi,
+      /clear-session\s*\(/gi,
+      /destroy-session\s*\(/gi,
+      /remove-session\s*\(/gi
+    ];
+
+    // Session cleanup patterns (what should be present)
+    this.sessionCleanupPatterns = [
+      /req\.session\.destroy/gi,
+      /req\.session\s*=\s*null/gi,
+      /req\.session\s*=\s*\{\}/gi,
+      /session\.destroy/gi,
+      /session\.clear/gi,
+      /session\.remove/gi,
+      /\.removeItem\s*\(/gi,
+      /\.clear\s*\(/gi,
+      /\.delete\s*\(/gi,
+      /res\.clearCookie/gi,
+      /sessionStorage\.clear/gi,
+      /localStorage\.clear/gi,
+      /req\.session\.regenerate/gi
+    ];
+
+    // Token invalidation patterns (what should be present)
+    this.tokenInvalidationPatterns = [
+      /blacklist/gi,
+      /revoke/gi,
+      /invalidate/gi,
+      /expire/gi,
+      /remove.*token/gi,
+      /delete.*token/gi,
+      /clear.*token/gi,
+      /destroy.*token/gi
+    ];
+
+    // JWT token patterns
+    this.jwtPatterns = [
+      /jwt\.sign/gi,
+      /jwt\.verify/gi,
+      /jwt\.decode/gi,
+      /jsonwebtoken/gi
+    ];
+
+    // Session storage patterns
+    this.sessionStoragePatterns = [
+      /sessionStorage/gi,
+      /localStorage/gi,
+      /req\.session/gi,
+      /session\[/gi
+    ];
+
+    // Logout handler function patterns
+    this.logoutHandlerPatterns = [
+      /function\s+\w*logout\w*\s*\(/gi,
+      /const\s+\w*logout\w*\s*=/gi,
+      /let\s+\w*logout\w*\s*=/gi,
+      /var\s+\w*logout\w*\s*=/gi,
+      /logout\s*:\s*function/gi,
+      /logout\s*:\s*\(/gi,
+      /async\s+\w*logout\w*\s*\(/gi,
+      /async\s+\w*signout\w*\s*\(/gi,
+      /async\s+\w*endSession\w*\s*\(/gi,
+      /@Post\s*\(\s*['"]logout['"]\s*\)/gi,
+      /@Post\s*\(\s*['"]signout['"]\s*\)/gi,
+      /@Post\s*\(\s*['"]end-session['"]\s*\)/gi
+    ];
+  }
+
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.verbose) {
+      console.log(`🔍 [${this.ruleId}] Regex: Semantic engine initialized`);
+    }
+  }
+
+  async analyze(filePath) {
+    if (this.verbose) {
+      console.log(
+        `🔍 [${this.ruleId}] Regex: Starting analysis for ${filePath}`
+      );
+    }
+
+    try {
+      const content = fs.readFileSync(filePath, "utf8");
+      return await this.analyzeContent(content, filePath);
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Regex: Error reading file:`,
+          error.message
+        );
+      }
+      return [];
+    }
+  }
+
+  async analyzeContent(content, filePath) {
+    const violations = [];
+
+    try {
+      if (this.verbose) {
+        console.log(`🔍 [${this.ruleId}] Regex: Starting regex-based analysis`);
+      }
+
+      // Split content into lines for line number tracking
+      const lines = content.split("\n");
+
+      // 1. Check for logout methods without proper session cleanup
+      const logoutViolations = this.findLogoutViolations(lines, filePath);
+      violations.push(...logoutViolations);
+
+      // 2. Check for logout handlers without session cleanup
+      const handlerViolations = this.findLogoutHandlerViolations(lines, filePath);
+      violations.push(...handlerViolations);
+
+      // 3. Check for JWT token handling in logout context
+      const jwtViolations = this.findJWTViolations(lines, filePath);
+      violations.push(...jwtViolations);
+
+      // 4. Check for session methods without token invalidation
+      const sessionViolations = this.findSessionViolations(lines, filePath);
+      violations.push(...sessionViolations);
+
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Regex: Analysis completed. Found ${violations.length} violations`
+        );
+      }
+
+      return violations;
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Regex: Error in content analysis:`,
+          error.message
+        );
+      }
+      return [];
+    }
+  }
+
+  findLogoutViolations(lines, filePath) {
+    const violations = [];
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNumber = i + 1;
+
+      // Check if line contains logout method
+      const hasLogoutMethod = this.logoutPatterns.some(pattern => 
+        pattern.test(line)
+      );
+
+      if (hasLogoutMethod) {
+        // Check if session cleanup is present in the same function
+        const hasSessionCleanup = this.hasSessionCleanupInFunction(lines, i);
+        
+        if (!hasSessionCleanup) {
+          violations.push({
+            rule: this.ruleId,
+            source: filePath,
+            category: this.category,
+            line: lineNumber,
+            column: 1,
+            message: "Session token invalidation vulnerability: Logout method should invalidate session tokens and clear session data",
+            severity: "error",
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  findLogoutHandlerViolations(lines, filePath) {
+    const violations = [];
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNumber = i + 1;
+
+      // Check if line contains logout handler function
+      const hasLogoutHandler = this.logoutHandlerPatterns.some(pattern => 
+        pattern.test(line)
+      );
+
+      if (hasLogoutHandler) {
+        // Check if session cleanup is present in the function
+        const hasSessionCleanup = this.hasSessionCleanupInFunction(lines, i);
+        
+        if (!hasSessionCleanup) {
+          violations.push({
+            rule: this.ruleId,
+            source: filePath,
+            category: this.category,
+            line: lineNumber,
+            column: 1,
+            message: "Session token invalidation vulnerability: Logout handler should clear session data and invalidate tokens",
+            severity: "error",
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  findJWTViolations(lines, filePath) {
+    const violations = [];
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNumber = i + 1;
+
+      // Check if line contains JWT sign method
+      const hasJWTSign = /jwt\.sign/gi.test(line);
+
+      if (hasJWTSign) {
+        // Check if it's in a logout context
+        const isInLogoutContext = this.isInLogoutContext(lines, i);
+        
+        if (isInLogoutContext) {
+          violations.push({
+            rule: this.ruleId,
+            source: filePath,
+            category: this.category,
+            line: lineNumber,
+            column: 1,
+            message: "Session token invalidation vulnerability: JWT token should be invalidated/blacklisted during logout, not signed",
+            severity: "error",
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  findSessionViolations(lines, filePath) {
+    const violations = [];
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNumber = i + 1;
+
+      // Don't detect session cleanup methods as violations
+      const sessionCleanupMethods = [
+        'req.session.destroy',
+        'session.destroy',
+        'res.clearCookie',
+        'sessionStorage.clear',
+        'localStorage.clear',
+        'req.session.reload',
+        'req.session.regenerate'
+      ];
+      
+      if (sessionCleanupMethods.some(method => line.includes(method))) {
+        continue;
+      }
+
+      // Check if line contains session storage methods
+      const hasSessionMethod = this.sessionStoragePatterns.some(pattern => 
+        pattern.test(line)
+      );
+
+      if (hasSessionMethod) {
+        // Check if it's in a logout context and if token invalidation is present
+        const isInLogoutContext = this.isInLogoutContext(lines, i);
+        const hasTokenInvalidation = this.hasTokenInvalidationInFunction(lines, i);
+        
+        // Only report if it's in logout context and missing token invalidation
+        if (isInLogoutContext && !hasTokenInvalidation) {
+          violations.push({
+            rule: this.ruleId,
+            source: filePath,
+            category: this.category,
+            line: lineNumber,
+            column: 1,
+            message: "Session token invalidation vulnerability: Session method should invalidate tokens during logout",
+            severity: "error",
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  hasSessionCleanupInFunction(lines, startIndex) {
+    // Look for session cleanup patterns in the current function scope
+    const functionEnd = this.findFunctionEnd(lines, startIndex);
+    
+    for (let i = startIndex; i <= functionEnd && i < lines.length; i++) {
+      const line = lines[i];
+      const hasCleanup = this.sessionCleanupPatterns.some(pattern => 
+        pattern.test(line)
+      );
+      if (hasCleanup) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  hasTokenInvalidationInFunction(lines, startIndex) {
+    // Look for token invalidation patterns in the current function scope
+    const functionEnd = this.findFunctionEnd(lines, startIndex);
+    
+    for (let i = startIndex; i <= functionEnd && i < lines.length; i++) {
+      const line = lines[i];
+      const hasInvalidation = this.tokenInvalidationPatterns.some(pattern => 
+        pattern.test(line)
+      );
+      if (hasInvalidation) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  isInLogoutContext(lines, startIndex) {
+    // Look for logout-related patterns in the current function scope
+    const functionEnd = this.findFunctionEnd(lines, startIndex);
+    
+    for (let i = startIndex; i <= functionEnd && i < lines.length; i++) {
+      const line = lines[i];
+      
+      // Check for actual logout method calls or function names
+      const hasLogoutMethod = this.logoutPatterns.some(pattern => 
+        pattern.test(line)
+      );
+      
+      // Check for logout handler function patterns
+      const hasLogoutHandler = this.logoutHandlerPatterns.some(pattern =>
+        pattern.test(line)
+      );
+      
+      if (hasLogoutMethod || hasLogoutHandler) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  findFunctionEnd(lines, startIndex) {
+    let braceCount = 0;
+    let inFunction = false;
+    
+    for (let i = startIndex; i < lines.length; i++) {
+      const line = lines[i];
+      
+      // Count opening and closing braces
+      const openBraces = (line.match(/\{/g) || []).length;
+      const closeBraces = (line.match(/\}/g) || []).length;
+      
+      if (openBraces > 0) {
+        inFunction = true;
+      }
+      
+      if (inFunction) {
+        braceCount += openBraces - closeBraces;
+        
+        if (braceCount === 0 && closeBraces > 0) {
+          return i;
+        }
+      }
+    }
+    
+    return lines.length - 1;
+  }
+
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    // No cleanup needed for regex-based analyzer
+  }
+}
+
+module.exports = S041RegexBasedAnalyzer;