@sun-asterisk/sunlint 1.3.18 → 1.3.19

package/rules/security/S044_re_authentication_required/regex-based-analyzer.js

@@ -0,0 +1,329 @@
+/**
+ * S044 Regex-Based Analyzer - Re-authentication Required for Sensitive Operations
+ * Fallback analyzer using regex patterns for cases where symbol-based analysis is not available
+ */
+
+const fs = require("fs");
+const path = require("path");
+
+class S044RegexBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.semanticEngine = semanticEngine;
+    this.ruleId = "S044";
+    this.category = "security";
+
+    // Sensitive operations patterns
+    this.sensitiveOperationPatterns = [
+      /changePassword|updatePassword|resetPassword/gi,
+      /changeEmail|updateEmail/gi,
+      /changeProfile|updateProfile/gi,
+      /deleteAccount|deactivateAccount/gi,
+      /changePhoneNumber|updatePhoneNumber/gi,
+      /changeSecurityQuestion|updateSecurityQuestion/gi,
+      /changeTwoFactorSettings|updateTwoFactorSettings/gi,
+      /changeBillingInfo|updateBillingInfo/gi,
+      /changePaymentMethod|updatePaymentMethod/gi
+    ];
+
+    // Re-authentication patterns
+    this.reAuthPatterns = [
+      /verifyPassword|confirmPassword|reAuthenticate/gi,
+      /verifyCurrentPassword|validatePassword/gi,
+      /checkPassword|authenticateUser/gi,
+      /verifyIdentity/gi
+    ];
+
+    // Re-authentication middleware patterns
+    this.reAuthMiddlewarePatterns = [
+      /requireReAuth|requireReAuthentication/gi,
+      /verifyReAuth|checkReAuth/gi,
+      /validateReAuth/gi,
+      /ReAuthGuard|ReAuthenticationGuard/gi,
+      /VerifyReAuthGuard/gi
+    ];
+
+    // NestJS decorator patterns
+    this.nestjsDecoratorPatterns = [
+      /@RequireReAuth|@ReAuthenticationRequired/gi,
+      /@VerifyReAuth/gi,
+      /@UseGuards\s*\(\s*ReAuthGuard/gi,
+      /@UseGuards\s*\(\s*ReAuthenticationGuard/gi,
+      /@UseGuards\s*\(\s*VerifyReAuthGuard/gi
+    ];
+
+    // Express route patterns
+    this.expressRoutePatterns = [
+      /\.(get|post|put|patch|delete)\s*\(\s*['"`]\/change-password/gi,
+      /\.(get|post|put|patch|delete)\s*\(\s*['"`]\/update-password/gi,
+      /\.(get|post|put|patch|delete)\s*\(\s*['"`]\/change-email/gi,
+      /\.(get|post|put|patch|delete)\s*\(\s*['"`]\/update-email/gi,
+      /\.(get|post|put|patch|delete)\s*\(\s*['"`]\/change-profile/gi,
+      /\.(get|post|put|patch|delete)\s*\(\s*['"`]\/update-profile/gi,
+      /\.(get|post|put|patch|delete)\s*\(\s*['"`]\/delete-account/gi,
+      /\.(get|post|put|patch|delete)\s*\(\s*['"`]\/deactivate-account/gi
+    ];
+
+    // Exclude patterns
+    this.excludePatterns = [
+      /login|register|logout/gi,
+      /forgot-password|reset-password-request/gi,
+      /signin|signup|signout/gi
+    ];
+  }
+
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.verbose) {
+      console.log(`🔍 [${this.ruleId}] Regex: Semantic engine initialized`);
+    }
+  }
+
+  async analyze(filePath) {
+    if (this.verbose) {
+      console.log(
+        `🔍 [${this.ruleId}] Regex: Starting analysis for ${filePath}`
+      );
+    }
+
+    try {
+      const content = fs.readFileSync(filePath, "utf8");
+      const lines = content.split("\n");
+      const violations = [];
+      let inControllerClass = false;
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNumber = i + 1;
+
+        // Track if we're inside a controller class
+        if (this.isControllerClassDeclaration(line)) {
+          inControllerClass = true;
+        } else if (this.isClassDeclaration(line) && !this.isControllerClassDeclaration(line)) {
+          inControllerClass = false;
+        }
+
+        // Only check methods inside controller classes
+        if (inControllerClass) {
+          const violation = this.analyzeLine(line, lineNumber, filePath, lines, i);
+          if (violation) {
+            violations.push(violation);
+          }
+        }
+      }
+
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Regex: Analysis completed. Found ${violations.length} violations`
+        );
+      }
+
+      return violations;
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Regex: Error in analysis:`,
+          error.message
+        );
+      }
+      return [];
+    }
+  }
+
+  analyzeLine(line, lineNumber, filePath, lines, currentIndex) {
+    try {
+      // Skip comments and empty lines
+      if (this.isCommentOrEmpty(line)) {
+        return null;
+      }
+
+      // Check for sensitive operations
+      const sensitiveOperation = this.findSensitiveOperation(line);
+      if (!sensitiveOperation) {
+        return null;
+      }
+
+      // Check if this is an excluded pattern
+      if (this.isExcludedPattern(line)) {
+        return null;
+      }
+
+      // Check if re-authentication is present in current line or previous lines
+      if (this.hasReAuthentication(line) || this.hasReAuthenticationInContext(lines, currentIndex)) {
+        return null; // Properly protected
+      }
+
+      // Only check methods in controller classes, not service classes
+      if (this.isControllerMethod(line)) {
+        return this.createViolation(
+          filePath,
+          lineNumber,
+          line.indexOf(sensitiveOperation),
+          `Sensitive operation '${sensitiveOperation}' requires re-authentication before execution`
+        );
+      }
+
+      // Check if this is an Express route
+      if (this.isExpressRoute(line)) {
+        return this.createViolation(
+          filePath,
+          lineNumber,
+          line.indexOf(sensitiveOperation),
+          `Sensitive route requires re-authentication middleware`
+        );
+      }
+
+      return null;
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Regex: Error analyzing line ${lineNumber}:`,
+          error.message
+        );
+      }
+      return null;
+    }
+  }
+
+  isCommentOrEmpty(line) {
+    const trimmed = line.trim();
+    return (
+      trimmed === "" ||
+      trimmed.startsWith("//") ||
+      trimmed.startsWith("/*") ||
+      trimmed.startsWith("*") ||
+      trimmed.startsWith("#")
+    );
+  }
+
+  findSensitiveOperation(line) {
+    for (const pattern of this.sensitiveOperationPatterns) {
+      const match = line.match(pattern);
+      if (match) {
+        return match[0];
+      }
+    }
+    return null;
+  }
+
+  isExcludedPattern(line) {
+    return this.excludePatterns.some(pattern => pattern.test(line));
+  }
+
+  hasReAuthentication(line) {
+    // Check for re-authentication methods
+    if (this.reAuthPatterns.some(pattern => pattern.test(line))) {
+      return true;
+    }
+
+    // Check for re-authentication middleware
+    if (this.reAuthMiddlewarePatterns.some(pattern => pattern.test(line))) {
+      return true;
+    }
+
+    // Check for NestJS decorators
+    if (this.nestjsDecoratorPatterns.some(pattern => pattern.test(line))) {
+      return true;
+    }
+
+    // Check for @UseGuards decorators
+    if (/@UseGuards\s*\(\s*ReAuth/gi.test(line)) {
+      return true;
+    }
+
+    return false;
+  }
+
+  isControllerClassDeclaration(line) {
+    return /class\s+\w*Controller\s*{/gi.test(line) || 
+           /@Controller/gi.test(line);
+  }
+
+  isClassDeclaration(line) {
+    return /class\s+\w+\s*{/gi.test(line);
+  }
+
+  isControllerMethod(line) {
+    // Check if this is a method in a controller class
+    // Look for @Controller decorator or controller class pattern
+    return (
+      /^\s*@\w+.*\s+(async\s+)?(public\s+|private\s+|protected\s+)?(static\s+)?(async\s+)?\w+\s*\(/gi.test(line) ||
+      /^\s*(async\s+)?(public\s+|private\s+|protected\s+)?(static\s+)?(async\s+)?\w+\s*\(/gi.test(line)
+    );
+  }
+
+  hasReAuthenticationInContext(lines, currentIndex) {
+    // Check previous lines for re-authentication decorators
+    for (let i = Math.max(0, currentIndex - 5); i < currentIndex; i++) {
+      if (this.hasReAuthentication(lines[i])) {
+        return true;
+      }
+    }
+    
+    // Check if method calls re-authentication methods
+    const methodBody = this.getMethodBody(lines, currentIndex);
+    if (methodBody && this.hasReAuthMethodCall(methodBody)) {
+      return true;
+    }
+    
+    return false;
+  }
+
+  getMethodBody(lines, currentIndex) {
+    // Get the method body by looking for the opening brace
+    let braceCount = 0;
+    let methodBody = [];
+    let foundOpeningBrace = false;
+    
+    for (let i = currentIndex; i < lines.length && i < currentIndex + 20; i++) {
+      const line = lines[i];
+      methodBody.push(line);
+      
+      // Count braces to find method body
+      for (const char of line) {
+        if (char === '{') {
+          braceCount++;
+          foundOpeningBrace = true;
+        } else if (char === '}') {
+          braceCount--;
+          if (foundOpeningBrace && braceCount === 0) {
+            return methodBody.join('\n');
+          }
+        }
+      }
+    }
+    
+    return null;
+  }
+
+  hasReAuthMethodCall(methodBody) {
+    return this.reAuthPatterns.some(pattern => pattern.test(methodBody));
+  }
+
+  isExpressRoute(line) {
+    return this.expressRoutePatterns.some(pattern => pattern.test(line));
+  }
+
+  createViolation(filePath, line, column, message) {
+    return {
+      rule: this.ruleId,
+      source: filePath,
+      category: this.category,
+      line: line,
+      column: column,
+      message: message,
+      severity: "error",
+    };
+  }
+
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    // No cleanup needed for regex-based analyzer
+  }
+}
+
+module.exports = S044RegexBasedAnalyzer;