@sun-asterisk/sunlint 1.3.18 → 1.3.19

package/rules/security/S006_no_plaintext_recovery_codes/symbol-based-analyzer.js

@@ -63,9 +63,56 @@ class S006SymbolBasedAnalyzer {
       "pointstatus", // User point status (business state, not security code)
       "memberstatus", // User member status
       "friendshipstatus", // User friendship status
+      "groupinvoicedetailid", // Invoice detail identifier (business ID, not security code)
+      "invoiceid", // Invoice identifier
+      "orderid", // Order identifier
+      "detailid", // Detail record identifier
+      "transactionid", // Transaction identifier
+      "paymentid", // Payment identifier
+      "subscriptionid", // Subscription identifier
+      "customerid", // Customer identifier
+      "userid", // User identifier (not sensitive in business context)
+      "accountid", // Account identifier
+      // API/Endpoint related (not sensitive codes)
+      "generateotpapi", // API endpoint name
+      "adduserbyemailnopasswordapi", // API endpoint name
+      "setpasswordurl", // URL configuration
+      "responseotp", // Response field name in config
+      "apidocsauthbasicpassword", // API docs authentication (config)
+      "basicauthpassword", // Basic auth config (not actual password)
+      // Time/interval configurations (not sensitive codes)
+      "dedupinginterval", // SWR deduping interval
+      "refreshinterval", // Refresh interval
+      "retryinterval", // Retry interval
+      "pollinginterval", // Polling interval
+      "timeoutinterval", // Timeout interval
+      // Message/validation constants (not actual codes/passwords)
+      "invalidpassword", // Error message constant
+      "incorrectpassword", // Error message constant
+      "incorrectcurrentpassword", // Error message constant
+      "confirmationpasswordnotmatch", // Error message constant
+      // Form input fields (user input, not server response with actual codes)
+      // Note: These are commonly used as field names in registration/verification forms
+      // The actual verification should happen server-side with hashed codes
+      // Database metadata fields (counters, flags, not sensitive data)
+      "failedpasswordattempts", // Password attempt counter
+      "failedloginattempts", // Login attempt counter
+      "passwordattempts", // Attempt counter
+      "loginattempts", // Attempt counter
+      // Swagger/Validation schema properties (not actual data)
+      "ispassword", // Swagger schema validation flag
+      "isotp", // Swagger schema validation flag
+      "isotpcode", // Swagger schema validation flag
+      "isactivationcode", // Swagger schema validation flag
+      "isverificationcode", // Swagger schema validation flag
+      // Validation constants
+      "password_min_length", // Validation constant
+      "password_max_length", // Validation constant
+      "otp_length", // Validation constant
+      "code_length", // Validation constant
     ]);
 
-    // Safe password-related patterns (template names, route names, not actual passwords)
+    // Safe password-related patterns (template names, route names, form fields, not actual passwords)
     this.safePasswordPatterns = [
       "forgotpassword",
       "resetpassword",
@@ -75,6 +122,12 @@ class S006SymbolBasedAnalyzer {
       "passwordchange",
       "passwordupdate",
       "passwordrecovery",
+      "registerpassword", // Registration route/form
+      "currentpassword", // Form field for current password
+      "newpassword", // Form field for new password
+      "confirmpassword", // Form field for password confirmation
+      "confirmationpassword", // Form field for password confirmation
+      "passwordconfirm", // Form field for password confirmation
     ];
 
     // Safe token types (JWT, session tokens, etc.)
@@ -134,6 +187,16 @@ class S006SymbolBasedAnalyzer {
       "validatecode",
       "verifycode",
       "checkcode",
+      // Encoding operations (base64, etc.)
+      "btoa", // Base64 encoding (often used with env vars for Basic Auth)
+      "atob", // Base64 decoding
+      "base64",
+      // Parsing operations (input processing, not output exposure)
+      "json.parse",
+      "json.stringify",
+      "parse(",
+      "parseint",
+      "parsefloat",
       // Audit/internal logging (not external exposure)
       "logadminpointhistory",
       "adminpointhistory",
@@ -143,6 +206,15 @@ class S006SymbolBasedAnalyzer {
       "logger.warn", // Warning logs are typically business messages, not sensitive data exposure
       "logger.debug", // Debug logs are for development, not production exposure
       "logger.info", // Info logs are for general information
+      "logger.error", // Error logs are internal, not user-facing
+      // Configuration and endpoint definitions
+      "config.",
+      "endpoint.",
+      "_url",
+      "_api",
+      "_endpoint",
+      // Environment variables (should be managed separately)
+      "process.env",
     ];
 
     // Safe return/response patterns (just success messages, no actual codes)
@@ -170,6 +242,11 @@ class S006SymbolBasedAnalyzer {
     const violations = [];
 
     try {
+      // Skip configuration files - they contain config structures, not actual sensitive data
+      if (this.isConfigFile(filePath)) {
+        return violations; // Config files are safe
+      }
+
       // Check return statements with sensitive codes
       this.checkReturnStatements(sourceFile, filePath, violations);
 
@@ -194,6 +271,32 @@ class S006SymbolBasedAnalyzer {
     return violations;
   }
 
+  /**
+   * Check if file is a configuration file or Swagger schema file
+   */
+  isConfigFile(filePath) {
+    const configPatterns = [
+      "/config/",
+      "/configs/",
+      "/configuration/",
+      "config.ts",
+      "config.js",
+      ".config.ts",
+      ".config.js",
+      "Config.ts",
+      "Config.js",
+      // Swagger/OpenAPI schema files - contain validation schema, not actual data
+      "/swagger/",
+      ".swagger.ts",
+      ".swagger.js",
+      "swagger.config",
+      "/openapi/",
+      ".openapi.ts",
+      ".openapi.js",
+    ];
+    return configPatterns.some((pattern) => filePath.includes(pattern));
+  }
+
   /**
    * Check return statements that expose sensitive codes
    * e.g., return { activationCode };
@@ -212,6 +315,22 @@ class S006SymbolBasedAnalyzer {
         const objLiteral = expression;
         const properties = objLiteral.getProperties();
 
+        // Skip if in infrastructure config builder function
+        const parentFunc = this.findParentFunctionName(returnStmt);
+        if (parentFunc) {
+          const funcNameLower = parentFunc.toLowerCase();
+          if (
+            funcNameLower.includes("buildenv") ||
+            funcNameLower.includes("getenv") ||
+            funcNameLower.includes("loadenv") ||
+            funcNameLower.includes("config") ||
+            funcNameLower.includes("setup") ||
+            funcNameLower === "env"
+          ) {
+            continue; // Infrastructure config builders are safe
+          }
+        }
+
         // Skip if return object contains only safe messages (success, message, etc.)
         const hasOnlySafeProperties = properties.every((prop) => {
           const name = prop.getName?.() || "";
@@ -283,6 +402,41 @@ class S006SymbolBasedAnalyzer {
           const normalizedName = this.normalizeIdentifier(name);
 
           if (this.isSensitiveIdentifier(normalizedName)) {
+            // Skip error constants, configuration objects, and form states
+            const parentVarName = this.findParentVariableName(objLiteral);
+            if (
+              parentVarName &&
+              (parentVarName.includes("ERROR") ||
+                parentVarName.includes("ERRORS") ||
+                parentVarName.includes("MESSAGE") ||
+                parentVarName.includes("MESSAGES") ||
+                parentVarName.includes("MAPPING") ||
+                parentVarName.includes("FIELDS") ||
+                parentVarName.includes("CONFIG") ||
+                parentVarName.includes("CONSTANT") ||
+                parentVarName.includes("ENDPOINT") ||
+                parentVarName.includes("API") ||
+                parentVarName.includes("URL") ||
+                parentVarName.includes("ROUTE") ||
+                parentVarName.includes("ROUTES") ||
+                parentVarName.includes("INITIAL") ||
+                parentVarName.includes("DEFAULT") ||
+                parentVarName.includes("STATE") ||
+                parentVarName.includes("FORM"))
+            ) {
+              continue; // Error constants, configs, routes, and form states are safe
+            }
+
+            // Skip URL/endpoint configurations (e.g., set_password_url, generate_otp_api)
+            if (
+              normalizedName.endsWith("url") ||
+              normalizedName.endsWith("api") ||
+              normalizedName.endsWith("endpoint") ||
+              normalizedName.includes("apiname")
+            ) {
+              continue; // URL/API endpoint configurations are not sensitive data
+            }
+
             // Check if in exposure context (e.g., res.json, send, etc.)
             const parent = this.findParentContext(objLiteral);
             if (parent && this.isExposureContext(parent)) {
@@ -291,10 +445,75 @@ class S006SymbolBasedAnalyzer {
               let currentParent = parent;
               let depth = 0;
               let isRequestBody = false;
+              let isFormState = false;
+              let isStateDispatch = false;
+              let isServiceCall = false;
 
               while (currentParent && depth < 10) {
                 const parentText = currentParent.getText().toLowerCase();
 
+                // Check if this is a service/API call (client sending data to server)
+                // Method calls: AuthService.verify(), apiClient.post()
+                if (
+                  parentText.includes("service.") ||
+                  parentText.includes("api.") ||
+                  parentText.includes("client.") ||
+                  parentText.match(/\w+service\./i)
+                ) {
+                  isServiceCall = true;
+                  break;
+                }
+
+                // Function calls for authentication/verification (client to server)
+                // e.g., confirmResetPassword(), verifyOtp(), loginUser(), registerUser()
+                if (currentParent.getKind() === SyntaxKind.CallExpression) {
+                  const callExpr = currentParent;
+                  const expression = callExpr.getExpression();
+                  const funcName = expression.getText().toLowerCase();
+
+                  // Check if function name indicates API call
+                  if (
+                    funcName.includes("verify") ||
+                    funcName.includes("confirm") ||
+                    funcName.includes("reset") ||
+                    funcName.includes("login") ||
+                    funcName.includes("signup") ||
+                    funcName.includes("register") ||
+                    funcName.includes("authenticate") ||
+                    funcName.includes("validate") ||
+                    funcName.includes("check")
+                  ) {
+                    isServiceCall = true;
+                    break;
+                  }
+                }
+
+                // Check if this is state management dispatch
+                // e.g., dispatch(setRegisterInfo({})), setState({})
+                if (
+                  parentText.includes("dispatch(") ||
+                  parentText.includes("setstate") ||
+                  parentText.includes("updatestate") ||
+                  parentText.includes("setregister") ||
+                  parentText.includes("setuser") ||
+                  parentText.includes("setform")
+                ) {
+                  isStateDispatch = true;
+                  break;
+                }
+
+                // Check if this is form state (useState, useForm, etc.)
+                if (
+                  parentText.includes("usestate") ||
+                  parentText.includes("useform") ||
+                  parentText.includes("initialstate") ||
+                  parentText.includes("defaultvalues") ||
+                  parentText.includes("formdata")
+                ) {
+                  isFormState = true;
+                  break;
+                }
+
                 // Check if this object is being passed to JSON.stringify
                 // and is part of a fetch/axios request body
                 if (parentText.includes("json.stringify")) {
@@ -321,13 +540,24 @@ class S006SymbolBasedAnalyzer {
                   }
                 }
 
-                if (isRequestBody) break;
+                if (
+                  isRequestBody ||
+                  isFormState ||
+                  isStateDispatch ||
+                  isServiceCall
+                )
+                  break;
                 currentParent = currentParent.getParent();
                 depth++;
               }
 
-              if (isRequestBody) {
-                // This is request body - user sending code to server for verification
+              if (
+                isRequestBody ||
+                isFormState ||
+                isStateDispatch ||
+                isServiceCall
+              ) {
+                // This is request body, form state, state dispatch, or service call - user input data
                 // Not an exposure, so skip
                 continue;
               }
@@ -370,23 +600,69 @@ class S006SymbolBasedAnalyzer {
       const expression = callExpr.getExpression();
       const expressionText = expression.getText().toLowerCase();
 
-      // Skip safe methods
+      // Skip safe methods (parsing, configuration, internal logging)
       if (
         this.safePatterns.some((pattern) => expressionText.includes(pattern))
       ) {
         continue;
       }
 
-      // Check for exposure methods
+      // Skip parsing operations (JSON.parse, parseInt, etc.) - these are INPUT processing, not OUTPUT exposure
+      if (
+        expressionText.includes("parse") ||
+        expressionText.includes("json.stringify") ||
+        expressionText.includes(".map(") ||
+        expressionText.includes(".filter(") ||
+        expressionText.includes(".reduce(")
+      ) {
+        continue; // Data processing/transformation, not exposure
+      }
+
+      // Skip internal logging methods
+      if (
+        expressionText.includes("logger.") ||
+        expressionText.includes("httplog") ||
+        expressionText.includes("requestlog") ||
+        expressionText.includes("console.debug") ||
+        expressionText.includes("console.info")
+      ) {
+        continue; // Internal logging is not external exposure
+      }
+
+      // Skip AWS Cognito admin operations (internal service management, not client exposure)
+      if (
+        expressionText.includes("cognito") &&
+        (expressionText.includes("adminsetuserpassword") ||
+          expressionText.includes("admindeleteuser") ||
+          expressionText.includes("adminresetuser") ||
+          expressionText.includes("deleteuserbyemail") ||
+          expressionText.includes("createuser") ||
+          expressionText.includes("updateuser"))
+      ) {
+        continue; // AWS Cognito admin SDK calls - server-side operations, not client exposure
+      }
+
+      // Skip UI rendering functions (not data exposure)
+      if (
+        expressionText.startsWith("render") &&
+        !expressionText.includes("response") &&
+        !expressionText.includes("send") &&
+        !expressionText.includes("json")
+      ) {
+        continue; // UI rendering components are safe
+      }
+
+      // Check for exposure methods (only actual external transmission)
       const isExposureMethod =
-        expressionText.includes("json") ||
-        expressionText.includes("send") ||
-        expressionText.includes("log") ||
-        expressionText.includes("console") ||
+        expressionText.includes("res.json") ||
+        expressionText.includes("res.send") ||
+        expressionText.includes("response.json") ||
+        expressionText.includes("response.send") ||
         expressionText.includes("email") ||
         expressionText.includes("sms") ||
         expressionText.includes("notify") ||
-        expressionText.includes("render");
+        expressionText.includes("ws.send") ||
+        expressionText.includes("websocket.send");
 
       if (!isExposureMethod) continue;
 
@@ -440,6 +716,7 @@ class S006SymbolBasedAnalyzer {
         }
 
         if (this.containsSensitiveCode(arg)) {
+          // For other methods, use general check
           const argText = arg.getText();
           const match = argText.match(
             /\b(activation|recovery|reset|verification|otp|code)\w*/i
@@ -498,10 +775,81 @@ class S006SymbolBasedAnalyzer {
           continue;
         }
 
+        // Skip safe patterns (btoa, process.env, etc.)
+        if (
+          this.safePatterns.some((pattern) => expressionText.includes(pattern))
+        ) {
+          continue; // Safe encoding/config patterns
+        }
+
+        // Skip metadata access (.name, .length, .type, etc.) - these are not sensitive data
+        if (
+          expressionText.includes(".name") ||
+          expressionText.includes(".length") ||
+          expressionText.includes(".type") ||
+          expressionText.includes(".id") ||
+          expressionText.includes(".status") ||
+          expressionText.includes(".method")
+        ) {
+          continue; // Metadata properties are not sensitive codes
+        }
+
+        // Skip if this is user input data (registerInfo, formData, etc.)
+        if (
+          expressionText.includes("registerinfo.") ||
+          expressionText.includes("formdata.") ||
+          expressionText.includes("formvalues.") ||
+          expressionText.includes("inputdata.")
+        ) {
+          continue; // User input data, not server response
+        }
+
         if (this.isSensitiveIdentifier(normalizedExpr)) {
           // Check if in exposure context
           const parent = this.findParentContext(template);
           if (parent && this.isExposureContext(parent)) {
+            // Check if this is in fetch/axios body (server-to-server API call)
+            let currentParent = parent;
+            let depth = 0;
+            let isServerToServerCall = false;
+
+            while (currentParent && depth < 10) {
+              const parentText = currentParent.getText().toLowerCase();
+
+              // Check if this is fetch/axios body for external API
+              if (
+                (parentText.includes("body:") ||
+                  parentText.includes("data:")) &&
+                (parentText.includes("fetch(") ||
+                  parentText.includes("axios.") ||
+                  parentText.includes("http.") ||
+                  parentText.includes("https.") ||
+                  parentText.includes("request("))
+              ) {
+                // Check if calling external API (not internal endpoint)
+                if (
+                  parentText.includes("http://") ||
+                  parentText.includes("https://") ||
+                  parentText.includes("api.") ||
+                  parentText.includes("siteverify") ||
+                  parentText.includes("oauth") ||
+                  parentText.includes("recaptcha")
+                ) {
+                  isServerToServerCall = true;
+                  break;
+                }
+              }
+
+              currentParent = currentParent.getParent();
+              depth++;
+            }
+
+            if (isServerToServerCall) {
+              // This is server-to-server API call (e.g., verify captcha with Google)
+              // Secret keys in external API calls are acceptable
+              continue;
+            }
+
             violations.push({
               ruleId: this.ruleId,
               severity: "error",
@@ -530,12 +878,39 @@ class S006SymbolBasedAnalyzer {
       const name = iface.getName();
       const normalizedName = name.toLowerCase();
 
-      // Check if it's a response/DTO type
+      // Skip request/input payloads - these are data sent TO the server (not exposed BY server)
+      if (
+        normalizedName.includes("request") ||
+        normalizedName.includes("input") ||
+        normalizedName.includes("update") ||
+        normalizedName.includes("create") ||
+        normalizedName.includes("submit") ||
+        normalizedName.includes("login") ||
+        normalizedName.includes("signup") ||
+        normalizedName.includes("register") ||
+        normalizedName.includes("change") ||
+        normalizedName.includes("reset") ||
+        normalizedName.includes("forgot") ||
+        normalizedName.includes("verify") ||
+        (normalizedName.includes("payload") &&
+          (normalizedName.includes("update") ||
+            normalizedName.includes("create") ||
+            normalizedName.includes("input") ||
+            normalizedName.includes("request")))
+      ) {
+        continue; // Input payloads are safe - user sends data to server
+      }
+
+      // Check if it's a response/DTO type (output from server)
       if (
         normalizedName.includes("response") ||
         normalizedName.includes("result") ||
-        normalizedName.includes("dto") ||
-        normalizedName.includes("payload")
+        normalizedName.includes("output") ||
+        (normalizedName.includes("dto") && !normalizedName.includes("input")) ||
+        (normalizedName.includes("payload") &&
+          (normalizedName.includes("response") ||
+            normalizedName.includes("result") ||
+            normalizedName.includes("output")))
       ) {
         const properties = iface.getProperties();
 
@@ -656,12 +1031,31 @@ class S006SymbolBasedAnalyzer {
       return false; // Will be caught by containsSensitiveCode if it's actual password value
     }
 
-    return (
-      this.sensitiveIdentifiers.has(normalizedName) ||
-      Array.from(this.sensitiveIdentifiers).some((sensitive) =>
-        normalizedName.includes(sensitive)
-      )
-    );
+    // Exact match first
+    if (this.sensitiveIdentifiers.has(normalizedName)) {
+      return true;
+    }
+
+    // For partial match, be more strict to avoid false positives
+    // Only match if sensitive word is at start or end, or clearly separated
+    return Array.from(this.sensitiveIdentifiers).some((sensitive) => {
+      // Skip very short words (2-3 chars) to avoid matching inside other words
+      // e.g., "pin" should not match "dedupingInterval", "shopping", etc.
+      if (sensitive.length <= 3) {
+        // For short words, only match if:
+        // 1. Exact match (already checked above)
+        // 2. At start: "pin" matches "pincode", "pintester"
+        // 3. At end: "pin" matches "loginpin", "resetpin"
+        // 4. Standalone with separators (camelCase boundaries)
+        return (
+          normalizedName.startsWith(sensitive) ||
+          normalizedName.endsWith(sensitive)
+        );
+      }
+
+      // For longer sensitive words (4+ chars), use includes as before
+      return normalizedName.includes(sensitive);
+    });
   }
 
   /**
@@ -724,6 +1118,54 @@ class S006SymbolBasedAnalyzer {
     return false;
   }
 
+  /**
+   * Helper: Find parent variable name for object literals
+   */
+  findParentVariableName(node) {
+    let current = node.getParent();
+    let depth = 0;
+
+    while (current && depth < 5) {
+      if (current.getKind() === SyntaxKind.VariableDeclaration) {
+        return current.getName?.() || "";
+      }
+      current = current.getParent();
+      depth++;
+    }
+
+    return null;
+  }
+
+  /**
+   * Helper: Find parent function name for config builder detection
+   */
+  findParentFunctionName(node) {
+    let current = node.getParent();
+    let depth = 0;
+
+    while (current && depth < 10) {
+      if (
+        current.getKind() === SyntaxKind.FunctionDeclaration ||
+        current.getKind() === SyntaxKind.FunctionExpression ||
+        current.getKind() === SyntaxKind.ArrowFunction
+      ) {
+        // For named functions
+        const funcName = current.getName?.();
+        if (funcName) return funcName;
+
+        // For arrow functions assigned to const/let/var
+        const parent = current.getParent();
+        if (parent && parent.getKind() === SyntaxKind.VariableDeclaration) {
+          return parent.getName?.() || "";
+        }
+      }
+      current = current.getParent();
+      depth++;
+    }
+
+    return null;
+  }
+
   /**
    * Helper: Find parent context (call expression, return, etc.)
    */
@@ -764,7 +1206,7 @@ class S006SymbolBasedAnalyzer {
     const text = node.getText().toLowerCase();
     const normalized = this.normalizeIdentifier(text);
 
-    // Check for sensitive identifiers
+    // Check for sensitive identifiers (variable/property access)
     if (this.isSensitiveIdentifier(normalized)) {
       return true;
     }