@sun-asterisk/sunlint 1.3.18 → 1.3.19

package/rules/security/S011_secure_guid_generation/symbol-based-analyzer.js

@@ -0,0 +1,609 @@
+/**
+ * S011 - Secure GUID Generation (Symbol-based Analyzer)
+ *
+ * Detects weak or predictable GUID/UUID generation methods used for security purposes.
+ * Security-critical GUIDs must use UUID v4 with CSPRNG.
+ *
+ * Based on:
+ * - OWASP A02:2021 - Cryptographic Failures
+ * - CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
+ */
+
+const { SyntaxKind } = require("ts-morph");
+
+class S011SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S011";
+    this.semanticEngine = semanticEngine;
+
+    // Security-related variable name patterns
+    this.securityKeywords = [
+      "session",
+      "token",
+      "apikey",
+      "api_key",
+      "resettoken",
+      "reset_token",
+      "authtoken",
+      "auth_token",
+      "accesstoken",
+      "access_token",
+      "refreshtoken",
+      "refresh_token",
+      "verificationtoken",
+      "verification_token",
+      "activationtoken",
+      "activation_token",
+      "secret",
+      "credential",
+      "password",
+      "otp",
+      "nonce",
+      "csrf",
+      "jwt",
+    ];
+
+    // Weak/unsafe GUID generation patterns
+    this.unsafeMethods = [
+      "math.random",
+      "date.now",
+      "new date().gettime",
+      "uuidv1",
+      "uuid.v1",
+      "v1(",
+    ];
+
+    // Timestamp/time utility functions (NOT random generation - business logic)
+    this.timeUtilityPatterns = [
+      "getcurrenttimestamp",
+      "gettimestamp",
+      "getstartof",
+      "getendof",
+      "timestampto",
+      "totimestamp",
+      "datetotimestamp",
+      "moment(",
+      "dayjs(",
+    ];
+
+    // Safe GUID generation patterns (CSPRNG-based)
+    this.safeMethods = [
+      "crypto.randomuuid",
+      "randomuuid",
+      "crypto.randombytes",
+      "randombytes",
+      "uuidv4",
+      "uuid.v4",
+      "v4(",
+      "securerandom",
+      "secrets.token",
+      "guid.newguid", // .NET
+      "uuid.randomuuid", // Java
+    ];
+
+    // Safe contexts where weak random is acceptable
+    this.safeContexts = [
+      "test",
+      "mock",
+      "stub",
+      "fixture",
+      "example",
+      "demo",
+      "sample",
+      "display",
+      "temp",
+      "temporary",
+      "ui",
+      "client",
+      "view",
+      "order", // Business IDs
+      "invoice",
+      "transaction",
+      "record",
+      "trace", // Tracing/logging IDs
+      "request",
+      "correlation",
+    ];
+  }
+
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+  }
+
+  async analyze(sourceFile, filePath) {
+    const violations = [];
+    const reportedLines = new Set(); // Track reported lines to avoid duplicates
+
+    try {
+      // Check variable declarations with weak GUID generation (highest priority)
+      this.checkVariableDeclarations(
+        sourceFile,
+        filePath,
+        violations,
+        reportedLines
+      );
+
+      // Check call expressions only if not already reported at variable level
+      this.checkCallExpressions(
+        sourceFile,
+        filePath,
+        violations,
+        reportedLines
+      );
+
+      // Check custom GUID generation functions
+      this.checkCustomGuidFunctions(
+        sourceFile,
+        filePath,
+        violations,
+        reportedLines
+      );
+    } catch (error) {
+      console.warn(`⚠ [S011] Analysis error in ${filePath}: ${error.message}`);
+    }
+
+    return violations;
+  }
+
+  /**
+   * Check variable declarations for weak GUID generation
+   * e.g., const sessionId = Math.random().toString(36)
+   */
+  checkVariableDeclarations(sourceFile, filePath, violations, reportedLines) {
+    const varDeclarations = sourceFile.getDescendantsOfKind(
+      SyntaxKind.VariableDeclaration
+    );
+
+    for (const varDecl of varDeclarations) {
+      const varName = varDecl.getName();
+      const normalizedName = this.normalizeIdentifier(varName);
+
+      // Check if variable name suggests security usage
+      if (!this.isSecurityRelated(normalizedName)) {
+        continue;
+      }
+
+      // Skip safe contexts
+      if (this.isSafeContext(varName)) {
+        continue;
+      }
+
+      // Get initializer
+      const initializer = varDecl.getInitializer();
+      if (!initializer) continue;
+
+      const initText = initializer.getText().toLowerCase();
+
+      // Skip React components (arrow functions returning JSX)
+      if (this.isReactComponent(initText)) {
+        continue;
+      }
+
+      // Check if using unsafe methods
+      if (this.isUnsafeGuidGeneration(initText)) {
+        // Make sure it's not using safe method
+        if (!this.isSafeGuidGeneration(initText)) {
+          const line = varDecl.getStartLineNumber();
+
+          violations.push({
+            ruleId: this.ruleId,
+            severity: "error",
+            message: `Variable '${varName}' uses weak random generation for security purposes - use crypto.randomUUID() or UUID v4 with CSPRNG`,
+            line: line,
+            column: varDecl.getStart() - varDecl.getStartLinePos() + 1,
+            filePath: filePath,
+            file: filePath,
+          });
+
+          // Mark this line as reported to avoid duplicate reports from nested calls
+          reportedLines.add(line);
+        }
+      }
+    }
+  }
+
+  /**
+   * Check call expressions for unsafe random methods
+   * e.g., Math.random(), Date.now(), uuidv1()
+   */
+  checkCallExpressions(sourceFile, filePath, violations, reportedLines) {
+    const callExprs = sourceFile.getDescendantsOfKind(
+      SyntaxKind.CallExpression
+    );
+
+    for (const callExpr of callExprs) {
+      const line = callExpr.getStartLineNumber();
+
+      // Skip if already reported at variable level
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      const expression = callExpr.getExpression();
+      const expressionText = expression.getText().toLowerCase();
+
+      // Check if this is an unsafe method call
+      if (!this.isUnsafeMethod(expressionText)) {
+        continue;
+      }
+
+      // Check if this is timestamp arithmetic (time calculation, not generation)
+      // e.g., expiry - Date.now(), Date.now() - start, if (time > Date.now())
+      if (this.isTimestampArithmetic(callExpr, expressionText)) {
+        continue;
+      }
+
+      // Check if used in security context
+      const parent = this.findParentContext(callExpr);
+      if (!parent) continue;
+
+      const parentText = parent.getText();
+      const parentVarName = this.extractVariableName(parent);
+
+      // Check if parent context is security-related
+      if (
+        parentVarName &&
+        this.isSecurityRelated(this.normalizeIdentifier(parentVarName))
+      ) {
+        // Skip safe contexts
+        if (this.isSafeContext(parentVarName)) {
+          continue;
+        }
+
+        violations.push({
+          ruleId: this.ruleId,
+          severity: "error",
+          message: `Unsafe method '${expression.getText()}' used for security-critical GUID generation - use crypto.randomUUID() or UUID v4`,
+          line: line,
+          column: callExpr.getStart() - callExpr.getStartLinePos() + 1,
+          filePath: filePath,
+          file: filePath,
+        });
+
+        // Mark as reported
+        reportedLines.add(line);
+        continue; // Don't check function context if already reported
+      }
+
+      // Also check if call expression is in security-related function
+      const funcName = this.findParentFunctionName(callExpr);
+      if (
+        funcName &&
+        this.isSecurityRelated(this.normalizeIdentifier(funcName))
+      ) {
+        if (!this.isSafeContext(funcName)) {
+          violations.push({
+            ruleId: this.ruleId,
+            severity: "error",
+            message: `Function '${funcName}' uses weak random method '${expression.getText()}' for security purposes - use CSPRNG`,
+            line: line,
+            column: callExpr.getStart() - callExpr.getStartLinePos() + 1,
+            filePath: filePath,
+            file: filePath,
+          });
+
+          // Mark as reported
+          reportedLines.add(line);
+        }
+      }
+    }
+  }
+
+  /**
+   * Check custom GUID generation functions using Math.random()
+   * e.g., function generateGuid() { return 'xxx'.replace(/x/g, () => Math.random()) }
+   */
+  checkCustomGuidFunctions(sourceFile, filePath, violations, reportedLines) {
+    const functions = [
+      ...sourceFile.getDescendantsOfKind(SyntaxKind.FunctionDeclaration),
+      ...sourceFile.getDescendantsOfKind(SyntaxKind.FunctionExpression),
+      ...sourceFile.getDescendantsOfKind(SyntaxKind.ArrowFunction),
+    ];
+
+    for (const func of functions) {
+      const line = func.getStartLineNumber();
+
+      // Skip if already reported
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      const funcName =
+        func.getName?.() || this.extractVariableName(func.getParent());
+      if (!funcName) continue;
+
+      const normalizedName = this.normalizeIdentifier(funcName);
+
+      // Check if function name suggests GUID/UUID generation
+      if (
+        !normalizedName.includes("guid") &&
+        !normalizedName.includes("uuid") &&
+        !normalizedName.includes("id") &&
+        !normalizedName.includes("token")
+      ) {
+        continue;
+      }
+
+      // Skip safe contexts
+      if (this.isSafeContext(funcName)) {
+        continue;
+      }
+
+      // Skip non-generation functions (validation, checking, saving, updating)
+      // Only check functions that actually GENERATE GUIDs
+      if (this.isNonGenerationFunction(normalizedName)) {
+        continue;
+      }
+
+      // Check if function body uses weak random
+      const funcText = func.getText().toLowerCase();
+
+      // Skip React components
+      if (this.isReactComponent(funcText)) {
+        continue;
+      }
+
+      if (this.isUnsafeGuidGeneration(funcText)) {
+        // Make sure it's not using safe method
+        if (!this.isSafeGuidGeneration(funcText)) {
+          violations.push({
+            ruleId: this.ruleId,
+            severity: "error",
+            message: `Function '${funcName}' implements weak GUID generation using Math.random() - use crypto.randomUUID() or UUID v4`,
+            line: line,
+            column: func.getStart() - func.getStartLinePos() + 1,
+            filePath: filePath,
+            file: filePath,
+          });
+
+          // Mark as reported
+          reportedLines.add(line);
+        }
+      }
+    }
+  }
+
+  /**
+   * Helper: Normalize identifier name (lowercase, remove underscores)
+   */
+  normalizeIdentifier(name) {
+    return name.toLowerCase().replace(/[_-]/g, "");
+  }
+
+  /**
+   * Helper: Check if identifier name is security-related
+   */
+  isSecurityRelated(normalizedName) {
+    return this.securityKeywords.some((keyword) =>
+      normalizedName.includes(keyword)
+    );
+  }
+
+  /**
+   * Helper: Check if context is safe (non-security usage)
+   */
+  isSafeContext(name) {
+    const normalized = this.normalizeIdentifier(name);
+    return this.safeContexts.some((ctx) => normalized.includes(ctx));
+  }
+
+  /**
+   * Helper: Check if text contains unsafe GUID generation
+   */
+  isUnsafeGuidGeneration(text) {
+    // Skip if it's just timestamp utility functions (business logic, not random)
+    if (this.isTimeUtilityFunction(text)) {
+      return false;
+    }
+    return this.unsafeMethods.some((method) => text.includes(method));
+  }
+
+  /**
+   * Helper: Check if text is timestamp utility function (not random generation)
+   */
+  isTimeUtilityFunction(text) {
+    return this.timeUtilityPatterns.some((pattern) => text.includes(pattern));
+  }
+
+  /**
+   * Helper: Check if text contains safe GUID generation
+   */
+  isSafeGuidGeneration(text) {
+    return this.safeMethods.some((method) => text.includes(method));
+  }
+
+  /**
+   * Helper: Check if function is non-generation (validate, check, save, update)
+   */
+  isNonGenerationFunction(normalizedName) {
+    const nonGenPatterns = [
+      "validate",
+      "check",
+      "verify",
+      "isvalid",
+      "save",
+      "update",
+      "set",
+      "get",
+      "fetch",
+      "load",
+      "find",
+      "search",
+      "query",
+      "delete",
+      "remove",
+    ];
+    return nonGenPatterns.some((pattern) => normalizedName.includes(pattern));
+  }
+
+  /**
+   * Helper: Check if method call is unsafe
+   */
+  isUnsafeMethod(methodText) {
+    return this.unsafeMethods.some((method) => methodText.includes(method));
+  }
+
+  /**
+   * Helper: Check if code is React component (arrow function with props/JSX)
+   */
+  isReactComponent(text) {
+    // React component patterns:
+    // - Arrow function with props parameter
+    // - Contains JSX (return <, return null, return (, useEffect, useState, etc.)
+    const reactPatterns = [
+      "useeffect",
+      "usestate",
+      "usecontext",
+      "usememo",
+      "usecallback",
+      "useref",
+      "return null",
+      "return <",
+      "return (",
+      "props:",
+      "props.",
+    ];
+
+    return reactPatterns.some((pattern) => text.includes(pattern));
+  }
+
+  /**
+   * Helper: Check if Date.now()/timestamp is used in arithmetic operation (time calculation)
+   * e.g., expiry - Date.now(), Date.now() - start, time > Date.now()
+   */
+  isTimestampArithmetic(callExpr, expressionText) {
+    // Only check for Date.now() and timestamp methods
+    if (
+      !expressionText.includes("date.now") &&
+      !expressionText.includes("gettime")
+    ) {
+      return false;
+    }
+
+    // Check if parent is binary expression (arithmetic or comparison)
+    let parent = callExpr.getParent();
+    let depth = 0;
+
+    while (parent && depth < 3) {
+      const kind = parent.getKind();
+
+      // Check for binary expressions: +, -, *, /, %, <, >, <=, >=, ==, !=
+      if (kind === SyntaxKind.BinaryExpression) {
+        const binaryExpr = parent;
+        const operator = binaryExpr.getOperatorToken().getText();
+
+        // Arithmetic operators or comparison operators
+        if (
+          [
+            "-",
+            "+",
+            "*",
+            "/",
+            "%",
+            "<",
+            ">",
+            "<=",
+            ">=",
+            "==",
+            "===",
+            "!=",
+            "!==",
+          ].includes(operator)
+        ) {
+          return true; // This is timestamp arithmetic/comparison
+        }
+      }
+
+      parent = parent.getParent();
+      depth++;
+    }
+
+    return false;
+  }
+
+  /**
+   * Helper: Find parent context (variable declaration, assignment)
+   */
+  findParentContext(node) {
+    let current = node.getParent();
+    let depth = 0;
+
+    while (current && depth < 10) {
+      const kind = current.getKind();
+      if (
+        kind === SyntaxKind.VariableDeclaration ||
+        kind === SyntaxKind.PropertyAssignment ||
+        kind === SyntaxKind.BinaryExpression
+      ) {
+        return current;
+      }
+      current = current.getParent();
+      depth++;
+    }
+
+    return null;
+  }
+
+  /**
+   * Helper: Extract variable name from context
+   */
+  extractVariableName(node) {
+    if (!node) return null;
+
+    const kind = node.getKind();
+
+    if (kind === SyntaxKind.VariableDeclaration) {
+      return node.getName?.() || null;
+    }
+
+    if (kind === SyntaxKind.PropertyAssignment) {
+      return node.getName?.() || null;
+    }
+
+    if (kind === SyntaxKind.BinaryExpression) {
+      const left = node.getLeft();
+      return left.getText();
+    }
+
+    return null;
+  }
+
+  /**
+   * Helper: Find parent function name
+   */
+  findParentFunctionName(node) {
+    let current = node.getParent();
+    let depth = 0;
+
+    while (current && depth < 10) {
+      const kind = current.getKind();
+      if (
+        kind === SyntaxKind.FunctionDeclaration ||
+        kind === SyntaxKind.FunctionExpression ||
+        kind === SyntaxKind.ArrowFunction
+      ) {
+        // For named functions
+        const funcName = current.getName?.();
+        if (funcName) return funcName;
+
+        // For arrow functions assigned to const/let/var
+        const parent = current.getParent();
+        if (parent && parent.getKind() === SyntaxKind.VariableDeclaration) {
+          return parent.getName?.() || null;
+        }
+
+        return null;
+      }
+      current = current.getParent();
+      depth++;
+    }
+
+    return null;
+  }
+
+  cleanup() {
+    // Cleanup if needed
+  }
+}
+
+module.exports = S011SymbolBasedAnalyzer;