@sun-asterisk/sunlint 1.3.18 → 1.3.19

package/rules/security/S028_file_upload_size_limits/analyzer.js

@@ -0,0 +1,202 @@
+/**
+ * S028 Main Analyzer - Limit upload file size and number of files per user
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S028 --input=examples/rule-test-fixtures/rules/S028_file_upload_size_limits --engine=heuristic
+ */
+
+const S028SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+
+class S028Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S028] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S028] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S028";
+    this.ruleName = "Limit upload file size and number of files per user";
+    this.description =
+      "File uploads must enforce size limits and file quantity limits to prevent resource exhaustion and DoS attacks. Both file size and number of files should be limited at the server-side.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      maxFileSize: 10 * 1024 * 1024, // 10MB recommended
+      maxFiles: 10, // 10 files recommended
+      highRiskThreshold: 50 * 1024 * 1024, // 50MB
+      mediumRiskThreshold: 20 * 1024 * 1024, // 20MB
+    };
+
+    // Initialize analyzer
+    try {
+      this.symbolAnalyzer = new S028SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S028] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S028] Error creating symbol analyzer:`, error);
+    }
+  }
+
+  async initialize(semanticEngine = null) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S028] Initialize called`);
+    }
+
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+      if (this.symbolAnalyzer) {
+        await this.symbolAnalyzer.initialize(semanticEngine);
+      }
+    }
+
+    return this;
+  }
+
+  /**
+   * Analyze array of files (legacy interface)
+   */
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    const fileArray = Array.isArray(files) ? files : [files];
+
+    for (const filePath of fileArray) {
+      try {
+        const vs = await this.analyzeFile(filePath, options);
+        violations.push(...vs);
+      } catch (error) {
+        console.warn(
+          `⚠️ [S028] Analysis error for ${filePath}: ${error.message}`
+        );
+      }
+    }
+
+    return violations;
+  }
+
+  /**
+   * Main analyze method - analyzes a single file
+   */
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S028] Analyzing file:`, filePath);
+    }
+
+    // Skip test files, node_modules, etc.
+    if (this.shouldSkipFile(filePath)) {
+      return [];
+    }
+
+    try {
+      if (!this.symbolAnalyzer) {
+        console.warn(`⚠️ [S028] Symbol analyzer not initialized`);
+        return [];
+      }
+
+      let sourceFile = null;
+
+      // Try to get from semantic engine first
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      }
+
+      // Fallback: create temporary ts-morph project
+      if (!sourceFile) {
+        const fs = require("fs");
+        const path = require("path");
+        const { Project } = require("ts-morph");
+
+        if (!fs.existsSync(filePath)) {
+          throw new Error(`File not found: ${filePath}`);
+        }
+
+        const content = fs.readFileSync(filePath, "utf8");
+        const tmpProject = new Project({
+          useInMemoryFileSystem: true,
+          compilerOptions: { allowJs: true },
+        });
+        sourceFile = tmpProject.createSourceFile(
+          path.basename(filePath),
+          content
+        );
+      }
+
+      if (!sourceFile) {
+        console.warn(`⚠️ [S028] Could not load source file: ${filePath}`);
+        return [];
+      }
+
+      // Analyze with symbol-based analyzer
+      const violations = await this.symbolAnalyzer.analyze(
+        sourceFile,
+        filePath
+      );
+
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(
+          `🔧 [S028] Found ${violations.length} violations in ${filePath}`
+        );
+      }
+
+      return violations;
+    } catch (error) {
+      console.error(`❌ [S028] Analysis error:`, error.message);
+      if (process.env.SUNLINT_DEBUG) {
+        console.error(error.stack);
+      }
+      return [];
+    }
+  }
+
+  /**
+   * Analyze a single file (compatibility method)
+   */
+  async analyzeSingle(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
+  }
+
+  /**
+   * Should skip file check
+   */
+  shouldSkipFile(filePath) {
+    // Skip test files, node_modules, etc.
+    const skipPatterns = [
+      /node_modules/,
+      /\.test\./,
+      /\.spec\./,
+      /test\//,
+      /__tests__\//,
+      /\.min\./,
+      /\.bundle\./,
+      /dist\//,
+      /build\//,
+    ];
+
+    return skipPatterns.some((pattern) => pattern.test(filePath));
+  }
+
+  /**
+   * Cleanup method
+   */
+  async cleanup() {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S028] Cleanup called`);
+    }
+
+    if (
+      this.symbolAnalyzer &&
+      typeof this.symbolAnalyzer.cleanup === "function"
+    ) {
+      await this.symbolAnalyzer.cleanup();
+    }
+  }
+}
+
+module.exports = S028Analyzer;

package/rules/security/S028_file_upload_size_limits/config.json

@@ -0,0 +1,186 @@
+{
+  "ruleId": "S028",
+  "name": "Limit upload file size and number of files per user",
+  "description": "File uploads must enforce size limits and file quantity limits to prevent resource exhaustion and DoS attacks. Both file size and number of files should be limited at the server-side.",
+  "category": "security",
+  "severity": "medium",
+  "languages": ["typescript", "javascript", "java"],
+  "tags": [
+    "security",
+    "file-upload",
+    "dos-prevention",
+    "resource-limits",
+    "owasp"
+  ],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A04:2021 - Insecure Design",
+    "cweId": "CWE-400",
+    "description": "File uploads without proper size and quantity limits can lead to Denial of Service (DoS) attacks, resource exhaustion, and storage abuse. Attackers can upload extremely large files or numerous files to consume server resources.",
+    "impact": "High - DoS attacks, storage exhaustion, service disruption",
+    "likelihood": "Medium",
+    "remediation": "Implement server-side file size limits (≤ 10MB recommended) and file quantity limits (≤ 10 files recommended) using framework-specific middleware or configuration"
+  },
+  "limits": {
+    "recommended": {
+      "maxFileSize": "10MB",
+      "maxFileSizeBytes": 10485760,
+      "maxFiles": 10,
+      "maxRequestSize": "20MB"
+    },
+    "thresholds": {
+      "highRisk": {
+        "fileSize": 52428800,
+        "files": 50,
+        "description": "File size > 50MB or > 50 files - High risk"
+      },
+      "mediumRisk": {
+        "fileSize": 20971520,
+        "files": 20,
+        "description": "File size > 20MB or > 20 files - Medium risk"
+      }
+    }
+  },
+  "patterns": {
+    "nodejs": {
+      "multer": {
+        "required": ["limits.fileSize", "limits.files"],
+        "violations": [
+          "Missing limits object",
+          "Missing limits.fileSize",
+          "Missing limits.files",
+          "File size exceeds 10MB threshold",
+          "File count exceeds 10 files threshold"
+        ]
+      },
+      "express": {
+        "required": [
+          "express.json({ limit })",
+          "express.urlencoded({ limit })"
+        ],
+        "violations": [
+          "Missing body size limit",
+          "Body size limit exceeds 10MB"
+        ]
+      }
+    },
+    "nestjs": {
+      "fileInterceptor": {
+        "required": ["limits.fileSize", "limits.files"],
+        "violations": [
+          "FileInterceptor missing limits option",
+          "File size exceeds 10MB threshold"
+        ]
+      }
+    },
+    "java": {
+      "spring": {
+        "required": [
+          "spring.servlet.multipart.max-file-size",
+          "spring.servlet.multipart.max-request-size"
+        ],
+        "violations": [
+          "Missing multipart configuration",
+          "File size exceeds 10MB threshold"
+        ]
+      }
+    }
+  },
+  "validationIndicators": {
+    "nodejs": [
+      "multer",
+      "limits.fileSize",
+      "limits.files",
+      "express.json({ limit })",
+      "express.urlencoded({ limit })"
+    ],
+    "nestjs": [
+      "FileInterceptor",
+      "FilesInterceptor",
+      "FileFieldsInterceptor",
+      "limits"
+    ],
+    "java": [
+      "spring.servlet.multipart.max-file-size",
+      "spring.servlet.multipart.max-request-size",
+      "MultipartConfigElement"
+    ]
+  },
+  "examples": {
+    "violations": [
+      {
+        "code": "const upload = multer({ dest: 'uploads/' });",
+        "issue": "Multer configuration missing size limits - vulnerable to DoS",
+        "severity": "high"
+      },
+      {
+        "code": "const upload = multer({ limits: { fileSize: 100 * 1024 * 1024 } });",
+        "issue": "File size limit too high (100MB) - recommend ≤ 10MB",
+        "severity": "medium"
+      },
+      {
+        "code": "@UseInterceptors(FileInterceptor('file')) uploadFile(@UploadedFile() file) {}",
+        "issue": "FileInterceptor missing size limits",
+        "severity": "high"
+      },
+      {
+        "code": "app.use(express.json());",
+        "issue": "Express middleware missing body size limit",
+        "severity": "medium"
+      }
+    ],
+    "fixes": [
+      {
+        "code": "const upload = multer({ limits: { fileSize: 10 * 1024 * 1024, files: 5 } });",
+        "description": "Add size and quantity limits to multer (10MB, 5 files)"
+      },
+      {
+        "code": "@UseInterceptors(FileInterceptor('file', { limits: { fileSize: 5 * 1024 * 1024 } })) uploadFile(@UploadedFile() file) {}",
+        "description": "Add size limit to FileInterceptor (5MB)"
+      },
+      {
+        "code": "app.use(express.json({ limit: '10mb' })); app.use(express.urlencoded({ limit: '10mb', extended: true }));",
+        "description": "Add body size limit to Express middleware (10MB)"
+      },
+      {
+        "code": "spring.servlet.multipart.max-file-size=10MB\nspring.servlet.multipart.max-request-size=20MB",
+        "description": "Configure Spring Boot multipart limits"
+      }
+    ]
+  },
+  "frameworkSupport": {
+    "multer": {
+      "patterns": ["multer(", "multer({"],
+      "limitKeys": ["limits.fileSize", "limits.files", "limits"],
+      "configPath": "First argument object"
+    },
+    "fileInterceptor": {
+      "patterns": [
+        "@UseInterceptors(FileInterceptor",
+        "@UseInterceptors(FilesInterceptor",
+        "@UseInterceptors(FileFieldsInterceptor"
+      ],
+      "limitKeys": ["limits.fileSize", "limits.files"],
+      "configPath": "Second argument object"
+    },
+    "express": {
+      "patterns": ["express.json(", "express.urlencoded("],
+      "limitKeys": ["limit"],
+      "configPath": "First argument object"
+    },
+    "spring": {
+      "patterns": [
+        "spring.servlet.multipart.max-file-size",
+        "spring.servlet.multipart.max-request-size"
+      ],
+      "configFiles": ["application.properties", "application.yml"]
+    }
+  },
+  "owaspMapping": {
+    "category": "A04:2021 – Insecure Design",
+    "subcategories": ["A05:2021 – Security Misconfiguration"],
+    "description": "Validates that file upload endpoints have proper size and quantity limits to prevent resource exhaustion attacks"
+  }
+}