npm - @sun-asterisk/sunlint - Versions diffs - 1.3.2 → 1.3.3 - Mend

@sun-asterisk/sunlint 1.3.2 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

package/rules/security/S031_secure_session_cookies/README.md ADDED Viewed

@@ -0,0 +1,127 @@
+# S031 - Set Secure flag for Session Cookies
+## Rule Description
+**S031** ensures that session cookies have the `Secure` flag set to protect them via HTTPS. This prevents cookies from being transmitted over unencrypted connections, reducing the risk of session hijacking and cookie interception.
+## Security Impact
+- **High**: Session cookies without Secure flag can be intercepted over HTTP
+- **Attack Vector**: Man-in-the-middle attacks, network sniffing
+- **Compliance**: OWASP Top 10, PCI DSS requirements
+## Detection Patterns
+### Vulnerable Code Examples
+```javascript
+// ❌ Express.js - Missing Secure flag
+res.cookie("sessionid", sessionValue, {
+  httpOnly: true,
+  // Missing: secure: true
+});
+// ❌ Set-Cookie header - No Secure flag
+res.setHeader("Set-Cookie", "sessionid=abc123; HttpOnly");
+// ❌ Document.cookie - Insecure assignment
+document.cookie = "auth=token123; path=/";
+// ❌ Session middleware - Missing security
+app.use(
+  session({
+    secret: "secret-key",
+    name: "sessionid",
+    // Missing: cookie: { secure: true }
+  })
+);
+```
+### Secure Code Examples
+```javascript
+// ✅ Express.js - With Secure flag
+res.cookie("sessionid", sessionValue, {
+  httpOnly: true,
+  secure: true,
+  sameSite: "strict",
+});
+// ✅ Set-Cookie header - With Secure flag
+res.setHeader("Set-Cookie", "sessionid=abc123; HttpOnly; Secure");
+// ✅ Session middleware - Secure configuration
+app.use(
+  session({
+    secret: "secret-key",
+    name: "sessionid",
+    cookie: {
+      secure: true,
+      httpOnly: true,
+      sameSite: "strict",
+    },
+  })
+);
+// ✅ Conditional Secure flag based on environment
+res.cookie("sessionid", sessionValue, {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+});
+```
+## Session Cookie Indicators
+The rule detects cookies that are likely session-related based on:
+- **Cookie Names**: `session`, `sessionid`, `sessid`, `jsessionid`, `phpsessid`
+- **Framework Patterns**: `connect.sid`, `asp.net_sessionid`
+- **Authentication**: `auth`, `token`, `jwt`, `csrf`
+## Supported Frameworks
+- **Express.js**: `res.cookie()`, `res.setHeader()`
+- **Koa**: Cookie setting methods
+- **Fastify**: Cookie plugins
+- **Next.js**: API routes cookie handling
+- **Native**: `document.cookie`, Set-Cookie headers
+## Configuration
+The rule can be configured in `config.json`:
+```json
+{
+  "validation": {
+    "sessionIndicators": ["session", "sessionid", "auth", "token"],
+    "cookieMethods": ["setCookie", "cookie", "setHeader"]
+  }
+}
+```
+## Best Practices
+1. **Always use Secure flag in production**
+2. **Combine with HttpOnly flag** to prevent XSS access
+3. **Use SameSite attribute** for CSRF protection
+4. **Conditional setting** based on environment:
+   ```javascript
+   const isProduction = process.env.NODE_ENV === "production";
+   res.cookie("session", value, {
+     secure: isProduction,
+     httpOnly: true,
+     sameSite: "strict",
+   });
+   ```
+## Related Rules
+- **S032**: HttpOnly flag for cookies
+- **S033**: SameSite attribute for CSRF protection
+- **S034**: Cookie expiration and domain settings
+## References
+- [OWASP Session Management](https://owasp.org/www-project-cheat-sheets/cheatsheets/Session_Management_Cheat_Sheet.html)
+- [MDN Secure Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
+- [RFC 6265 - HTTP State Management](https://tools.ietf.org/html/rfc6265)

package/rules/security/S031_secure_session_cookies/analyzer.js ADDED Viewed

@@ -0,0 +1,245 @@
+/**
+ * S031 Main Analyzer - Set Secure flag for Session Cookies
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S031 --input=examples/rule-test-fixtures/rules/S031_secure_session_cookies --engine=heuristic
+ */
+const S031SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S031RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+class S031Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S031] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S031] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+    this.ruleId = "S031";
+    this.ruleName = "Set Secure flag for Session Cookies";
+    this.description =
+      "Set Secure flag for Session Cookies to protect via HTTPS. This ensures cookies are only transmitted over secure connections, preventing interception.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      fallbackToRegex: true, // Secondary approach
+      regexBasedOnly: false, // Can be set to true for pure mode
+    };
+    // Initialize analyzers
+    try {
+      this.symbolAnalyzer = new S031SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S031] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S031] Error creating symbol analyzer:`, error);
+    }
+    try {
+      this.regexAnalyzer = new S031RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S031] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S031] Error creating regex analyzer:`, error);
+    }
+  }
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S031] Main analyzer initializing...`);
+    }
+    // Initialize both analyzers
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    }
+    if (this.regexAnalyzer) {
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    }
+    // Clean up if needed
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.cleanup?.();
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S031] Main analyzer initialized successfully`);
+    }
+  }
+  /**
+   * Single file analysis method for testing
+   */
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S031] analyzeSingle() called for: ${filePath}`);
+    }
+    // Return result using same format as analyze method
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S031] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S031] Processing file: ${filePath}`);
+        }
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S031] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(
+          `⚠ [S031] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S031] Total violations found: ${violations.length}`);
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S031] analyzeFile() called for: ${filePath}`);
+    }
+    // Create a Map to track unique violations and prevent duplicates
+    const violationMap = new Map();
+    // 1. Try Symbol-based analysis first (primary)
+    if (
+      this.config.useSymbolBased &&
+      this.semanticEngine?.project &&
+      this.semanticEngine?.initialized
+    ) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S031] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S031] Source file found, analyzing...`);
+          }
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          // Add to violation map with deduplication
+          symbolViolations.forEach((violation) => {
+            const key = `${violation.line}:${violation.column}:${violation.message}`;
+            if (!violationMap.has(key)) {
+              violationMap.set(key, violation);
+            }
+          });
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S031] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S031] Source file not found, falling back...`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠ [S031] Symbol analysis failed:`, error.message);
+      }
+    }
+    // 2. Try Regex-based analysis (fallback or additional)
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S031] Trying regex-based analysis...`);
+        }
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        // Add to violation map with deduplication
+        regexViolations.forEach((violation) => {
+          const key = `${violation.line}:${violation.column}:${violation.message}`;
+          if (!violationMap.has(key)) {
+            violationMap.set(key, violation);
+          }
+        });
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S031] Regex analysis completed: ${regexViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S031] Regex analysis failed:`, error.message);
+      }
+    }
+    // Convert Map values to array and add filePath to each violation
+    const finalViolations = Array.from(violationMap.values()).map(
+      (violation) => ({
+        ...violation,
+        filePath: filePath,
+        file: filePath, // Also add 'file' for compatibility
+      })
+    );
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S031] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    }
+    return finalViolations;
+  }
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+    if (this.regexAnalyzer?.cleanup) {
+      this.regexAnalyzer.cleanup();
+    }
+  }
+}
+module.exports = S031Analyzer;

package/rules/security/S031_secure_session_cookies/config.json ADDED Viewed

@@ -0,0 +1,86 @@
+{
+  "id": "S031",
+  "name": "Set Secure flag for Session Cookies",
+  "category": "security",
+  "description": "S031 - Set Secure flag for Session Cookies to protect via HTTPS. This ensures cookies are only transmitted over secure connections, preventing interception.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 2,
+    "timeout": 5000
+  },
+  "validation": {
+    "cookieMethods": [
+      "setCookie",
+      "cookie",
+      "set",
+      "append",
+      "session",
+      "setHeader",
+      "writeHead"
+    ],
+    "cookieLibraries": [
+      "express",
+      "koa",
+      "fastify",
+      "hapi",
+      "next",
+      "nuxt",
+      "cookie",
+      "cookie-parser",
+      "express-session",
+      "connect-session",
+      "passport"
+    ],
+    "sessionIndicators": [
+      "session",
+      "sessionid",
+      "sessid",
+      "jsessionid",
+      "phpsessid",
+      "asp.net_sessionid",
+      "connect.sid",
+      "auth",
+      "token",
+      "jwt",
+      "csrf"
+    ],
+    "securePatterns": [
+      "secure:\\s*true",
+      "secure:true",
+      "Secure",
+      "secure=true",
+      "httpOnly:\\s*true",
+      "httpOnly:true",
+      "HttpOnly",
+      "httpOnly=true"
+    ],
+    "insecurePatterns": [
+      "secure:\\s*false",
+      "secure:false",
+      "secure=false",
+      "(?<!secure[\\s=:]+)(?<!Secure[\\s;])Set-Cookie",
+      "res\\.cookie\\([^)]*\\)(?![^{]*secure)",
+      "document\\.cookie\\s*="
+    ]
+  }
+}

package/rules/security/S031_secure_session_cookies/regex-based-analyzer.js ADDED Viewed

@@ -0,0 +1,196 @@
+/**
+ * S031 Regex-Based Analyzer - Set Secure flag for Session Cookies
+ * Fallback analysis using regex patterns
+ */
+const fs = require("fs");
+class S031RegexBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.semanticEngine = semanticEngine;
+    this.ruleId = "S031";
+    this.category = "security";
+    // Session cookie indicators
+    this.sessionIndicators = [
+      "session",
+      "sessionid",
+      "sessid",
+      "jsessionid",
+      "phpsessid",
+      "asp.net_sessionid",
+      "connect.sid",
+      "auth",
+      "token",
+      "jwt",
+      "csrf",
+    ];
+    // Regex patterns for cookie detection
+    this.cookiePatterns = [
+      // Express/Node.js patterns
+      /res\.cookie\s*\(\s*['"`]([^'"`]+)['"`]\s*,([^)]+)\)/gi,
+      /response\.cookie\s*\(\s*['"`]([^'"`]+)['"`]\s*,([^)]+)\)/gi,
+      /\.setCookie\s*\(\s*['"`]([^'"`]+)['"`]\s*,([^)]+)\)/gi,
+      // Set-Cookie header patterns
+      /setHeader\s*\(\s*['"`]Set-Cookie['"`]\s*,\s*['"`]([^'"`]+)['"`]\s*\)/gi,
+      /writeHead\s*\([^,]*,\s*{[^}]*['"`]Set-Cookie['"`]\s*:\s*['"`]([^'"`]+)['"`]/gi,
+      // Document.cookie assignments
+      /document\.cookie\s*=\s*['"`]([^'"`]+)['"`]/gi,
+      // Session middleware patterns
+      /session\s*\(\s*{([^}]+)}/gi,
+      /\.use\s*\(\s*session\s*\(\s*{([^}]+)}/gi,
+    ];
+  }
+  /**
+   * Initialize analyzer
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S031] Regex-based analyzer initialized`);
+    }
+  }
+  /**
+   * Analyze file content using regex patterns
+   */
+  async analyze(filePath) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S031] Regex-based analysis for: ${filePath}`);
+    }
+    let content;
+    try {
+      content = fs.readFileSync(filePath, "utf8");
+    } catch (error) {
+      if (process.env.SUNLINT_DEBUG) {
+        console.error(`❌ [S031] File read error:`, error);
+      }
+      throw error;
+    }
+    const violations = [];
+    const lines = content.split("\n");
+    // Check each pattern
+    for (const pattern of this.cookiePatterns) {
+      this.checkPattern(pattern, content, lines, violations, filePath);
+    }
+    return violations;
+  }
+  /**
+   * Check specific regex pattern for violations
+   */
+  checkPattern(pattern, content, lines, violations, filePath) {
+    let match;
+    pattern.lastIndex = 0; // Reset regex state
+    while ((match = pattern.exec(content)) !== null) {
+      const matchText = match[0];
+      const cookieName = match[1] || "";
+      const cookieOptions = match[2] || match[1] || "";
+      // Check if this is a session cookie
+      if (!this.isSessionCookie(cookieName, matchText)) {
+        continue;
+      }
+      // Check if secure flag is present
+      if (!this.hasSecureFlag(cookieOptions, matchText)) {
+        const lineNumber = this.getLineNumber(content, match.index);
+        this.addViolation(
+          matchText,
+          lineNumber,
+          violations,
+          `Session cookie "${cookieName || "unknown"}" missing Secure flag`
+        );
+      }
+    }
+  }
+  /**
+   * Check if cookie name or context indicates session cookie
+   */
+  isSessionCookie(cookieName, matchText) {
+    const textToCheck = (cookieName + " " + matchText).toLowerCase();
+    return this.sessionIndicators.some((indicator) =>
+      textToCheck.includes(indicator.toLowerCase())
+    );
+  }
+  /**
+   * Check if secure flag is present in cookie options
+   */
+  hasSecureFlag(cookieOptions, fullMatch) {
+    const textToCheck = cookieOptions + " " + fullMatch;
+    // Check for secure config references (likely safe)
+    const secureConfigPatterns = [
+      /\bcookieConfig\b/i,
+      /\bsecureConfig\b/i,
+      /\bsafeConfig\b/i,
+      /\bdefaultConfig\b/i,
+      /\.\.\..*config/i, // spread operator with config
+      /config.*secure/i,
+    ];
+    // If using a secure config reference, assume it's safe
+    if (secureConfigPatterns.some((pattern) => pattern.test(textToCheck))) {
+      return true;
+    }
+    // Check for various secure flag patterns
+    const securePatterns = [
+      /secure\s*:\s*true/i,
+      /secure\s*=\s*true/i,
+      /;\s*secure\s*[;\s]/i,
+      /;\s*secure$/i,
+      /['"`]\s*secure\s*['"`]/i,
+      /"secure"\s*:\s*true/i,
+      /'secure'\s*:\s*true/i,
+      /\bsecure\b/i, // Simple secure keyword
+    ];
+    return securePatterns.some((pattern) => pattern.test(textToCheck));
+  }
+  /**
+   * Get line number from content position
+   */
+  getLineNumber(content, position) {
+    const beforeMatch = content.substring(0, position);
+    return beforeMatch.split("\n").length;
+  }
+  /**
+   * Add violation to results
+   */
+  addViolation(source, lineNumber, violations, message) {
+    violations.push({
+      ruleId: this.ruleId,
+      source: source.trim(),
+      category: this.category,
+      line: lineNumber,
+      column: 1,
+      message: `Insecure session cookie: ${message}`,
+      severity: "error",
+    });
+  }
+}
+module.exports = S031RegexBasedAnalyzer;