npm - @sun-asterisk/sunlint - Versions diffs - 1.3.2 → 1.3.3 - Mend

@sun-asterisk/sunlint 1.3.2 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

package/rules/security/S033_samesite_session_cookies/README.md ADDED Viewed

@@ -0,0 +1,227 @@
+# S033 - Set SameSite attribute for Session Cookies
+## Overview
+Rule S033 enforces the presence of the `SameSite` attribute on session cookies to reduce Cross-Site Request Forgery (CSRF) risk. The SameSite attribute controls whether cookies are sent with cross-site requests, providing protection against CSRF attacks.
+## Security Impact
+**CSRF Protection**: The SameSite attribute helps prevent CSRF attacks by controlling when cookies are sent:
+- `Strict`: Cookies are never sent with cross-site requests
+- `Lax`: Cookies are sent with top-level navigation but not with sub-requests
+- `None`: Cookies are sent with all cross-site requests (requires Secure flag)
+**Recommended Values**: For session cookies, `strict` or `lax` are recommended for optimal security.
+## Rule Details
+### Detected Patterns
+✅ **Secure Examples:**
+```typescript
+// ✅ GOOD: SameSite with strict value
+res.cookie("session", sessionId, {
+  secure: true,
+  httpOnly: true,
+  sameSite: "strict",
+});
+// ✅ GOOD: SameSite with lax value
+res.cookie("auth", token, {
+  secure: true,
+  httpOnly: true,
+  sameSite: "lax",
+});
+// ✅ GOOD: Set-Cookie header with SameSite
+res.setHeader(
+  "Set-Cookie",
+  "session=abc123; HttpOnly; Secure; SameSite=Strict"
+);
+// ✅ GOOD: Express session with SameSite
+app.use(
+  session({
+    secret: "secret",
+    cookie: {
+      secure: true,
+      httpOnly: true,
+      sameSite: "strict",
+    },
+  })
+);
+```
+❌ **Violation Examples:**
+```typescript
+// ❌ BAD: Missing SameSite attribute
+res.cookie("session", sessionId, {
+  secure: true,
+  httpOnly: true,
+  // Missing: sameSite: "strict"
+});
+// ❌ BAD: No options object
+res.cookie("auth", token);
+// ❌ BAD: Set-Cookie header without SameSite
+res.setHeader("Set-Cookie", "session=abc123; HttpOnly; Secure");
+// ❌ BAD: Express session missing SameSite
+app.use(
+  session({
+    secret: "secret",
+    cookie: {
+      secure: true,
+      httpOnly: true,
+      // Missing: sameSite: 'strict'
+    },
+  })
+);
+// ❌ BAD: Session middleware without cookie config
+app.use(
+  session({
+    secret: "secret",
+    // Missing: cookie configuration with sameSite
+  })
+);
+```
+### Supported Cookie Methods
+The rule detects SameSite violations in:
+- `res.cookie()` - Express cookie method
+- `res.setCookie()` - Generic cookie setting
+- `res.setHeader("Set-Cookie", ...)` - Raw Set-Cookie headers
+- `session()` - Express-session middleware
+- Other cookie-related methods: `set`, `append`, `writeHead`
+### Session Cookie Detection
+The rule identifies session cookies by names containing:
+- `session`, `sessionid`, `sessid`
+- `jsessionid`, `phpsessid`, `asp.net_sessionid`
+- `connect.sid` (Express session default)
+- `auth`, `token`, `jwt`
+- `csrf`, `refresh`
+### SameSite Values
+**Acceptable Values:**
+- `"strict"` - Strictest protection, cookies never sent cross-site
+- `"lax"` - Moderate protection, cookies sent with top-level navigation
+- `"none"` - No protection, cookies sent with all requests (requires Secure)
+**Recommended Values for Session Cookies:**
+- `"strict"` - For maximum security
+- `"lax"` - For better UX while maintaining security
+## Analysis Approach
+### Symbol-based Analysis (Primary)
+- Uses TypeScript AST parsing via ts-morph
+- Provides semantic understanding of code structure
+- Handles complex patterns like object references and spread syntax
+- Analyzes method calls, object literals, and configuration references
+### Regex-based Analysis (Fallback)
+- Pattern-matching approach for various cookie patterns
+- Handles Set-Cookie headers and express-session middleware
+- Fallback when semantic analysis is unavailable
+- Covers edge cases that might be missed by AST analysis
+## Implementation Details
+### Class-based Configuration Support
+```typescript
+// ✅ Detects missing SameSite in class properties
+class SessionManager {
+  private cookieConfig = {
+    secure: true,
+    httpOnly: true,
+    // Missing: sameSite: "strict"
+  };
+  setSession(res: Response, token: string) {
+    res.cookie("session", token, this.cookieConfig); // ❌ Violation
+  }
+}
+```
+### Spread Syntax Support
+```typescript
+// ✅ Detects missing SameSite in spread configurations
+res.cookie("auth", token, {
+  ...baseCookieConfig, // If baseCookieConfig lacks sameSite
+  path: "/api",
+  // Still missing sameSite
+}); // ❌ Violation
+```
+### Multiple Cookie Headers
+```typescript
+// ✅ Detects individual cookies missing SameSite
+res.setHeader("Set-Cookie", [
+  "auth=token1; Secure; HttpOnly", // ❌ Missing SameSite
+  "session=token2; HttpOnly; SameSite=Strict", // ✅ Has SameSite
+  "csrf=token3; Secure", // ❌ Missing SameSite
+]);
+```
+## Configuration
+The rule supports various configuration options in `config.json`:
+- **Session Indicators**: Patterns that identify session cookies
+- **Acceptable Values**: Valid SameSite attribute values
+- **Cookie Methods**: Methods that accept cookie configurations
+- **Analysis Depth**: How deep to analyze nested configurations
+## Integration
+This rule integrates with:
+- **SunLint Engine**: Main analysis framework
+- **TypeScript Semantic Engine**: For AST-based analysis
+- **ts-morph**: TypeScript compiler API wrapper
+- **Heuristic Engine**: Fallback analysis approach
+## Performance
+- **Analysis Timeout**: 5 seconds per file
+- **Memory Optimized**: Uses semantic engine caching
+- **Selective Analysis**: Only analyzes session-related cookies
+- **Duplicate Detection**: Removes duplicate violations
+## Related Rules
+- **S031**: Secure flag for session cookies
+- **S032**: HttpOnly attribute for session cookies
+- **S029**: CSRF protection mechanisms
+## Best Practices
+1. **Always set SameSite**: Use `strict` or `lax` for session cookies
+2. **Combine with other flags**: Use with `secure` and `httpOnly`
+3. **Consider UX impact**: `strict` may break some legitimate cross-site flows
+4. **Test thoroughly**: Verify application functionality after enabling
+5. **Update legacy code**: Retrofit existing cookie implementations
+## References
+- [MDN SameSite Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
+- [OWASP Session Management](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/)
+- [RFC 6265bis SameSite](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis)

package/rules/security/S033_samesite_session_cookies/analyzer.js ADDED Viewed

@@ -0,0 +1,242 @@
+/**
+ * S033 Main Analyzer - Set SameSite attribute for Session Cookies
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S033 --input=examples/rule-test-fixtures/rules/S033_samesite_session_cookies --engine=heuristic
+ */
+const S033SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S033RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+class S033Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S033] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S033] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+    this.ruleId = "S033";
+    this.ruleName = "Set SameSite attribute for Session Cookies";
+    this.description =
+      "Set SameSite attribute for Session Cookies to reduce CSRF risk. This prevents the browser from sending cookies along with cross-site requests, mitigating CSRF attacks.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      fallbackToRegex: true, // Secondary approach
+      regexBasedOnly: false, // Can be set to true for pure mode
+    };
+    // Initialize analyzers
+    try {
+      this.symbolAnalyzer = new S033SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S033] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S033] Error creating symbol analyzer:`, error);
+    }
+    try {
+      this.regexAnalyzer = new S033RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S033] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S033] Error creating regex analyzer:`, error);
+    }
+  }
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S033] Main analyzer initializing...`);
+    }
+    // Initialize both analyzers
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    }
+    if (this.regexAnalyzer) {
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    }
+    // Clean up if needed
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.cleanup?.();
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S033] Main analyzer initialized successfully`);
+    }
+  }
+  /**
+   * Single file analysis method for testing
+   */
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`� [S033] analyzeSingle() called for: ${filePath}`);
+    }
+    // Return result using same format as analyze method
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S033] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S033] Processing file: ${filePath}`);
+        }
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S033] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(
+          `⚠ [S033] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S033] Total violations found: ${violations.length}`);
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S033] analyzeFile() called for: ${filePath}`);
+    }
+    // Create a Map to track unique violations and prevent duplicates
+    const violationMap = new Map();
+    // 1. Try Symbol-based analysis first (primary)
+    if (
+      this.config.useSymbolBased &&
+      this.semanticEngine?.project &&
+      this.semanticEngine?.initialized
+    ) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S033] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S033] Source file found, analyzing...`);
+          }
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          // Add to violation map with deduplication
+          symbolViolations.forEach((violation) => {
+            const key = `${violation.line}:${violation.column}:${violation.message}`;
+            if (!violationMap.has(key)) {
+              violationMap.set(key, violation);
+            }
+          });
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S033] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S033] Source file not found, falling back...`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠ [S033] Symbol analysis failed:`, error.message);
+      }
+    }
+    // 2. Try Regex-based analysis (fallback or additional)
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S033] Trying regex-based analysis...`);
+        }
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        // Add to violation map with deduplication
+        regexViolations.forEach((violation) => {
+          const key = `${violation.line}:${violation.column}:${violation.message}`;
+          if (!violationMap.has(key)) {
+            violationMap.set(key, violation);
+          }
+        });
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S033] Regex analysis completed: ${regexViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S033] Regex analysis failed:`, error.message);
+      }
+    }
+    // Convert Map values to array and add filePath to each violation
+    const finalViolations = Array.from(violationMap.values()).map(
+      (violation) => ({
+        ...violation,
+        filePath: filePath,
+        file: filePath, // Also add 'file' for compatibility
+      })
+    );
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S033] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    }
+    return finalViolations;
+  }
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+    if (this.regexAnalyzer?.cleanup) {
+      this.regexAnalyzer.cleanup();
+    }
+  }
+}
+module.exports = S033Analyzer;

package/rules/security/S033_samesite_session_cookies/config.json ADDED Viewed

@@ -0,0 +1,87 @@
+{
+  "id": "S033",
+  "name": "Set SameSite attribute for Session Cookies",
+  "category": "security",
+  "description": "S033 - Set SameSite attribute for Session Cookies to reduce CSRF risk. This prevents the browser from sending cookies along with cross-site requests, mitigating CSRF attacks.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 2,
+    "timeout": 5000
+  },
+  "validation": {
+    "cookieMethods": [
+      "setCookie",
+      "cookie",
+      "set",
+      "append",
+      "session",
+      "setHeader",
+      "writeHead"
+    ],
+    "cookieLibraries": [
+      "express",
+      "koa",
+      "fastify",
+      "hapi",
+      "next",
+      "nuxt",
+      "cookie",
+      "cookie-parser",
+      "express-session",
+      "connect-session",
+      "passport"
+    ],
+    "sessionIndicators": [
+      "session",
+      "sessionid",
+      "sessid",
+      "jsessionid",
+      "phpsessid",
+      "asp.net_sessionid",
+      "connect.sid",
+      "auth",
+      "token",
+      "jwt",
+      "csrf",
+      "refresh"
+    ],
+    "sameSitePatterns": [
+      "sameSite:\\s*['\"]strict['\"]",
+      "sameSite:\\s*['\"]lax['\"]",
+      "sameSite:\\s*['\"]none['\"]",
+      "sameSite:['\"]strict['\"]",
+      "sameSite:['\"]lax['\"]",
+      "sameSite:['\"]none['\"]",
+      "SameSite=Strict",
+      "SameSite=Lax",
+      "SameSite=None"
+    ],
+    "insecurePatterns": [
+      "(?<!sameSite[\\s=:]+)(?<!SameSite=)Set-Cookie",
+      "res\\.cookie\\([^)]*\\)(?![^{]*sameSite)",
+      "document\\.cookie\\s*="
+    ],
+    "acceptableValues": ["strict", "lax", "none"],
+    "recommendedValues": ["strict", "lax"]
+  }
+}