npm - @sun-asterisk/sunlint - Versions diffs - 1.3.2 → 1.3.3 - Mend

@sun-asterisk/sunlint 1.3.2 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

package/rules/security/S034_host_prefix_session_cookies/README.md ADDED Viewed

@@ -0,0 +1,204 @@
+# S034: Use \_\_Host- prefix for Session Cookies
+## Overview
+This rule enforces the use of `__Host-` prefix for session cookies to prevent subdomain sharing attacks. The `__Host-` prefix is a security feature that ensures cookies are only sent to the exact domain that set them.
+## Rule Details
+**Rule ID**: S034
+**Category**: Security
+**Severity**: Warning
+**Confidence**: High
+## Description
+The `__Host-` prefix is a cookie security feature that:
+- Prevents subdomain cookie sharing
+- Requires the cookie to be secure (HTTPS only)
+- Requires path to be `/` (root path)
+- Prohibits the Domain attribute
+- Ensures cookies are only sent to the exact domain that set them
+## Examples
+### ❌ Violations
+```javascript
+// Express.js - Missing __Host- prefix for session cookie
+res.cookie("sessionid", token, {
+  secure: true,
+  httpOnly: true,
+});
+// NestJS - Authentication cookie without __Host- prefix
+@Post('login')
+login(@Res() response: Response) {
+  response.cookie('auth_token', value, {
+    secure: true,
+    path: '/',
+  });
+}
+// Next.js - Session cookie missing __Host- prefix
+export async function POST() {
+  const response = NextResponse.json({ success: true });
+  response.cookies.set('sessionid', token, {
+    secure: true,
+    httpOnly: true,
+  });
+  return response;
+}
+// NextAuth.js - Session token without __Host- prefix
+export default NextAuth({
+  cookies: {
+    sessionToken: {
+      name: 'next-auth.session-token',
+      options: {
+        secure: true,
+        httpOnly: true,
+      }
+    }
+  }
+});
+```
+### ✅ Correct Usage
+```javascript
+// Express.js - Proper __Host- prefix for session cookie
+res.cookie("__Host-sessionid", token, {
+  secure: true,
+  httpOnly: true,
+  path: "/",
+});
+// NestJS - Authentication cookie with __Host- prefix
+@Post('login')
+login(@Res() response: Response) {
+  response.cookie('__Host-auth_token', value, {
+    secure: true,
+    httpOnly: true,
+    path: '/',
+  });
+}
+// Next.js - Session cookie with __Host- prefix
+export async function POST() {
+  const response = NextResponse.json({ success: true });
+  response.cookies.set('__Host-sessionid', token, {
+    secure: true,
+    httpOnly: true,
+    path: '/',
+  });
+  return response;
+}
+// NextAuth.js - Session token with __Host- prefix
+export default NextAuth({
+  cookies: {
+    sessionToken: {
+      name: '__Host-next-auth.session-token',
+      options: {
+        secure: true,
+        httpOnly: true,
+        path: '/',
+      }
+    }
+  }
+});
+```
+## \_\_Host- Prefix Requirements
+When using the `__Host-` prefix, the following requirements must be met:
+1. **Secure**: Cookie must have the `Secure` attribute (HTTPS only)
+2. **Path**: Must be set to `/` (root path)
+3. **Domain**: Must NOT have a Domain attribute
+4. **Exact Domain**: Cookie will only be sent to the exact domain that set it
+## Detected Patterns
+This rule detects session cookies without `__Host-` prefix in multiple frameworks:
+### Express.js
+- `res.cookie()` calls with session cookie names without `__Host-` prefix
+- `res.setHeader()` with `Set-Cookie` headers missing `__Host-` prefix
+- Session middleware configuration with cookie names missing `__Host-` prefix
+- Array of Set-Cookie headers with session cookies missing `__Host-` prefix
+### NestJS
+- `@Res()` decorator response cookie methods
+- `@Cookies()` decorator usage with session cookies
+- Response object cookie setting methods
+- NestJS session middleware configuration
+### Next.js
+- `response.cookies.set()` method calls
+- `cookies().set()` from next/headers
+- NextAuth.js session and CSRF token configuration
+- API route response cookie setting
+### NextAuth.js
+- Session token configuration without `__Host-` prefix
+- CSRF token configuration missing `__Host-` prefix
+- Cookie configuration in NextAuth providers
+## Session Cookie Detection
+The rule identifies session cookies based on common naming patterns:
+- `session`, `sessionid`, `session_id`
+- `sid`, `connect.sid`
+- `auth`, `auth_token`, `authentication`
+- `jwt`, `token`
+- `csrf`, `csrf_token`, `xsrf`
+- `login`, `user`, `userid`, `user_id`
+- `sessionToken`, `csrfToken` (NextAuth specific)
+## Configuration
+The rule uses regex-based analysis for comprehensive framework support:
+- **Regex-based**: Pattern matching for framework-specific cookie patterns
+- **Framework Support**: Express.js, NestJS, Next.js, NextAuth.js
+## Security Impact
+**Without \_\_Host- prefix:**
+- Subdomain cookie sharing vulnerabilities
+- Session fixation attacks from subdomains
+- Cross-subdomain session hijacking
+**With \_\_Host- prefix:**
+- Cookies isolated to exact domain
+- Prevention of subdomain attacks
+- Enhanced session security
+## Compatibility
+- **Node.js**: All versions
+- **Frameworks**: Express.js, NestJS, Next.js, NextAuth.js
+- **Browsers**: Modern browsers supporting \_\_Host- prefix
+- **Languages**: JavaScript, TypeScript
+## References
+- [MDN: \_\_Host- prefix](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#__Host-)
+- [RFC Draft: Cookie Prefixes](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00)
+- [OWASP: Secure Cookie Attribute](https://owasp.org/www-community/controls/SecureCookieAttribute)
+## Related Rules
+- **S031**: Set Secure attribute for Session Cookies
+- **S032**: Set HttpOnly attribute for Session Cookies
+- **S033**: Set SameSite attribute for Session Cookies

package/rules/security/S034_host_prefix_session_cookies/analyzer.js ADDED Viewed

@@ -0,0 +1,290 @@
+/**
+ * S034 Main Analyzer - Use __Host- prefix for Session Cookies
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S034 --input=examples/rule-test-fixtures/rules/S034_host_prefix_session_cookies --engine=heuristic
+ */
+const S034SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S034RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+class S034Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S034] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S034] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+    this.ruleId = "S034";
+    this.ruleName = "Use __Host- prefix for Session Cookies";
+    this.description =
+      "Use __Host- prefix for Session Cookies to prevent subdomain sharing. The __Host- prefix ensures cookies are only sent to the exact domain that set them, preventing subdomain cookie sharing attacks.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    // Configuration - Use symbol-based as primary, regex for additional coverage
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      fallbackToRegex: true, // Additional coverage
+      regexBasedOnly: false, // Can be set to true for pure mode
+    };
+    // Initialize analyzers
+    try {
+      this.symbolAnalyzer = new S034SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S034] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S034] Error creating symbol analyzer:`, error);
+    }
+    try {
+      this.regexAnalyzer = new S034RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S034] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S034] Error creating regex analyzer:`, error);
+    }
+  }
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S034] Main analyzer initializing...`);
+    }
+    // Initialize both analyzers
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    }
+    if (this.regexAnalyzer) {
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    }
+    // Clean up if needed
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.cleanup?.();
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S034] Main analyzer initialized successfully`);
+    }
+  }
+  /**
+   * Single file analysis method for testing
+   */
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S034] analyzeSingle() called for: ${filePath}`);
+    }
+    // Return result using same format as analyze method
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S034] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S034] Processing file: ${filePath}`);
+        }
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S034] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(
+          `⚠ [S034] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S034] Total violations found: ${violations.length}`);
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S034] analyzeFile() called for: ${filePath}`);
+    }
+    // Create a Map to track unique violations and prevent duplicates
+    const violationMap = new Map();
+    const lineToViolationMap = new Map(); // Track which lines already have violations
+    // 1. Try Symbol-based analysis first (primary)
+    if (
+      this.config.useSymbolBased &&
+      this.semanticEngine?.project &&
+      this.semanticEngine?.initialized
+    ) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S034] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S034] Source file found, analyzing...`);
+          }
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          // Add symbol violations first (higher priority)
+          symbolViolations.forEach((violation) => {
+            // Extract cookie name from message for better deduplication
+            const cookieNameMatch =
+              violation.message.match(
+                /(?:Session (?:cookie|middleware cookie name)|Set-Cookie.*?|NextAuth.*?) "([^"]+)"/
+              ) ||
+              violation.message.match(
+                /Insecure session cookie:.*?(?:Session cookie|NextAuth.*?) "([^"]+)"/
+              );
+            const cookieName = cookieNameMatch ? cookieNameMatch[1] : "unknown";
+            // Use specific key including column for exact match
+            const specificKey = `${violation.line}:${
+              violation.column || 1
+            }:${cookieName}`;
+            const lineKey = `${violation.line}:${cookieName}`;
+            if (!violationMap.has(specificKey)) {
+              violationMap.set(specificKey, {
+                ...violation,
+                source: "symbol", // Track source for debugging
+              });
+              // Also track by line for regex deduplication
+              lineToViolationMap.set(lineKey, specificKey);
+            }
+          });
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S034] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S034] Source file not found, falling back...`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠ [S034] Symbol analysis failed:`, error.message);
+      }
+    }
+    // 2. Try Regex-based analysis (fallback or additional)
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S034] Trying regex-based analysis...`);
+        }
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        // Add regex violations only if not already covered by symbol analysis
+        regexViolations.forEach((violation) => {
+          // Extract cookie name from message for better deduplication
+          const cookieNameMatch =
+            violation.message.match(
+              /(?:Session (?:cookie|middleware cookie name)|Set-Cookie.*?|NextAuth.*?) "([^"]+)"/
+            ) ||
+            violation.message.match(
+              /Insecure session cookie:.*?(?:Session cookie|NextAuth.*?) "([^"]+)"/
+            );
+          const cookieName = cookieNameMatch ? cookieNameMatch[1] : "unknown";
+          // Check if this line+cookie already has a violation from symbol analyzer
+          const lineKey = `${violation.line}:${cookieName}`;
+          if (!lineToViolationMap.has(lineKey)) {
+            // No symbol violation for this line+cookie, add regex violation
+            const specificKey = `${violation.line}:${
+              violation.column || 1
+            }:${cookieName}:regex`;
+            if (!violationMap.has(specificKey)) {
+              violationMap.set(specificKey, {
+                ...violation,
+                source: "regex", // Track source for debugging
+              });
+            }
+          } else if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S034] Skipping duplicate regex violation at ${lineKey} (already covered by symbol)`
+            );
+          }
+        });
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S034] Regex analysis completed: ${regexViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S034] Regex analysis failed:`, error.message);
+      }
+    }
+    // Convert Map values to array and add filePath to each violation
+    const finalViolations = Array.from(violationMap.values()).map(
+      (violation) => ({
+        ...violation,
+        filePath: filePath,
+        file: filePath, // Also add 'file' for compatibility
+      })
+    );
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S034] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    }
+    return finalViolations;
+  }
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+    if (this.regexAnalyzer?.cleanup) {
+      this.regexAnalyzer.cleanup();
+    }
+  }
+}
+module.exports = S034Analyzer;

package/rules/security/S034_host_prefix_session_cookies/config.json ADDED Viewed

@@ -0,0 +1,62 @@
+{
+  "id": "S034",
+  "name": "Use __Host- prefix for Session Cookies",
+  "description": "Use __Host- prefix for Session Cookies to prevent subdomain sharing. The __Host- prefix ensures cookies are only sent to the exact domain that set them, preventing subdomain cookie sharing attacks.",
+  "category": "security",
+  "severity": "warning",
+  "confidence": "high",
+  "tags": ["cookie", "security", "session", "subdomain", "host-prefix"],
+  "languages": ["javascript", "typescript"],
+  "patterns": {
+    "cookieNamePatterns": [
+      "session",
+      "sessionid",
+      "session_id",
+      "sid",
+      "connect.sid",
+      "auth",
+      "auth_token",
+      "authentication",
+      "jwt",
+      "token",
+      "csrf",
+      "csrf_token",
+      "xsrf",
+      "login",
+      "user",
+      "userid",
+      "user_id"
+    ],
+    "hostPrefixPattern": "^__Host-",
+    "violationPatterns": [
+      "res\\.cookie\\s*\\(\\s*['\"`](?!__Host-)",
+      "Set-Cookie:\\s*(?!__Host-)",
+      "cookie:\\s*{[^}]*name\\s*:\\s*['\"`](?!__Host-)"
+    ]
+  },
+  "validation": {
+    "hostPrefixRequirements": {
+      "secure": true,
+      "path": "/",
+      "domain": null,
+      "description": "__Host- prefix requires Secure=true, Path=/, and no Domain attribute"
+    }
+  },
+  "examples": {
+    "violation": [
+      "res.cookie('sessionid', token, { secure: true, httpOnly: true })",
+      "res.cookie('auth_token', value, { secure: true, path: '/' })",
+      "res.setHeader('Set-Cookie', 'session=value; Secure; HttpOnly')"
+    ],
+    "clean": [
+      "res.cookie('__Host-sessionid', token, { secure: true, httpOnly: true, path: '/' })",
+      "res.cookie('__Host-auth_token', value, { secure: true, path: '/', domain: undefined })",
+      "res.setHeader('Set-Cookie', '__Host-session=value; Secure; HttpOnly; Path=/')"
+    ]
+  },
+  "references": [
+    "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#__Host-",
+    "https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00",
+    "https://owasp.org/www-community/controls/SecureCookieAttribute"
+  ]
+}