npm - @sun-asterisk/sunlint - Versions diffs - 1.3.2 → 1.3.3 - Mend

@sun-asterisk/sunlint 1.3.2 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

package/rules/security/S017_use_parameterized_queries/README.md ADDED Viewed

@@ -0,0 +1,128 @@
+# S017 - Always use parameterized queries
+## Rule Description
+Always use parameterized queries instead of string concatenation to build SQL queries. This prevents SQL injection attacks by separating SQL logic from data.
+## Risk Level
+**HIGH** - SQL injection is one of the most critical security vulnerabilities
+## Rule Details
+This rule detects potentially vulnerable SQL query construction patterns:
+### ❌ Violations (Dangerous Patterns)
+```javascript
+// String concatenation with user input
+const query = "SELECT * FROM users WHERE id = " + userId;
+db.query(query);
+// Template literals with interpolation
+const sql = `SELECT * FROM products WHERE name = '${productName}'`;
+connection.execute(sql);
+// Direct variable insertion
+const deleteQuery = "DELETE FROM orders WHERE status = '" + status + "'";
+mysql.query(deleteQuery);
+// Complex concatenation
+const updateSql =
+  "UPDATE users SET name = '" +
+  name +
+  "', email = '" +
+  email +
+  "' WHERE id = " +
+  id;
+```
+### ✅ Correct Usage (Safe Patterns)
+```javascript
+// Using parameterized queries with placeholders
+const query = "SELECT * FROM users WHERE id = ?";
+db.query(query, [userId]);
+// Using named parameters
+const sql = "SELECT * FROM products WHERE name = $1";
+client.query(sql, [productName]);
+// Using prepared statements
+const stmt = db.prepare("DELETE FROM orders WHERE status = ?");
+stmt.run(status);
+// ORM usage (usually safe)
+const user = await User.findOne({ where: { id: userId } });
+// Using parameter objects
+const updateSql = "UPDATE users SET name = ?, email = ? WHERE id = ?";
+db.query(updateSql, [name, email, id]);
+```
+## Detected Libraries
+- **Database drivers**: mysql, mysql2, pg, sqlite3, mssql, oracle
+- **ORMs**: sequelize, typeorm, prisma, mongoose
+- **Query builders**: knex, objection
+## Security Impact
+- **SQL Injection attacks**: Malicious SQL code execution
+- **Data breach**: Unauthorized access to sensitive data
+- **Data manipulation**: Unauthorized data modification/deletion
+- **Authentication bypass**: Circumventing login mechanisms
+- **Privilege escalation**: Gaining admin access
+## Best Practices
+1. **Always use parameterized queries** with placeholders (?, $1, etc.)
+2. **Use prepared statements** when available
+3. **Validate and sanitize** all user inputs
+4. **Use ORMs** that handle parameterization automatically
+5. **Apply principle of least privilege** for database accounts
+6. **Regular security audits** of SQL query patterns
+## Examples by Library
+### MySQL/MySQL2
+```javascript
+// ❌ Vulnerable
+const query = `SELECT * FROM users WHERE email = '${email}'`;
+connection.query(query);
+// ✅ Safe
+const query = "SELECT * FROM users WHERE email = ?";
+connection.query(query, [email]);
+```
+### PostgreSQL (pg)
+```javascript
+// ❌ Vulnerable
+const text = `SELECT * FROM users WHERE id = ${id}`;
+client.query(text);
+// ✅ Safe
+const text = "SELECT * FROM users WHERE id = $1";
+client.query(text, [id]);
+```
+### SQLite
+```javascript
+// ❌ Vulnerable
+const sql = "INSERT INTO logs (message) VALUES ('" + message + "')";
+db.run(sql);
+// ✅ Safe
+const sql = "INSERT INTO logs (message) VALUES (?)";
+db.run(sql, [message]);
+```
+## References
+- [OWASP SQL Injection Prevention](https://owasp.org/www-community/attacks/SQL_Injection)
+- [CWE-89: SQL Injection](https://cwe.mitre.org/data/definitions/89.html)
+- [Node.js Security Best Practices](https://nodejs.org/en/docs/guides/security/)

package/rules/security/S017_use_parameterized_queries/analyzer.js ADDED Viewed

@@ -0,0 +1,286 @@
+/**
+ * S017 Main Analyzer - Always use parameterized queries
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S017 --input=examples/rule-test-fixtures/rules/S017_use_parameterized_queries --engine=heuristic
+ */
+const S017SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S017RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+class S017Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S017] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S017] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+    this.ruleId = "S017";
+    this.ruleName = "Always use parameterized queries";
+    this.description =
+      "Always use parameterized queries instead of string concatenation to build SQL queries. This prevents SQL injection attacks by separating SQL logic from data";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      fallbackToRegex: true, // Secondary approach
+      regexBasedOnly: false, // Can be set to true for pure mode
+    };
+    // Initialize analyzers
+    try {
+      this.symbolAnalyzer = new S017SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S017] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S017] Error creating symbol analyzer:`, error);
+    }
+    try {
+      this.regexAnalyzer = new S017RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S017] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S017] Error creating regex analyzer:`, error);
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S017] Constructor completed`);
+    }
+  }
+  /**
+   * Initialize with semantic engine
+   */
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+    // Initialize both analyzers
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    }
+    if (this.regexAnalyzer) {
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    }
+    // Ensure verbose flag is propagated
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.verbose = this.verbose;
+    }
+    if (this.symbolAnalyzer) {
+      this.symbolAnalyzer.verbose = this.verbose;
+    }
+    if (this.verbose) {
+      console.log(
+        `🔧 [S017 Hybrid] Analyzer initialized - verbose: ${this.verbose}`
+      );
+    }
+  }
+  /**
+   * Single file analysis method for testing
+   */
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S017] analyzeSingle() called for: ${filePath}`);
+    }
+    // Return result using same format as analyze method
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S017] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S017] Processing file: ${filePath}`);
+        }
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S017] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(
+          `⚠ [S017] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S017] Total violations found: ${violations.length}`);
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S017] analyzeFile() called for: ${filePath}`);
+    }
+    // Create a Set to track unique violations and prevent duplicates
+    const violationMap = new Map();
+    // 1. Try Symbol-based analysis first (primary)
+    if (
+      this.config.useSymbolBased &&
+      this.semanticEngine?.project &&
+      this.semanticEngine?.initialized
+    ) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S017] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S017] Source file found, analyzing with symbol-based...`
+            );
+          }
+          // Read file content for symbol analyzer
+          const fs = require("fs");
+          const fileContent = fs.readFileSync(filePath, "utf8");
+          const violations = await this.symbolAnalyzer.analyzeFile(
+            filePath,
+            fileContent,
+            { ...options, verbose: options.verbose }
+          );
+          // Add violations to map to deduplicate
+          violations.forEach((v) => {
+            const key = `${v.line}:${v.column}:${v.message}`;
+            if (!violationMap.has(key)) {
+              v.analysisStrategy = "symbol-based";
+              violationMap.set(key, v);
+            }
+          });
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `✅ [S017] Symbol-based analysis: ${violations.length} violations`
+            );
+          }
+          return Array.from(violationMap.values()); // Return deduplicated violations
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`⚠️ [S017] Source file not found in project`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠️ [S017] Symbol analysis failed: ${error.message}`);
+        // Continue to fallback
+      }
+    } else {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔄 [S017] Symbol analysis conditions check:`);
+        console.log(`  - useSymbolBased: ${this.config.useSymbolBased}`);
+        console.log(`  - semanticEngine: ${!!this.semanticEngine}`);
+        console.log(
+          `  - semanticEngine.project: ${!!this.semanticEngine?.project}`
+        );
+        console.log(
+          `  - semanticEngine.initialized: ${this.semanticEngine?.initialized}`
+        );
+        console.log(
+          `🔄 [S017] Symbol analysis unavailable, using regex fallback`
+        );
+      }
+    }
+    // 2. Fallback to regex-based analysis (only if symbol-based failed or unavailable)
+    if (this.config.fallbackToRegex) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S017] Trying regex-based analysis...`);
+        }
+        // Read file content for regex analyzer
+        const fs = require("fs");
+        const fileContent = fs.readFileSync(filePath, "utf8");
+        const violations = await this.regexAnalyzer.analyzeFile(
+          filePath,
+          fileContent,
+          options
+        );
+        // Add violations to map to deduplicate
+        violations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) {
+            v.analysisStrategy = "regex-fallback";
+            violationMap.set(key, v);
+          }
+        });
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔄 [S017] Regex-based analysis: ${violations.length} violations`
+          );
+        }
+        return Array.from(violationMap.values()); // Return deduplicated violations
+      } catch (error) {
+        console.error(`⚠ [S017] Regex analysis failed: ${error.message}`);
+      }
+    }
+    console.log(`🔧 [S017] No analysis methods succeeded, returning empty`);
+    return [];
+  }
+  /**
+   * Methods for compatibility with different engine invocation patterns
+   */
+  async analyzeFileWithSymbols(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
+  }
+  async analyzeWithSemantics(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
+  }
+  /**
+   * Get analyzer metadata
+   */
+  getMetadata() {
+    return {
+      rule: "S017",
+      name: "Always use parameterized queries",
+      category: "security",
+      type: "hybrid",
+      description:
+        "Uses symbol-based and regex analysis to detect SQL injection vulnerabilities",
+    };
+  }
+}
+module.exports = S017Analyzer;

package/rules/security/S017_use_parameterized_queries/config.json ADDED Viewed

@@ -0,0 +1,109 @@
+{
+  "id": "S017",
+  "name": "Always use parameterized queries",
+  "category": "security",
+  "description": "S017 - Always use parameterized queries instead of string concatenation to build SQL queries. This prevents SQL injection attacks by separating SQL logic from data",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 2,
+    "timeout": 5000
+  },
+  "validation": {
+    "sqlMethods": [
+      "query",
+      "execute",
+      "exec",
+      "run",
+      "all",
+      "get",
+      "prepare",
+      "createQuery",
+      "executeQuery",
+      "executeSql",
+      "rawQuery"
+    ],
+    "dangerousPatterns": [
+      "SELECT.*\\+",
+      "INSERT.*\\+",
+      "UPDATE.*\\+",
+      "DELETE.*\\+",
+      "WHERE.*\\+",
+      "ORDER BY.*\\+",
+      "GROUP BY.*\\+",
+      "HAVING.*\\+",
+      "\\$\\{.*\\}",
+      "\\`.*\\$\\{.*\\}.*\\`"
+    ],
+    "sqlKeywords": [
+      "SELECT",
+      "INSERT",
+      "UPDATE",
+      "DELETE",
+      "DROP",
+      "CREATE",
+      "ALTER",
+      "UNION",
+      "WHERE",
+      "ORDER BY",
+      "GROUP BY",
+      "HAVING",
+      "FROM",
+      "JOIN",
+      "INNER JOIN",
+      "LEFT JOIN",
+      "RIGHT JOIN",
+      "FULL JOIN"
+    ],
+    "databaseLibraries": [
+      "mysql",
+      "mysql2",
+      "pg",
+      "postgres",
+      "sqlite3",
+      "sqlite",
+      "mssql",
+      "tedious",
+      "oracle",
+      "mongodb",
+      "mongoose",
+      "sequelize",
+      "typeorm",
+      "prisma",
+      "knex",
+      "objection"
+    ],
+    "safePatterns": [
+      "\\?",
+      "\\$1",
+      "\\$2",
+      "\\$3",
+      "\\$4",
+      "\\$5",
+      "prepare",
+      "bind",
+      "params",
+      "parameters",
+      "values"
+    ]
+  }
+}