npm - @sun-asterisk/sunlint - Versions diffs - 1.3.2 → 1.3.4 - Mend

@sun-asterisk/sunlint 1.3.2 → 1.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/rules/security/S034_host_prefix_session_cookies/symbol-based-analyzer.js ADDED Viewed

@@ -0,0 +1,277 @@
+/**
+ * S034 Symbol-based Analyzer - Use __Host- prefix for Session Cookies
+ * Detects session cookies without __Host- prefix using TypeScript AST analysis
+ */
+const { SyntaxKind } = require("typescript");
+class S034SymbolBasedAnalyzer {
+  constructor(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    this.ruleId = "S034";
+    this.ruleName = "Use __Host- prefix for Session Cookies";
+    // Session cookie name patterns
+    this.sessionCookiePatterns = [
+      /^session$/i,
+      /^sessionid$/i,
+      /^session_id$/i,
+      /^sid$/i,
+      /^connect\.sid$/i,
+      /^auth$/i,
+      /^auth_token$/i,
+      /^authentication$/i,
+      /^jwt$/i,
+      /^token$/i,
+      /^csrf$/i,
+      /^csrf_token$/i,
+      /^xsrf$/i,
+      /^login$/i,
+      /^user$/i,
+      /^userid$/i,
+      /^user_id$/i,
+    ];
+    this.violations = [];
+  }
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+  }
+  async analyze(sourceFile, filePath) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S034] Symbol analysis starting for: ${filePath}`);
+    }
+    this.violations = [];
+    try {
+      // Visit all nodes in the source file
+      this.visitNode(sourceFile);
+    } catch (error) {
+      console.warn(`⚠ [S034] Symbol analysis error:`, error.message);
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔍 [S034] Symbol analysis completed: ${this.violations.length} violations`
+      );
+    }
+    return this.violations;
+  }
+  visitNode(node) {
+    // Check for res.cookie() calls
+    if (this.isCallExpression(node)) {
+      this.checkCookieCall(node);
+      this.checkSetHeaderCall(node);
+    }
+    // Check for session middleware configuration
+    if (this.isSessionMiddleware(node)) {
+      this.checkSessionMiddleware(node);
+    }
+    // Recursively visit child nodes
+    node.forEachChild((child) => this.visitNode(child));
+  }
+  isCallExpression(node) {
+    return node.getKind() === SyntaxKind.CallExpression;
+  }
+  checkCookieCall(node) {
+    const expression = node.getExpression();
+    // Check if it's res.cookie() call
+    if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+      const propertyAccess = expression;
+      const property = propertyAccess.getName();
+      if (property === "cookie") {
+        const args = node.getArguments();
+        if (args.length >= 1) {
+          const cookieName = this.extractStringValue(args[0]);
+          if (
+            cookieName &&
+            this.isSessionCookie(cookieName) &&
+            !this.hasHostPrefix(cookieName)
+          ) {
+            this.addViolation(
+              node,
+              `Session cookie "${cookieName}" should use __Host- prefix to prevent subdomain sharing`
+            );
+          }
+        }
+      }
+    }
+  }
+  checkSetHeaderCall(node) {
+    const expression = node.getExpression();
+    if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+      const propertyAccess = expression;
+      const property = propertyAccess.getName();
+      if (property === "setHeader") {
+        const args = node.getArguments();
+        if (args.length >= 2) {
+          const headerName = this.extractStringValue(args[0]);
+          if (headerName && headerName.toLowerCase() === "set-cookie") {
+            const headerValue = this.extractStringValue(args[1]);
+            if (headerValue) {
+              this.checkSetCookieHeader(node, headerValue);
+            } else if (
+              args[1].getKind() === SyntaxKind.ArrayLiteralExpression
+            ) {
+              // Handle array of Set-Cookie headers
+              const arrayElements = args[1].getElements();
+              arrayElements.forEach((element) => {
+                const cookieString = this.extractStringValue(element);
+                if (cookieString) {
+                  this.checkSetCookieHeader(node, cookieString);
+                }
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+  checkSetCookieHeader(node, cookieString) {
+    // Extract cookie name from Set-Cookie header
+    const cookieMatch = cookieString.match(/^([^=]+)=/);
+    if (cookieMatch) {
+      const cookieName = cookieMatch[1].trim();
+      if (this.isSessionCookie(cookieName) && !this.hasHostPrefix(cookieName)) {
+        this.addViolation(
+          node,
+          `Session cookie "${cookieName}" in Set-Cookie header should use __Host- prefix`
+        );
+      }
+    }
+  }
+  checkSessionMiddleware(node) {
+    // Check for session() middleware configuration
+    const args = node.getArguments();
+    if (
+      args.length >= 1 &&
+      args[0].getKind() === SyntaxKind.ObjectLiteralExpression
+    ) {
+      const config = args[0];
+      const nameProperty = this.findProperty(config, "name");
+      if (nameProperty) {
+        const cookieName = this.extractStringValue(
+          nameProperty.getInitializer()
+        );
+        if (
+          cookieName &&
+          this.isSessionCookie(cookieName) &&
+          !this.hasHostPrefix(cookieName)
+        ) {
+          this.addViolation(
+            node,
+            `Session middleware cookie name "${cookieName}" should use __Host- prefix`
+          );
+        }
+      }
+    }
+  }
+  isSessionMiddleware(node) {
+    if (node.getKind() !== SyntaxKind.CallExpression) {
+      return false;
+    }
+    const expression = node.getExpression();
+    const expressionText = expression.getText();
+    return expressionText === "session" || expressionText.includes("session");
+  }
+  isSessionCookie(cookieName) {
+    return this.sessionCookiePatterns.some((pattern) =>
+      pattern.test(cookieName)
+    );
+  }
+  hasHostPrefix(cookieName) {
+    return cookieName.startsWith("__Host-");
+  }
+  extractStringValue(node) {
+    if (!node) return null;
+    const kind = node.getKind();
+    if (kind === SyntaxKind.StringLiteral) {
+      return node.getLiteralValue();
+    }
+    if (kind === SyntaxKind.NoSubstitutionTemplateLiteral) {
+      return node.getLiteralValue();
+    }
+    return null;
+  }
+  findProperty(objectLiteral, propertyName) {
+    const properties = objectLiteral.getProperties();
+    for (const property of properties) {
+      if (property.getKind() === SyntaxKind.PropertyAssignment) {
+        const name = property.getName();
+        if (name === propertyName) {
+          return property;
+        }
+      }
+    }
+    return null;
+  }
+  addViolation(node, message) {
+    const start = node.getStart();
+    const sourceFile = node.getSourceFile();
+    const lineAndColumn = sourceFile.getLineAndColumnAtPos(start);
+    // Debug output to understand position issues
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔍 [S034] Violation at node kind: ${node.getKindName()}, text: "${node
+          .getText()
+          .substring(0, 50)}..."`
+      );
+      console.log(
+        `🔍 [S034] Position: line ${lineAndColumn.line + 1}, column ${
+          lineAndColumn.column + 1
+        }`
+      );
+    }
+    this.violations.push({
+      ruleId: this.ruleId,
+      ruleName: this.ruleName,
+      severity: "warning",
+      message: message,
+      line: lineAndColumn.line + 1,
+      column: lineAndColumn.column + 1,
+      source: "symbol-based",
+    });
+  }
+  cleanup() {
+    this.violations = [];
+  }
+}
+module.exports = S034SymbolBasedAnalyzer;

package/rules/security/S035_path_session_cookies/README.md ADDED Viewed

@@ -0,0 +1,257 @@
+# S035 - Set Path attribute for Session Cookies
+## Overview
+This rule enforces the use of the `Path` attribute for session cookies to limit their access scope and reduce the attack surface.
+## Description
+The `Path` attribute restricts where cookies can be sent by specifying the URL path for which the cookie is valid. This security measure helps prevent:
+- **Unintended cookie exposure** to different parts of the application
+- **Cross-path cookie attacks** where malicious code in one path accesses cookies from another
+- **Privilege escalation** through cookie access from less secure paths
+## Rule Details
+**Rule ID**: S035
+**Category**: Security
+**Severity**: Warning
+**Type**: Hybrid Analysis (Symbol-based + Regex-based)
+## Examples
+### ❌ Violations
+```typescript
+// Express.js - Missing Path attribute
+res.cookie("sessionid", sessionId, {
+  secure: true,
+  httpOnly: true,
+  sameSite: "strict",
+  // Missing: path attribute
+});
+// NestJS - Authentication cookie without Path attribute
+@Post('login')
+login(@Res() response: Response) {
+  response.cookie('auth_token', value, {
+    secure: true,
+    httpOnly: true,
+    // Missing: path attribute
+  });
+}
+// Next.js - Session cookie missing Path attribute
+export async function POST() {
+  const response = NextResponse.json({ success: true });
+  response.cookies.set('sessionid', token, {
+    secure: true,
+    httpOnly: true,
+    // Missing: path attribute
+  });
+  return response;
+}
+// NextAuth.js - Session token without Path attribute
+export default NextAuth({
+  cookies: {
+    sessionToken: {
+      name: 'next-auth.session-token',
+      options: {
+        secure: true,
+        httpOnly: true,
+        // Missing: path attribute
+      }
+    }
+  }
+});
+// Using root path (not recommended)
+res.cookie("auth", authToken, {
+  secure: true,
+  httpOnly: true,
+  path: "/", // Too broad - exposes cookie to entire domain
+  sameSite: "strict",
+});
+```
+### ✅ Correct Usage
+```typescript
+// Express.js - Specific path for admin area
+res.cookie("admin_session", sessionId, {
+  secure: true,
+  httpOnly: true,
+  path: "/admin",
+  sameSite: "strict",
+});
+// NestJS - API-specific cookie with path
+@Post('login')
+login(@Res() response: Response) {
+  response.cookie('auth_token', value, {
+    secure: true,
+    httpOnly: true,
+    path: '/api',
+    sameSite: 'strict',
+  });
+}
+// Next.js - Session cookie with specific path
+export async function POST() {
+  const response = NextResponse.json({ success: true });
+  response.cookies.set('sessionid', token, {
+    secure: true,
+    httpOnly: true,
+    path: '/app',
+    sameSite: 'strict',
+  });
+  return response;
+}
+// NextAuth.js - Session token with path
+export default NextAuth({
+  cookies: {
+    sessionToken: {
+      name: 'next-auth.session-token',
+      options: {
+        secure: true,
+        httpOnly: true,
+        path: '/auth',
+        sameSite: 'lax',
+      }
+    }
+  }
+});
+```
+## Configuration
+### Detected Patterns
+This rule detects session cookies without Path attribute in multiple frameworks:
+### Express.js
+- `res.cookie()` calls with session cookie names without Path attribute
+- `res.setHeader()` with `Set-Cookie` headers missing Path attribute
+- Session middleware configuration without Path attribute
+- Array of Set-Cookie headers with session cookies missing Path attribute
+### NestJS
+- `@Res()` decorator response cookie methods
+- `@Cookies()` decorator usage with session cookies
+- Response object cookie setting methods
+- NestJS session middleware configuration
+### Next.js
+- `response.cookies.set()` method calls
+- `cookies().set()` from next/headers
+- NextAuth.js session and CSRF token configuration
+- API route response cookie setting
+### NextAuth.js
+- Session token configuration without Path attribute
+- CSRF token configuration missing Path attribute
+- Cookie configuration in NextAuth providers
+**Session Cookie Names:**
+- `session`, `sessionid`, `session_id`
+- `sid`, `connect.sid`
+- `auth`, `auth_token`, `authentication`
+- `jwt`, `token`, `csrf`, `csrf_token`, `xsrf`
+- `user`, `userid`, `user_id`, `login`
+- `sessionToken`, `csrfToken` (NextAuth specific)
+- `next-auth.session-token`, `next-auth.csrf-token`
+**Cookie Methods:**
+- Express.js: `res.cookie()`, `res.setHeader()`, session middleware
+- NestJS: `@Res()` response methods, `@Cookies()` decorators
+- Next.js: `response.cookies.set()`, `cookies().set()`
+- NextAuth.js: sessionToken/csrfToken configuration
+### Recommended Path Values
+**Specific Paths** (Recommended):
+- `/app` - Application-specific
+- `/admin` - Administrative areas
+- `/api` - API endpoints
+- `/auth` - Authentication flows
+- `/user` - User-specific areas
+**Root Path** (`/`):
+- Acceptable but triggers warning
+- Should be avoided for security
+## Security Benefits
+1. **Scope Limitation**: Restricts cookie access to specific application areas
+2. **Attack Surface Reduction**: Prevents cookie exposure to unintended paths
+3. **Privilege Separation**: Isolates cookies between different functional areas
+4. **Defense in Depth**: Adds another layer of security control
+## Analysis Approach
+### Symbol-based Analysis (Primary)
+- Uses TypeScript AST for semantic analysis
+- Detects cookie configurations in object literals
+- Analyzes session middleware setups
+- Provides precise line/column positions
+### Regex-based Analysis (Fallback)
+- Pattern-based detection for complex cases
+- Handles Set-Cookie headers and arrays
+- Covers edge cases missed by AST analysis
+- Maintains line number accuracy
+## Best Practices
+1. **Use specific paths** instead of root path `/`
+2. **Match paths to functionality** (e.g., `/admin` for admin cookies)
+3. **Avoid overly broad paths** that expose cookies unnecessarily
+4. **Consider path hierarchy** for nested application structures
+5. **Document path conventions** in your application
+## Testing
+Run the rule on test fixtures:
+```bash
+# Test violations (Express.js)
+node cli.js --rule=S035 --input=examples/rule-test-fixtures/rules/S035_path_session_cookies/violations --engine=heuristic
+# Test clean examples
+node cli.js --rule=S035 --input=examples/rule-test-fixtures/rules/S035_path_session_cookies/clean --engine=heuristic
+# Framework-specific testing
+# Test with ESLint engine (fast)
+node cli.js --rule=S035 --input=path/to/your/files
+# Test with heuristic engine (comprehensive)
+node cli.js --rule=S035 --input=path/to/your/files --engine=heuristic
+```
+## Framework Compatibility
+- **Node.js**: All versions
+- **Frameworks**: Express.js, NestJS, Next.js, NextAuth.js
+- **Languages**: JavaScript, TypeScript
+- **Analysis Engines**: ESLint (fast), Heuristic (comprehensive)
+## Related Rules
+- **S032**: Set Secure flag for Session Cookies
+- **S033**: Set SameSite attribute for Session Cookies
+- **S034**: Use \_\_Host- prefix for Session Cookies
+Together, these rules provide comprehensive session cookie security.