npm - @sun-asterisk/sunlint - Versions diffs - 1.3.26 → 1.3.28 - Mend

@sun-asterisk/sunlint 1.3.26 → 1.3.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/rules/security/S005_no_origin_auth/analyzer.js CHANGED Viewed

@@ -1,183 +1,132 @@
 /**
- * Hybrid analyzer for S005 - No Origin Header Authentication
- * Uses AST analysis with regex fallback for comprehensive coverage
- * Detects usage of Origin header for authentication/access control
+ * S005 - No Origin Header Authentication
+ *
+ * Main analyzer using symbol-based analysis to detect use of Origin header
+ * for authentication or authorization decisions.
+ *
+ * Based on:
+ * - OWASP A07:2021 - Identification and Authentication Failures
+ * - CWE-290: Authentication Bypass by Spoofing
  */
-const S005ASTAnalyzer = require('./ast-analyzer');
+const S005SymbolBasedAnalyzer = require("./symbol-based-analyzer");
 class S005Analyzer {
-  constructor() {
-    this.ruleId = 'S005';
-    this.ruleName = 'No Origin Header Authentication';
-    this.description = 'Do not use Origin header for authentication or access control';
-    this.astAnalyzer = new S005ASTAnalyzer();
+  constructor(options = {}) {
+    this.ruleId = "S005";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    try {
+      this.symbolAnalyzer = new S005SymbolBasedAnalyzer(this.semanticEngine);
+    } catch (e) {
+      console.warn(`⚠ [S005] Failed to create symbol analyzer: ${e.message}`);
+    }
   }
-  async analyze(files, language, options = {}) {
-    const violations = [];
-    if (options.verbose) {
-      console.log(`🔍 Running S005 analysis on ${files.length} files...`);
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.symbolAnalyzer && this.symbolAnalyzer.initialize) {
+      await this.symbolAnalyzer.initialize(semanticEngine);
     }
+  }
-    // Use AST analysis as primary method
-    const astViolations = await this.astAnalyzer.analyze(files, language, options);
-    violations.push(...astViolations);
+  analyzeSingle(filePath, options = {}) {
+    return this.analyze([filePath], "typescript", options);
+  }
-    // Add regex-based patterns for edge cases AST might miss
+  async analyze(files, language, options = {}) {
+    const violations = [];
     for (const filePath of files) {
       try {
-        const content = require('fs').readFileSync(filePath, 'utf8');
-        const regexViolations = this.analyzeWithRegexPatterns(content, filePath, options);
-        // Filter out duplicates (same line, same type)
-        const filteredRegexViolations = regexViolations.filter(regexViolation =>
-          !astViolations.some(astViolation =>
-            astViolation.line === regexViolation.line &&
-            astViolation.filePath === regexViolation.filePath
-          )
-        );
-        violations.push(...filteredRegexViolations);
-      } catch (error) {
-        if (options.verbose) {
-          console.warn(`⚠️ S005 regex analysis failed for ${filePath}: ${error.message}`);
-        }
+        const vs = await this.analyzeFile(filePath, options);
+        violations.push(...vs);
+      } catch (e) {
+        console.warn(`⚠ [S005] Analysis error for ${filePath}: ${e.message}`);
       }
     }
-    if (options.verbose && violations.length > 0) {
-      console.log(`📊 S005 found ${violations.length} violations`);
-    }
     return violations;
   }
-  analyzeWithRegexPatterns(content, filePath, options = {}) {
-    const violations = [];
-    const lines = content.split('\n');
-    lines.forEach((line, index) => {
-      const lineNumber = index + 1;
-      // Pattern 1: Direct origin header access for authentication
-      // req.headers.origin, req.get('origin'), req.header('origin')
-      const originHeaderPattern = /(?:req\.headers\.origin|req\.get\s*\(\s*['"`]origin['"`]\s*\)|req\.header\s*\(\s*['"`]origin['"`]\s*\)|headers\[['"`]origin['"`]\])/i;
-      if (originHeaderPattern.test(line)) {
-        // Check if this line is used for authentication/authorization
-        const authContextPattern = /(?:auth|login|verify|check|validate|permission|access|allow|deny|secure|token|session)/i;
-        if (authContextPattern.test(line) || this.isInAuthContext(lines, index)) {
-          violations.push({
-            ruleId: this.ruleId,
-            severity: 'error',
-            message: 'Origin header should not be used for authentication. Origin can be spoofed and is not secure for access control.',
-            line: lineNumber,
-            column: line.search(originHeaderPattern) + 1,
-            filePath: filePath,
-            type: 'origin_header_auth'
-          });
-        }
-      }
+  async analyzeFile(filePath, options = {}) {
+    const violationMap = new Map();
-      // Pattern 2: Origin-based CORS validation for authentication
-      const corsOriginAuthPattern = /(?:cors|origin).*(?:auth|login|permission|access|allow|token)/i;
-      if (corsOriginAuthPattern.test(line) && !line.includes('//') && !line.includes('*')) {
-        violations.push({
-          ruleId: this.ruleId,
-          severity: 'warning',
-          message: 'CORS origin validation should not replace proper authentication mechanisms.',
-          line: lineNumber,
-          column: line.search(corsOriginAuthPattern) + 1,
-          filePath: filePath,
-          type: 'cors_origin_auth'
-        });
-      }
+    if (!this.symbolAnalyzer) {
+      return [];
+    }
-      // Pattern 3: Origin header in conditional authentication logic
-      const conditionalAuthPattern = /if\s*\([^)]*origin[^)]*\)\s*\{[^}]*(?:auth|login|token|permission|access)/i;
-      if (conditionalAuthPattern.test(line)) {
-        violations.push({
-          ruleId: this.ruleId,
-          severity: 'error',
-          message: 'Conditional authentication based on Origin header is insecure. Use proper authentication tokens.',
-          line: lineNumber,
-          column: line.search(/origin/i) + 1,
-          filePath: filePath,
-          type: 'conditional_origin_auth'
-        });
-      }
+    // Skip test files, build directories, and node_modules
+    if (this.shouldSkipFile(filePath)) {
+      return [];
+    }
-      // Pattern 4: Origin in middleware authentication
-      const middlewarePattern = /(middleware|auth|guard).*origin.*(?:next\(\)|return|allow|permit)/i;
-      if (middlewarePattern.test(line)) {
-        violations.push({
-          ruleId: this.ruleId,
-          severity: 'error',
-          message: 'Authentication middleware should not rely on Origin header. Use proper authentication mechanisms.',
-          line: lineNumber,
-          column: line.search(/origin/i) + 1,
-          filePath: filePath,
-          type: 'middleware_origin_auth'
-        });
+    try {
+      let sourceFile = null;
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
       }
-      // Pattern 5: Origin header whitelisting for access control
-      const whitelistPattern = /(?:whitelist|allowlist|allowed.*origins?).*(?:auth|access|permission)/i;
-      if (whitelistPattern.test(line) && /origin/i.test(line)) {
-        violations.push({
-          ruleId: this.ruleId,
-          severity: 'warning',
-          message: 'Origin whitelisting should complement, not replace, proper authentication and authorization.',
-          line: lineNumber,
-          column: line.search(/origin/i) + 1,
-          filePath: filePath,
-          type: 'origin_whitelist_auth'
+      if (!sourceFile) {
+        // Create temporary ts-morph source file
+        const fs = require("fs");
+        const path = require("path");
+        const { Project } = require("ts-morph");
+        if (!fs.existsSync(filePath)) {
+          throw new Error(`File not found: ${filePath}`);
+        }
+        const content = fs.readFileSync(filePath, "utf8");
+        const tmp = new Project({
+          useInMemoryFileSystem: true,
+          compilerOptions: { allowJs: true },
         });
+        sourceFile = tmp.createSourceFile(path.basename(filePath), content);
       }
-      // Pattern 6: Express.js specific patterns
-      const expressPattern = /(?:app\.use|router\.).*origin.*(?:auth|protect|secure)/i;
-      if (expressPattern.test(line)) {
-        violations.push({
-          ruleId: this.ruleId,
-          severity: 'error',
-          message: 'Express routes should not use Origin header for authentication or authorization.',
-          line: lineNumber,
-          column: line.search(/origin/i) + 1,
-          filePath: filePath,
-          type: 'express_origin_auth'
+      if (sourceFile) {
+        const symbolViolations = await this.symbolAnalyzer.analyze(
+          sourceFile,
+          filePath
+        );
+        symbolViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
         });
       }
-    });
+    } catch (e) {
+      console.warn(`⚠ [S005] Symbol analysis failed: ${e.message}`);
+    }
-    return violations;
+    return Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
   }
-  /**
-   * Check if the current line is within an authentication context
-   * by looking at surrounding lines
-   */
-  isInAuthContext(lines, currentIndex) {
-    const contextRange = 3; // Check 3 lines before and after
-    const startIndex = Math.max(0, currentIndex - contextRange);
-    const endIndex = Math.min(lines.length - 1, currentIndex + contextRange);
-    const authKeywords = [
-      'authenticate', 'authorize', 'login', 'logout', 'auth',
-      'permission', 'access', 'token', 'session', 'user',
-      'verify', 'validate', 'check', 'guard', 'protect',
-      'middleware', 'passport', 'jwt', 'bearer'
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      "test/",
+      "tests/",
+      "__tests__/",
+      ".test.",
+      ".spec.",
+      "node_modules/",
+      "build/",
+      "dist/",
+      ".next/",
+      "coverage/",
+      "vendor/",
+      "mocks/",
+      ".mock.",
     ];
-    for (let i = startIndex; i <= endIndex; i++) {
-      const line = lines[i].toLowerCase();
-      if (authKeywords.some(keyword => line.includes(keyword))) {
-        return true;
-      }
+    return skipPatterns.some((pattern) => filePath.includes(pattern));
+  }
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
     }
-    return false;
   }
 }

package/rules/security/S005_no_origin_auth/config.json CHANGED Viewed

@@ -1,85 +1,46 @@
 {
   "ruleId": "S005",
   "name": "No Origin Header Authentication",
-  "description": "Do not use Origin header for authentication or access control",
+  "description": "Prevent using Origin header for authentication or authorization decisions",
   "category": "security",
   "severity": "error",
   "languages": ["typescript", "javascript"],
-  "version": "1.0.0",
-  "status": "stable",
-  "tags": ["security", "authentication", "headers", "origin", "access-control"],
+  "tags": ["security", "owasp", "authentication", "authorization", "spoofing", "headers"],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A07:2021 - Identification and Authentication Failures",
+    "cweId": "CWE-290",
+    "description": "Origin header can be easily spoofed by attackers and should not be used for authentication or authorization decisions. Use verified tokens, sessions, or cryptographic signatures instead.",
+    "impact": "High - Authentication bypass, unauthorized access",
+    "likelihood": "Medium",
+    "remediation": "Use secure authentication methods: JWT tokens, session cookies, API keys with cryptographic signatures. Origin header should only be used for CORS/CSRF protection, not for access control."
+  },
   "patterns": {
     "vulnerable": [
-      "req.headers.origin in authentication context",
-      "req.get('origin') for access control",
-      "Origin-based conditional authentication",
-      "CORS origin configuration mixed with auth",
-      "Express middleware using origin for security"
+      "if (req.headers.origin === 'trusted.com') { authenticate() }",
+      "const isAuthorized = allowedOrigins.includes(origin)",
+      "if (origin.includes('admin')) { grantAccess() }",
+      "switch(origin) { case 'internal': allow() }"
     ],
     "secure": [
-      "JWT token authentication",
-      "Session-based authentication",
-      "API key authentication",
-      "OAuth 2.0 flows",
-      "Proper CORS configuration without auth reliance"
+      "Use for CORS: res.setHeader('Access-Control-Allow-Origin', origin)",
+      "Use for CSRF: if (allowedOrigins.includes(origin)) { /* CSRF check */ }",
+      "Use verified tokens: const user = await verifyJWT(req.headers.authorization)",
+      "Use sessions: const user = await getSessionUser(req.session.id)"
     ]
   },
-  "configuration": {
-    "checkAuthContext": true,
-    "checkMiddleware": true,
-    "checkConditionals": true,
-    "checkCORSMixing": true,
-    "contextDepth": 3,
-    "ignoreComments": true
-  },
   "examples": {
     "violations": [
-      {
-        "code": "if (req.headers.origin === 'trusted.com') { req.authenticated = true; }",
-        "reason": "Using Origin header for authentication is insecure"
-      },
-      {
-        "code": "const authMiddleware = (req, res, next) => { if (req.get('origin') === 'admin.com') next(); }",
-        "reason": "Middleware should not rely on Origin header for access control"
-      }
-    ],
-    "valid": [
-      {
-        "code": "const token = req.headers.authorization; jwt.verify(token, secret, callback);",
-        "reason": "Proper JWT token authentication"
-      },
-      {
-        "code": "console.log('Request from:', req.headers.origin);",
-        "reason": "Using Origin header for logging only, not authentication"
-      }
-    ]
-  },
-  "remediation": {
-    "recommendations": [
-      "Use JWT tokens for authentication",
-      "Implement session-based authentication",
-      "Use API keys for service authentication",
-      "Implement OAuth 2.0 for third-party authentication",
-      "Use proper CORS configuration without relying on it for authentication"
+      "if (req.headers.origin === 'admin.example.com') { req.user = adminUser; }",
+      "const hasAccess = trustedOrigins.includes(req.get('origin'))",
+      "if (origin.endsWith('.internal.com')) { bypassAuth() }"
     ],
-    "resources": [
-      "https://owasp.org/www-community/vulnerabilities/CORS_OriginHeaderScrutiny",
-      "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin",
-      "https://auth0.com/docs/secure/tokens/json-web-tokens"
+    "fixes": [
+      "const user = await verifyToken(req.headers.authorization)",
+      "const session = await validateSession(req.cookies.sessionId)",
+      "const apiKey = await verifyApiKey(req.headers['x-api-key'])"
     ]
-  },
-  "performance": {
-    "complexity": "O(n)",
-    "accuracy": {
-      "ast": 95,
-      "regex": 85
-    },
-    "falsePositiveRate": "< 5%",
-    "coverage": "High for TypeScript/JavaScript"
   }
 }