@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S005_no_origin_auth/symbol-based-analyzer.js

@@ -0,0 +1,708 @@
+/**
+ * S005 - No Origin Header Authentication (Symbol-based Analyzer)
+ *
+ * Detects use of Origin header for authentication or authorization decisions.
+ * Origin header can be easily spoofed and should only be used for CORS/CSRF.
+ *
+ * Based on:
+ * - OWASP A07:2021 - Identification and Authentication Failures
+ * - CWE-290: Authentication Bypass by Spoofing
+ */
+
+const { SyntaxKind } = require("ts-morph");
+
+class S005SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S005";
+    this.semanticEngine = semanticEngine;
+
+    // Origin header access patterns
+    this.originAccessPatterns = [
+      "origin",
+      "req.headers.origin",
+      "req.headers['origin']",
+      'req.headers["origin"]',
+      "request.headers.origin",
+      "request.headers['origin']",
+      'request.headers["origin"]',
+      "headers.origin",
+      "headers['origin']",
+      'headers["origin"]',
+      "req.header('origin')",
+      'req.header("origin")',
+      "req.get('origin')",
+      'req.get("origin")',
+      "request.getHeader('origin')",
+      'request.getHeader("origin")',
+      "ctx.headers.origin", // Koa
+      "ctx.request.headers.origin",
+      "event.headers.origin", // AWS Lambda/Nuxt.js
+    ];
+
+    // Authentication/Authorization keywords (UNSAFE use cases)
+    this.authKeywords = [
+      "auth",
+      "authenticate",
+      "authorization",
+      "login",
+      "signin",
+      "user",
+      "session",
+      "token",
+      "permission",
+      "role",
+      "access",
+      "allow",
+      "deny",
+      "grant",
+      "check",
+      "verify",
+      "validate",
+      "isallowed",
+      "isauthorized",
+      "hasaccess",
+      "haspermission",
+      "canaccess",
+    ];
+
+    // SAFE use cases (CORS/CSRF protection)
+    this.safeUseCasePatterns = [
+      "cors",
+      "csrf",
+      "allowedorigins",
+      "allowed_origins",
+      "trustedorigins",
+      "trusted_origins",
+      "whitelistorigins",
+      "whitelist_origins",
+      "originwhitelist",
+      "origin_whitelist",
+      "checkorigin", // CORS check
+      "verifyorigin", // CORS verification
+      "validateorigin", // CORS validation
+      "setaccesscontrolalloworigin",
+      "access-control-allow-origin",
+      "sameorigin",
+      "crossorigin",
+    ];
+
+    // Framework CORS configuration (SAFE)
+    this.corsConfigPatterns = [
+      "cors(",
+      "enablecors",
+      "usecors",
+      "corsOptions",
+      "cors_options",
+      "CorsMiddleware",
+      "corsconfig",
+    ];
+  }
+
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+  }
+
+  async analyze(sourceFile, filePath) {
+    const violations = [];
+    const reportedLines = new Set();
+
+    try {
+      // Step 1: Build a map of variables that hold origin values
+      const originVariables = this.buildOriginVariablesMap(sourceFile);
+
+      // Step 2: Find all property access expressions (e.g., req.headers.origin)
+      this.checkPropertyAccess(
+        sourceFile,
+        filePath,
+        violations,
+        reportedLines
+      );
+
+      // Step 3: Find all element access expressions (e.g., req.headers['origin'])
+      this.checkElementAccess(
+        sourceFile,
+        filePath,
+        violations,
+        reportedLines
+      );
+
+      // Step 4: Find all call expressions (e.g., req.get('origin'))
+      this.checkCallExpressions(
+        sourceFile,
+        filePath,
+        violations,
+        reportedLines
+      );
+
+      // Step 5: Check usage of variables that contain origin
+      this.checkOriginVariableUsage(
+        sourceFile,
+        filePath,
+        violations,
+        reportedLines,
+        originVariables
+      );
+    } catch (error) {
+      console.warn(`⚠ [S005] Analysis error in ${filePath}: ${error.message}`);
+    }
+
+    return violations;
+  }
+
+  /**
+   * Build a map of variables that contain origin values
+   * Returns: Set of variable names
+   */
+  buildOriginVariablesMap(sourceFile) {
+    const originVars = new Set();
+
+    // Find variable declarations
+    const variableDeclarations = sourceFile.getDescendantsOfKind(
+      SyntaxKind.VariableDeclaration
+    );
+
+    for (const varDecl of variableDeclarations) {
+      const varName = varDecl.getName();
+      const initializer = varDecl.getInitializer();
+
+      if (!initializer) continue;
+
+      const initText = initializer.getText().toLowerCase();
+
+      // Check if initializer is origin access
+      if (this.isOriginAccess(initText) ||
+          initText.includes("req.get('origin')") ||
+          initText.includes('req.get("origin")') ||
+          initText.includes("req.header('origin')") ||
+          initText.includes('req.header("origin")') ||
+          initText.includes("req.headers['origin']") ||
+          initText.includes('req.headers["origin"]')) {
+        originVars.add(varName.toLowerCase());
+      }
+    }
+
+    return originVars;
+  }
+
+  /**
+   * Check usage of variables that contain origin
+   */
+  checkOriginVariableUsage(sourceFile, filePath, violations, reportedLines, originVariables) {
+    if (originVariables.size === 0) return;
+
+    // Find all identifiers (variable usages)
+    const identifiers = sourceFile.getDescendantsOfKind(
+      SyntaxKind.Identifier
+    );
+
+    for (const identifier of identifiers) {
+      const idText = identifier.getText().toLowerCase();
+
+      // Skip if not an origin variable
+      if (!originVariables.has(idText)) {
+        continue;
+      }
+
+      const line = identifier.getStartLineNumber();
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      // Get context
+      const context = this.getContext(identifier);
+
+      // Check if it's a safe use case
+      if (this.isSafeUseCase(context)) {
+        continue;
+      }
+
+      // Check if used in auth context
+      if (this.isAuthContext(context)) {
+        violations.push({
+          ruleId: this.ruleId,
+          severity: "error",
+          message: `Origin header authentication: variable '${identifier.getText()}' (containing Origin header) should not be used for authentication or authorization - Origin can be spoofed.`,
+          line: line,
+          column: identifier.getStart() - identifier.getStartLinePos() + 1,
+          filePath: filePath,
+          file: filePath,
+        });
+        reportedLines.add(line);
+      }
+    }
+  }
+
+  /**
+   * Check property access: req.headers.origin
+   */
+  checkPropertyAccess(sourceFile, filePath, violations, reportedLines) {
+    const propertyAccesses = sourceFile.getDescendantsOfKind(
+      SyntaxKind.PropertyAccessExpression
+    );
+
+    for (const propAccess of propertyAccesses) {
+      const fullText = propAccess.getText().toLowerCase();
+
+      // Check if accessing origin header
+      if (!this.isOriginAccess(fullText)) {
+        continue;
+      }
+
+      const line = propAccess.getStartLineNumber();
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      // Get surrounding context
+      const context = this.getContext(propAccess);
+
+      // Check if it's a safe use case (CORS/CSRF)
+      if (this.isSafeUseCase(context)) {
+        continue;
+      }
+
+      // Check if used in authentication/authorization context
+      if (this.isAuthContext(context)) {
+        violations.push({
+          ruleId: this.ruleId,
+          severity: "error",
+          message: `Origin header authentication: '${propAccess.getText()}' should not be used for authentication or authorization - Origin header can be spoofed. Use verified tokens or sessions instead.`,
+          line: line,
+          column: propAccess.getStart() - propAccess.getStartLinePos() + 1,
+          filePath: filePath,
+          file: filePath,
+        });
+        reportedLines.add(line);
+      }
+    }
+  }
+
+  /**
+   * Check element access: req.headers['origin']
+   */
+  checkElementAccess(sourceFile, filePath, violations, reportedLines) {
+    const elementAccesses = sourceFile.getDescendantsOfKind(
+      SyntaxKind.ElementAccessExpression
+    );
+
+    for (const elemAccess of elementAccesses) {
+      const fullText = elemAccess.getText().toLowerCase();
+
+      // Check if accessing origin header
+      if (!fullText.includes("origin")) {
+        continue;
+      }
+
+      // Verify it's actually accessing 'origin' key
+      const arg = elemAccess.getArgumentExpression();
+      if (!arg) continue;
+
+      const argText = arg.getText().toLowerCase();
+      if (
+        !argText.includes("'origin'") &&
+        !argText.includes('"origin"')
+      ) {
+        continue;
+      }
+
+      const line = elemAccess.getStartLineNumber();
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      // Get context
+      const context = this.getContext(elemAccess);
+
+      // Check safe use cases
+      if (this.isSafeUseCase(context)) {
+        continue;
+      }
+
+      // Check auth context
+      if (this.isAuthContext(context)) {
+        violations.push({
+          ruleId: this.ruleId,
+          severity: "error",
+          message: `Origin header authentication: '${elemAccess.getText()}' should not be used for authentication or authorization - use verified credentials instead.`,
+          line: line,
+          column: elemAccess.getStart() - elemAccess.getStartLinePos() + 1,
+          filePath: filePath,
+          file: filePath,
+        });
+        reportedLines.add(line);
+      }
+    }
+  }
+
+  /**
+   * Check call expressions: req.get('origin'), req.header('origin')
+   */
+  checkCallExpressions(sourceFile, filePath, violations, reportedLines) {
+    const callExprs = sourceFile.getDescendantsOfKind(
+      SyntaxKind.CallExpression
+    );
+
+    for (const callExpr of callExprs) {
+      const expression = callExpr.getExpression();
+      const exprText = expression.getText().toLowerCase();
+
+      // Check if it's a header getter method
+      if (
+        !exprText.includes("getheader") &&
+        !exprText.includes(".get") &&
+        !exprText.includes(".header")
+      ) {
+        continue;
+      }
+
+      // Check arguments for 'origin'
+      const args = callExpr.getArguments();
+      if (args.length === 0) continue;
+
+      const firstArg = args[0].getText().toLowerCase();
+      if (
+        !firstArg.includes("'origin'") &&
+        !firstArg.includes('"origin"')
+      ) {
+        continue;
+      }
+
+      const line = callExpr.getStartLineNumber();
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      // Get context
+      const context = this.getContext(callExpr);
+
+      // Check safe use cases
+      if (this.isSafeUseCase(context)) {
+        continue;
+      }
+
+      // Check auth context
+      if (this.isAuthContext(context)) {
+        violations.push({
+          ruleId: this.ruleId,
+          severity: "error",
+          message: `Origin header authentication: '${callExpr.getText()}' should not be used for authentication decisions - Origin can be spoofed by attackers.`,
+          line: line,
+          column: callExpr.getStart() - callExpr.getStartLinePos() + 1,
+          filePath: filePath,
+          file: filePath,
+        });
+        reportedLines.add(line);
+      }
+    }
+  }
+
+  /**
+   * Check if the text is accessing origin header
+   */
+  isOriginAccess(text) {
+    // Must contain "origin" and some header access pattern
+    if (!text.includes("origin")) return false;
+
+    // Check for header access patterns
+    return (
+      text.includes("headers.origin") ||
+      text.includes("header('origin')") ||
+      text.includes('header("origin")') ||
+      text.includes(".get('origin')") ||
+      text.includes('.get("origin")') ||
+      text.includes("getheader('origin')") ||
+      text.includes('getheader("origin")')
+    );
+  }
+
+  /**
+   * Get surrounding code context
+   */
+  getContext(node) {
+    try {
+      // Get parent function/method/block
+      let parent = node.getParent();
+      let depth = 0;
+      const maxDepth = 20;
+
+      while (parent && depth < maxDepth) {
+        const kind = parent.getKind();
+        if (
+          kind === SyntaxKind.FunctionDeclaration ||
+          kind === SyntaxKind.FunctionExpression ||
+          kind === SyntaxKind.ArrowFunction ||
+          kind === SyntaxKind.MethodDeclaration ||
+          kind === SyntaxKind.Block
+        ) {
+          return parent.getText().toLowerCase();
+        }
+        parent = parent.getParent();
+        depth++;
+      }
+
+      // Fallback: get surrounding 500 chars
+      const sourceFile = node.getSourceFile();
+      const pos = node.getStart();
+      const text = sourceFile.getText();
+      const start = Math.max(0, pos - 250);
+      const end = Math.min(text.length, pos + 250);
+      return text.substring(start, end).toLowerCase();
+    } catch {
+      return "";
+    }
+  }
+
+  /**
+   * Check if it's a safe use case (CORS/CSRF protection)
+   */
+  isSafeUseCase(context) {
+    // Check for CORS/CSRF patterns
+    if (this.safeUseCasePatterns.some((pattern) => context.includes(pattern))) {
+      return true;
+    }
+
+    // Check for CORS configuration
+    if (this.corsConfigPatterns.some((pattern) => context.includes(pattern))) {
+      return true;
+    }
+
+    // Check if setting response headers (CORS response)
+    if (
+      context.includes("setHeader") &&
+      context.includes("access-control-allow-origin")
+    ) {
+      return true;
+    }
+
+    // Check if it's just logging/debugging
+    if (
+      (context.includes("console.log") || context.includes("logger")) &&
+      context.includes("origin")
+    ) {
+      // Only safe if not used in conditional logic
+      const originIndex = context.indexOf("origin");
+      const beforeOrigin = context.substring(
+        Math.max(0, originIndex - 100),
+        originIndex
+      );
+      if (
+        beforeOrigin.includes("console.log") ||
+        beforeOrigin.includes("logger.")
+      ) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if used in authentication/authorization context
+   */
+  isAuthContext(context) {
+    // Check for auth keywords
+    const hasAuthKeyword = this.authKeywords.some((keyword) =>
+      context.includes(keyword)
+    );
+
+    if (!hasAuthKeyword) {
+      // No auth context detected, but check for suspicious patterns
+      return this.hasSuspiciousAuthPattern(context);
+    }
+
+    // Has auth keyword - check if origin is used in conditional/assignment
+    const originIndex = context.indexOf("origin");
+    if (originIndex === -1) return false;
+
+    // Get text around origin usage
+    const beforeOrigin = context.substring(
+      Math.max(0, originIndex - 150),
+      originIndex
+    );
+    const afterOrigin = context.substring(
+      originIndex,
+      Math.min(context.length, originIndex + 150)
+    );
+
+    // Check for conditional usage (if statements)
+    if (
+      beforeOrigin.includes("if") ||
+      beforeOrigin.includes("else") ||
+      beforeOrigin.includes("switch")
+    ) {
+      return true;
+    }
+
+    // Check for comparison operators
+    if (
+      afterOrigin.includes("===") ||
+      afterOrigin.includes("==") ||
+      afterOrigin.includes("!==") ||
+      afterOrigin.includes("!=") ||
+      afterOrigin.includes("includes")
+    ) {
+      return true;
+    }
+
+    // Check for assignment to auth-related variables
+    if (
+      beforeOrigin.includes("const") ||
+      beforeOrigin.includes("let") ||
+      beforeOrigin.includes("var")
+    ) {
+      // Check if assigned to auth-related variable
+      const assignmentMatch = beforeOrigin.match(/(?:const|let|var)\s+(\w+)/);
+      if (assignmentMatch) {
+        const varName = assignmentMatch[1].toLowerCase();
+        if (this.authKeywords.some((kw) => varName.includes(kw))) {
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Check for suspicious authentication patterns even without explicit auth keywords
+   */
+  hasSuspiciousAuthPattern(context) {
+    // Pattern 1: if (origin === something) { allow/deny }
+    if (
+      context.includes("if") &&
+      context.includes("origin") &&
+      (context.includes("===") || context.includes("==") || context.includes("includes"))
+    ) {
+      // Check if followed by access control logic
+      const originIndex = context.indexOf("origin");
+      const afterOrigin = context.substring(originIndex);
+
+      // Strong indicators of access control
+      if (
+        afterOrigin.includes("return") ||
+        afterOrigin.includes("throw") ||
+        afterOrigin.includes("error") ||
+        afterOrigin.includes("403") ||
+        afterOrigin.includes("401") ||
+        afterOrigin.includes("unauthorized") ||
+        afterOrigin.includes("forbidden") ||
+        afterOrigin.includes("hasaccess") ||
+        afterOrigin.includes("canaccess") ||
+        afterOrigin.includes("req.user") ||
+        afterOrigin.includes("request.user")
+      ) {
+        return true;
+      }
+
+      // Check for suspicious return values
+      // Pattern: return { hasAccess: true }, return { verified: true }, etc.
+      if (
+        afterOrigin.match(/return\s*\{[^}]*(access|verified|valid|authorized|authenticated|permission|granted|allowed)/i)
+      ) {
+        return true;
+      }
+    }
+
+    // Pattern 2: switch/case on origin
+    if (context.includes("switch") && context.includes("origin")) {
+      return true;
+    }
+
+    // Pattern 3: origin-based routing/logic with req.user assignment
+    if (
+      context.includes("origin") &&
+      (context.includes("req.user") ||
+       context.includes("request.user") ||
+       context.includes("route") ||
+       context.includes("redirect") ||
+       context.includes("next("))
+    ) {
+      return true;
+    }
+
+    // Pattern 4: Array.includes() with origin - likely allowlist check
+    // This is VERY likely to be auth-related even if no explicit keywords
+    if (
+      context.match(/\.includes\([^)]*origin[^)]*\)/i)
+    ) {
+      // Check if followed by return/access control
+      const includesIndex = context.indexOf(".includes");
+      const afterIncludes = context.substring(includesIndex);
+
+      if (
+        afterIncludes.match(/return\s*\{/) ||
+        afterIncludes.includes("return true") ||
+        afterIncludes.includes("return false") ||
+        afterIncludes.includes("req.user") ||
+        afterIncludes.includes("throw") ||
+        afterIncludes.includes("next(") ||
+        afterIncludes.includes("unauthorized") ||
+        afterIncludes.includes("forbidden")
+      ) {
+        // But still exclude if it's clearly CORS
+        const hasCorsCors = context.includes("setaccesscontrolalloworigin") ||
+                            context.includes("access-control-allow-origin") ||
+                            context.includes("corsOptions") ||
+                            context.includes("cors(");
+
+        if (!hasCorsCors) {
+          return true;
+        }
+      }
+    }
+
+    // Pattern 5: origin?.includes(), origin?.endsWith(), origin?.startsWith()
+    // These are often used for domain/subdomain checks for access control
+    if (
+      context.match(/origin\??\.(includes|endswith|startswith)\(/i)
+    ) {
+      // Check if followed by access control logic
+      const originIndex = context.indexOf("origin");
+      const afterOrigin = context.substring(originIndex);
+
+      if (
+        afterOrigin.match(/return\s*\{/) ||  // Returning object
+        afterOrigin.includes("return true") ||
+        afterOrigin.includes("return false") ||
+        afterOrigin.includes("req.user") ||
+        afterOrigin.includes("permission")
+      ) {
+        return true;
+      }
+    }
+
+    // Pattern 6: Function name suggests auth/access control
+    // Even without keywords in code, function name tells us the intent
+    const functionNamePatterns = [
+      'checkaccess',
+      'hasaccess',
+      'canaccess',
+      'verifyuser',
+      'identifyuser',
+      'getuser',
+      'authenticate',
+      'authorize',
+      'validate',
+    ];
+
+    const lowerContext = context.toLowerCase();
+    if (
+      functionNamePatterns.some(pattern => lowerContext.includes(`function ${pattern}`)) ||
+      functionNamePatterns.some(pattern => lowerContext.includes(`async function ${pattern}`)) ||
+      functionNamePatterns.some(pattern => lowerContext.includes(`const ${pattern} =`))
+    ) {
+      // Function name suggests access control, and it uses origin
+      if (lowerContext.includes("origin")) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  cleanup() {
+    // Cleanup if needed
+  }
+}
+
+module.exports = S005SymbolBasedAnalyzer;