@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S006_no_plaintext_recovery_codes/symbol-based-analyzer.js

@@ -39,6 +39,10 @@ class S006SymbolBasedAnalyzer {
       "responsecode",
       "agencycode",
       "companycode",
+      "groupcode",        // Group identifier (business code)
+      "teamcode",         // Team identifier
+      "organizationcode", // Organization identifier
+      "secretariat",      // Secretariat role/position name (not a secret code)
       "eventcode",
       "productcode",
       "itemcode",
@@ -331,6 +335,45 @@ class S006SymbolBasedAnalyzer {
           }
         }
 
+        // Skip validation schemas returned from React hooks or validation builders
+        // Check if this is inside a React hook (useMemo, useCallback, etc.) or validation function
+        let currentParent = returnStmt.getParent();
+        let isValidationContext = false;
+        let depth = 0;
+
+        while (currentParent && depth < 10) {
+          const parentText = currentParent.getText().toLowerCase();
+
+          // Check for React hooks that typically return configuration/schema objects
+          if (
+            parentText.startsWith("usememo(") ||
+            parentText.startsWith("usecallback(") ||
+            parentText.startsWith("useeffect(")
+          ) {
+            // Check if the returned object contains validation properties
+            const returnedText = expression.getText().toLowerCase();
+            if (
+              returnedText.includes("validate:") ||
+              returnedText.includes("validator:") ||
+              returnedText.includes("rules:") ||
+              returnedText.includes("onblur:") ||
+              returnedText.includes("onchange:") ||
+              returnedText.includes("checkRequired") ||
+              returnedText.includes("checkMinLength")
+            ) {
+              isValidationContext = true;
+              break;
+            }
+          }
+
+          currentParent = currentParent.getParent();
+          depth++;
+        }
+
+        if (isValidationContext) {
+          continue; // Validation schema from React hook - safe
+        }
+
         // Skip if return object contains only safe messages (success, message, etc.)
         const hasOnlySafeProperties = properties.every((prop) => {
           const name = prop.getName?.() || "";
@@ -404,27 +447,63 @@ class S006SymbolBasedAnalyzer {
           if (this.isSensitiveIdentifier(normalizedName)) {
             // Skip error constants, configuration objects, and form states
             const parentVarName = this.findParentVariableName(objLiteral);
+            const parentVarNameUpper = parentVarName?.toUpperCase() || "";
             if (
               parentVarName &&
-              (parentVarName.includes("ERROR") ||
-                parentVarName.includes("ERRORS") ||
-                parentVarName.includes("MESSAGE") ||
-                parentVarName.includes("MESSAGES") ||
-                parentVarName.includes("MAPPING") ||
-                parentVarName.includes("FIELDS") ||
-                parentVarName.includes("CONFIG") ||
-                parentVarName.includes("CONSTANT") ||
-                parentVarName.includes("ENDPOINT") ||
-                parentVarName.includes("API") ||
-                parentVarName.includes("URL") ||
-                parentVarName.includes("ROUTE") ||
-                parentVarName.includes("ROUTES") ||
-                parentVarName.includes("INITIAL") ||
-                parentVarName.includes("DEFAULT") ||
-                parentVarName.includes("STATE") ||
-                parentVarName.includes("FORM"))
+              (parentVarNameUpper.includes("ERROR") ||
+                parentVarNameUpper.includes("ERRORS") ||
+                parentVarNameUpper.includes("MESSAGE") ||
+                parentVarNameUpper.includes("MESSAGES") ||
+                parentVarNameUpper.includes("MAPPING") ||
+                parentVarNameUpper.includes("FIELDS") ||
+                parentVarNameUpper.includes("CONFIG") ||
+                parentVarNameUpper.includes("CONSTANT") ||
+                parentVarNameUpper.includes("ENDPOINT") ||
+                parentVarNameUpper.includes("API") ||
+                parentVarNameUpper.includes("URL") ||
+                parentVarNameUpper.includes("ROUTE") ||
+                parentVarNameUpper.includes("ROUTES") ||
+                parentVarNameUpper.includes("INITIAL") ||
+                parentVarNameUpper.includes("DEFAULT") ||
+                parentVarNameUpper.includes("STATE") ||
+                parentVarNameUpper.includes("FORM") ||
+                parentVarNameUpper.includes("VALIDATION") ||
+                parentVarNameUpper.includes("SCHEMA") ||
+                parentVarNameUpper.includes("RULES") ||
+                parentVarNameUpper.includes("PATTERN") ||
+                parentVarNameUpper.includes("REGEX") ||
+                parentVarNameUpper.includes("REGEXP"))
             ) {
-              continue; // Error constants, configs, routes, and form states are safe
+              continue; // Error constants, configs, routes, form states, validation schemas, and regex patterns are safe
+            }
+
+            // Skip masking/sanitization utility configurations
+            // These are security utilities that PROTECT sensitive data, not expose them
+            if (
+              parentVarName &&
+              (parentVarNameUpper.includes("MASK") ||
+                parentVarNameUpper.includes("SANITIZE") ||
+                parentVarNameUpper.includes("REDACT") ||
+                parentVarNameUpper.includes("HIDE") ||
+                parentVarNameUpper.includes("OBFUSCATE"))
+            ) {
+              continue; // Masking/sanitization utilities are safe
+            }
+
+            // Check if inside a masking/sanitization function
+            const parentFuncName = this.findParentFunctionName(objLiteral);
+            const parentFuncNameUpper = parentFuncName?.toUpperCase() || "";
+            if (
+              parentFuncName &&
+              (parentFuncNameUpper.includes("MASK") ||
+                parentFuncNameUpper.includes("SANITIZE") ||
+                parentFuncNameUpper.includes("REDACT") ||
+                parentFuncNameUpper.includes("HIDE") ||
+                parentFuncNameUpper.includes("OBFUSCATE") ||
+                parentFuncNameUpper.includes("STRIP") ||
+                parentFuncNameUpper.includes("REMOVE"))
+            ) {
+              continue; // Inside masking/sanitization function - safe
             }
 
             // Skip URL/endpoint configurations (e.g., set_password_url, generate_otp_api)
@@ -437,6 +516,32 @@ class S006SymbolBasedAnalyzer {
               continue; // URL/API endpoint configurations are not sensitive data
             }
 
+            // Skip validation schema configurations
+            // Check if this property's value contains validation-related properties
+            const propValue = prop.getInitializer();
+            if (propValue && propValue.getKind() === SyntaxKind.ObjectLiteralExpression) {
+              const valueText = propValue.getText().toLowerCase();
+              // If the property value contains validation keywords, it's a validation schema
+              if (
+                valueText.includes("validate:") ||
+                valueText.includes("validator:") ||
+                valueText.includes("rules:") ||
+                valueText.includes("onblur:") ||
+                valueText.includes("onchange:") ||
+                valueText.includes("checkRequired") ||
+                valueText.includes("checkMinLength") ||
+                valueText.includes("checkMaxLength")
+              ) {
+                continue; // Validation schema configuration - safe
+              }
+            }
+
+            // Skip regex pattern definitions
+            // If the property value is a RegExp literal (e.g., PASSWORD: /^[a-z]+$/), it's a pattern definition
+            if (propValue && propValue.getKind() === SyntaxKind.RegularExpressionLiteral) {
+              continue; // Regex pattern definition - safe
+            }
+
             // Check if in exposure context (e.g., res.json, send, etc.)
             const parent = this.findParentContext(objLiteral);
             if (parent && this.isExposureContext(parent)) {
@@ -1026,10 +1131,9 @@ class S006SymbolBasedAnalyzer {
       return false; // Generic "code" alone is not sensitive
     }
 
-    // Skip if it's "password" alone in object key context (likely config/route name)
-    if (normalizedName === "password") {
-      return false; // Will be caught by containsSensitiveCode if it's actual password value
-    }
+    // Note: "password" as a property name in data objects IS sensitive
+    // Only skip "password" in very specific safe contexts (handled by safePasswordPatterns)
+    // This is checked below via sensitiveIdentifiers.has()
 
     // Exact match first
     if (this.sensitiveIdentifiers.has(normalizedName)) {
@@ -1203,24 +1307,59 @@ class S006SymbolBasedAnalyzer {
    * Helper: Check if argument contains sensitive code
    */
   containsSensitiveCode(node) {
-    const text = node.getText().toLowerCase();
-    const normalized = this.normalizeIdentifier(text);
-
-    // Check for sensitive identifiers (variable/property access)
-    if (this.isSensitiveIdentifier(normalized)) {
-      return true;
-    }
-
-    // Check child nodes (for object literals, etc.)
+    // PRIORITY 1: For object literals, check property names AND values
+    // This prevents false positives from matching keywords in surrounding context
     if (node.getKind() === SyntaxKind.ObjectLiteralExpression) {
       const properties = node.getProperties();
       for (const prop of properties) {
+        // Check property name
         const propName = prop.getName?.() || "";
         const normalizedPropName = this.normalizeIdentifier(propName);
         if (this.isSensitiveIdentifier(normalizedPropName)) {
           return true;
         }
+
+        // ALSO check property value (important for nested structures)
+        // e.g., { htmlBody: mapDataToTemplate({ password }) }
+        if (prop.getKind() === SyntaxKind.PropertyAssignment) {
+          const initializer = prop.getInitializer();
+          if (initializer && this.containsSensitiveCode(initializer)) {
+            return true;
+          }
+        }
       }
+      return false; // Object literal checked, no sensitive props or values
+    }
+
+    // PRIORITY 2: For call expressions, recursively check arguments
+    // This handles cases like mapDataToTemplate({ password })
+    if (node.getKind() === SyntaxKind.CallExpression) {
+      const args = node.getArguments();
+      for (const arg of args) {
+        if (this.containsSensitiveCode(arg)) {
+          return true;
+        }
+      }
+      return false; // Call expression checked, no sensitive args
+    }
+
+    // PRIORITY 3: For simple identifiers, check the identifier name only
+    if (node.getKind() === SyntaxKind.Identifier) {
+      const text = node.getText().toLowerCase();
+      const normalized = this.normalizeIdentifier(text);
+      return this.isSensitiveIdentifier(normalized);
+    }
+
+    // PRIORITY 4: For other node types, only check if text is short (not complex expression)
+    const text = node.getText();
+    if (text.length > 100) {
+      // Long text likely contains surrounding context - skip to avoid false positives
+      return false;
+    }
+
+    const normalized = this.normalizeIdentifier(text.toLowerCase());
+    if (this.isSensitiveIdentifier(normalized)) {
+      return true;
     }
 
     // Check template spans

package/rules/security/S010_no_insecure_encryption/analyzer.js

@@ -519,8 +519,14 @@ class S010Analyzer {
       return true;
     }
     
-    // Check for performance.now() - High-resolution timestamp (also predictable)
-    if (/performance\.now\s*\(\)/.test(text)) {
+    // Check for performance.now() - ONLY flag if used for random generation, NOT for timing
+    // Safe: const start = performance.now(); const duration = performance.now() - start;
+    // Unsafe: const token = performance.now().toString();
+    if (/performance\.now\s*\(\).*\.(?:toString|toFixed|toPrecision|slice|substr|substring)/.test(text)) {
+      return true;
+    }
+    // Also flag if used with encoding: btoa(performance.now())
+    if (/btoa\s*\(.*performance\.now/.test(text)) {
       return true;
     }
     

package/rules/security/S012_hardcoded_secrets/analyzer.js

@@ -0,0 +1,149 @@
+/**
+ * Rule S012: Hardcoded Secrets Detection - Analyzer Wrapper
+ *
+ * This analyzer wraps the symbol-based analyzer to provide a consistent
+ * interface for the SunLint engine.
+ */
+// Command: node cli.js --rule=S012 --input=examples/rule-test-fixtures/rules/S012_hardcoded_secrets --engine=heuristic
+
+const fs = require("fs");
+const path = require("path");
+const { Project } = require("ts-morph");
+const S012SymbolBasedAnalyzer = require("./symbol-based-analyzer");
+
+class S012Analyzer {
+  constructor(options = {}) {
+    this.ruleId = "S012";
+    this.semanticEngine = options.semanticEngine || null;
+    this.symbolAnalyzer = new S012SymbolBasedAnalyzer(this.semanticEngine);
+  }
+
+  /**
+   * Analyze multiple files
+   */
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      try {
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.error(
+          `[S012] Error analyzing file ${filePath}:`,
+          error.message
+        );
+      }
+    }
+
+    return violations;
+  }
+
+  /**
+   * Analyze a single file
+   */
+  async analyzeFile(filePath, options = {}) {
+    // Skip files that shouldn't be analyzed
+    if (this.shouldSkipFile(filePath)) {
+      return [];
+    }
+
+    try {
+      // Check if file exists
+      if (!fs.existsSync(filePath)) {
+        return [];
+      }
+
+      const content = fs.readFileSync(filePath, "utf-8");
+
+      // Try to get source file from semantic engine
+      let sourceFile = this.semanticEngine?.project?.getSourceFile(filePath);
+
+      // If not available, create a temporary ts-morph source file
+      if (!sourceFile) {
+        const tempProject = new Project({
+          useInMemoryFileSystem: true,
+          compilerOptions: {
+            allowJs: true,
+            noLib: true,
+            target: 99, // ESNext
+          },
+        });
+
+        sourceFile = tempProject.createSourceFile(
+          path.basename(filePath),
+          content
+        );
+      }
+
+      // Run the symbol-based analyzer
+      const symbolViolations = await this.symbolAnalyzer.analyze(
+        sourceFile,
+        filePath
+      );
+
+      // Add file path to each violation
+      return symbolViolations.map((violation) => ({
+        ...violation,
+        filePath,
+        file: filePath,
+      }));
+    } catch (error) {
+      console.error(
+        `[S012] Error in analyzeFile for ${filePath}:`,
+        error.message
+      );
+      return [];
+    }
+  }
+
+  /**
+   * Check if file should be skipped
+   */
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      /test\//i,
+      /tests\//i,
+      /__tests__\//i,
+      /\.test\./i,
+      /\.spec\./i,
+      /node_modules\//i,
+      /dist\//i,
+      /build\//i,
+      /\.next\//i,
+      /\.nuxt\//i,
+      /coverage\//i,
+      /\.d\.ts$/i,
+      /\.min\.js$/i,
+      /\.bundle\.js$/i,
+      /\.example\./i,
+      /\.sample\./i,
+      /\.template\./i,
+      /vendor\//i,
+      /third[_-]party\//i,
+      /\.git\//i,
+    ];
+
+    return skipPatterns.some((pattern) => pattern.test(filePath));
+  }
+
+  /**
+   * Get rule metadata
+   */
+  getRuleMetadata() {
+    const configPath = path.join(__dirname, "config.json");
+    if (fs.existsSync(configPath)) {
+      const config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+      return config;
+    }
+    return {
+      ruleId: this.ruleId,
+      name: "Hardcoded Secrets Protection",
+      description: "Detects hardcoded secrets in source code",
+      category: "security",
+      severity: "error",
+    };
+  }
+}
+
+module.exports = S012Analyzer;

package/rules/security/S012_hardcoded_secrets/config.json

@@ -0,0 +1,75 @@
+{
+  "ruleId": "S012",
+  "name": "Hardcoded Secrets Protection",
+  "description": "Detects hardcoded secrets, API keys, passwords, tokens, and credentials in source code to prevent accidental exposure through version control",
+  "category": "security",
+  "severity": "error",
+  "languages": ["All languages"],
+  "tags": [
+    "security",
+    "owasp",
+    "secrets",
+    "credentials",
+    "cryptographic-failures",
+    "hardcoded-secrets",
+    "api-keys",
+    "passwords",
+    "tokens"
+  ],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A02:2021 - Cryptographic Failures",
+    "cweId": "CWE-798",
+    "cweDescription": "Use of Hard-coded Credentials",
+    "description": "Hardcoding secrets in source code is a critical security vulnerability. Secrets can be exposed through version control history, code sharing, or unauthorized access. This rule detects various patterns of hardcoded credentials including API keys, passwords, tokens, private keys, and connection strings.",
+    "impact": "Critical - Credential exposure, unauthorized access, data breaches, compliance violations (SOC2, ISO27001, PCI-DSS)",
+    "likelihood": "High",
+    "remediation": "Use environment variables (process.env), secret management systems (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, GCP Secret Manager), or configuration management tools. Never commit secrets to version control. Use .gitignore for .env files. Consider using git-secrets or similar tools to prevent accidental commits.",
+    "examples": {
+      "bad": [
+        "const API_KEY = 'AIzaSyD-1234567890abcdef';",
+        "const password = 'MySecretPassword123!';",
+        "const connectionString = 'mongodb://admin:password@localhost:27017';",
+        "const token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...';",
+        "const awsKey = 'AKIAIOSFODNN7EXAMPLE';"
+      ],
+      "good": [
+        "const API_KEY = process.env.API_KEY;",
+        "const password = config.get('database.password');",
+        "const connectionString = process.env.MONGODB_URI;",
+        "const token = await secretsManager.getSecret('jwt-secret');",
+        "const awsKey = process.env.AWS_ACCESS_KEY_ID;"
+      ]
+    },
+    "references": [
+      "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/",
+      "https://cwe.mitre.org/data/definitions/798.html",
+      "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
+    ],
+    "frameworks": [
+      "Node.js",
+      "Express",
+      "NestJS",
+      "Next.js",
+      "React",
+      "Vue",
+      "Angular"
+    ],
+    "secretTypes": [
+      "API Keys",
+      "Passwords",
+      "Access Tokens",
+      "Private Keys",
+      "JWT Secrets",
+      "Database Credentials",
+      "OAuth Secrets",
+      "AWS Keys",
+      "GitHub Tokens",
+      "Slack Tokens"
+    ],
+    "detectionPatterns": 50,
+    "testCases": 30
+  }
+}