@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S012_hardcoded_secrets/symbol-based-analyzer.js

@@ -0,0 +1,1204 @@
+/**
+ * Rule S012: Hardcoded Secrets Detection
+ *
+ * Detects hardcoded secrets, API keys, passwords, tokens, and other sensitive
+ * credentials in source code. This rule helps prevent accidental exposure of
+ * secrets through version control and reduces security risks.
+ *
+ * OWASP: A02:2021 - Cryptographic Failures
+ * CWE: CWE-798 - Use of Hard-coded Credentials
+ */
+
+const { SyntaxKind } = require("ts-morph");
+
+class S012SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S012";
+    this.semanticEngine = semanticEngine;
+
+    // Patterns for secret variable names
+    this.secretVariablePatterns = [
+      'password',
+      'passwd',
+      'pwd',
+      'secret',
+      'api_key',
+      'apikey',
+      'api-key',
+      'access_key',
+      'accesskey',
+      'secret_key',
+      'secretkey',
+      'private_key',
+      'privatekey',
+      'token',
+      'auth_token',
+      'authtoken',
+      'access_token',
+      'accesstoken',
+      'refresh_token',
+      'refreshtoken',
+      'jwt_secret',
+      'jwtsecret',
+      'encryption_key',
+      'encryptionkey',
+      'database_password',
+      'db_password',
+      'db_pass',
+      'connection_string',
+      'connectionstring',
+      'credentials',
+      'auth_token',
+      'auth_key',
+      'auth_secret',
+      'bearer_token',
+      'bearer',
+      'certificate',
+      'ssh_key',
+      'sshkey',
+      'oauth_secret',
+      'oauthsecret',
+      'client_secret',
+      'clientsecret',
+      'master_key',
+      'masterkey',
+      'admin_password',
+      'root_password',
+      'app_secret',
+      'appsecret',
+    ];
+
+    // Patterns for secret values (high entropy strings)
+    this.secretValuePatterns = [
+      // AWS Access Keys
+      /AKIA[0-9A-Z]{16}/,
+      // AWS Secret Keys (40 characters base64)
+      /aws(.{0,20})?['\"][0-9a-zA-Z\/+]{40}['\"]/i,
+      // Generic API Keys (32+ chars with mixed case/numbers)
+      /['\"][a-z0-9_-]{32,}['\"]/i,
+      // JWT tokens
+      /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/,
+      // Generic secrets (high entropy, 20+ chars)
+      /['\"][a-zA-Z0-9+/=_-]{20,}['\"]/,
+      // GitHub tokens
+      /gh[pousr]_[A-Za-z0-9_]{36,}/,
+      // Slack tokens
+      /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,}/,
+      // Google API keys
+      /AIza[0-9A-Za-z_-]{35}/,
+      // Firebase URLs with secrets
+      /[a-z0-9-]+\.firebaseio\.com/,
+      // Private keys
+      /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
+      // Connection strings with passwords
+      /(mongodb|postgres|mysql):\/\/[^:]+:[^@]+@/i,
+    ];
+
+    // Safe patterns to exclude (environment variables, function calls, etc.)
+    this.safePatterns = [
+      'process.env',
+      'env.',
+      'getenv',
+      'config.get',
+      'configservice.get',  // NestJS ConfigService
+      '.get(',               // Any .get() method call
+      '.getstring(',
+      '.getnumber(',
+      'vault.get',
+      'secrets.get',
+      'secretsmanager',
+      'keyvault',
+      'parameter.store',
+      'ssm.get',
+      'dotenv',
+      '.env',
+      'import.meta.env',
+      'vite_',
+      'next_public_',
+      'react_app_',
+      'vue_app_',
+      'example',
+      'test',
+      'mock',
+      'dummy',
+      'fake',
+      'placeholder',
+      'your_',
+      'your-',
+      '<your',
+      'xxx',
+      '***',
+      '...',
+      'todo',
+      'fixme',
+      'changeme',
+      'replace',
+      'insert',
+      '.split(',            // token.split() is not a secret
+      '.slice(',            // string slicing
+      '.substring(',        // string operations
+    ];
+
+    // Common test/example values that are safe
+    this.safeTestValues = [
+      'test',
+      'testing',
+      'example',
+      'demo',
+      'sample',
+      'mock',
+      'dummy',
+      'fake',
+      'localhost',
+      '127.0.0.1',
+      '0.0.0.0',
+      'admin',
+      '12345',
+      'password',
+      'secret',
+      'changeme',
+      'your-secret-here',
+      'your-key-here',
+      'xxx',
+      '***',
+    ];
+
+    // Minimum entropy threshold for considering a string as secret
+    this.minEntropy = 3.5;
+
+    // Minimum length for secret strings
+    this.minSecretLength = 16;
+  }
+
+  /**
+   * Main analysis method
+   */
+  async analyze(sourceFile, filePath = "") {
+    const violations = [];
+
+    // Skip test files and config files that commonly have example secrets
+    if (this.shouldSkipFile(filePath)) {
+      return violations;
+    }
+
+    // Check variable declarations
+    const variableDeclarations = sourceFile.getDescendantsOfKind(SyntaxKind.VariableDeclaration);
+    for (const varDecl of variableDeclarations) {
+      const violation = this.checkVariableDeclaration(varDecl, filePath);
+      if (violation) {
+        violations.push(violation);
+      }
+    }
+
+    // Check property assignments
+    const propertyAssignments = sourceFile.getDescendantsOfKind(SyntaxKind.PropertyAssignment);
+    for (const propAssign of propertyAssignments) {
+      const violation = this.checkPropertyAssignment(propAssign, filePath);
+      if (violation) {
+        violations.push(violation);
+      }
+    }
+
+    // Check string literals for hardcoded secrets
+    const stringLiterals = sourceFile.getDescendantsOfKind(SyntaxKind.StringLiteral);
+    for (const strLit of stringLiterals) {
+      const violation = this.checkStringLiteral(strLit, filePath);
+      if (violation) {
+        violations.push(violation);
+      }
+    }
+
+    return violations;
+  }
+
+  /**
+   * Check if file should be skipped
+   */
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      /test\//i,
+      /tests\//i,
+      /__tests__\//i,
+      /\.test\./i,
+      /\.spec\./i,
+      /node_modules\//i,
+      /\.example\./i,
+      /\.sample\./i,
+      /\.template\./i,
+      /dist\//i,
+      /build\//i,
+      /coverage\//i,
+    ];
+
+    return skipPatterns.some(pattern => pattern.test(filePath));
+  }
+
+  /**
+   * Check variable declarations for hardcoded secrets
+   */
+  checkVariableDeclaration(varDecl, filePath) {
+    const name = varDecl.getName();
+    const initializer = varDecl.getInitializer();
+
+    if (!initializer) {
+      return null;
+    }
+
+    const nameLower = name.toLowerCase();
+
+    // Skip error constant names
+    if (this.isErrorConstant(name)) {
+      return null;
+    }
+
+    // Skip destructuring patterns like { token } or { password }
+    if (this.isDestructuringPattern(name)) {
+      return null;
+    }
+
+    // Skip documentation/schema variables (Swagger, Docs, Schema, Dto)
+    if (this.isDocumentationVariable(name)) {
+      return null;
+    }
+
+    // Skip counter/attempt variables (failedPasswordAttempts, loginAttempts)
+    if (this.isCounterVariable(name)) {
+      return null;
+    }
+
+    // Skip error collection variables (tokenErrors, passwordErrors)
+    if (this.isErrorCollectionVariable(name)) {
+      return null;
+    }
+
+    // Skip boolean check variables (isValidToken, hasPassword)
+    if (this.isBooleanCheckVariable(name)) {
+      return null;
+    }
+
+    // Skip utility function/class names (generatePassword, IsPassword)
+    if (this.isUtilityFunctionOrClass(name)) {
+      return null;
+    }
+
+    // Skip framework-specific internal variables (__next_navigation_guard_token)
+    if (this.isFrameworkInternalVariable(name)) {
+      return null;
+    }
+
+    // Skip error constant properties (tokenExpired, invalidToken)
+    if (this.isErrorConstantProperty(name)) {
+      return null;
+    }
+
+    // Skip React/Vue state variables and selectors
+    if (this.isStateVariableOrSelector(name)) {
+      return null;
+    }
+
+    // Skip format/pattern/regex definitions
+    if (this.isFormatOrPatternDefinition(name)) {
+      return null;
+    }
+
+    // Check if variable name suggests it's a secret
+    const isSuspiciousName = this.secretVariablePatterns.some(pattern =>
+      nameLower.includes(pattern)
+    );
+
+    if (!isSuspiciousName) {
+      return null;
+    }
+
+    // Check if it's using a safe pattern (env variable, config, etc.)
+    const initText = initializer.getText();
+    if (this.isSafePattern(initText)) {
+      return null;
+    }
+
+    // Skip if it's a URL/endpoint variable (apiGetTokenUrl = '/api/token')
+    if (this.isURLOrEndpointVariable(name, initText)) {
+      return null;
+    }
+
+    // Skip if extracting from query parameters (get(searchParams, 'token'))
+    if (this.isQueryParameterExtraction(initText)) {
+      return null;
+    }
+
+    // Skip if accessing framework internal property (nextState?.__next_navigation_guard_token)
+    if (this.isAccessingFrameworkInternal(initText)) {
+      return null;
+    }
+
+    // Skip if initializer is a property access (e.g., AWS.config.credentials)
+    if (this.isPropertyAccess(initText)) {
+      return null;
+    }
+
+    // Skip if initializer is a constructor call (e.g., new SecretClient(...))
+    if (this.isConstructorCall(initText)) {
+      return null;
+    }
+
+    // Skip if initializer is an await expression for secret retrieval
+    if (this.isAsyncSecretRetrieval(initText)) {
+      return null;
+    }
+
+    // Skip if initializer is a function/method call
+    if (this.isFunctionOrMethodCall(initText)) {
+      return null;
+    }
+
+    // Skip if extracting from API response (response.data['...'].AccessToken)
+    if (this.isExtractingFromAPIResponse(initText)) {
+      return null;
+    }
+
+    // Skip if it's an object literal with only references (no hardcoded values)
+    if (this.isObjectLiteralWithOnlyReferences(initializer)) {
+      return null;
+    }
+
+    // For UPPERCASE constants, be more strict - only flag if value is actually hardcoded
+    // This allows PASSWORD_REGEX = /.../ but flags API_KEY = "hardcoded-key"
+    const isConstant = this.isConstantName(name);
+
+    // Check if the value looks like a hardcoded secret
+    if (this.isHardcodedSecret(initText, nameLower, isConstant)) {
+      return {
+        line: varDecl.getStartLineNumber(),
+        column: varDecl.getStart() - varDecl.getStartLinePos(),
+        message: `Hardcoded secret detected: Variable '${name}' appears to contain a hardcoded secret. Use environment variables or a secret management system instead.`,
+        severity: "error",
+        ruleId: this.ruleId,
+        secretType: this.identifySecretType(nameLower),
+      };
+    }
+
+    return null;
+  }
+
+  /**
+   * Check property assignments for hardcoded secrets
+   */
+  checkPropertyAssignment(propAssign, filePath) {
+    const name = propAssign.getName();
+    const initializer = propAssign.getInitializer();
+
+    if (!initializer) {
+      return null;
+    }
+
+    const nameLower = name.toLowerCase();
+
+    // Skip error constant property names
+    if (this.isErrorConstant(name)) {
+      return null;
+    }
+
+    // Skip function-like property names (verbs + nouns)
+    if (this.isFunctionName(name)) {
+      return null;
+    }
+
+    // Skip documentation/schema properties
+    if (this.isDocumentationVariable(name)) {
+      return null;
+    }
+
+    // Skip counter/attempt properties
+    if (this.isCounterVariable(name)) {
+      return null;
+    }
+
+    // Skip error collection properties
+    if (this.isErrorCollectionVariable(name)) {
+      return null;
+    }
+
+    // Skip boolean check properties
+    if (this.isBooleanCheckVariable(name)) {
+      return null;
+    }
+
+    // Skip utility function/class names
+    if (this.isUtilityFunctionOrClass(name)) {
+      return null;
+    }
+
+    // Skip framework-specific internal variables
+    if (this.isFrameworkInternalVariable(name)) {
+      return null;
+    }
+
+    // Skip error constant properties (tokenExpired, invalidToken)
+    if (this.isErrorConstantProperty(name)) {
+      return null;
+    }
+
+    // Skip if this is part of an error object structure
+    if (this.isPartOfErrorObject(propAssign)) {
+      return null;
+    }
+
+    // Skip if this is just a property name (not a hardcoded value)
+    if (this.isPropertyNameOnly(propAssign)) {
+      return null;
+    }
+
+    // Skip React/Vue state variables and selectors
+    if (this.isStateVariableOrSelector(name)) {
+      return null;
+    }
+
+    // Skip format/pattern/regex definitions
+    if (this.isFormatOrPatternDefinition(name)) {
+      return null;
+    }
+
+    // Check if property name suggests it's a secret
+    const isSuspiciousName = this.secretVariablePatterns.some(pattern =>
+      nameLower.includes(pattern)
+    );
+
+    if (!isSuspiciousName) {
+      return null;
+    }
+
+    const initText = initializer.getText();
+    if (this.isSafePattern(initText)) {
+      return null;
+    }
+
+    // Skip if initializer is a function/method call
+    if (this.isFunctionOrMethodCall(initText)) {
+      return null;
+    }
+
+    // Skip if it's a simple string literal in constant definitions (message strings)
+    if (this.isMessageString(initText)) {
+      return null;
+    }
+
+    if (this.isHardcodedSecret(initText, nameLower)) {
+      return {
+        line: propAssign.getStartLineNumber(),
+        column: propAssign.getStart() - propAssign.getStartLinePos(),
+        message: `Hardcoded secret detected: Property '${name}' appears to contain a hardcoded secret. Use environment variables or a secret management system instead.`,
+        severity: "error",
+        ruleId: this.ruleId,
+        secretType: this.identifySecretType(nameLower),
+      };
+    }
+
+    return null;
+  }
+
+  /**
+   * Check string literals for patterns that look like secrets
+   */
+  checkStringLiteral(strLit, filePath) {
+    const text = strLit.getText();
+    const literalValue = strLit.getLiteralValue();
+
+    // Skip short strings
+    if (literalValue.length < this.minSecretLength) {
+      return null;
+    }
+
+    // Skip if it's a safe test value
+    if (this.isSafeTestValue(literalValue)) {
+      return null;
+    }
+
+    // Skip if this is part of SQL query (addSelect, select, query strings)
+    if (this.isPartOfSQLQuery(strLit)) {
+      return null;
+    }
+
+    // Check if parent is using safe patterns
+    const parent = strLit.getParent();
+    if (parent) {
+      const parentText = parent.getText();
+      if (this.isSafePattern(parentText)) {
+        return null;
+      }
+    }
+
+    // Check for known secret patterns
+    for (const pattern of this.secretValuePatterns) {
+      if (pattern.test(literalValue)) {
+        // Additional validation for high entropy
+        if (this.calculateEntropy(literalValue) >= this.minEntropy) {
+          return {
+            line: strLit.getStartLineNumber(),
+            column: strLit.getStart() - strLit.getStartLinePos(),
+            message: `Potential hardcoded secret detected: String literal matches known secret pattern. Consider using environment variables or a secret management system.`,
+            severity: "error",
+            ruleId: this.ruleId,
+            secretType: "unknown",
+          };
+        }
+      }
+    }
+
+    return null;
+  }
+
+  /**
+   * Check if text contains safe patterns
+   */
+  isSafePattern(text) {
+    const textLower = text.toLowerCase();
+    return this.safePatterns.some(pattern => textLower.includes(pattern));
+  }
+
+  /**
+   * Check if value is a safe test value
+   */
+  isSafeTestValue(value) {
+    const valueLower = value.toLowerCase();
+    return this.safeTestValues.some(testVal => valueLower === testVal);
+  }
+
+  /**
+   * Check if a value is likely a hardcoded secret
+   */
+  isHardcodedSecret(value, variableName = '', isConstant = false) {
+    // Remove quotes if present
+    const cleanValue = value.replace(/^['"`]|['"`]$/g, '');
+
+    // Skip empty or very short values
+    if (cleanValue.length < 8) {
+      return false;
+    }
+
+    // Skip if it's a safe test value
+    if (this.isSafeTestValue(cleanValue)) {
+      return false;
+    }
+
+    // For UPPERCASE constants, skip if it's not a string literal
+    // This allows: PASSWORD_REGEX = /.../, TOKEN_STATUS = {...}
+    // But flags: API_KEY = "hardcoded-secret"
+    if (isConstant) {
+      // Only flag if it's a quoted string (likely a hardcoded secret)
+      if (!value.match(/^['"`]/)) {
+        return false;
+      }
+    }
+
+    // Check for specific secret patterns
+    for (const pattern of this.secretValuePatterns) {
+      if (pattern.test(value)) {
+        return true;
+      }
+    }
+
+    // Check entropy for generic secrets
+    if (cleanValue.length >= this.minSecretLength) {
+      const entropy = this.calculateEntropy(cleanValue);
+
+      // Higher entropy threshold if variable name is suspicious
+      const isSuspiciousVar = this.secretVariablePatterns.some(p =>
+        variableName.includes(p)
+      );
+
+      const threshold = isSuspiciousVar ? 3.0 : this.minEntropy;
+
+      if (entropy >= threshold) {
+        // Additional check: ensure it has mixed characters
+        const hasMixedCase = /[a-z]/.test(cleanValue) && /[A-Z]/.test(cleanValue);
+        const hasNumbers = /[0-9]/.test(cleanValue);
+        const hasSpecialChars = /[^a-zA-Z0-9]/.test(cleanValue);
+
+        // At least 2 of 3 characteristics for high confidence
+        const characteristics = [hasMixedCase, hasNumbers, hasSpecialChars].filter(Boolean).length;
+
+        if (characteristics >= 2) {
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Calculate Shannon entropy of a string
+   */
+  calculateEntropy(str) {
+    const len = str.length;
+    const frequencies = {};
+
+    for (let i = 0; i < len; i++) {
+      const char = str[i];
+      frequencies[char] = (frequencies[char] || 0) + 1;
+    }
+
+    let entropy = 0;
+    for (const char in frequencies) {
+      const probability = frequencies[char] / len;
+      entropy -= probability * Math.log2(probability);
+    }
+
+    return entropy;
+  }
+
+  /**
+   * Identify the type of secret based on variable name
+   */
+  identifySecretType(name) {
+    if (name.includes('password') || name.includes('passwd') || name.includes('pwd')) {
+      return 'password';
+    }
+    if (name.includes('api') && (name.includes('key') || name.includes('token'))) {
+      return 'api_key';
+    }
+    if (name.includes('access') && name.includes('key')) {
+      return 'access_key';
+    }
+    if (name.includes('secret') && name.includes('key')) {
+      return 'secret_key';
+    }
+    if (name.includes('private') && name.includes('key')) {
+      return 'private_key';
+    }
+    if (name.includes('token')) {
+      return 'token';
+    }
+    if (name.includes('jwt')) {
+      return 'jwt_secret';
+    }
+    if (name.includes('connection') && name.includes('string')) {
+      return 'connection_string';
+    }
+    if (name.includes('credentials')) {
+      return 'credentials';
+    }
+
+    return 'secret';
+  }
+
+  /**
+   * Check if name is a constant (UPPER_CASE style)
+   */
+  isConstantName(name) {
+    // All uppercase with underscores (e.g., TOKEN_STATUS, PASSWORD_REGEX, DB_PASSWORD)
+    return /^[A-Z_][A-Z0-9_]*$/.test(name);
+  }
+
+  /**
+   * Check if name is an error constant
+   */
+  isErrorConstant(name) {
+    // Pattern: *_E_* or FE_E_* or BE_E_* or ERROR_*
+    return /_E_/i.test(name) || /^(FE|BE|API)_E_/i.test(name) || /^ERROR_/i.test(name);
+  }
+
+  /**
+   * Check if name is a destructuring pattern
+   */
+  isDestructuringPattern(name) {
+    // Destructuring patterns like { token } will have curly braces
+    return name.includes('{') || name.includes('}');
+  }
+
+  /**
+   * Check if name looks like a function name
+   */
+  isFunctionName(name) {
+    // Common function name patterns (verb + noun)
+    const functionVerbs = [
+      'get', 'set', 'send', 'receive', 'fetch', 'update', 'delete', 'create',
+      'verify', 'validate', 'check', 'is', 'has', 'can', 'should',
+      'reset', 'change', 'generate', 'encode', 'decode', 'encrypt', 'decrypt',
+      'handle', 'process', 'execute', 'run', 'start', 'stop'
+    ];
+
+    const nameLower = name.toLowerCase();
+
+    // Check if starts with a verb
+    return functionVerbs.some(verb => {
+      const verbPattern = new RegExp(`^${verb}[A-Z]`);
+      return verbPattern.test(name) || nameLower.startsWith(verb + '_');
+    });
+  }
+
+  /**
+   * Check if text is a property access (e.g., AWS.config.credentials)
+   */
+  isPropertyAccess(text) {
+    // Contains dot notation and doesn't start with a quote
+    return /^[a-zA-Z_$][a-zA-Z0-9_$]*\.[a-zA-Z0-9_.]+$/.test(text.trim());
+  }
+
+  /**
+   * Check if text is a constructor call (e.g., new SecretClient(...))
+   */
+  isConstructorCall(text) {
+    return /^new\s+[A-Z][a-zA-Z0-9_]*\s*\(/.test(text.trim());
+  }
+
+  /**
+   * Check if text is an async secret retrieval (e.g., await secretClient.getSecret(...))
+   */
+  isAsyncSecretRetrieval(text) {
+    const textLower = text.toLowerCase();
+    return textLower.startsWith('await') &&
+           (textLower.includes('getsecret') ||
+            textLower.includes('get(') ||
+            textLower.includes('fetch'));
+  }
+
+  /**
+   * Check if text is a function or method call
+   */
+  isFunctionOrMethodCall(text) {
+    const trimmed = text.trim();
+    // Function call: functionName(...) or obj.method(...) or await func(...)
+    return /^(await\s+)?[a-zA-Z_$][a-zA-Z0-9_$.]*\s*\(/.test(trimmed) ||
+           // Method chain: obj.method1().method2()
+           /\)\s*\.\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*\(/.test(trimmed);
+  }
+
+  /**
+   * Check if text is a message string (descriptive text, not a secret)
+   */
+  isMessageString(text) {
+    const trimmed = text.trim();
+
+    // Must be a quoted string
+    if (!trimmed.match(/^['"`]/)) {
+      return false;
+    }
+
+    const content = trimmed.replace(/^['"`]|['"`]$/g, '').toLowerCase();
+
+    // Message strings typically contain spaces and common words
+    const messageIndicators = [
+      ' is ',
+      ' are ',
+      ' has ',
+      ' have ',
+      ' invalid',
+      ' expired',
+      ' not found',
+      ' failed',
+      ' error',
+      ' exceeded',
+      ' attempts',
+      ' required',
+      ' missing',
+    ];
+
+    return messageIndicators.some(indicator => content.includes(indicator));
+  }
+
+  /**
+   * Check if name is a documentation/schema variable
+   */
+  isDocumentationVariable(name) {
+    const docSuffixes = ['Swagger', 'Docs', 'Doc', 'Schema', 'Dto', 'Documentation', 'Spec'];
+    return docSuffixes.some(suffix => name.endsWith(suffix));
+  }
+
+  /**
+   * Check if name is a counter/attempt variable
+   */
+  isCounterVariable(name) {
+    const counterPatterns = [
+      /attempts?$/i,        // loginAttempts, failedAttempts
+      /count$/i,            // passwordCount, tokenCount
+      /counter$/i,          // loginCounter
+      /limit$/i,            // passwordLimit
+      /max.*attempts?/i,    // maxFailedAttempts
+      /failed.*attempts?/i, // failedPasswordAttempts
+    ];
+    return counterPatterns.some(pattern => pattern.test(name));
+  }
+
+  /**
+   * Check if name is an error collection variable
+   */
+  isErrorCollectionVariable(name) {
+    const nameLower = name.toLowerCase();
+    return nameLower.endsWith('errors') ||      // tokenErrors, passwordErrors
+           nameLower.endsWith('error') ||       // tokenError
+           nameLower.includes('errormessage') || // errorMessages
+           nameLower.includes('errorlist');     // errorList
+  }
+
+  /**
+   * Check if name is a boolean check variable
+   */
+  isBooleanCheckVariable(name) {
+    const booleanPrefixes = ['is', 'has', 'can', 'should', 'will', 'did'];
+    const nameLower = name.toLowerCase();
+
+    return booleanPrefixes.some(prefix => {
+      // Check camelCase: isValidToken, hasPassword
+      const camelPattern = new RegExp(`^${prefix}[A-Z]`);
+      // Check snake_case: is_valid_token
+      const snakePattern = new RegExp(`^${prefix}_`);
+      return camelPattern.test(name) || snakePattern.test(nameLower);
+    });
+  }
+
+  /**
+   * Check if name is an error constant property in error object
+   * Examples: tokenExpired, invalidToken, passwordSameAsMail, incorrectOldPassword
+   */
+  isErrorConstantProperty(name) {
+    // Common error property patterns
+    const errorPatterns = [
+      /^invalid/i,           // invalidToken, invalidRefreshToken
+      /^incorrect/i,         // incorrectOldPassword, incorrectPassword
+      /^empty/i,             // emptyAccessToken
+      /^missing/i,           // missingPassword
+      /expired$/i,           // tokenExpired, passwordExpired
+      /notfound$/i,          // tokenNotFound, userNotFound
+      /notactive$/i,         // tokenIsNotActive
+      /revoked$/i,           // tokenHasBeenRevoked
+      /locked$/i,            // userLocked, accountLocked
+      /sameas/i,             // passwordSameAsMail
+      /^forgot/i,            // forgotPassword
+      /^confirm.*reset/i,    // confirmResetPassword
+    ];
+
+    return errorPatterns.some(pattern => pattern.test(name));
+  }
+
+  /**
+   * Check if name is a utility function or class name
+   * Examples: generatePassword, IsPassword, validateToken, encodeJwt
+   */
+  isUtilityFunctionOrClass(name) {
+    // Utility function prefixes
+    const utilityPrefixes = [
+      'generate', 'create', 'build', 'make',
+      'validate', 'verify', 'check',
+      'encode', 'decode', 'encrypt', 'decrypt', 'hash',
+      'extract', 'parse', 'format',
+      'get', 'set', 'update', 'delete',
+    ];
+
+    // React/Vue hooks and handlers
+    const frameworkPrefixes = [
+      'use',         // React hooks: useToken, usePassword, useTokenExpiration
+      'handle',      // Event handlers: handleResetPassword, handleTokenChange
+      'on',          // Event handlers: onPasswordChange, onTokenSubmit
+    ];
+
+    // Check if it's a PascalCase class/decorator (starts with uppercase)
+    if (/^[A-Z]/.test(name)) {
+      // Decorator/Class patterns: IsPassword, ValidateToken
+      return true;
+    }
+
+    // Check if it has utility prefix
+    const nameLower = name.toLowerCase();
+    const allPrefixes = [...utilityPrefixes, ...frameworkPrefixes];
+    return allPrefixes.some(prefix => nameLower.startsWith(prefix));
+  }
+
+  /**
+   * Check if name is a framework-specific internal variable
+   * Examples: __next_navigation_guard_token, __webpack_*, __vite_*
+   */
+  isFrameworkInternalVariable(name) {
+    const internalPatterns = [
+      /^__next_/i,           // Next.js internals: __next_navigation_guard_token
+      /^__webpack_/i,        // Webpack internals
+      /^__vite_/i,           // Vite internals
+      /^__nuxt_/i,           // Nuxt internals
+      /^_app/i,              // Framework app internals
+      /^_document/i,         // Framework document internals
+    ];
+
+    return internalPatterns.some(pattern => pattern.test(name));
+  }
+
+  /**
+   * Check if variable is accessing framework internal property
+   * Examples: nextState?.__next_navigation_guard_token
+   */
+  isAccessingFrameworkInternal(initText) {
+    const frameworkPropertyPatterns = [
+      /\.__next_/i,          // nextState.__next_navigation_guard_token
+      /\??\.__next_/i,       // nextState?.__next_navigation_guard_token
+      /\['__next_/i,         // state['__next_navigation_guard_token']
+      /\["__next_/i,         // state["__next_navigation_guard_token"]
+    ];
+
+    return frameworkPropertyPatterns.some(pattern => pattern.test(initText));
+  }
+
+  /**
+   * Check if name is a React/Vue state variable or selector
+   * Examples: [token, setToken], receivedToken, selectPasswordState
+   */
+  isStateVariableOrSelector(name) {
+    // React state patterns
+    const statePatterns = [
+      /^\[.*,\s*set/i,         // [token, setToken], [password, setPassword]
+      /^set[A-Z]/,              // setToken, setPassword
+      /^received[A-Z]/i,        // receivedToken, receivedPassword
+      /^select.*state$/i,       // selectTokenState, selectPasswordState
+      /state$/i,                // tokenState, passwordState (if not part of API)
+    ];
+
+    return statePatterns.some(pattern => pattern.test(name));
+  }
+
+  /**
+   * Check if name is a format/pattern/regex definition
+   * Examples: passwordFormat, tokenPattern, PASSWORD_REGEX
+   */
+  isFormatOrPatternDefinition(name) {
+    const nameLower = name.toLowerCase();
+    const formatSuffixes = [
+      'format', 'pattern', 'regex', 'regexp',
+      'rule', 'rules', 'validation', 'validator',
+      'schema', 'constraint', 'character',
+    ];
+
+    return formatSuffixes.some(suffix => nameLower.endsWith(suffix));
+  }
+
+  /**
+   * Check if variable is a URL/endpoint/path string
+   * Examples: apiGetTokenUrl = '/api/token', tokenEndpoint = 'https://...'
+   */
+  isURLOrEndpointVariable(name, initText) {
+    const nameLower = name.toLowerCase();
+
+    // Check variable name patterns
+    const urlPatterns = [
+      'url', 'uri', 'endpoint', 'path', 'route', 'api',
+    ];
+
+    const hasUrlPattern = urlPatterns.some(pattern => nameLower.includes(pattern));
+
+    if (hasUrlPattern) {
+      // Check if value looks like a URL/path
+      const urlValuePatterns = [
+        /^['"`]\//, // Starts with forward slash: '/api/token'
+        /^['"`]http/, // Starts with http/https
+        /^['"`]\.\//, // Relative path: './token'
+        /^['"`]\.\.\//, // Parent path: '../token'
+      ];
+
+      return urlValuePatterns.some(pattern => pattern.test(initText.trim()));
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if variable is extracting from query parameters
+   * Examples: get(searchParams, 'token'), params.get('token'), get(params, 't', '')
+   */
+  isQueryParameterExtraction(initText) {
+    const queryPatterns = [
+      /get<[^>]+>\(.*?,\s*['"`]\w+['"`].*?\)/, // get<Type, string>(obj, 'key', default)
+      /\.get\(['"`]\w+['"`]\)/, // params.get('token')
+      /searchParams\[['"`]\w+['"`]\]/, // searchParams['token']
+      /query\[['"`]\w+['"`]\]/, // query['token']
+      /req\.query\./, // req.query.token
+      /router\.query\./, // router.query.token
+      /useSearchParams/, // useSearchParams hook
+    ];
+
+    return queryPatterns.some(pattern => pattern.test(initText));
+  }
+
+  /**
+   * Check if this is a property name in a data structure (not a hardcoded value)
+   * Detects patterns like: { accessToken: someVariable } vs { accessToken: "hardcoded-value" }
+   */
+  isPropertyNameOnly(propAssignment) {
+    try {
+      const initializer = propAssignment.getInitializer();
+      if (!initializer) return true; // No value assigned, just property name
+
+      const initText = initializer.getText().trim();
+
+      // If it's a variable reference (not a string literal), it's safe
+      // Examples: accessToken: token, password: userPassword
+      if (!initText.match(/^['"`]/)) {
+        return true;
+      }
+
+      return false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Check if this is part of an error constant object definition
+   * Detects: const errors = { tokenExpired: { code: '...', message: '...' } }
+   */
+  isPartOfErrorObject(node) {
+    try {
+      let parent = node.getParent();
+      let depth = 0;
+      const maxDepth = 5;
+
+      while (parent && depth < maxDepth) {
+        // Check if parent is an object literal with error-like properties
+        if (parent.getKind() === SyntaxKind.ObjectLiteralExpression) {
+          const parentText = parent.getText();
+
+          // Check for error object patterns
+          if (parentText.includes('code:') && parentText.includes('message:')) {
+            return true;
+          }
+
+          // Check for variable name containing 'error' or 'errors'
+          const grandParent = parent.getParent();
+          if (grandParent && grandParent.getKind() === SyntaxKind.VariableDeclaration) {
+            const varName = grandParent.getName ? grandParent.getName() : '';
+            if (/error/i.test(varName)) {
+              return true;
+            }
+          }
+        }
+
+        parent = parent.getParent();
+        depth++;
+      }
+
+      return false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Check if string literal is part of SQL query
+   * Detects: .addSelect([...]), .select([...]), SQL column aliases
+   */
+  isPartOfSQLQuery(stringLiteral) {
+    try {
+      let parent = stringLiteral.getParent();
+      let depth = 0;
+      const maxDepth = 10;
+
+      while (parent && depth < maxDepth) {
+        const parentText = parent.getText();
+
+        // Check for SQL query method calls
+        const sqlMethods = [
+          '.addSelect(',
+          '.select(',
+          '.where(',
+          '.andWhere(',
+          '.orWhere(',
+          '.orderBy(',
+          '.groupBy(',
+          '.having(',
+          '.leftJoin(',
+          '.innerJoin(',
+          '.rightJoin(',
+          'createQueryBuilder(',
+          '.from(',
+          '.into(',
+        ];
+
+        if (sqlMethods.some(method => parentText.includes(method))) {
+          return true;
+        }
+
+        // Check if inside array literal passed to SQL methods
+        if (parent.getKind() === SyntaxKind.ArrayLiteralExpression) {
+          const arrayParent = parent.getParent();
+          if (arrayParent) {
+            const arrayParentText = arrayParent.getText();
+            if (sqlMethods.some(method => arrayParentText.includes(method))) {
+              return true;
+            }
+          }
+        }
+
+        // Check for SQL alias pattern: "table.column as alias"
+        const literalValue = stringLiteral.getLiteralValue();
+        if (literalValue && /\s+as\s+["']?\w+["']?/i.test(literalValue)) {
+          return true;
+        }
+
+        parent = parent.getParent();
+        depth++;
+      }
+
+      return false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Check if variable is extracting data from API response
+   * Detects: response.data.token, (res.payload as Type).token
+   */
+  isExtractingFromAPIResponse(initText) {
+    const apiResponsePatterns = [
+      /\.data\[['"].*['"]\]\./,              // .data['AuthenticationResult'].
+      /\.data\.\w+\./,                        // .data.AuthenticationResult.
+      /\.payload\s+as\s+\w+\)\.\w+/,         // (res.payload as Type).token
+      /response\.\w+/,                        // response.token, response.AccessToken
+      /result\.\w+/,                          // result.token, result.RefreshToken
+      /authResult\./,                         // authResult.data.
+      /loginInCognito\./,                     // loginInCognito.data.
+      /\.AuthenticationResult\./,             // .AuthenticationResult.AccessToken
+      /\.Credentials\./,                      // .Credentials.AccessKeyId
+      /res\.payload/,                         // res.payload.token
+    ];
+
+    return apiResponsePatterns.some(pattern => pattern.test(initText));
+  }
+
+  /**
+   * Check if object literal only contains references (no hardcoded values)
+   * Returns true if ALL property values are variables/function calls, not string literals
+   */
+  isObjectLiteralWithOnlyReferences(initializer) {
+    try {
+      if (initializer.getKind() !== SyntaxKind.ObjectLiteralExpression) {
+        return false;
+      }
+
+      const properties = initializer.getProperties();
+      let hasHardcodedString = false;
+
+      for (const prop of properties) {
+        if (prop.getKind() === SyntaxKind.PropertyAssignment) {
+          const propInit = prop.getInitializer();
+          if (propInit) {
+            const propText = propInit.getText().trim();
+
+            // If it's a string literal (not a variable), mark as having hardcoded string
+            if (propText.match(/^['"`]/) && !propText.match(/^['"`]\s*$/)) {
+              // Check if it's a short descriptive string (likely not a secret)
+              const cleanValue = propText.replace(/^['"`]|['"`]$/g, '');
+              if (cleanValue.length > this.minSecretLength &&
+                  !this.isMessageString(propText)) {
+                hasHardcodedString = true;
+                break;
+              }
+            }
+          }
+        }
+      }
+
+      return !hasHardcodedString;
+    } catch {
+      return false;
+    }
+  }
+}
+
+module.exports = S012SymbolBasedAnalyzer;