npm - @sun-asterisk/sunlint - Versions diffs - 1.3.26 → 1.3.28 - Mend

@sun-asterisk/sunlint 1.3.26 → 1.3.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/rules/security/S019_smtp_injection_protection/analyzer.js ADDED Viewed

@@ -0,0 +1,120 @@
+/**
+ * Rule S019: SMTP Injection Protection - Analyzer Wrapper
+ *
+ * This analyzer wraps the symbol-based analyzer to provide a consistent
+ * interface for the SunLint engine.
+ */
+// Command: node cli.js --rule=S019 --input=examples/rule-test-fixtures/rules/S019_smtp_injection_protection --engine=heuristic
+const fs = require("fs");
+const path = require("path");
+const { Project } = require("ts-morph");
+const S019SymbolBasedAnalyzer = require("./symbol-based-analyzer");
+class S019Analyzer {
+  constructor(options = {}) {
+    this.ruleId = "S019";
+    this.semanticEngine = options.semanticEngine || null;
+    this.symbolAnalyzer = new S019SymbolBasedAnalyzer(this.semanticEngine);
+  }
+  /**
+   * Analyze multiple files
+   */
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.error(
+          `[S019] Error analyzing file ${filePath}:`,
+          error.message
+        );
+      }
+    }
+    return violations;
+  }
+  /**
+   * Analyze a single file
+   */
+  async analyzeFile(filePath, options = {}) {
+    // Skip files that shouldn't be analyzed
+    if (this.shouldSkipFile(filePath)) {
+      return [];
+    }
+    try {
+      // Check if file exists
+      if (!fs.existsSync(filePath)) {
+        return [];
+      }
+      const content = fs.readFileSync(filePath, "utf-8");
+      // Try to get source file from semantic engine
+      let sourceFile = this.semanticEngine?.project?.getSourceFile(filePath);
+      // If not available, create a temporary ts-morph source file
+      if (!sourceFile) {
+        const tempProject = new Project({
+          useInMemoryFileSystem: true,
+          compilerOptions: {
+            allowJs: true,
+            noLib: true,
+            target: 99, // ESNext
+          },
+        });
+        sourceFile = tempProject.createSourceFile(
+          path.basename(filePath),
+          content
+        );
+      }
+      // Run the symbol-based analyzer
+      const symbolViolations = await this.symbolAnalyzer.analyze(
+        sourceFile,
+        filePath
+      );
+      // Format violations to include file path
+      return symbolViolations.map((violation) => ({
+        ...violation,
+        filePath: filePath,
+        file: filePath,
+      }));
+    } catch (error) {
+      console.error(`[S019] Error processing ${filePath}:`, error.message);
+      return [];
+    }
+  }
+  /**
+   * Check if file should be skipped
+   */
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      "node_modules/",
+      "dist/",
+      "build/",
+      ".next/",
+      "coverage/",
+      "__tests__/",
+      "test/",
+      "tests/",
+      ".test.",
+      ".spec.",
+      ".min.js",
+      ".bundle.js",
+    ];
+    return skipPatterns.some((pattern) => filePath.includes(pattern));
+  }
+}
+module.exports = S019Analyzer;

package/rules/security/S019_smtp_injection_protection/config.json ADDED Viewed

@@ -0,0 +1,35 @@
+{
+  "ruleId": "S019",
+  "name": "SMTP Injection Protection",
+  "description": "Detects potential SMTP/IMAP injection vulnerabilities by identifying unsanitized user input in email fields and direct SMTP protocol manipulation",
+  "category": "security",
+  "severity": "error",
+  "languages": ["typescript", "javascript"],
+  "tags": ["security", "owasp", "injection", "smtp", "email", "crlf"],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A03:2021 - Injection",
+    "cweId": "CWE-93, CWE-144",
+    "impact": "High - Email spoofing, unauthorized email sending, header injection, spam",
+    "remediation": "Remove CRLF characters (\\r\\n) from user input before using in email fields. Use secure email service APIs (SendGrid, AWS SES, Mailgun) instead of direct SMTP manipulation. Validate email addresses with proper regex patterns.",
+    "references": [
+      "https://owasp.org/www-community/attacks/SMTP_Injection",
+      "https://cwe.mitre.org/data/definitions/93.html",
+      "https://cwe.mitre.org/data/definitions/144.html"
+    ],
+    "examples": {
+      "vulnerable": [
+        "sendMail({ to: req.body.email, subject: req.body.subject })",
+        "message.setSubject(userInput)",
+        "const headers = 'To: ' + req.query.recipient"
+      ],
+      "safe": [
+        "sendMail({ to: sanitize(req.body.email), subject: escape(req.body.subject) })",
+        "const cleanEmail = email.replace(/[\\r\\n]/g, '')",
+        "if (/^[a-zA-Z0-9@._-]+$/.test(email)) { sendMail({ to: email }) }"
+      ]
+    }
+  }
+}