@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S019_smtp_injection_protection/symbol-based-analyzer.js

@@ -0,0 +1,687 @@
+const { Project, SyntaxKind } = require("ts-morph");
+
+/**
+ * S019 - SMTP Injection Protection (Symbol-Based Analyzer)
+ *
+ * Detects potential SMTP/IMAP injection vulnerabilities by identifying:
+ * - Unsanitized user input in email fields (to, subject, cc, bcc, reply-to)
+ * - Missing input validation for CRLF characters (\r\n)
+ * - Direct SMTP protocol manipulation without proper sanitization
+ * - Email sending without using secure email service APIs
+ *
+ * OWASP: A03:2021 - Injection
+ * CWE: CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers)
+ *      CWE-144 (Improper Neutralization of Line Delimiters)
+ */
+class S019SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S019";
+    this.semanticEngine = semanticEngine;
+
+    // Email field names that are vulnerable to SMTP injection
+    this.emailFields = [
+      'to', 'from', 'subject', 'cc', 'bcc', 'replyTo', 'reply-to',
+      'sender', 'recipients', 'recipient', 'email', 'emailAddress',
+      'toAddress', 'fromAddress', 'ccAddress', 'bccAddress',
+    ];
+
+    // SMTP/email library methods
+    this.emailMethods = [
+      'sendMail', 'sendEmail', 'send',
+      'setTo', 'setFrom', 'setSubject', 'setCc', 'setBcc', 'setReplyTo',
+      'addTo', 'addCc', 'addBcc', 'addRecipient',
+      'createTransport', 'createMessage',
+      'dispatchEmail', 'dispatchMail', // Use specific email dispatch, not generic 'dispatch'
+    ];
+
+    // Popular email service libraries
+    this.emailLibraries = [
+      'nodemailer', 'sendgrid', '@sendgrid/mail',
+      'mailgun', 'mailgun-js', '@mailgun',
+      'aws-sdk', '@aws-sdk/client-ses',
+      'postmark', '@postmark',
+      'mailchimp', '@mailchimp',
+      'sparkpost', 'node-ses',
+    ];
+
+    // Dangerous SMTP protocol commands
+    this.smtpCommands = [
+      'MAIL FROM', 'RCPT TO', 'DATA', 'RSET', 'VRFY', 'EXPN',
+    ];
+
+    // Safe sanitization functions
+    this.sanitizationFunctions = [
+      'sanitize', 'clean', 'escape', 'strip', 'remove',
+      'validate', 'filter', 'normalize',
+      'replaceCRLF', 'removeCRLF', 'stripNewlines',
+      'encodeHeader', 'escapeHeader',
+    ];
+
+    // User input sources
+    this.userInputSources = [
+      'req.body', 'req.query', 'req.params',
+      'request.body', 'request.query', 'request.params',
+      'ctx.request.body', 'ctx.query', 'ctx.params',
+      'input', 'formData', 'userData', 'userInput',
+    ];
+
+    // Safe library patterns (libraries with built-in sanitization)
+    this.safeLibraryPatterns = [
+      'safe', 'secure', 'validated', 'sanitized',
+      'createSafe', 'getSafe', 'withSanitization',
+    ];
+  }
+
+  async analyze(sourceFile, filePath = "") {
+    const violations = [];
+
+    // Check 1: Function calls with email methods
+    const callExpressions = sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression);
+    for (const callExpr of callExpressions) {
+      const violation = this.checkEmailMethodCall(callExpr, filePath);
+      if (violation) violations.push(violation);
+    }
+
+    // Check 2: Object literals for email configuration
+    const objectLiterals = sourceFile.getDescendantsOfKind(SyntaxKind.ObjectLiteralExpression);
+    for (const objLit of objectLiterals) {
+      const violation = this.checkEmailConfigObject(objLit, filePath);
+      if (violation) violations.push(violation);
+    }
+
+    // Check 3: Variable assignments to email fields
+    const propertyAssignments = sourceFile.getDescendantsOfKind(SyntaxKind.PropertyAssignment);
+    for (const propAssign of propertyAssignments) {
+      const violation = this.checkEmailFieldAssignment(propAssign, filePath);
+      if (violation) violations.push(violation);
+    }
+
+    // Check 4: String concatenation with SMTP commands
+    const binaryExpressions = sourceFile.getDescendantsOfKind(SyntaxKind.BinaryExpression);
+    for (const binExpr of binaryExpressions) {
+      const violation = this.checkSMTPCommandConcatenation(binExpr, filePath);
+      if (violation) violations.push(violation);
+    }
+
+    return violations;
+  }
+
+  /**
+   * Check email method calls for unsanitized input
+   */
+  checkEmailMethodCall(callExpr, filePath) {
+    try {
+      const expression = callExpr.getExpression();
+      const methodName = this.getMethodName(expression);
+
+      if (!methodName || !this.isEmailMethod(methodName)) {
+        return null;
+      }
+
+      // Check if the method is called on a safe library object
+      if (this.isCalledOnSafeObject(expression)) {
+        return null;
+      }
+
+      // Get arguments passed to the email method
+      const args = callExpr.getArguments();
+      if (args.length === 0) return null;
+
+      // Check if arguments contain unsanitized user input
+      for (const arg of args) {
+        const argText = arg.getText();
+
+        // Skip if argument is sanitized
+        if (this.isSanitized(argText)) {
+          continue;
+        }
+
+        // Check if argument comes from user input
+        if (this.containsUserInput(argText)) {
+          return {
+            line: callExpr.getStartLineNumber(),
+            column: callExpr.getStart() - callExpr.getStartLinePos(),
+            message: `Potential SMTP injection: Email method '${methodName}' receives unsanitized user input. Sanitize input to remove CRLF characters (\\r\\n) before using in email fields.`,
+            severity: "error",
+            ruleId: this.ruleId,
+            method: methodName,
+            suggestion: "Use email service APIs (SendGrid, SES) or sanitize input with replaceCRLF/stripNewlines",
+          };
+        }
+
+        // Check if argument is an object literal with email fields
+        if (arg.getKind() === SyntaxKind.ObjectLiteralExpression) {
+          const objViolation = this.checkEmailConfigObject(arg, filePath);
+          if (objViolation) {
+            return objViolation;
+          }
+        }
+      }
+
+      return null;
+    } catch (error) {
+      return null;
+    }
+  }
+
+  /**
+   * Check email configuration objects
+   */
+  checkEmailConfigObject(objLit, filePath) {
+    try {
+      const properties = objLit.getProperties();
+
+      // Check if this object is used within a safe library context
+      if (this.isWithinSafeLibraryContext(objLit)) {
+        return null;
+      }
+
+      // Check if this object is passed to an email method
+      // If not, it's likely just a data object, not an email config
+      if (!this.isPassedToEmailMethod(objLit)) {
+        return null;
+      }
+
+      for (const prop of properties) {
+        if (prop.getKind() !== SyntaxKind.PropertyAssignment) continue;
+
+        const propName = prop.getName();
+        const initializer = prop.getInitializer();
+
+        if (!initializer || !this.isEmailField(propName)) continue;
+
+        const initText = initializer.getText();
+
+        // Skip if value is sanitized
+        if (this.isSanitized(initText)) continue;
+
+        // Skip if value is a constant string
+        if (this.isConstantString(initText)) continue;
+
+        // Skip if the variable was previously validated
+        if (this.isPreviouslyValidated(initializer, initText)) continue;
+
+        // Check if value contains user input
+        if (this.containsUserInput(initText)) {
+          return {
+            line: prop.getStartLineNumber(),
+            column: prop.getStart() - prop.getStartLinePos(),
+            message: `Potential SMTP injection: Email field '${propName}' contains unsanitized user input. Remove CRLF characters (\\r\\n) to prevent header injection.`,
+            severity: "error",
+            ruleId: this.ruleId,
+            field: propName,
+            suggestion: "Sanitize with: value.replace(/[\\r\\n]/g, '')",
+          };
+        }
+
+        // Check if value contains template literal with expressions
+        if (initializer.getKind() === SyntaxKind.TemplateExpression) {
+          const hasUnsafeExpression = this.hasUnsafeTemplateExpression(initializer);
+          if (hasUnsafeExpression) {
+            return {
+              line: prop.getStartLineNumber(),
+              column: prop.getStart() - prop.getStartLinePos(),
+              message: `Potential SMTP injection: Email field '${propName}' uses template literal with potentially unsafe expressions. Sanitize all dynamic values.`,
+              severity: "error",
+              ruleId: this.ruleId,
+              field: propName,
+              suggestion: "Sanitize each expression before interpolation",
+            };
+          }
+        }
+      }
+
+      return null;
+    } catch (error) {
+      return null;
+    }
+  }
+
+  /**
+   * Check email field assignments
+   */
+  checkEmailFieldAssignment(propAssign, filePath) {
+    try {
+      const name = propAssign.getName();
+      const initializer = propAssign.getInitializer();
+
+      if (!initializer || !this.isEmailField(name)) {
+        return null;
+      }
+
+      // Check if this assignment is within a safe library context
+      if (this.isWithinSafeLibraryContext(propAssign)) {
+        return null;
+      }
+
+      // Check if this assignment is in an object that will be passed to an email method
+      // Find the parent object literal
+      let parentObj = propAssign.getFirstAncestor(n =>
+        n.getKind() === SyntaxKind.ObjectLiteralExpression
+      );
+      if (parentObj && !this.isPassedToEmailMethod(parentObj)) {
+        return null;
+      }
+
+      const initText = initializer.getText();
+
+      // Skip if sanitized
+      if (this.isSanitized(initText)) return null;
+
+      // Skip constant strings
+      if (this.isConstantString(initText)) return null;
+
+      // Skip if the variable was previously validated
+      if (this.isPreviouslyValidated(initializer, initText)) return null;
+
+      // Check for user input
+      if (this.containsUserInput(initText)) {
+        return {
+          line: propAssign.getStartLineNumber(),
+          column: propAssign.getStart() - propAssign.getStartLinePos(),
+          message: `Potential SMTP injection: Assignment to '${name}' contains unsanitized user input. Validate and sanitize to prevent SMTP header injection.`,
+          severity: "error",
+          ruleId: this.ruleId,
+          field: name,
+          suggestion: "Use validation: /^[a-zA-Z0-9@._ -]+$/.test(value)",
+        };
+      }
+
+      return null;
+    } catch (error) {
+      return null;
+    }
+  }
+
+  /**
+   * Check string concatenation with SMTP commands
+   */
+  checkSMTPCommandConcatenation(binExpr, filePath) {
+    try {
+      if (binExpr.getOperatorToken().getText() !== '+') {
+        return null;
+      }
+
+      const leftText = binExpr.getLeft().getText();
+      const rightText = binExpr.getRight().getText();
+      const fullText = `${leftText} ${rightText}`;
+
+      // Check if concatenation involves SMTP commands
+      const hasSMTPCommand = this.smtpCommands.some(cmd =>
+        fullText.includes(cmd)
+      );
+
+      if (!hasSMTPCommand) return null;
+
+      // Check if right side contains user input
+      if (this.containsUserInput(rightText) && !this.isSanitized(rightText)) {
+        return {
+          line: binExpr.getStartLineNumber(),
+          column: binExpr.getStart() - binExpr.getStartLinePos(),
+          message: `Critical SMTP injection risk: Direct SMTP command manipulation with unsanitized user input. This allows arbitrary email injection and command execution.`,
+          severity: "error",
+          ruleId: this.ruleId,
+          suggestion: "Never concatenate user input with SMTP commands. Use email service APIs instead.",
+        };
+      }
+
+      return null;
+    } catch (error) {
+      return null;
+    }
+  }
+
+  /**
+   * Get method name from expression
+   */
+  getMethodName(expression) {
+    try {
+      if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+        return expression.getName();
+      }
+      if (expression.getKind() === SyntaxKind.Identifier) {
+        return expression.getText();
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Check if method is called on a safe object (e.g., safeMailer.send())
+   */
+  isCalledOnSafeObject(expression) {
+    try {
+      if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+        // Get the object part (e.g., "safeMailer" from "safeMailer.send")
+        const objectExpr = expression.getExpression();
+        const objectText = objectExpr.getText();
+        const objectLower = objectText.toLowerCase();
+
+        // Check if object name contains safe patterns
+        return this.safeLibraryPatterns.some(pattern =>
+          objectLower.includes(pattern.toLowerCase())
+        );
+      }
+      return false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Check if method name is an email-related method
+   */
+  isEmailMethod(methodName) {
+    const nameLower = methodName.toLowerCase();
+
+    // Exclude methods that are clearly not email-related
+    const excludePatterns = [
+      'csv', 'excel', 'pdf', 'json', 'xml', // File format methods
+      'message', 'msg', // Generic message methods (could be chat, notifications)
+    ];
+
+    // If method contains excluded patterns, it's likely not email
+    if (excludePatterns.some(pattern => nameLower.includes(pattern))) {
+      return false;
+    }
+
+    return this.emailMethods.some(method =>
+      nameLower.includes(method.toLowerCase())
+    );
+  }
+
+  /**
+   * Check if property name is an email field
+   * Uses exact matching or very specific patterns to avoid false positives
+   */
+  isEmailField(propName) {
+    const nameLower = propName.toLowerCase();
+
+    // Exact match for common email fields
+    const exactMatches = [
+      'to', 'from', 'subject', 'cc', 'bcc', 'replyto', 'reply-to',
+      'sender', 'recipients', 'recipient', 'email', 'emailaddress',
+      'toaddress', 'fromaddress', 'ccaddress', 'bccaddress',
+      'toaddresses', 'ccaddresses', 'bccaddresses',
+    ];
+
+    if (exactMatches.includes(nameLower)) {
+      return true;
+    }
+
+    // Specific patterns that clearly indicate email fields
+    // Only match if it's a clear email-related property
+    const emailPatterns = [
+      /^to$/i,           // Exact "to"
+      /^from$/i,         // Exact "from"
+      /^subject$/i,      // Exact "subject"
+      /^cc$/i,           // Exact "cc"
+      /^bcc$/i,          // Exact "bcc"
+      /^reply[-_]?to$/i, // replyTo, reply-to, reply_to
+      /^email$/i,        // Exact "email"
+      /^.*email.*address$/i,  // Contains "email" and ends with "address"
+      /^to[-_]address(es)?$/i,  // to_address, toAddress, toAddresses
+      /^from[-_]address$/i,     // from_address, fromAddress
+      /^cc[-_]address(es)?$/i,  // cc_address, ccAddress
+      /^bcc[-_]address(es)?$/i, // bcc_address, bccAddress
+    ];
+
+    return emailPatterns.some(pattern => pattern.test(propName));
+  }
+
+  /**
+   * Check if text contains user input sources
+   */
+  containsUserInput(text) {
+    return this.userInputSources.some(source => text.includes(source));
+  }
+
+  /**
+   * Check if text is sanitized
+   */
+  isSanitized(text) {
+    // Check for sanitization function calls
+    const hasSanitization = this.sanitizationFunctions.some(func =>
+      text.includes(func)
+    );
+
+    // Check for CRLF removal patterns
+    const hasCRLFRemoval = /replace\([^)]*[\\r\\n][^)]*\)/i.test(text) ||
+                          /replace\([^)]*[\r\n][^)]*\)/i.test(text);
+
+    // Check for validation patterns
+    const hasValidation = /test\(/.test(text) || /match\(/.test(text);
+
+    return hasSanitization || hasCRLFRemoval || hasValidation;
+  }
+
+  /**
+   * Check if text is a constant string (not dynamic)
+   */
+  isConstantString(text) {
+    // Check if it's a simple string literal
+    if (/^['"`][^${}]*['"`]$/.test(text)) return true;
+
+    // Check if it's an environment variable or config
+    if (text.includes('process.env') || text.includes('config.')) return true;
+
+    return false;
+  }
+
+  /**
+   * Check if template expression has unsafe parts
+   */
+  hasUnsafeTemplateExpression(templateExpr) {
+    try {
+      const templateSpans = templateExpr.getTemplateSpans();
+
+      for (const span of templateSpans) {
+        const expression = span.getExpression();
+        const exprText = expression.getText();
+
+        // Skip if expression is sanitized
+        if (this.isSanitized(exprText)) continue;
+
+        // Check if expression contains user input
+        if (this.containsUserInput(exprText)) return true;
+      }
+
+      return false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Check if node is within a safe library context (method call or variable)
+   */
+  isWithinSafeLibraryContext(node) {
+    try {
+      let parent = node.getParent();
+      let depth = 0;
+      const maxDepth = 5;
+
+      while (parent && depth < maxDepth) {
+        const parentText = parent.getText();
+        const parentLower = parentText.toLowerCase();
+
+        // Check if parent is a call expression with a safe library pattern
+        if (parent.getKind() === SyntaxKind.CallExpression) {
+          const callExpr = parent;
+          const expression = callExpr.getExpression();
+          const exprText = expression.getText();
+          const exprLower = exprText.toLowerCase();
+
+          // Check if method/function name contains safe patterns
+          if (this.safeLibraryPatterns.some(pattern => exprLower.includes(pattern))) {
+            return true;
+          }
+        }
+
+        // Check if parent variable declaration has safe pattern in name
+        if (parent.getKind() === SyntaxKind.VariableDeclaration) {
+          const varDecl = parent;
+          const varName = varDecl.getName();
+          const varNameLower = varName.toLowerCase();
+
+          if (this.safeLibraryPatterns.some(pattern => varNameLower.includes(pattern))) {
+            return true;
+          }
+        }
+
+        parent = parent.getParent();
+        depth++;
+      }
+
+      return false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Check if object literal is passed to an email method
+   * This helps reduce false positives for data objects that happen to have 'email' fields
+   */
+  isPassedToEmailMethod(objLit) {
+    try {
+      let parent = objLit.getParent();
+      let depth = 0;
+      const maxDepth = 3;
+
+      while (parent && depth < maxDepth) {
+        // Check if parent is a call expression
+        if (parent.getKind() === SyntaxKind.CallExpression) {
+          const callExpr = parent;
+          const expression = callExpr.getExpression();
+          const methodName = this.getMethodName(expression);
+
+          // Check if it's an email method
+          if (methodName && this.isEmailMethod(methodName)) {
+            return true;
+          }
+        }
+
+        parent = parent.getParent();
+        depth++;
+      }
+
+      return false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Check if a variable was validated before usage
+   * This helps reduce false positives for validated inputs
+   */
+  isPreviouslyValidated(node, valueText) {
+    try {
+      // Get the full path and just the variable name
+      const fullPath = valueText.trim();
+      const variableName = this.extractVariableName(valueText);
+      if (!variableName) return false;
+
+      // Get the containing function or block
+      let functionScope = node.getFirstAncestor(n =>
+        n.getKind() === SyntaxKind.FunctionDeclaration ||
+        n.getKind() === SyntaxKind.FunctionExpression ||
+        n.getKind() === SyntaxKind.ArrowFunction ||
+        n.getKind() === SyntaxKind.MethodDeclaration
+      );
+
+      if (!functionScope) return false;
+
+      // Get the current line number
+      const currentLine = node.getStartLineNumber();
+
+      // Look for validation patterns before the current line
+      const functionText = functionScope.getText();
+      const functionStart = functionScope.getStartLineNumber();
+
+      // Split function text into lines
+      const lines = functionText.split('\n');
+      const relevantLines = lines.slice(0, currentLine - functionStart);
+
+      // Check for validation patterns in preceding lines
+      for (const line of relevantLines) {
+        // Check if the full path or variable name is mentioned
+        const hasFullPath = line.includes(fullPath);
+        const hasVariableName = line.includes(variableName);
+
+        if (!hasFullPath && !hasVariableName) continue;
+
+        // Pattern 1: if (!regex.test(variable))
+        if (/test\s*\(/.test(line) && /if\s*\(/.test(line)) {
+          return true;
+        }
+
+        // Pattern 2: if (regex.test(variable))
+        if (/test\s*\(/.test(line)) {
+          return true;
+        }
+
+        // Pattern 3: const validated = validate(variable)
+        if (this.sanitizationFunctions.some(func => line.includes(func))) {
+          return true;
+        }
+
+        // Pattern 4: if (!validator.isEmail(variable))
+        if (/isEmail|isValid/.test(line)) {
+          return true;
+        }
+
+        // Pattern 5: throw/return in conditional after check
+        if (/throw|return/.test(line) && /if\s*\(/.test(line)) {
+          return true;
+        }
+      }
+
+      return false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Extract variable name from text (e.g., "req.query.recipient" -> "recipient")
+   */
+  extractVariableName(text) {
+    try {
+      // Remove whitespace
+      text = text.trim();
+
+      // Pattern: req.query.recipient, request.body.email, etc.
+      const dotAccessMatch = text.match(/\.([\w]+)$/);
+      if (dotAccessMatch) {
+        return dotAccessMatch[1];
+      }
+
+      // Pattern: req.query['recipient'], request.body["email"]
+      const bracketMatch = text.match(/\[['"](\w+)['"]\]$/);
+      if (bracketMatch) {
+        return bracketMatch[1];
+      }
+
+      // Pattern: userData.email
+      const simpleMatch = text.match(/^(\w+)\.(\w+)$/);
+      if (simpleMatch) {
+        return simpleMatch[2];
+      }
+
+      // Simple variable name
+      if (/^\w+$/.test(text)) {
+        return text;
+      }
+
+      return null;
+    } catch {
+      return null;
+    }
+  }
+}
+
+module.exports = S019SymbolBasedAnalyzer;