@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S020_no_eval_dynamic_code/analyzer.js

@@ -6,7 +6,6 @@
  */
 
 const S020SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
-const S020RegexBasedAnalyzer = require("./regex-based-analyzer.js");
 
 class S020Analyzer {
   constructor(options = {}) {
@@ -26,14 +25,6 @@ class S020Analyzer {
     this.semanticEngine = options.semanticEngine || null;
     this.verbose = options.verbose || false;
 
-    this.config = {
-      useSymbolBased: true,
-      fallbackToRegex: true,
-      regexBasedOnly: false,
-      prioritizeSymbolic: true, // Prefer symbol-based when available
-      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
-    };
-
     try {
       this.symbolAnalyzer = new S020SymbolBasedAnalyzer(this.semanticEngine);
       if (process.env.SUNLINT_DEBUG)
@@ -41,14 +32,6 @@ class S020Analyzer {
     } catch (error) {
       console.error(`🔧 [S020] Error creating symbol analyzer:`, error);
     }
-
-    try {
-      this.regexAnalyzer = new S020RegexBasedAnalyzer(this.semanticEngine);
-      if (process.env.SUNLINT_DEBUG)
-        console.log(`🔧 [S020] Regex analyzer created successfully`);
-    } catch (error) {
-      console.error(`🔧 [S020] Error creating regex analyzer:`, error);
-    }
   }
 
   async initialize(semanticEngine) {
@@ -58,9 +41,6 @@ class S020Analyzer {
 
     if (this.symbolAnalyzer)
       await this.symbolAnalyzer.initialize?.(semanticEngine);
-    if (this.regexAnalyzer)
-      await this.regexAnalyzer.initialize?.(semanticEngine);
-    if (this.regexAnalyzer) this.regexAnalyzer.cleanup?.();
 
     if (process.env.SUNLINT_DEBUG)
       console.log(`🔧 [S020] Main analyzer initialized successfully`);
@@ -108,138 +88,84 @@ class S020Analyzer {
       console.log(`🔍 [S020] analyzeFile() called for: ${filePath}`);
     const violationMap = new Map();
 
-    // Try symbol-based analysis first when semantic engine is available OR when explicitly enabled
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(
-        `🔧 [S020] Symbol check: useSymbolBased=${
-          this.config.useSymbolBased
-        }, semanticEngine=${!!this.semanticEngine}, project=${!!this
-          .semanticEngine?.project}, initialized=${!!this.semanticEngine
-          ?.initialized}`
-      );
-    }
+    try {
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S020] Running symbol-based analysis...`);
 
-    const canUseSymbol =
-      this.config.useSymbolBased &&
-      ((this.semanticEngine?.project && this.semanticEngine?.initialized) ||
-        (!this.semanticEngine && this.config.fallbackToSymbol !== false));
+      let sourceFile = null;
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S020] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
+          );
+        }
+      }
 
-    if (canUseSymbol) {
-      try {
+      if (!sourceFile) {
+        // Create a minimal ts-morph project for this analysis
         if (process.env.SUNLINT_DEBUG)
-          console.log(`🔧 [S020] Trying symbol-based analysis...`);
-
-        let sourceFile = null;
-        if (this.semanticEngine?.project) {
-          sourceFile = this.semanticEngine.project.getSourceFile(filePath);
-          if (process.env.SUNLINT_DEBUG) {
-            console.log(
-              `🔧 [S020] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
-            );
+          console.log(
+            `🔧 [S020] Creating temporary ts-morph project for: ${filePath}`
+          );
+        try {
+          const fs = require("fs");
+          const path = require("path");
+          const { Project } = require("ts-morph");
+
+          // Check if file exists and read content
+          if (!fs.existsSync(filePath)) {
+            throw new Error(`File not found: ${filePath}`);
           }
-        }
 
-        if (!sourceFile) {
-          // Create a minimal ts-morph project for this analysis
-          if (process.env.SUNLINT_DEBUG)
-            console.log(
-              `🔧 [S020] Creating temporary ts-morph project for: ${filePath}`
-            );
-          try {
-            const fs = require("fs");
-            const path = require("path");
-            const { Project } = require("ts-morph");
-
-            // Check if file exists and read content
-            if (!fs.existsSync(filePath)) {
-              throw new Error(`File not found: ${filePath}`);
-            }
-
-            const fileContent = fs.readFileSync(filePath, "utf8");
-            const fileName = path.basename(filePath);
-
-            const tempProject = new Project({
-              useInMemoryFileSystem: true,
-              compilerOptions: {
-                allowJs: true,
-                allowSyntheticDefaultImports: true,
-              },
-            });
-
-            // Add file content to in-memory project
-            sourceFile = tempProject.createSourceFile(fileName, fileContent);
-            if (process.env.SUNLINT_DEBUG)
-              console.log(
-                `🔧 [S020] Temporary project created successfully with file: ${fileName}`
-              );
-          } catch (projectError) {
-            if (process.env.SUNLINT_DEBUG)
-              console.log(
-                `🔧 [S020] Failed to create temporary project:`,
-                projectError.message
-              );
-            throw projectError;
-          }
-        }
+          const fileContent = fs.readFileSync(filePath, "utf8");
+          const fileName = path.basename(filePath);
 
-        if (sourceFile) {
-          const symbolViolations = await this.symbolAnalyzer.analyze(
-            sourceFile,
-            filePath
-          );
-          symbolViolations.forEach((v) => {
-            const key = `${v.line}:${v.column}:${v.message}`;
-            if (!violationMap.has(key)) violationMap.set(key, v);
+          const tempProject = new Project({
+            useInMemoryFileSystem: true,
+            compilerOptions: {
+              allowJs: true,
+              allowSyntheticDefaultImports: true,
+            },
           });
+
+          // Add file content to in-memory project
+          sourceFile = tempProject.createSourceFile(fileName, fileContent);
           if (process.env.SUNLINT_DEBUG)
             console.log(
-              `🔧 [S020] Symbol analysis completed: ${symbolViolations.length} violations`
-            );
-
-          // If symbol-based found violations AND prioritizeSymbolic is true, skip regex
-          // But still run regex if symbol-based didn't find any violations
-          if (this.config.prioritizeSymbolic && symbolViolations.length > 0) {
-            const finalViolations = Array.from(violationMap.values()).map(
-              (v) => ({
-                ...v,
-                filePath,
-                file: filePath,
-              })
+              `🔧 [S020] Temporary project created successfully with file: ${fileName}`
             );
-            if (process.env.SUNLINT_DEBUG)
-              console.log(
-                `🔧 [S020] Symbol-based analysis prioritized: ${finalViolations.length} violations`
-              );
-            return finalViolations;
-          }
-        } else {
+        } catch (projectError) {
           if (process.env.SUNLINT_DEBUG)
             console.log(
-              `🔧 [S020] No source file found, skipping symbol analysis`
+              `🔧 [S020] Failed to create temporary project:`,
+              projectError.message
             );
+          throw projectError;
         }
-      } catch (error) {
-        console.warn(`⚠ [S020] Symbol analysis failed:`, error.message);
       }
-    }
 
-    // Fallback to regex-based analysis
-    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
-      try {
-        if (process.env.SUNLINT_DEBUG)
-          console.log(`🔧 [S020] Trying regex-based analysis...`);
-        const regexViolations = await this.regexAnalyzer.analyze(filePath);
-        regexViolations.forEach((v) => {
+      if (sourceFile) {
+        const symbolViolations = await this.symbolAnalyzer.analyze(
+          sourceFile,
+          filePath
+        );
+        symbolViolations.forEach((v) => {
           const key = `${v.line}:${v.column}:${v.message}`;
           if (!violationMap.has(key)) violationMap.set(key, v);
         });
         if (process.env.SUNLINT_DEBUG)
           console.log(
-            `🔧 [S020] Regex analysis completed: ${regexViolations.length} violations`
+            `🔧 [S020] Symbol analysis completed: ${symbolViolations.length} violations`
+          );
+      } else {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S020] No source file found, skipping symbol analysis`
           );
-      } catch (error) {
-        console.warn(`⚠ [S020] Regex analysis failed:`, error.message);
       }
+    } catch (error) {
+      console.warn(`⚠ [S020] Symbol analysis failed:`, error.message);
     }
 
     const finalViolations = Array.from(violationMap.values()).map((v) => ({
@@ -256,7 +182,6 @@ class S020Analyzer {
 
   cleanup() {
     if (this.symbolAnalyzer?.cleanup) this.symbolAnalyzer.cleanup();
-    if (this.regexAnalyzer?.cleanup) this.regexAnalyzer.cleanup();
   }
 }
 

package/rules/security/S020_no_eval_dynamic_code/symbol-based-analyzer.js

@@ -182,7 +182,8 @@ class S020SymbolBasedAnalyzer {
           if (args.length > 0) {
             const firstArg = args[0];
 
-            // Check if first argument is a string literal
+            // ONLY flag if first argument is a string literal
+            // This is the only truly dangerous case for setTimeout/setInterval
             if (firstArg.getKind() === SyntaxKind.StringLiteral) {
               const startLine = call.getStartLineNumber();
               violations.push({
@@ -193,24 +194,8 @@ class S020SymbolBasedAnalyzer {
                 column: 1,
               });
             }
-            // Check if first argument contains dynamic code indicators
-            else {
-              const argText = firstArg.getText().toLowerCase();
-              const hasDynamicIndicator = this.dynamicCodeIndicators.some(
-                (indicator) => argText.includes(indicator)
-              );
-
-              if (hasDynamicIndicator) {
-                const startLine = call.getStartLineNumber();
-                violations.push({
-                  ruleId: this.ruleId,
-                  message: `Function '${functionName}()' may be executing dynamic code based on variable naming`,
-                  severity: "warning",
-                  line: startLine,
-                  column: 1,
-                });
-              }
-            }
+            // NOTE: Removed variable name checking as it causes too many false positives
+            // Functions like setTimeout with arrow functions or function references are safe
           }
         }
       }

package/rules/security/S022_escape_output_context/README.md

@@ -0,0 +1,254 @@
+# S022 - Escape Data Properly Based on Output Context
+
+## Overview
+
+**Rule ID:** S022
+**Category:** Security
+**Severity:** Error
+**OWASP:** A03:2021 – Injection (XSS)
+**CWE:** CWE-79 - Improper Neutralization of Input During Web Page Generation
+
+## Description
+
+This rule ensures that all data output to different contexts (HTML, JavaScript, URL, CSS, attributes) is properly escaped or sanitized to prevent Cross-Site Scripting (XSS) attacks. Different output contexts require different escaping mechanisms.
+
+XSS vulnerabilities occur when untrusted data is included in a web page without proper validation or escaping, allowing attackers to inject malicious scripts that execute in victims' browsers.
+
+## Why This Matters
+
+### Security Impact
+
+- **Data Theft**: Attackers can steal sensitive information (cookies, session tokens, credentials)
+- **Account Hijacking**: Session tokens can be stolen for account takeover
+- **Malware Distribution**: Inject scripts that download malware
+- **Defacement**: Modify page content to damage reputation
+- **Phishing**: Redirect users to malicious sites
+
+### Context-Specific Escaping
+
+Different contexts require different escaping methods:
+
+1. **HTML Context**: `<div>{data}</div>` → Escape `<`, `>`, `&`, `"`, `'`
+2. **JavaScript Context**: `<script>var x = '{data}'</script>` → JSON encoding
+3. **URL Context**: `<a href="{data}">` → URL encoding + validation
+4. **CSS Context**: `<style>{data}</style>` → CSS escaping
+5. **Attribute Context**: `<div title="{data}">` → Attribute escaping
+
+## What It Detects
+
+### 1. HTML Context Violations
+
+```javascript
+// ❌ BAD: Unsafe innerHTML with user input
+element.innerHTML = req.query.name;
+element.outerHTML = userInput;
+document.write(req.body.content);
+
+// ❌ BAD: React dangerouslySetInnerHTML without sanitization
+<div dangerouslySetInnerHTML={{__html: userInput}} />
+
+// ❌ BAD: Vue v-html without sanitization
+<div v-html="userInput"></div>
+
+// ✅ GOOD: Use textContent for plain text
+element.textContent = req.query.name;
+
+// ✅ GOOD: Sanitize HTML with DOMPurify
+element.innerHTML = DOMPurify.sanitize(userInput);
+
+// ✅ GOOD: React with sanitization
+<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(userInput)}} />
+
+// ✅ GOOD: Vue with v-text
+<div v-text="userInput"></div>
+```
+
+### 2. JavaScript Context Violations
+
+```javascript
+// ❌ BAD: eval with user input
+eval(req.query.code);
+new Function(userInput)();
+setTimeout(req.body.script, 1000);
+
+// ❌ BAD: Even dynamic eval is dangerous
+const code = getCodeFromSomewhere();
+eval(code);
+
+// ✅ GOOD: Never use eval - use JSON.parse for data
+const data = JSON.parse(jsonString);
+
+// ✅ GOOD: Use safe alternatives
+const func = functionMap[safeKey];
+func();
+```
+
+### 3. URL Context Violations
+
+```javascript
+// ❌ BAD: Unvalidated URL redirect (Open Redirect)
+window.location = req.query.redirect;
+location.href = userInput;
+window.open(req.query.url);
+
+// ✅ GOOD: Validate URLs against whitelist
+const allowedHosts = ['example.com', 'trusted.com'];
+const url = new URL(req.query.redirect);
+if (allowedHosts.includes(url.hostname)) {
+  window.location = url.href;
+}
+
+// ✅ GOOD: Use relative URLs only
+if (redirectUrl.startsWith('/')) {
+  window.location = redirectUrl;
+}
+```
+
+### 4. Event Handler Violations
+
+```javascript
+// ❌ BAD: Dynamic event handler with user input
+element.setAttribute('onclick', userInput);
+element.setAttribute('onerror', req.query.handler);
+
+// ✅ GOOD: Use addEventListener
+element.addEventListener('click', function() {
+  // Safe handler logic
+});
+
+// ✅ GOOD: Use data attributes
+element.dataset.action = userInput;
+```
+
+## Framework-Specific Guidance
+
+### React
+
+```javascript
+// ❌ Avoid dangerouslySetInnerHTML
+<div dangerouslySetInnerHTML={{__html: userInput}} />
+
+// ✅ Use children or textContent
+<div>{userInput}</div>
+
+// ✅ If HTML is needed, sanitize it
+import DOMPurify from 'dompurify';
+<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(html)}} />
+```
+
+### Vue
+
+```javascript
+// ❌ Avoid v-html with user input
+<div v-html="userInput"></div>
+
+// ✅ Use interpolation or v-text
+<div>{{ userInput }}</div>
+<div v-text="userInput"></div>
+
+// ✅ If HTML is needed, sanitize it
+<div v-html="$sanitize(html)"></div>
+```
+
+### Angular
+
+```javascript
+// ❌ Avoid [innerHTML] with user input
+<div [innerHTML]="userInput"></div>
+
+// ✅ Use interpolation
+<div>{{ userInput }}</div>
+
+// ✅ Use DomSanitizer if HTML is needed
+import { DomSanitizer } from '@angular/platform-browser';
+this.safeHtml = this.sanitizer.sanitize(SecurityContext.HTML, html);
+```
+
+## Recommended Sanitization Libraries
+
+1. **DOMPurify** (Browser & Node.js)
+   ```javascript
+   import DOMPurify from 'dompurify';
+   const clean = DOMPurify.sanitize(dirty);
+   ```
+
+2. **xss** (Node.js)
+   ```javascript
+   const xss = require('xss');
+   const clean = xss(dirty);
+   ```
+
+3. **validator.js** (Node.js)
+   ```javascript
+   const validator = require('validator');
+   const escaped = validator.escape(input);
+   ```
+
+## Safe Alternatives
+
+| Unsafe Method | Safe Alternative |
+|--------------|------------------|
+| `innerHTML` | `textContent` or `innerText` |
+| `outerHTML` | `textContent` |
+| `document.write()` | DOM manipulation methods |
+| `eval()` | `JSON.parse()` |
+| `setTimeout(string)` | `setTimeout(function)` |
+| `dangerouslySetInnerHTML` | React children or DOMPurify |
+| `v-html` | `v-text` or sanitization |
+
+## How to Fix
+
+1. **Identify the Context**: Determine where the data will be output (HTML, JS, URL, etc.)
+2. **Choose Appropriate Method**:
+   - HTML: Use `textContent` or sanitize with DOMPurify
+   - JavaScript: Avoid dynamic code execution
+   - URL: Validate and whitelist
+3. **Apply Escaping/Sanitization**: Use context-appropriate escaping
+4. **Test**: Verify XSS payloads don't execute
+
+## Testing
+
+Create test files with common XSS payloads:
+
+```javascript
+const testPayloads = [
+  '<script>alert("XSS")</script>',
+  '<img src=x onerror=alert("XSS")>',
+  'javascript:alert("XSS")',
+  '<svg onload=alert("XSS")>',
+  '"><script>alert("XSS")</script>',
+];
+
+// Test that these are properly escaped/sanitized
+testPayloads.forEach(payload => {
+  const result = sanitize(payload);
+  assert(!result.includes('<script'));
+});
+```
+
+## References
+
+- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
+- [OWASP DOM XSS Prevention](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html)
+- [DOMPurify Documentation](https://github.com/cure53/DOMPurify)
+- [CWE-79: Improper Neutralization of Input](https://cwe.mitre.org/data/definitions/79.html)
+
+## Configuration
+
+This rule can be configured in `.sunlint.json`:
+
+```json
+{
+  "rules": {
+    "S022": {
+      "enabled": true,
+      "severity": "error",
+      "contexts": {
+        "html": { "severity": "error" },
+        "javascript": { "severity": "error" },
+        "url": { "severity": "warning" }
+      }
+    }
+  }
+}
+```