@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S022_escape_output_context/analyzer.js

@@ -0,0 +1,510 @@
+/**
+ * Heuristic analyzer for: S022 – Escape data properly based on output context
+ * Purpose: Prevent XSS attacks by ensuring proper escaping/sanitization based on output context
+ * Detects: unsafe innerHTML, eval, location assignments, dangerous attributes, etc.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+class S022Analyzer {
+  constructor() {
+    this.ruleId = 'S022';
+    this.ruleName = 'Escape data properly based on output context';
+    this.description = 'Ensure data is properly escaped based on output context to prevent XSS';
+
+    // HTML context - dangerous methods
+    this.htmlDangerousMethods = [
+      'innerHTML',
+      'outerHTML',
+      'insertAdjacentHTML',
+      'document.write',
+      'document.writeln'
+    ];
+
+    // JavaScript context - dangerous methods
+    this.jsDangerousMethods = [
+      'eval',
+      'Function',
+      'setTimeout',
+      'setInterval',
+      'execScript'
+    ];
+
+    // URL context - dangerous assignments
+    this.urlDangerousMethods = [
+      'location.href',
+      'window.location',
+      'location.assign',
+      'location.replace',
+      'window.open'
+    ];
+
+    // Framework-specific patterns
+    this.frameworkPatterns = {
+      react: /dangerouslySetInnerHTML\s*=\s*\{\{?\s*__html\s*:\s*([^}]+)\}\}?/g,
+      vue: /v-html\s*=\s*["']([^"']+)["']/g,
+      angular: /\[innerHTML\]\s*=\s*["']([^"']+)["']/g
+    };
+
+    // User input patterns
+    this.userInputPatterns = [
+      /req\.(body|query|params)/,
+      /request\.(body|query|params)/,
+      /localStorage\.getItem/,
+      /sessionStorage\.getItem/,
+      /window\.location/,
+      /location\.(search|hash|href)/,
+      /URLSearchParams/,
+      /document\.cookie/,
+      /window\.name/
+    ];
+
+    // Safe escaping/sanitization functions
+    this.safeEscapingFunctions = [
+      'escape',
+      'escapeHtml',
+      'sanitize',
+      'DOMPurify.sanitize',
+      'textContent',
+      'innerText',
+      'setAttribute',
+      'encodeURIComponent',
+      'encodeURI',
+      'validator.escape',
+      'xss.filterXSS',
+      'xss-filters'
+    ];
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`🔍 Running S022 analysis on ${path.basename(filePath)}`);
+      }
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = await this.analyzeFile(filePath, content, language, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  async analyzeFile(filePath, content, language, options = {}) {
+    switch (language) {
+      case 'typescript':
+      case 'javascript':
+        return this.analyzeJavaScript(filePath, content, options);
+      default:
+        return [];
+    }
+  }
+
+  async analyzeJavaScript(filePath, content, options = {}) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    // 1. Check HTML context violations
+    violations.push(...this.checkHtmlContext(content, lines, filePath));
+
+    // 2. Check JavaScript context violations
+    violations.push(...this.checkJavaScriptContext(content, lines, filePath));
+
+    // 3. Check URL context violations
+    violations.push(...this.checkUrlContext(content, lines, filePath));
+
+    // 4. Check framework-specific violations
+    violations.push(...this.checkFrameworkPatterns(content, lines, filePath));
+
+    // 5. Check dangerous event handlers
+    violations.push(...this.checkDangerousEventHandlers(content, lines, filePath));
+
+    return violations;
+  }
+
+  checkHtmlContext(content, lines, filePath) {
+    const violations = [];
+
+    for (const method of this.htmlDangerousMethods) {
+      // Pattern: element.innerHTML = userInput
+      const pattern = new RegExp(`\\.${method}\\s*=\\s*([^;]+)`, 'gi');
+      let match;
+
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNumber = content.substring(0, match.index).split('\n').length;
+        const lineText = lines[lineNumber - 1] || '';
+        const assignment = match[1].trim();
+
+        // Check if value comes from user input
+        if (this.isUserInput(assignment)) {
+          // Check if there's sanitization
+          if (!this.hasSanitization(assignment)) {
+            violations.push({
+              ruleId: this.ruleId,
+              file: filePath,
+              line: lineNumber,
+              column: match.index - content.lastIndexOf('\n', match.index),
+              message: `Unsafe use of '${method}' with unsanitized user input. Use textContent or sanitize with DOMPurify.`,
+              severity: 'error',
+              code: lineText.trim(),
+              type: 'html_context_unsafe',
+              context: 'html',
+              confidence: 0.9,
+              suggestion: `Use 'textContent' instead of '${method}' or sanitize with DOMPurify.sanitize()`
+            });
+          }
+        }
+        // Even if not direct user input, innerHTML is risky
+        else if (!this.hasSanitization(assignment) && !this.isLiteralString(assignment)) {
+          violations.push({
+            ruleId: this.ruleId,
+            file: filePath,
+            line: lineNumber,
+            column: match.index - content.lastIndexOf('\n', match.index),
+            message: `Potentially unsafe use of '${method}'. Consider using textContent or sanitizing the input.`,
+            severity: 'warning',
+            code: lineText.trim(),
+            type: 'html_context_potential',
+            context: 'html',
+            confidence: 0.6,
+            suggestion: `Verify the source of data and use appropriate escaping/sanitization`
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  checkJavaScriptContext(content, lines, filePath) {
+    const violations = [];
+
+    // Check eval() - always dangerous
+    const evalPattern = /\beval\s*\(\s*([^)]+)\)/gi;
+    let match;
+
+    while ((match = evalPattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[lineNumber - 1] || '';
+      const argument = match[1].trim();
+
+      // Skip if it's clearly safe (literal string)
+      if (!this.isLiteralString(argument)) {
+        const isUserInput = this.isUserInput(argument);
+
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: `Dangerous use of 'eval' with ${isUserInput ? 'user input' : 'dynamic code'}. Avoid using eval entirely.`,
+          severity: isUserInput ? 'error' : 'warning',
+          code: lineText.trim(),
+          type: 'javascript_context_unsafe',
+          context: 'javascript',
+          confidence: isUserInput ? 0.95 : 0.7,
+          suggestion: `Never use 'eval' with user input. Use safer alternatives like JSON.parse()`
+        });
+      }
+    }
+
+    // Check new Function() constructor - dangerous
+    const functionConstructorPattern = /new\s+Function\s*\(\s*([^)]+)\)/gi;
+
+    while ((match = functionConstructorPattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[lineNumber - 1] || '';
+      const argument = match[1].trim();
+
+      const isUserInput = this.isUserInput(argument);
+
+      violations.push({
+        ruleId: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: match.index - content.lastIndexOf('\n', match.index),
+        message: `Dangerous use of 'Function' constructor with ${isUserInput ? 'user input' : 'dynamic code'}. Avoid using Function constructor.`,
+        severity: isUserInput ? 'error' : 'warning',
+        code: lineText.trim(),
+        type: 'javascript_context_unsafe',
+        context: 'javascript',
+        confidence: isUserInput ? 0.95 : 0.7,
+        suggestion: `Never use 'new Function()' with user input. Use safer alternatives.`
+      });
+    }
+
+    // Check setTimeout/setInterval with STRING arguments (not function callbacks)
+    // Only flag if the first argument is a string, not a function
+    const timerPatterns = [
+      { method: 'setTimeout', pattern: /\bsetTimeout\s*\(\s*['"`]([^'"`]+)['"`]/gi },
+      { method: 'setInterval', pattern: /\bsetInterval\s*\(\s*['"`]([^'"`]+)['"`]/gi }
+    ];
+
+    for (const { method, pattern } of timerPatterns) {
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNumber = content.substring(0, match.index).split('\n').length;
+        const lineText = lines[lineNumber - 1] || '';
+        const codeString = match[1].trim();
+
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: `Dangerous use of '${method}' with string code. Use function callback instead.`,
+          severity: 'error',
+          code: lineText.trim(),
+          type: 'javascript_context_unsafe',
+          context: 'javascript',
+          confidence: 0.95,
+          suggestion: `Use ${method}(() => { /* code */ }, delay) instead of ${method}("code", delay)`
+        });
+      }
+    }
+
+    return violations;
+  }
+
+  checkUrlContext(content, lines, filePath) {
+    const violations = [];
+
+    // Patterns for URL assignments
+    const urlPatterns = [
+      /location\.href\s*=\s*([^;]+)/gi,
+      /window\.location\s*=\s*([^;]+)/gi,
+      /location\.assign\s*\(\s*([^)]+)\)/gi,
+      /location\.replace\s*\(\s*([^)]+)\)/gi,
+      /window\.open\s*\(\s*([^,)]+)/gi
+    ];
+
+    for (const pattern of urlPatterns) {
+      let match;
+
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNumber = content.substring(0, match.index).split('\n').length;
+        const lineText = lines[lineNumber - 1] || '';
+        const urlValue = match[1].trim();
+
+        // Skip if it's a literal string or constant
+        if (this.isLiteralString(urlValue) || this.isConstantOrPropertyAccess(urlValue)) {
+          continue;
+        }
+
+        // Check if URL comes from user input
+        if (this.isUserInput(urlValue)) {
+          // Check if there's validation
+          if (!this.hasUrlValidation(content, match.index)) {
+            violations.push({
+              ruleId: this.ruleId,
+              file: filePath,
+              line: lineNumber,
+              column: match.index - content.lastIndexOf('\n', match.index),
+              message: `Unsafe URL assignment with user input. Validate and whitelist URLs to prevent open redirect vulnerabilities.`,
+              severity: 'error',
+              code: lineText.trim(),
+              type: 'url_context_unsafe',
+              context: 'url',
+              confidence: 0.85,
+              suggestion: 'Validate URLs against a whitelist of allowed hosts/domains'
+            });
+          }
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  checkFrameworkPatterns(content, lines, filePath) {
+    const violations = [];
+
+    // React: dangerouslySetInnerHTML
+    const reactPattern = this.frameworkPatterns.react;
+    let match;
+
+    while ((match = reactPattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[lineNumber - 1] || '';
+      const htmlValue = match[1].trim();
+
+      // Check if sanitized
+      if (!this.hasSanitization(htmlValue)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: `React 'dangerouslySetInnerHTML' without sanitization. Use DOMPurify.sanitize() or avoid using this prop.`,
+          severity: 'error',
+          code: lineText.trim(),
+          type: 'react_unsafe_html',
+          context: 'html',
+          framework: 'react',
+          confidence: 0.9,
+          suggestion: 'Sanitize HTML with DOMPurify: dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(html)}}'
+        });
+      }
+    }
+
+    // Vue: v-html
+    const vuePattern = this.frameworkPatterns.vue;
+    while ((match = vuePattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[lineNumber - 1] || '';
+
+      violations.push({
+        ruleId: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: match.index - content.lastIndexOf('\n', match.index),
+        message: `Vue 'v-html' directive can lead to XSS. Use 'v-text' or sanitize with DOMPurify.`,
+        severity: 'warning',
+        code: lineText.trim(),
+        type: 'vue_unsafe_html',
+        context: 'html',
+        framework: 'vue',
+        confidence: 0.8,
+        suggestion: 'Use v-text for plain text or sanitize HTML before using v-html'
+      });
+    }
+
+    // Angular: [innerHTML]
+    const angularPattern = this.frameworkPatterns.angular;
+    while ((match = angularPattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[lineNumber - 1] || '';
+
+      violations.push({
+        ruleId: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: match.index - content.lastIndexOf('\n', match.index),
+        message: `Angular '[innerHTML]' binding can lead to XSS. Use Angular's DomSanitizer or avoid innerHTML binding.`,
+        severity: 'warning',
+        code: lineText.trim(),
+        type: 'angular_unsafe_html',
+        context: 'html',
+        framework: 'angular',
+        confidence: 0.8,
+        suggestion: 'Use DomSanitizer.sanitize() or bind to textContent instead'
+      });
+    }
+
+    return violations;
+  }
+
+  checkDangerousEventHandlers(content, lines, filePath) {
+    const violations = [];
+
+    // Pattern: element.setAttribute('onclick', ...)
+    const eventHandlerPattern = /\.setAttribute\s*\(\s*['"]on\w+['"]\s*,\s*([^)]+)\)/gi;
+    let match;
+
+    while ((match = eventHandlerPattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[lineNumber - 1] || '';
+      const handlerValue = match[1].trim();
+
+      // Check if handler contains user input
+      if (this.isUserInput(handlerValue) || !this.isLiteralString(handlerValue)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: `Dangerous dynamic event handler assignment. Avoid setting event handlers with user input.`,
+          severity: 'error',
+          code: lineText.trim(),
+          type: 'event_handler_unsafe',
+          context: 'attribute',
+          confidence: 0.85,
+          suggestion: 'Use addEventListener with proper event handling instead of setAttribute for events'
+        });
+      }
+    }
+
+    return violations;
+  }
+
+  isUserInput(code) {
+    return this.userInputPatterns.some(pattern => pattern.test(code));
+  }
+
+  hasSanitization(code) {
+    return this.safeEscapingFunctions.some(func =>
+      code.toLowerCase().includes(func.toLowerCase())
+    );
+  }
+
+  isLiteralString(code) {
+    // Check if it's a string literal (quoted)
+    const trimmed = code.trim();
+    return (trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+           (trimmed.startsWith("'") && trimmed.endsWith("'")) ||
+           (trimmed.startsWith('`') && trimmed.endsWith('`') && !trimmed.includes('${'));
+  }
+
+  isConstantOrPropertyAccess(code) {
+    // Check if it's accessing a constant or configuration object
+    const trimmed = code.trim();
+
+    // Common constant patterns: routes.X, CONSTANTS.X, config.X, CONFIG.X
+    const constantPatterns = [
+      /^routes\./i,
+      /^ROUTES\./,
+      /^constants\./i,
+      /^CONSTANTS\./,
+      /^config\./i,
+      /^CONFIG\./,
+      /^settings\./i,
+      /^SETTINGS\./,
+      /^[A-Z_]+\./,  // ALL_CAPS.something
+      /^process\.env\./,
+      /^environment\./i,
+    ];
+
+    // Check if matches constant patterns
+    if (constantPatterns.some(pattern => pattern.test(trimmed))) {
+      return true;
+    }
+
+    // Check if it's a simple variable without property access from user input
+    // e.g., "redirectUrl" (variable) vs "req.query.redirect" (user input)
+    if (!trimmed.includes('.') && !this.isUserInput(trimmed)) {
+      // Simple variable, likely from constants or params
+      return true;
+    }
+
+    return false;
+  }
+
+  hasUrlValidation(content, matchIndex) {
+    // Check surrounding code for URL validation patterns
+    const contextStart = Math.max(0, matchIndex - 300);
+    const contextEnd = Math.min(content.length, matchIndex + 100);
+    const context = content.substring(contextStart, contextEnd);
+
+    const validationPatterns = [
+      /new\s+URL\s*\(/i,
+      /allowedHosts/i,
+      /whitelist/i,
+      /validateUrl/i,
+      /isValidUrl/i,
+      /\.hostname/i,
+      /\.protocol/i
+    ];
+
+    return validationPatterns.some(pattern => pattern.test(context));
+  }
+}
+
+module.exports = new S022Analyzer();