npm - @sun-asterisk/sunlint - Versions diffs - 1.3.26 → 1.3.28 - Mend

@sun-asterisk/sunlint 1.3.26 → 1.3.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/rules/security/S022_escape_output_context/config.json ADDED Viewed

@@ -0,0 +1,229 @@
+{
+  "rule": {
+    "id": "S022",
+    "name": "Escape data properly based on output context",
+    "description": "Ensure data is properly escaped or sanitized based on the output context (HTML, JavaScript, CSS, URL) to prevent Cross-Site Scripting (XSS) attacks. Different contexts require different escaping methods.",
+    "category": "security",
+    "severity": "error",
+    "languages": ["typescript", "javascript"],
+    "frameworks": ["express", "nestjs", "react", "vue", "angular", "node"],
+    "version": "1.0.0",
+    "status": "stable",
+    "tags": ["security", "xss", "escaping", "sanitization", "owasp", "injection"],
+    "references": [
+      "https://owasp.org/www-community/attacks/xss/",
+      "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
+      "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html",
+      "https://portswigger.net/web-security/cross-site-scripting",
+      "https://cwe.mitre.org/data/definitions/79.html"
+    ]
+  },
+  "configuration": {
+    "contexts": {
+      "html": {
+        "dangerousMethods": [
+          "innerHTML",
+          "outerHTML",
+          "insertAdjacentHTML",
+          "document.write",
+          "document.writeln",
+          "v-html",
+          "dangerouslySetInnerHTML"
+        ],
+        "requireEscaping": true,
+        "severity": "error"
+      },
+      "javascript": {
+        "dangerousMethods": [
+          "eval",
+          "Function",
+          "setTimeout",
+          "setInterval",
+          "execScript"
+        ],
+        "requireEscaping": true,
+        "severity": "error"
+      },
+      "url": {
+        "dangerousMethods": [
+          "location.href",
+          "window.location",
+          "location.assign",
+          "location.replace",
+          "window.open"
+        ],
+        "requireValidation": true,
+        "severity": "warning"
+      },
+      "attribute": {
+        "dangerousAttributes": [
+          "onclick",
+          "onload",
+          "onerror",
+          "onmouseover",
+          "href",
+          "src"
+        ],
+        "requireEscaping": true,
+        "severity": "error"
+      }
+    },
+    "userInputSources": [
+      "req.body",
+      "req.query",
+      "req.params",
+      "request.body",
+      "request.query",
+      "request.params",
+      "localStorage",
+      "sessionStorage",
+      "window.location",
+      "location.search",
+      "location.hash",
+      "URLSearchParams",
+      "document.cookie",
+      "window.name",
+      "postMessage"
+    ],
+    "safeEscapingFunctions": [
+      "escape",
+      "escapeHtml",
+      "sanitize",
+      "DOMPurify.sanitize",
+      "textContent",
+      "innerText",
+      "setAttribute",
+      "encodeURIComponent",
+      "encodeURI",
+      "validator.escape",
+      "xss.filterXSS"
+    ],
+    "safeFrameworkMethods": {
+      "react": [
+        "textContent",
+        "children",
+        "{variable}"
+      ],
+      "vue": [
+        "{{ variable }}",
+        "v-text"
+      ],
+      "angular": [
+        "{{ variable }}",
+        "[textContent]"
+      ]
+    }
+  },
+  "examples": {
+    "violations": [
+      {
+        "description": "Unescaped user input in innerHTML",
+        "code": "element.innerHTML = userInput;",
+        "context": "html"
+      },
+      {
+        "description": "User input in eval without validation",
+        "code": "eval(req.query.code);",
+        "context": "javascript"
+      },
+      {
+        "description": "Unvalidated URL from user input",
+        "code": "window.location = req.query.redirect;",
+        "context": "url"
+      },
+      {
+        "description": "React dangerouslySetInnerHTML without sanitization",
+        "code": "<div dangerouslySetInnerHTML={{__html: userInput}} />",
+        "context": "html"
+      },
+      {
+        "description": "Vue v-html directive with user input",
+        "code": "<div v-html=\"userInput\"></div>",
+        "context": "html"
+      },
+      {
+        "description": "Dynamic event handler with user input",
+        "code": "element.setAttribute('onclick', userInput);",
+        "context": "attribute"
+      }
+    ],
+    "fixes": [
+      {
+        "description": "Use textContent instead of innerHTML",
+        "code": "element.textContent = userInput;",
+        "context": "html"
+      },
+      {
+        "description": "Sanitize HTML with DOMPurify",
+        "code": "element.innerHTML = DOMPurify.sanitize(userInput);",
+        "context": "html"
+      },
+      {
+        "description": "Never use eval with user input",
+        "code": "// Avoid eval entirely, use JSON.parse or safe alternatives",
+        "context": "javascript"
+      },
+      {
+        "description": "Validate and whitelist URLs",
+        "code": "const allowedHosts = ['example.com'];\nconst url = new URL(req.query.redirect);\nif (allowedHosts.includes(url.hostname)) {\n  window.location = url.href;\n}",
+        "context": "url"
+      },
+      {
+        "description": "React with proper sanitization",
+        "code": "<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(userInput)}} />",
+        "context": "html"
+      },
+      {
+        "description": "Vue using v-text for safe output",
+        "code": "<div v-text=\"userInput\"></div>",
+        "context": "html"
+      }
+    ]
+  },
+  "testing": {
+    "testCases": [
+      {
+        "name": "innerHTML_with_user_input",
+        "type": "violation",
+        "description": "Using innerHTML with unsanitized user input"
+      },
+      {
+        "name": "eval_with_user_input",
+        "type": "violation",
+        "description": "Using eval with user input"
+      },
+      {
+        "name": "location_with_user_input",
+        "type": "violation",
+        "description": "Setting location with unvalidated user input"
+      },
+      {
+        "name": "textContent_safe_output",
+        "type": "clean",
+        "description": "Using textContent for safe output"
+      },
+      {
+        "name": "dompurify_sanitization",
+        "type": "clean",
+        "description": "Using DOMPurify to sanitize HTML"
+      },
+      {
+        "name": "url_validation",
+        "type": "clean",
+        "description": "Validating URLs before redirect"
+      }
+    ]
+  },
+  "performance": {
+    "complexity": "O(n)",
+    "description": "Linear complexity based on number of DOM manipulation and output operations in the source code"
+  },
+  "owaspMapping": {
+    "category": "A03:2021 – Injection",
+    "subcategories": [
+      "A07:2021 – Identification and Authentication Failures"
+    ],
+    "cweId": "CWE-79",
+    "description": "Validates that all output is properly escaped or sanitized based on context to prevent XSS attacks"
+  }
+}

package/rules/security/S023_no_json_injection/analyzer.js CHANGED Viewed

@@ -82,6 +82,21 @@ class S023Analyzer {
   }
   async analyzeFile(filePath, language, options = {}) {
+    // Skip test files - they often use JSON.parse for testing purposes
+    const skipPatterns = [
+      /\.spec\.(ts|tsx|js|jsx)$/,
+      /\.test\.(ts|tsx|js|jsx)$/,
+      /__tests__\//,          // Test directories
+      /__mocks__\//,          // Mock directories
+      /\/tests?\//,           // Test directories
+      /\/fixtures?\//,        // Fixture directories
+    ];
+    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
+    if (shouldSkip) {
+      return [];
+    }
     switch (language) {
       case 'typescript':
       case 'javascript':

package/rules/security/S023_no_json_injection/ast-analyzer.js CHANGED Viewed

@@ -10,12 +10,27 @@ class S023ASTAnalyzer {
   async analyze(files, language, options = {}) {
     const violations = [];
+    // Skip patterns for test files
+    const skipPatterns = [
+      /\.spec\.(ts|tsx|js|jsx)$/,
+      /\.test\.(ts|tsx|js|jsx)$/,
+      /__tests__\//,
+      /__mocks__\//,
+      /\/tests?\//,
+      /\/fixtures?\//,
+    ];
     for (const filePath of files) {
+      // Skip test files
+      if (skipPatterns.some(pattern => pattern.test(filePath))) {
+        continue;
+      }
       if (options.verbose) {
         console.log(`🎯 Running S023 AST analysis on ${path.basename(filePath)}`);
       }
       try {
         const content = fs.readFileSync(filePath, 'utf8');
         const fileViolations = await this.analyzeFile(filePath, content, language, options);
@@ -24,7 +39,7 @@ class S023ASTAnalyzer {
         console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
       }
     }
     return violations;
   }

package/rules/security/S023_no_json_injection/config.json ADDED Viewed

@@ -0,0 +1,133 @@
+{
+  "rule": {
+    "id": "S023",
+    "name": "Prevent JSON Injection and JSON eval attacks",
+    "description": "Prevent JSON injection attacks and unsafe JSON handling. Detects unsafe JSON.parse(), eval() with JSON, JSON.stringify in HTML context, and JSON handling without proper validation.",
+    "category": "security",
+    "severity": "error",
+    "languages": ["typescript", "javascript"],
+    "frameworks": ["express", "nestjs", "node", "react", "vue", "angular"],
+    "version": "1.0.0",
+    "status": "stable",
+    "tags": ["security", "json", "injection", "xss", "owasp", "eval"],
+    "references": [
+      "https://owasp.org/www-community/vulnerabilities/JSON_Injection",
+      "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html",
+      "https://portswigger.net/web-security/dom-based/json-injection",
+      "https://cwe.mitre.org/data/definitions/94.html"
+    ]
+  },
+  "configuration": {
+    "checkJsonParse": true,
+    "checkEvalWithJson": true,
+    "checkJsonStringifyInHtml": true,
+    "userInputSources": [
+      "localStorage",
+      "sessionStorage",
+      "window.location",
+      "location.search",
+      "location.hash",
+      "URLSearchParams",
+      "req.body",
+      "req.query",
+      "req.params",
+      "request.body",
+      "request.query",
+      "document.cookie",
+      "window.name",
+      "postMessage",
+      "fetch",
+      "axios"
+    ],
+    "validationPatterns": [
+      "try",
+      "catch",
+      "typeof",
+      "instanceof",
+      "validate",
+      "check",
+      "isValid",
+      "sanitize",
+      "escape",
+      "filter"
+    ],
+    "htmlContextPatterns": [
+      "innerHTML",
+      "outerHTML",
+      "insertAdjacentHTML",
+      "document.write",
+      ".html(",
+      "<script",
+      "</script>"
+    ]
+  },
+  "examples": {
+    "violations": [
+      {
+        "description": "Unsafe JSON.parse with user input",
+        "code": "const data = JSON.parse(localStorage.getItem('userData'));"
+      },
+      {
+        "description": "Using eval() to parse JSON",
+        "code": "const obj = eval('(' + jsonString + ')');"
+      },
+      {
+        "description": "JSON.stringify in HTML context without escaping",
+        "code": "element.innerHTML = JSON.stringify(userInput);"
+      },
+      {
+        "description": "Parsing URL parameters without validation",
+        "code": "const params = JSON.parse(new URLSearchParams(window.location.search).get('data'));"
+      }
+    ],
+    "fixes": [
+      {
+        "description": "Validate input before parsing JSON",
+        "code": "try {\n  const data = JSON.parse(localStorage.getItem('userData'));\n  if (typeof data === 'object' && data !== null) {\n    // Use data\n  }\n} catch (e) {\n  // Handle error\n}"
+      },
+      {
+        "description": "Always use JSON.parse instead of eval",
+        "code": "const obj = JSON.parse(jsonString);"
+      },
+      {
+        "description": "Escape JSON output when used in HTML",
+        "code": "element.textContent = JSON.stringify(userInput);\n// or\nelement.innerHTML = escapeHtml(JSON.stringify(userInput));"
+      }
+    ]
+  },
+  "testing": {
+    "testCases": [
+      {
+        "name": "unsafe_json_parse_localstorage",
+        "type": "violation",
+        "description": "JSON.parse with localStorage without validation"
+      },
+      {
+        "name": "eval_with_json",
+        "type": "violation",
+        "description": "Using eval() to parse JSON data"
+      },
+      {
+        "name": "json_stringify_html_context",
+        "type": "violation",
+        "description": "JSON.stringify output in innerHTML"
+      },
+      {
+        "name": "safe_json_parse_with_trycatch",
+        "type": "clean",
+        "description": "JSON.parse with proper try-catch validation"
+      }
+    ]
+  },
+  "performance": {
+    "complexity": "O(n)",
+    "description": "Linear complexity based on number of JSON operations in the source code"
+  },
+  "owaspMapping": {
+    "category": "A03:2021 – Injection",
+    "subcategories": [
+      "A05:2021 – Security Misconfiguration"
+    ],
+    "description": "Validates that JSON parsing and handling is done safely to prevent injection attacks and XSS vulnerabilities"
+  }
+}

package/rules/security/S024_xpath_xxe_protection/regex-based-analyzer.js CHANGED Viewed

@@ -113,6 +113,12 @@ class S024RegexBasedAnalyzer {
     // Remove comments to avoid false positives
     const cleanContent = this.removeComments(content);
+    // PRE-FILTER: Skip files that don't use XPath or XML at all
+    // This prevents false positives on regular JavaScript code
+    if (!this.hasXPathOrXMLUsage(cleanContent)) {
+      return []; // Early return - no XPath/XML usage detected
+    }
     try {
       // Pattern 1: XPath Injection vulnerabilities
       violations.push(
@@ -146,6 +152,41 @@ class S024RegexBasedAnalyzer {
     return violations;
   }
+  hasXPathOrXMLUsage(content) {
+    // Check if file imports or uses XPath/XML libraries
+    const xpathXmlIndicators = [
+      // Library imports
+      /require\s*\(\s*['"]xpath['"]\s*\)/i,
+      /require\s*\(\s*['"]xmldom['"]\s*\)/i,
+      /require\s*\(\s*['"]libxmljs['"]\s*\)/i,
+      /require\s*\(\s*['"]xml2js['"]\s*\)/i,
+      /require\s*\(\s*['"]fast-xml-parser['"]\s*\)/i,
+      /from\s+['"]xpath['"]/i,
+      /from\s+['"]xmldom['"]/i,
+      /from\s+['"]libxmljs['"]/i,
+      /from\s+['"]xml2js['"]/i,
+      // XPath method calls
+      /xpath\s*\.\s*(?:evaluate|select|selectText|selectValue|selectNodes)/i,
+      /\.evaluate\s*\([^)]*\s*,\s*(?:XPathResult|doc|document)/i,
+      // XML parsing methods
+      /DOMParser\s*\(\s*\)/,
+      /parseFromString/i,
+      /parseXml/i,
+      /parseString\s*\(/,
+      /XSLTProcessor/,
+      /SAXParser/,
+      // XML document indicators
+      /<\?xml/i,
+      /xmlDoc/i,
+      /xmlDocument/i,
+    ];
+    return xpathXmlIndicators.some(pattern => pattern.test(content));
+  }
   analyzeXPathInjection(content, lines, filePath) {
     const violations = [];

package/rules/security/S027_no_hardcoded_secrets/analyzer.js CHANGED Viewed

@@ -74,7 +74,24 @@ class S027CategorizedAnalyzer {
       'coverage/', '.next/', '.cache/', 'tmp/',
       '.lock', '.log', '.min.js', '.bundle.js'
     ];
+    // Skip test files completely - they often contain mock/fake credentials
+    const testPatterns = [
+      /\.spec\.(ts|tsx|js|jsx)$/,
+      /\.test\.(ts|tsx|js|jsx)$/,
+      /__tests__\//,
+      /__mocks__\//,
+      /\/tests?\//,
+      /\/fixtures?\//,
+      /\/factories\//,        // Test factories
+      /setupTests\./,
+      /testSetup\./,
+    ];
+    if (testPatterns.some(pattern => pattern.test(filePath))) {
+      return true;
+    }
     return skipPatterns.some(pattern => filePath.includes(pattern));
   }
@@ -95,11 +112,16 @@ class S027CategorizedAnalyzer {
         return;
       }
+      // Skip NEXT_PUBLIC_ environment variables - these are public by design
+      if (this.isPublicEnvironmentVariable(line)) {
+        return;
+      }
       // Check global exclude patterns first
       if (this.matchesGlobalExcludes(line)) {
         return;
       }
       // Check each category
       this.categories.forEach(category => {
         const categoryViolations = this.checkCategory(
@@ -136,7 +158,39 @@ class S027CategorizedAnalyzer {
   matchesGlobalExcludes(line) {
     return this.globalExcludePatterns.some(pattern => pattern.test(line));
   }
+  isPublicEnvironmentVariable(line) {
+    // NEXT_PUBLIC_, REACT_APP_, VITE_, PUBLIC_ prefixed env vars are public by design
+    // These are intentionally exposed to the client-side and are not secrets
+    const publicEnvPatterns = [
+      /NEXT_PUBLIC_[A-Z0-9_]+\s*[:=]/i,      // Next.js public env vars
+      /REACT_APP_[A-Z0-9_]+\s*[:=]/i,        // Create React App public env vars
+      /VITE_[A-Z0-9_]+\s*[:=]/i,             // Vite public env vars
+      /PUBLIC_[A-Z0-9_]+\s*[:=]/i,           // Generic public prefix
+      /EXPO_PUBLIC_[A-Z0-9_]+\s*[:=]/i,      // Expo public env vars
+    ];
+    return publicEnvPatterns.some(pattern => pattern.test(line));
+  }
+  isEnvironmentVariableUsage(line) {
+    // Patterns that indicate environment variable or config service usage - these are SAFE
+    const safePatterns = [
+      /process\.env\./i,                    // process.env.DB_PASSWORD
+      /configService\.get/i,                // configService.get('DB_PASSWORD')
+      /config\.get/i,                       // config.get('API_KEY')
+      /getConfig\(/i,                       // getConfig('secret')
+      /env\(['"]([^'"]+)['"]\)/i,          // env('SECRET_KEY')
+      /process\.env\[['"]([^'"]+)['"]\]/i, // process.env['API_KEY']
+      /import\.meta\.env\./i,              // import.meta.env.VITE_API_KEY
+      /Deno\.env\.get/i,                   // Deno.env.get()
+      /os\.getenv/i,                       // Python os.getenv()
+      /System\.getenv/i,                   // Java System.getenv()
+    ];
+    return safePatterns.some(pattern => pattern.test(line));
+  }
   checkCategory(category, line, lineNumber, filePath, isTestFile) {
     const violations = [];
@@ -156,14 +210,19 @@ class S027CategorizedAnalyzer {
         }
         // Check category-specific excludes
-        if (category.compiledExcludePatterns &&
+        if (category.compiledExcludePatterns &&
             category.compiledExcludePatterns.some(pattern => pattern.test(matchedText))) {
           continue;
         }
-        // Be more lenient in test files for lower severity categories
-        // But still report critical/high severity issues even in test files
-        if (isTestFile && category.severity === 'low') {
+        // Check if this uses environment variables or config services - SAFE patterns
+        if (this.isEnvironmentVariableUsage(line)) {
+          continue;
+        }
+        // Be more lenient in test files - skip all but critical severity
+        // Test files commonly use hardcoded values for testing purposes
+        if (isTestFile && (category.severity === 'low' || category.severity === 'medium' || category.severity === 'high')) {
           continue;
         }

package/rules/security/S027_no_hardcoded_secrets/categorized-analyzer.js CHANGED Viewed

@@ -136,7 +136,25 @@ class S027CategorizedAnalyzer {
   matchesGlobalExcludes(line) {
     return this.globalExcludePatterns.some(pattern => pattern.test(line));
   }
+  isEnvironmentVariableUsage(line) {
+    // Patterns that indicate environment variable or config service usage - these are SAFE
+    const safePatterns = [
+      /process\.env\./i,                    // process.env.DB_PASSWORD
+      /configService\.get/i,                // configService.get('DB_PASSWORD')
+      /config\.get/i,                       // config.get('API_KEY')
+      /getConfig\(/i,                       // getConfig('secret')
+      /env\(['"]([^'"]+)['"]\)/i,          // env('SECRET_KEY')
+      /process\.env\[['"]([^'"]+)['"]\]/i, // process.env['API_KEY']
+      /import\.meta\.env\./i,              // import.meta.env.VITE_API_KEY
+      /Deno\.env\.get/i,                   // Deno.env.get()
+      /os\.getenv/i,                       // Python os.getenv()
+      /System\.getenv/i,                   // Java System.getenv()
+    ];
+    return safePatterns.some(pattern => pattern.test(line));
+  }
   checkCategory(category, line, lineNumber, filePath, isTestFile) {
     const violations = [];
@@ -156,14 +174,19 @@ class S027CategorizedAnalyzer {
         }
         // Check category-specific excludes
-        if (category.compiledExcludePatterns &&
+        if (category.compiledExcludePatterns &&
             category.compiledExcludePatterns.some(pattern => pattern.test(matchedText))) {
           continue;
         }
-        // Be more lenient in test files for lower severity categories
-        // But still report critical/high severity issues even in test files
-        if (isTestFile && category.severity === 'low') {
+        // Check if this uses environment variables or config services - SAFE patterns
+        if (this.isEnvironmentVariableUsage(line)) {
+          continue;
+        }
+        // Be more lenient in test files - skip all but critical severity
+        // Test files commonly use hardcoded values for testing purposes
+        if (isTestFile && (category.severity === 'low' || category.severity === 'medium' || category.severity === 'high')) {
           continue;
         }