npm - @sun-asterisk/sunlint - Versions diffs - 1.3.26 → 1.3.28 - Mend

@sun-asterisk/sunlint 1.3.26 → 1.3.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/rules/security/S029_csrf_protection/config.json ADDED Viewed

@@ -0,0 +1,127 @@
+{
+  "rule": {
+    "id": "S029",
+    "name": "CSRF Protection Required",
+    "description": "Require CSRF (Cross-Site Request Forgery) protection for state-changing operations. All POST, PUT, DELETE, and PATCH endpoints must implement CSRF token validation to prevent unauthorized requests from malicious sites.",
+    "category": "security",
+    "severity": "error",
+    "languages": ["typescript", "javascript"],
+    "frameworks": ["express", "nestjs", "node"],
+    "version": "1.0.0",
+    "status": "stable",
+    "tags": ["security", "csrf", "xsrf", "authentication", "owasp"],
+    "references": [
+      "https://owasp.org/www-community/attacks/csrf",
+      "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html",
+      "https://portswigger.net/web-security/csrf",
+      "https://cwe.mitre.org/data/definitions/352.html"
+    ]
+  },
+  "configuration": {
+    "checkStateChangingMethods": ["POST", "PUT", "DELETE", "PATCH"],
+    "csrfProtectionPatterns": [
+      "csurf()",
+      "csrfProtection",
+      "verifyCsrfToken",
+      "checkCsrf",
+      "csrf-token",
+      "_csrf",
+      "req.csrfToken",
+      "csrf.verify",
+      "validateCSRF",
+      "x-csrf-token",
+      "x-xsrf-token"
+    ],
+    "globalMiddlewarePatterns": [
+      "app.use(csurf())",
+      "app.use(csrfProtection)",
+      "router.use(csurf())"
+    ],
+    "routeHandlerPatterns": [
+      "app.post",
+      "app.put",
+      "app.delete",
+      "app.patch",
+      "router.post",
+      "router.put",
+      "router.delete",
+      "router.patch"
+    ],
+    "excludePatterns": [
+      "test",
+      "spec",
+      "mock",
+      "__tests__"
+    ]
+  },
+  "examples": {
+    "violations": [
+      {
+        "description": "POST endpoint without CSRF protection",
+        "code": "app.post('/api/transfer', (req, res) => {\n  transferMoney(req.body.amount);\n});"
+      },
+      {
+        "description": "DELETE endpoint without CSRF middleware",
+        "code": "router.delete('/api/user/:id', (req, res) => {\n  deleteUser(req.params.id);\n});"
+      },
+      {
+        "description": "PUT endpoint without token validation",
+        "code": "app.put('/api/profile', (req, res) => {\n  updateProfile(req.body);\n});"
+      }
+    ],
+    "fixes": [
+      {
+        "description": "Apply CSRF protection globally",
+        "code": "const csrf = require('csurf');\nconst csrfProtection = csrf({ cookie: true });\napp.use(csrfProtection);\n\napp.post('/api/transfer', (req, res) => {\n  // CSRF token is automatically validated\n  transferMoney(req.body.amount);\n});"
+      },
+      {
+        "description": "Apply CSRF protection per route",
+        "code": "const csrfProtection = csrf({ cookie: true });\n\napp.post('/api/transfer', csrfProtection, (req, res) => {\n  transferMoney(req.body.amount);\n});"
+      },
+      {
+        "description": "Manual CSRF token validation",
+        "code": "app.post('/api/transfer', (req, res) => {\n  const token = req.body._csrf || req.headers['x-csrf-token'];\n  if (!validateCsrfToken(token, req.session)) {\n    return res.status(403).send('Invalid CSRF token');\n  }\n  transferMoney(req.body.amount);\n});"
+      }
+    ]
+  },
+  "testing": {
+    "testCases": [
+      {
+        "name": "post_without_csrf",
+        "type": "violation",
+        "description": "POST endpoint without CSRF protection"
+      },
+      {
+        "name": "put_without_csrf",
+        "type": "violation",
+        "description": "PUT endpoint without CSRF protection"
+      },
+      {
+        "name": "delete_without_csrf",
+        "type": "violation",
+        "description": "DELETE endpoint without CSRF protection"
+      },
+      {
+        "name": "global_csrf_protection",
+        "type": "clean",
+        "description": "Global CSRF middleware applied"
+      },
+      {
+        "name": "route_specific_csrf",
+        "type": "clean",
+        "description": "Route-specific CSRF middleware"
+      }
+    ]
+  },
+  "performance": {
+    "complexity": "O(n)",
+    "description": "Linear complexity based on number of route handlers in the source code"
+  },
+  "owaspMapping": {
+    "category": "A01:2021 – Broken Access Control",
+    "subcategories": [
+      "A04:2021 – Insecure Design"
+    ],
+    "description": "Validates that all state-changing endpoints have proper CSRF protection to prevent unauthorized cross-site requests"
+  }
+}

package/rules/security/S030_directory_browsing_protection/regex-based-analyzer.js CHANGED Viewed

@@ -77,7 +77,7 @@ class S030RegexBasedAnalyzer {
       /config(?:s|uration)?/g,
       /settings?/g,
       /secrets?/g,
-      /keys?/g,
+      /\bkeys?\b/g, // Word boundary to avoid matching 'keyValidation', 'apiKey', etc.
       /backup(?:s)?/g,
       /database(?:s)?/g,
       /\\.aws/g,
@@ -133,8 +133,10 @@ class S030RegexBasedAnalyzer {
       /\\.types\\.ts$/,
       /\\.interface\\.ts$/,
       /\\.constants?\\.ts$/,
-      /\\.spec\\.ts$/,
-      /\\.test\\.ts$/,
+      /\\.spec\\.(ts|tsx|js|jsx)$/,
+      /\\.test\\.(ts|tsx|js|jsx)$/,
+      /__tests__\\//,          // Test directories
+      /__mocks__\\//,          // Mock directories
       /\\.min\\.js$/,
       /\\.bundle\\.js$/,
       /\\.model\\.ts$/,
@@ -302,19 +304,42 @@ class S030RegexBasedAnalyzer {
       const matches = [...line.matchAll(sensitivePattern)];
       for (const match of matches) {
+        const matchedText = match[0];
+        const matchIndex = match.index;
+        if (process.env.SUNLINT_DEBUG && matchedText.match(/^keys?$/i)) {
+          const beforeMatch = line.substring(Math.max(0, matchIndex - 20), matchIndex);
+          const afterMatch = line.substring(matchIndex + matchedText.length, matchIndex + matchedText.length + 20);
+          console.log(
+            `🔧 [S030-Regex] Found 'key' at line ${lineNumber}, col ${matchIndex}: "${line.substring(Math.max(0, matchIndex - 10), matchIndex + matchedText.length + 10)}"`
+          );
+          console.log(`🔧 [S030-Regex]   Before: "${beforeMatch}"`);
+          console.log(`🔧 [S030-Regex]   After: "${afterMatch}"`);
+        }
+        // Skip false positives
+        if (this.isFalsePositiveContext(line, matchedText, matchIndex)) {
+          if (process.env.SUNLINT_DEBUG && matchedText.match(/^keys?$/i)) {
+            console.log(
+              `🔧 [S030-Regex] ✓ Skipping 'key' as false positive at line ${lineNumber}`
+            );
+          }
+          continue;
+        }
         // Check if it's in a serving context (not just a string mention)
         if (this.isInServingContext(line)) {
           violations.push({
             ruleId: this.ruleId,
-            message: `Potential exposure of sensitive file/directory '${match[0]}' - ensure proper access controls`,
+            message: `Potential exposure of sensitive file/directory '${matchedText}' - ensure proper access controls`,
             severity: "warning",
             line: lineNumber,
-            column: match.index + 1,
+            column: matchIndex + 1,
           });
           if (process.env.SUNLINT_DEBUG) {
             console.log(
-              `🔧 [S030-Regex] Found sensitive file exposure at line ${lineNumber}: ${match[0]}`
+              `🔧 [S030-Regex] Found sensitive file exposure at line ${lineNumber}: ${matchedText}`
             );
           }
         }
@@ -322,6 +347,104 @@ class S030RegexBasedAnalyzer {
     }
   }
+  isFalsePositiveContext(line, matchedText, matchIndex) {
+    // Get context around the match (extended for minified code)
+    const beforeMatch = line.substring(Math.max(0, matchIndex - 20), matchIndex);
+    const afterMatch = line.substring(matchIndex + matchedText.length, matchIndex + matchedText.length + 20);
+    // Only check 'key' and 'keys' - other sensitive keywords are valid
+    if (!matchedText.match(/^keys?$/i)) {
+      return false; // Let other keywords be checked normally
+    }
+    // Skip if 'key' is in a comment or string literal (English text)
+    // Check for common English phrases with 'key'
+    const extendedBefore = line.substring(Math.max(0, matchIndex - 50), matchIndex);
+    const extendedAfter = line.substring(matchIndex + matchedText.length, matchIndex + matchedText.length + 50);
+    const context = extendedBefore + matchedText + extendedAfter;
+    // Skip common English phrases and technical terms where 'key' is not a security issue
+    const keyPhrases = [
+      // English phrases
+      /\breturn\s+(this|the)\s+keys?\b/i,
+      /\b(this|the|a)\s+keys?\b/i,
+      /\bkeys?\s+(to|for|of|in)\b/i,
+      /\bwithout\s+(a|the)\s+keys?\b/i,
+      /\blease.*keys?\b/i, // lease key (physical car key)
+      /\bcar\s+keys?\b/i,
+      /\bvehicle\s+keys?\b/i,
+      // Technical/programming terms
+      /\bkeys?\s+event\b/i, // key event, keyboard event
+      /\bkeys?\s+(press|down|up|code)\b/i, // key press, key down, key up, key code
+      /\bevent\.keys?\b/i, // event.key
+      /\bkeyboard\b/i,
+      // Keyboard key name comparisons
+      /\bkeys?\s*(===|!==|==|!=)\s*['\"]?(Enter|Escape|Backspace|Delete|Tab|Space|Arrow|Shift|Control|Alt|Meta)/i,
+      /['\"]?(Enter|Escape|Backspace|Delete|Tab|Space|Arrow|Shift|Control|Alt|Meta)['\"]?\s*(===|!==|==|!=)\s*\bkeys?\b/i,
+    ];
+    if (keyPhrases.some(pattern => pattern.test(context))) {
+      return true;
+    }
+    // Skip TypeScript index signatures: [key: string], [key: number], etc.
+    if (beforeMatch.match(/\[\s*$/) && afterMatch.match(/^\s*:\s*\w+\s*\]/)) {
+      return true;
+    }
+    // Skip TypeScript/JavaScript property names: "key:", "key:"  (with/without spaces)
+    if (afterMatch.match(/^\s*:/)) {
+      return true;
+    }
+    // Skip JSX attributes: key={...}, key="..."
+    if (afterMatch.match(/^\s*=/)) {
+      return true;
+    }
+    // Skip object/variable property access: obj.key, obj.keys, obj[key], arr[key], keys.reduce(), key.toString()
+    if (beforeMatch.match(/\.\s*$/) || beforeMatch.match(/\[\s*$/) || afterMatch.match(/^\s*\./)) {
+      return true;
+    }
+    // Skip destructuring: { key }, { key: value }
+    if (beforeMatch.match(/[{,]\s*$/) && afterMatch.match(/^\s*[,}:]/)) {
+      return true;
+    }
+    // Skip array map/forEach callbacks: .map((item, key) => ...), .forEach((value, key) => ...)
+    if (beforeMatch.match(/[,(]\s*\w+\s*,\s*$/)) {
+      return true;
+    }
+    // Skip variable declarations: const key = ..., let key = ..., var key = ...
+    if (beforeMatch.match(/(const|let|var)\s+$/)) {
+      return true;
+    }
+    // Skip function parameters: function(key), (key) =>, function foo(key)
+    if (beforeMatch.match(/[,(]\s*$/) && afterMatch.match(/^\s*[,)]/)) {
+      return true;
+    }
+    // Skip logical operators: sortKey || key, key && value
+    if (beforeMatch.match(/(\|\||&&)\s*$/) || afterMatch.match(/^\s*(\|\||&&)/)) {
+      return true;
+    }
+    // Skip import/export: import { key }, export { key }
+    if (beforeMatch.match(/(import|export)\s*{[^}]*$/)) {
+      return true;
+    }
+    // Skip type definitions: key?: string, key: string
+    if (afterMatch.match(/^\s*\?\s*:/) || afterMatch.match(/^\s*:\s*(string|number|boolean|any)/i)) {
+      return true;
+    }
+    return false;
+  }
   checkDangerousConfigurations(line, lineNumber, violations) {
     for (const [configName, pattern] of Object.entries(this.dangerousConfigs)) {
       const matches = [...line.matchAll(pattern)];
@@ -448,33 +571,42 @@ class S030RegexBasedAnalyzer {
       "private",
     ];
-    return sensitiveKeywords.some(
-      (keyword) =>
-        normalizedPath.includes(keyword) ||
-        normalizedPath.startsWith("./" + keyword) ||
-        normalizedPath.endsWith("/" + keyword)
-    );
+    return sensitiveKeywords.some((keyword) => {
+      // Create regex pattern to match:
+      // 1. Exact match (entire path is the sensitive keyword)
+      // 2. Preceded by path separator (/, ., -)
+      // 3. Followed by path separator (/, ., -)
+      // This prevents false positives like "settingStartDate" matching "setting"
+      const pattern = new RegExp(
+        `(^|[/.\-])${keyword.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}([/.\-]|$)`,
+        'i'
+      );
+      return pattern.test(normalizedPath);
+    });
   }
   isInServingContext(line) {
-    const servingKeywords = [
-      "static",
-      "serve",
-      "use",
-      "mount",
-      "register",
-      "get",
-      "post",
-      "put",
-      "delete",
-      "patch",
-      "sendFile",
-      "express",
-      "app",
-      "router",
+    // More restrictive patterns - check for actual file serving contexts
+    const servingPatterns = [
+      /express\.static\s*\(/i,
+      /\.use\s*\(\s*['"`]/i,              // app.use('/path', ...)
+      /\.serve/i,                          // serveStatic, serve-index
+      /sendFile\s*\(/i,
+      /ServeStatic/i,
+      /serve-index/i,
+      /koa-static/i,
+      /fastify.*static/i,
+      /\.register\s*\(\s*require/i,
+      /\.mount\s*\(/i,
+      /\.(get|post|put|delete|patch)\s*\(\s*['"`][^'"`]*\//i, // Route with path
+      /@(Get|Post|Put|Delete|Patch)\s*\(\s*['"`]/i,            // NestJS decorator
+      /root\s*:\s*['"`]/i,                                      // {root: 'path'}
+      /path\s*:\s*['"`]/i,                                      // {path: 'dir'}
+      /dir\s*:\s*['"`]/i,                                       // {dir: 'path'}
     ];
-    return servingKeywords.some((keyword) => line.includes(keyword));
+    return servingPatterns.some((pattern) => pattern.test(line));
   }
   cleanup() {}

package/rules/security/S030_directory_browsing_protection/symbol-based-analyzer.js CHANGED Viewed

@@ -77,8 +77,10 @@ class S030SymbolBasedAnalyzer {
       /\.types\.ts$/,
       /\.interface\.ts$/,
       /\.constants?\.ts$/,
-      /\.spec\.ts$/,
-      /\.test\.ts$/,
+      /\.spec\.(ts|tsx|js|jsx)$/,
+      /\.test\.(ts|tsx|js|jsx)$/,
+      /__tests__\//,          // Test directories
+      /__mocks__\//,          // Mock directories
       /\.model\.ts$/,
       /\.entity\.ts$/,
       /\.dto\.ts$/,
@@ -335,6 +337,13 @@ class S030SymbolBasedAnalyzer {
     ) {
       const path = initializer.getLiteralValue();
+      // Skip application routes (UI paths that are not file system paths)
+      // Application routes typically start with / and don't have file extensions
+      // Examples: /dashboard/settings, /api/users, /admin/config
+      if (this.isApplicationRoute(path)) {
+        return;
+      }
       if (this.isSensitivePath(path)) {
         const startLine = variable.getStartLineNumber();
         violations.push({
@@ -348,6 +357,29 @@ class S030SymbolBasedAnalyzer {
     }
   }
+  isApplicationRoute(path) {
+    if (!path || typeof path !== "string") return false;
+    // Application routes start with / and typically don't have file extensions
+    // and don't start with dotfiles or contain actual file indicators
+    if (path.startsWith("/")) {
+      // Check if it looks like a file path vs app route
+      const hasFileExtension = /\.[a-z0-9]+$/i.test(path);
+      const hasDotfile = /\/\.[a-z]/i.test(path) || path.startsWith("/.");
+      const hasFileIndicator = /\.(env|git|ssh|yml|yaml|json|xml|sql|log)($|\/)/i.test(path);
+      // If it has file indicators, it's a file path, not an app route
+      if (hasFileExtension || hasDotfile || hasFileIndicator) {
+        return false;
+      }
+      // Otherwise, it's likely an application route
+      return true;
+    }
+    return false;
+  }
   analyzeConfigurationObjects(objLiteral, violations, filePath) {
     const properties = objLiteral.getProperties();
@@ -397,19 +429,49 @@ class S030SymbolBasedAnalyzer {
   isSensitivePath(path) {
     if (!path || typeof path !== "string") return false;
+    // Skip application routes (URL paths that are not file references)
+    if (this.isApplicationRoute(path)) {
+      return false;
+    }
     const normalizedPath = path.toLowerCase();
     return this.sensitiveFiles.some((sensitive) => {
-      // Check if path contains sensitive file/directory patterns
-      return (
-        normalizedPath.includes(sensitive.toLowerCase()) ||
-        normalizedPath.startsWith("/" + sensitive.toLowerCase()) ||
-        normalizedPath.startsWith("./" + sensitive.toLowerCase()) ||
-        normalizedPath.endsWith("/" + sensitive.toLowerCase())
+      const sensitiveLower = sensitive.toLowerCase();
+      // Create regex pattern to match:
+      // 1. Exact match (entire path is the sensitive keyword)
+      // 2. Preceded by path separator (/, ., -)
+      // 3. Followed by path separator (/, ., -)
+      // This prevents false positives like "settingStartDate" matching "setting"
+      const pattern = new RegExp(
+        `(^|[/.\-])${sensitiveLower.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}([/.\-]|$)`,
+        'i'
       );
+      return pattern.test(normalizedPath);
     });
   }
+  isApplicationRoute(path) {
+    if (!path || typeof path !== "string") return false;
+    // If path starts with / and doesn't have file extensions or dotfiles, likely an app route
+    if (path.startsWith("/")) {
+      const hasFileExtension = /\.[a-z0-9]+$/i.test(path);
+      const hasDotfile = /\/\.[a-z]/i.test(path) || path.startsWith("/.");
+      const hasFileIndicator = /\.(env|git|ssh|yml|yaml|json|xml|sql|log)($|\/)/i.test(path);
+      if (hasFileExtension || hasDotfile || hasFileIndicator) {
+        return false; // It's a file reference
+      }
+      return true; // It's an application route
+    }
+    return false;
+  }
   isTruthyValue(valueNode) {
     const { SyntaxKind } = require("ts-morph");
@@ -500,28 +562,28 @@ class S030SymbolBasedAnalyzer {
     const httpMethods = ["GET", "POST", "PUT", "DELETE", "PATCH"];
     if (httpMethods.includes(funcName)) {
-      // Check function body for sensitive file operations
+      // Check function body for actual file serving operations (not just string mentions)
       const body = func.getBody();
       if (body) {
         const bodyText = body.getText();
-        // Check for sensitive file paths in the function body
-        const sensitivePatterns = [
-          /['"`][^'"`]*\.env[^'"`]*['"`]/g,
-          /['"`][^'"`]*\.git[^'"`]*['"`]/g,
-          /['"`][^'"`]*config[^'"`]*['"`]/g,
-          /['"`][^'"`]*backup[^'"`]*['"`]/g,
-          /['"`][^'"`]*secret[^'"`]*['"`]/g,
-          /['"`][^'"`]*\.ssh[^'"`]*['"`]/g,
+        // Only detect actual file operations that expose sensitive files
+        // (not just variable names or env vars containing "secret", "config", etc.)
+        const fileOperationPatterns = [
+          // File serving operations with sensitive paths
+          /(?:sendFile|readFile|writeFile|readFileSync|writeFileSync)\s*\(\s*['"`][^'"`]*(?:\.env|\.git|\.ssh|config\/|backup\/|secrets\/)[^'"`]*['"`]/g,
+          /(?:express\.static|serveStatic|staticFiles)\s*\(\s*['"`][^'"`]*(?:\.env|\.git|\.ssh|config|backup|secrets)[^'"`]*['"`]/g,
+          // Direct file path exposure in response
+          /(?:res|response)\.send(?:File)?\s*\(\s*['"`][^'"`]*(?:\.env|\.git|\.ssh)[^'"`]*['"`]/g,
         ];
-        for (const pattern of sensitivePatterns) {
+        for (const pattern of fileOperationPatterns) {
           const matches = [...bodyText.matchAll(pattern)];
           if (matches.length > 0) {
             const startLine = func.getStartLineNumber();
             violations.push({
               ruleId: this.ruleId,
-              message: `NextJS API route '${funcName}' contains sensitive file references - ensure proper access controls`,
+              message: `NextJS API route '${funcName}' contains file operations on sensitive paths - ensure proper access controls`,
               severity: "error",
               line: startLine,
               column: 1,

package/rules/security/S031_secure_session_cookies/analyzer.js CHANGED Viewed

@@ -163,7 +163,9 @@ class S031Analyzer {
           // Add to violation map with deduplication
           symbolViolations.forEach((violation) => {
-            const key = `${violation.line}:${violation.column}:${violation.message}`;
+            // Create a cookie-specific key to allow multiple violations for same cookie at different locations
+            const cookieName = this.extractCookieName(violation.message) || "";
+            const key = `cookie:${cookieName}:line:${violation.line}:secure`;
             if (!violationMap.has(key)) {
               violationMap.set(key, violation);
             }
@@ -194,7 +196,9 @@ class S031Analyzer {
         // Add to violation map with deduplication
         regexViolations.forEach((violation) => {
-          const key = `${violation.line}:${violation.column}:${violation.message}`;
+          // Create a cookie-specific key to allow multiple violations for same cookie at different locations
+          const cookieName = this.extractCookieName(violation.message) || "";
+          const key = `cookie:${cookieName}:line:${violation.line}:secure`;
           if (!violationMap.has(key)) {
             violationMap.set(key, violation);
           }
@@ -228,6 +232,20 @@ class S031Analyzer {
     return finalViolations;
   }
+  /**
+   * Extract cookie name from violation message for better deduplication
+   */
+  extractCookieName(message) {
+    try {
+      const match = message.match(
+        /Session cookie "([^"]+)"|Session cookie from "([^"]+)"/
+      );
+      return match ? match[1] || match[2] : "";
+    } catch (error) {
+      return "";
+    }
+  }
   /**
    * Clean up resources