@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S040_session_fixation_protection/analyzer.js

@@ -0,0 +1,153 @@
+const fs = require('fs');
+
+class S040Analyzer {
+  constructor() {
+    this.ruleId = 'S040';
+    this.ruleName = 'Session Fixation Protection';
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      // Skip test files
+      if (this.isTestFile(filePath)) {
+        continue;
+      }
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`S040: Error analyzing ${filePath}:`, error.message);
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  isTestFile(filePath) {
+    const testPatterns = [
+      /\.test\.(ts|tsx|js|jsx|php|py)$/,
+      /\.spec\.(ts|tsx|js|jsx|php|py)$/,
+      /__tests__\//,
+      /__mocks__\//,
+      /\/tests?\//,
+    ];
+    return testPatterns.some(p => p.test(filePath));
+  }
+
+  analyzeFile(content, filePath) {
+    const violations = [];
+
+    // Find login/authentication functions
+    const loginFunctions = this.findLoginFunctions(content);
+
+    loginFunctions.forEach(({ startLine, endLine, functionContent, functionName }) => {
+      // Check if session is regenerated
+      if (!this.hasSessionRegeneration(functionContent)) {
+        violations.push({
+          file: filePath,
+          line: startLine,
+          column: 1,
+          message: `Login function '${functionName}' does not regenerate session - vulnerable to Session Fixation. Use session.regenerate(), req.session.regenerate(), or create new JWT token.`,
+          severity: 2, // error
+          ruleId: this.ruleId,
+        });
+      }
+    });
+
+    return violations;
+  }
+
+  findLoginFunctions(content) {
+    const functions = [];
+    const lines = content.split(/\r?\n/);
+
+    // Patterns that indicate login/authentication functions
+    const loginPatterns = [
+      /(?:async\s+)?(?:function\s+)?(\w*login\w*|authenticate\w*|signin\w*)\s*\(/gi,
+      /(?:const|let|var)\s+(\w*login\w*|authenticate\w*|signin\w*)\s*=\s*(?:async\s+)?\(/gi,
+      /@Post\s*\(\s*['"`]\/?(login|signin|authenticate)/gi,
+      /router\.\w+\s*\(\s*['"`]\/?(login|signin|authenticate)/gi,
+    ];
+
+    let currentFunction = null;
+    let braceCount = 0;
+
+    lines.forEach((line, index) => {
+      // Check if this line starts a login function
+      if (!currentFunction) {
+        loginPatterns.forEach(pattern => {
+          const match = line.match(pattern);
+          if (match) {
+            currentFunction = {
+              startLine: index + 1,
+              functionName: match[1] || 'anonymous',
+              functionContent: '',
+            };
+            braceCount = 0;
+          }
+        });
+      }
+
+      if (currentFunction) {
+        currentFunction.functionContent += line + '\n';
+
+        // Count braces to find function end
+        braceCount += (line.match(/\{/g) || []).length;
+        braceCount -= (line.match(/\}/g) || []).length;
+
+        if (braceCount === 0 && currentFunction.functionContent.includes('{')) {
+          currentFunction.endLine = index + 1;
+          functions.push(currentFunction);
+          currentFunction = null;
+        }
+      }
+    });
+
+    return functions;
+  }
+
+  hasSessionRegeneration(functionContent) {
+    // Patterns that indicate session regeneration
+    const regenerationPatterns = [
+      /session\.regenerate\s*\(/,
+      /req\.session\.regenerate\s*\(/,
+      /request\.session\.regenerate\s*\(/,
+      /sessionStore\.regenerate\s*\(/,
+
+      // Express-session
+      /session\.destroy.*session\.save/s,
+      /req\.session\.destroy.*new\s+session/s,
+
+      // JWT token creation (new token after login)
+      /jwt\.sign\s*\(/,
+      /generateToken\s*\(/,
+      /createToken\s*\(/,
+      /signToken\s*\(/,
+
+      // PHP session regeneration
+      /session_regenerate_id\s*\(/,
+      /session_destroy.*session_start/s,
+
+      // Python Flask/Django
+      /session\.regenerate\s*\(/,
+      /session\.clear\s*\(.*session\[/s,
+      /login_user.*renew=True/,
+
+      // Passport.js (implicitly regenerates)
+      /passport\.authenticate/,
+      /req\.login\s*\(/,
+    ];
+
+    return regenerationPatterns.some(pattern => pattern.test(functionContent));
+  }
+
+  cleanup() {}
+}
+
+module.exports = S040Analyzer;

package/rules/security/S040_session_fixation_protection/config.json

@@ -0,0 +1,20 @@
+{
+  "id": "S040",
+  "name": "Session Fixation Protection - Regenerate Session on Login",
+  "category": "security",
+  "description": "S040 - Prevent Session Fixation attacks by regenerating session tokens after successful authentication.",
+  "severity": "error",
+  "enabled": true,
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx", "**/*.php", "**/*.py"],
+    "exclude": [
+      "**/*.test.*",
+      "**/*.spec.*",
+      "__tests__/**",
+      "__mocks__/**",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  }
+}

package/rules/security/S042_require_re_authentication_for_long_lived/README.md

@@ -0,0 +1,83 @@
+## Rule C042
+**Title:** Require re-authentication for long-lived sessions or sensitive actions
+
+---
+
+### Objective
+Reduce the risk of session hijacking or privilege misuse by forcing re-authentication after long idle periods or before critical actions.
+
+### Details
+- **Persistent Login or "Remember Me":**
+  - Require re-login after X hours (e.g., 12h, 24h)
+  - Re-authenticate after inactivity (e.g., 30 mins)
+  - Require password or 2FA for sensitive actions (password change, payments)
+- **For JWT:**
+  - Use short-lived tokens with secure refresh logic
+- **Best Practice:**
+  - Do not flag as a violation if re-authentication logic exists in downstream service/common methods even when the immediate controller/service does not show it directly.
+
+### Applies to
+- All programming languages
+- Critical for backend/auth REST API development
+
+### Detection
+- Detect session configs with excessive lifetime (e.g., session maxAge > 24h, JWT expiresIn > 1h for access tokens)
+- Detect missing re-authentication check on sensitive actions (by function name or endpoint path)
+- Should NOT flag data objects (e.g., session DB records with expiresAt)
+- Should follow method call chains to detect delegated re-authentication (service/deep method etc.)
+
+### Tools/Validation
+- Manual code review
+- Static analysis (for JWT expiry, session policy)
+- Security functional tests
+- SonarQube (custom rule integration)
+
+---
+
+### Example: Clean vs Violation
+
+#### Clean (no violation)
+```typescript
+async changePassword(userId: string, currentPassword: string, newPassword: string) {
+  // Re-authentication logic via password verification
+  const user = await this.userRepository.findById(userId);
+  if (!await bcrypt.compare(currentPassword, user.passwordHash)) {
+    throw new UnauthorizedException();
+  }
+  // ...
+}
+```
+
+#### Violation (should be flagged)
+```typescript
+async changePassword(userId: string, newPassword: string) {
+  // No password verification
+  await this.userRepository.updatePassword(userId, newPassword);
+}
+```
+
+#### Violation (configuration)
+```js
+app.use(session({ cookie: { maxAge: 90 * 24 * 60 * 60 * 1000 } })); // 90 days
+```
+
+---
+
+### Resources
+- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+- [JWT Best Practices](https://auth0.com/blog/jwt-best-practices/)
+
+### Severity
+Medium
+
+### Status
+Activated
+
+### Version
+1.0
+
+---
+
+### Labels
+- Security Custom Rules
+- documentation

package/rules/security/S042_require_re_authentication_for_long_lived/analyzer.js

@@ -0,0 +1,153 @@
+/**
+ * S042 Require re-authentication for long-lived sessions or sensitive actions
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Purpose: Reduce the risk of session hijacking or privilege misuse by forcing re-authentication after long idle periods or before critical actions.
+ * Command: node cli.js --rule=S042 --input=examples/rule-test-fixtures/rules/S042_require_re_authentication_for_long_lived --engine=heuristic --verbose
+ */
+
+const S042SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+
+class S042Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S042] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S042] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S042";
+    this.ruleName = "Require re-authentication for long-lived sessions or sensitive actions";
+    this.description =
+      "Reduce the risk of session hijacking or privilege misuse by forcing re-authentication after long idle periods or before critical actions.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    this.config = {
+      useSymbolBased: true,
+      fallbackToRegex: false,
+      regexBasedOnly: false,
+      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
+    };
+
+    try {
+      this.symbolAnalyzer = new S042SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S042] Symbol analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S042] Error creating symbol analyzer:`, error);
+    }
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+
+    // Initialize both analyzers
+    await this.symbolAnalyzer.initialize(semanticEngine);
+
+    // Ensure verbose flag is propagated
+    this.symbolAnalyzer.verbose = this.verbose;
+
+    if (this.verbose) {
+      console.log(`🔧 [S042 Hybrid] Analyzer initialized - verbose: ${this.verbose}`);
+    }
+  }
+
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S042] analyzeSingle() called for: ${filePath}`);
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S042] analyze() method called with ${files.length} files, language: ${language}`);
+    }
+
+    const violations = [];
+
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S042] Processing file: ${filePath}`);
+        }
+
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S042] File ${filePath}: Found ${fileViolations.length} violations`);
+        }
+      } catch (error) {
+        console.warn(`❌ [S042] Analysis failed for ${filePath}:`, error.message);
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S042] Total violations found: ${violations.length}`);
+    }
+
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S042] analyzeFile() called for: ${filePath}`);
+    }
+
+    // 1. Try Symbol-based analysis first (primary)
+    if (this.config.useSymbolBased &&
+        this.semanticEngine?.project &&
+        this.semanticEngine?.initialized) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S042] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S042] Source file found, analyzing with symbol-based...`);
+          }
+          const violations = await this.symbolAnalyzer.analyzeFileWithSymbols(filePath, { ...options, verbose: options.verbose });
+
+          // Mark violations with analysis strategy
+          violations.forEach(v => v.analysisStrategy = 'symbol-based');
+
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`✅ [S042] Symbol-based analysis: ${violations.length} violations`);
+          }
+          return violations; // Return even if 0 violations - symbol analysis completed successfully
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`⚠️ [S042] Source file not found in project`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠️ [S042] Symbol analysis failed: ${error.message}`);
+        // Continue to fallback
+      }
+    } else {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔄 [S042] Symbol analysis conditions check:`);
+        console.log(`  - useSymbolBased: ${this.config.useSymbolBased}`);
+        console.log(`  - semanticEngine: ${!!this.semanticEngine}`);
+        console.log(`  - semanticEngine.project: ${!!this.semanticEngine?.project}`);
+        console.log(`  - semanticEngine.initialized: ${this.semanticEngine?.initialized}`);
+        console.log(`🔄 [S042] Symbol analysis unavailable, using regex fallback`);
+      }
+    }
+
+    if (options?.verbose) {
+      console.log(`🔧 [S042] No analysis methods succeeded, returning empty`);
+    }
+    return [];
+  }
+}
+
+module.exports = S042Analyzer;

package/rules/security/S042_require_re_authentication_for_long_lived/config.json

@@ -0,0 +1,41 @@
+{
+  "id": "S042",
+  "name": "Require re-authentication for long-lived sessions or sensitive actions",
+  "category": "security",
+  "description": "S042 - Reduce the risk of session hijacking or privilege misuse by forcing re-authentication after long idle periods or before critical actions.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 1,
+    "timeout": 4000
+  },
+  "validation": {
+    "httpIndicators": [
+      "http://",
+      "require('http')",
+      "require(\"http\")",
+      "http.createServer"
+    ],
+    "httpsModules": ["https", "tls"],
+    "frameworks": ["express", "nextjs", "nuxtjs", "nestjs"]
+  }
+}