@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S042_require_re_authentication_for_long_lived/symbol-based-analyzer.js

@@ -0,0 +1,1139 @@
+/**
+ * S042
+ * Require re-authentication for long-lived sessions or sensitive actions
+ * Objective: Reduce the risk of session hijacking or privilege misuse by forcing
+ * re-authentication after long idle periods or before critical actions.
+ * 1. Excessive Session Duration: Detects sessions configured for more than 24 hours
+ * 2. JWT Without Expiration: Identifies JWT tokens created without expiry times
+ * 3. Excessive JWT Expiration: Flags access tokens with expiry > 1 hour
+ * 4. Sensitive Actions Without Re-auth: Detects functions like password changes without re-authentication
+ * 5. Persistent Sessions Without Re-auth: Flags "Remember Me" features without proper security
+ * 6. Missing Idle Timeout: Identifies session configurations without inactivity timeouts
+ */
+
+const { SyntaxKind } = require('ts-morph');
+
+class S042SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S042";
+    this.ruleName = 'Require re-authentication for long-lived sessions or sensitive actions';
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+    this.skipPatterns = [
+      /\/node_modules\//,
+      /\/tests?\//,
+      /\/dist\//,
+      /\/build\//,
+      /\.spec\.ts$/,
+      /\.test\.ts$/
+    ];
+
+    // Sensitive action patterns
+    this.sensitiveActions = [
+      /password.*change/i,
+      /update.*password/i,
+      /change.*password/i,
+      /reset.*password/i,
+      /delete.*account/i,
+      /remove.*account/i,
+      /payment/i,
+      /transfer.*fund/i,
+      /withdraw/i,
+      /deposit/i,
+      /update.*email/i,
+      /change.*email/i,
+      /two.*factor/i,
+      /2fa/i,
+      /security.*setting/i,
+      /role.*change/i,
+      /admin.*action/i
+    ];
+
+    // Session MIDDLEWARE configuration keys (express-session, cookie-session, etc.)
+    this.sessionConfigKeys = [
+      'secret',
+      'resave',
+      'saveUninitialized',
+      'cookie',
+      'rolling',
+      'store',
+      'genid',
+      'name',
+      'proxy',
+      'unset'
+    ];
+
+    // JWT configuration patterns
+    this.jwtConfigKeys = [
+      'expiresIn',
+      'expiry',
+      'exp',
+      'maxAge',
+      'tokenExpiration'
+    ];
+
+    // Time thresholds (in milliseconds)
+    this.MAX_SESSION_AGE = 24 * 60 * 60 * 1000; // 24 hours
+    this.MAX_IDLE_TIME = 30 * 60 * 1000; // 30 minutes
+    this.MAX_JWT_EXPIRY = 60 * 60 * 1000; // 1 hour for access tokens
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S042 Symbol-Based] Analyzer initialized, verbose: ${this.verbose}`);
+    }
+  }
+
+  async analyzeFileBasic(filePath, options = {}) {
+    return await this.analyzeFileWithSymbols(filePath, options);
+  }
+
+  analyzeFileWithSymbols(filePath, options = {}) {
+    const violations = [];
+    const verbose = options.verbose || this.verbose;
+
+    if (!this.semanticEngine?.project) {
+      if (verbose) {
+        console.warn('[S042 Symbol-Based] No semantic engine available, skipping analysis');
+      }
+      return violations;
+    }
+
+    if (this.shouldIgnoreFile(filePath)) {
+      if (verbose) console.log(`[${this.ruleId}] Ignoring ${filePath}`);
+      return violations;
+    }
+
+    if (verbose) {
+      console.log(`🔍 [S042 Symbol-Based] Starting analysis for ${filePath}`);
+    }
+
+    try {
+      const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      if (!sourceFile) {
+        return violations;
+      }
+
+      // Check for session configuration issues
+      violations.push(...this.checkSessionConfiguration(sourceFile, verbose));
+
+      // Check for JWT configuration issues
+      violations.push(...this.checkJWTConfiguration(sourceFile, verbose));
+
+      // Check for sensitive actions without re-authentication
+      violations.push(...this.checkSensitiveActions(sourceFile, verbose));
+
+      // Check for Remember Me implementations
+      violations.push(...this.checkRememberMeImplementation(sourceFile, verbose));
+
+      // Check for idle timeout implementation
+      violations.push(...this.checkIdleTimeoutImplementation(sourceFile, verbose));
+
+      return violations;
+    } catch (error) {
+      if (verbose) {
+        console.warn(`[S042 Symbol-Based] Analysis failed for ${filePath}:`, error.message);
+      }
+      return violations;
+    }
+  }
+
+  checkSessionConfiguration(sourceFile, verbose) {
+    const violations = [];
+
+    // Find all object literals that might be session configuration
+    const objectLiterals = sourceFile.getDescendantsOfKind(SyntaxKind.ObjectLiteralExpression);
+
+    for (const objLiteral of objectLiterals) {
+      // Get context to understand what this object is for
+      const context = this.getObjectContext(objLiteral);
+
+      // Skip if this is clearly not a session middleware config
+      if (this.isSessionDataModel(context, objLiteral)) {
+        continue;
+      }
+
+      const properties = objLiteral.getProperties();
+      const sessionConfig = this.extractSessionConfig(properties, objLiteral, context);
+
+      // Only process if this is actually a session MIDDLEWARE configuration
+      if (sessionConfig.isSessionConfig) {
+        // Check for excessively long session duration
+        if (sessionConfig.maxAge && sessionConfig.maxAge > this.MAX_SESSION_AGE) {
+          const node = sessionConfig.maxAgeNode;
+          const startLine = node.getStartLineNumber();
+
+          violations.push({
+            ruleId: this.ruleId,
+            ruleName: this.ruleName,
+            severity: 'medium',
+            message: `Session maxAge is too long (${this.formatDuration(sessionConfig.maxAge)}). Consider limiting to 24 hours or less for security.`,
+            line: startLine,
+            column: node.getStart() - node.getStartLinePos() + 1,
+            filePath: sourceFile.getFilePath(),
+            type: 'EXCESSIVE_SESSION_DURATION',
+            details: `Long-lived sessions increase the risk of session hijacking. Recommended maximum: ${this.formatDuration(this.MAX_SESSION_AGE)}`
+          });
+        }
+
+        // Check if persistent/rememberMe is enabled without limits
+        if (sessionConfig.isPersistent && !sessionConfig.hasReauthCheck) {
+          const node = sessionConfig.persistentNode;
+          const startLine = node.getStartLineNumber();
+
+          violations.push({
+            ruleId: this.ruleId,
+            ruleName: this.ruleName,
+            severity: 'medium',
+            message: `Persistent session (Remember Me) enabled without re-authentication requirements for sensitive actions.`,
+            line: startLine,
+            column: node.getStart() - node.getStartLinePos() + 1,
+            filePath: sourceFile.getFilePath(),
+            type: 'PERSISTENT_SESSION_WITHOUT_REAUTH',
+            details: 'Persistent sessions should require re-authentication for sensitive operations like password changes or payments.'
+          });
+        }
+
+        // Check for missing idle timeout
+        if (!sessionConfig.hasIdleTimeout) {
+          const node = objLiteral;
+          const startLine = node.getStartLineNumber();
+
+          violations.push({
+            ruleId: this.ruleId,
+            ruleName: this.ruleName,
+            severity: 'medium',
+            message: `Session configuration missing idle timeout. Consider adding inactivity-based expiration.`,
+            line: startLine,
+            column: node.getStart() - node.getStartLinePos() + 1,
+            filePath: sourceFile.getFilePath(),
+            type: 'MISSING_IDLE_TIMEOUT',
+            details: `Recommended idle timeout: ${this.formatDuration(this.MAX_IDLE_TIME)} or less. Use 'rolling: true' or 'idleTimeout' option.`
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  isSessionDataModel(context, objLiteral) {
+    // Check if this is a data model object (not middleware config)
+    if (context) {
+      // Repository/database operations
+      if (context.match(/repository|repo|model|entity|database|db|create|save|update|insert/i)) {
+        return true;
+      }
+    }
+
+    // Check if object has data model indicators
+    const properties = objLiteral.getProperties();
+    const propNames = properties
+      .filter(p => p.getKind() === SyntaxKind.PropertyAssignment)
+      .map(p => p.getName());
+
+    // Data model indicators
+    const dataModelKeys = ['userId', 'token', 'expiresAt', 'createdAt', 'updatedAt', 'id'];
+    const hasDataModelKeys = propNames.filter(name =>
+      dataModelKeys.some(key => name === key)
+    ).length >= 2;
+
+    return hasDataModelKeys;
+  }
+
+  extractSessionConfig(properties, objLiteral, context) {
+    const config = {
+      isSessionConfig: false,
+      maxAge: null,
+      maxAgeNode: null,
+      isPersistent: false,
+      persistentNode: null,
+      hasReauthCheck: false,
+      hasIdleTimeout: false
+    };
+
+    let sessionKeyCount = 0;
+    let jwtKeyCount = 0;
+
+    for (const prop of properties) {
+      if (prop.getKind() !== SyntaxKind.PropertyAssignment) continue;
+
+      const name = prop.getName();
+      const initializer = prop.getInitializer();
+
+      // Count session-specific keys
+      if (this.sessionConfigKeys.some(key => name === key)) {
+        sessionKeyCount++;
+      }
+
+      // Count JWT-specific keys
+      if (this.jwtConfigKeys.some(key => name === key)) {
+        jwtKeyCount++;
+      }
+
+      // Check maxAge/expires in cookie object
+      if (name === 'cookie' && initializer && initializer.getKind() === SyntaxKind.ObjectLiteralExpression) {
+        const cookieProps = initializer.getProperties();
+        for (const cookieProp of cookieProps) {
+          if (cookieProp.getKind() !== SyntaxKind.PropertyAssignment) continue;
+
+          const cookiePropName = cookieProp.getName();
+          const cookieInitializer = cookieProp.getInitializer();
+
+          if (cookiePropName === 'maxAge') {
+            const value = this.extractNumericValue(cookieInitializer);
+            if (value !== null) {
+              config.maxAge = value;
+              config.maxAgeNode = cookieProp;
+            }
+          }
+        }
+      }
+
+      // Check for persistent/rememberMe (but only if not in a data model context)
+      if (name.match(/persistent|rememberMe/i) && name !== 'requiresReauthForSensitiveActions') {
+        const value = this.extractBooleanValue(initializer);
+        if (value === true) {
+          config.isPersistent = true;
+          config.persistentNode = prop;
+        }
+      }
+
+      // Check for idle timeout or rolling sessions
+      if (name.match(/idleTimeout|idle/i)) {
+        config.hasIdleTimeout = true;
+      }
+
+      if (name === 'rolling') {
+        const value = this.extractBooleanValue(initializer);
+        if (value === true) {
+          config.hasIdleTimeout = true;
+        }
+      }
+
+      // Check for re-authentication flags
+      if (name.match(/reauth|reauthenticate|requireAuth|requiresReauthForSensitiveActions/i)) {
+        config.hasReauthCheck = true;
+      }
+    }
+
+    // Determine if this is a session MIDDLEWARE config based on:
+    // 1. Has multiple session-specific keys
+    // 2. Context indicates session middleware
+    // 3. NOT dominated by JWT keys
+    if (sessionKeyCount >= 2 && jwtKeyCount < sessionKeyCount) {
+      config.isSessionConfig = true;
+    }
+
+    // Strong indicator: context mentions session middleware
+    if (context && context.match(/session\(|express.*session|cookie.*session|getSessionConfig|sessionConfig|sessionOptions|sessionMiddleware/i)) {
+      // Only mark as session config if it has at least one session key
+      if (sessionKeyCount >= 1) {
+        config.isSessionConfig = true;
+      }
+    }
+
+    return config;
+  }
+
+  getObjectContext(objLiteral) {
+    // Get the parent context to understand what this object is for
+    let parent = objLiteral.getParent();
+    let depth = 0;
+
+    while (parent && depth < 5) {
+      const kind = parent.getKind();
+
+      // Check variable declaration
+      if (kind === SyntaxKind.VariableDeclaration) {
+        const name = parent.getNameNode()?.getText();
+        return name;
+      }
+
+      // Check call expression (e.g., session(config), repository.create(data))
+      if (kind === SyntaxKind.CallExpression) {
+        const expr = parent.getExpression();
+        return expr.getText();
+      }
+
+      // Check property assignment
+      if (kind === SyntaxKind.PropertyAssignment) {
+        return parent.getName();
+      }
+
+      // Check method declaration
+      if (kind === SyntaxKind.MethodDeclaration) {
+        const name = parent.getNameNode()?.getText();
+        return name;
+      }
+
+      // Check return statement
+      if (kind === SyntaxKind.ReturnStatement) {
+        // Look for the parent function name
+        const func = parent.getParent();
+        if (func && (func.getKind() === SyntaxKind.MethodDeclaration ||
+                     func.getKind() === SyntaxKind.FunctionDeclaration)) {
+          const funcName = func.getNameNode()?.getText();
+          return funcName;
+        }
+      }
+
+      parent = parent.getParent();
+      depth++;
+    }
+
+    return null;
+  }
+
+  checkJWTConfiguration(sourceFile, verbose) {
+    const violations = [];
+
+    // Find JWT signing/creation patterns
+    const callExpressions = sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression);
+
+    for (const callExpr of callExpressions) {
+      const expression = callExpr.getExpression();
+      const expressionText = expression.getText();
+
+      // Check for jwt.sign() or similar
+      if (this.isJWTSignCall(expressionText)) {
+        const args = callExpr.getArguments();
+
+        if (args.length === 0) {
+          continue; // Skip if no arguments
+        }
+
+        // Determine which argument contains options
+        const optionsArg = this.findJWTOptionsArgument(args, expressionText);
+
+        if (!optionsArg) {
+          // No options argument found at all
+          const startLine = callExpr.getStartLineNumber();
+
+          violations.push({
+            ruleId: this.ruleId,
+            ruleName: this.ruleName,
+            severity: 'high',
+            message: `JWT token created without expiration configuration. Add expiresIn option.`,
+            line: startLine,
+            column: callExpr.getStart() - callExpr.getStartLinePos() + 1,
+            filePath: sourceFile.getFilePath(),
+            type: 'JWT_MISSING_OPTIONS',
+            details: 'Example: jwt.sign(payload, secret, { expiresIn: "1h" }) or jwtService.sign(payload, { expiresIn: "1h" })'
+          });
+          continue;
+        }
+
+        // Check if options argument is an object literal
+        if (optionsArg.getKind() === SyntaxKind.ObjectLiteralExpression) {
+          const jwtConfig = this.extractJWTConfig(optionsArg);
+
+          // Check for missing expiration
+          if (!jwtConfig.hasExpiration) {
+            const startLine = callExpr.getStartLineNumber();
+
+            violations.push({
+              ruleId: this.ruleId,
+              ruleName: this.ruleName,
+              severity: 'high',
+              message: `JWT token created without expiration time. Tokens should have short expiry (e.g., 1 hour).`,
+              line: startLine,
+              column: callExpr.getStart() - callExpr.getStartLinePos() + 1,
+              filePath: sourceFile.getFilePath(),
+              type: 'JWT_WITHOUT_EXPIRATION',
+              details: 'JWTs without expiration can be used indefinitely if compromised. Use short-lived access tokens with refresh token mechanism.'
+            });
+          }
+
+          // Check for excessively long JWT expiration (only for access tokens, not refresh tokens)
+          if (jwtConfig.expirationValue && jwtConfig.expirationValue > this.MAX_JWT_EXPIRY) {
+            // Check if this might be a refresh token (look for 'refresh' in variable names or comments)
+            const isLikelyRefreshToken = this.isLikelyRefreshToken(callExpr);
+
+            if (!isLikelyRefreshToken) {
+              const startLine = jwtConfig.expirationNode.getStartLineNumber();
+
+              violations.push({
+                ruleId: this.ruleId,
+                ruleName: this.ruleName,
+                severity: 'medium',
+                message: `JWT expiration is too long (${this.formatDuration(jwtConfig.expirationValue)}). Access tokens should expire within 1 hour.`,
+                line: startLine,
+                column: jwtConfig.expirationNode.getStart() - jwtConfig.expirationNode.getStartLinePos() + 1,
+                filePath: sourceFile.getFilePath(),
+                type: 'EXCESSIVE_JWT_EXPIRATION',
+                details: `Use short-lived access tokens (${this.formatDuration(this.MAX_JWT_EXPIRY)} or less) with refresh token rotation.`
+              });
+            }
+          }
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  findJWTOptionsArgument(args, expressionText) {
+    // For @nestjs/jwt JwtService.sign(payload, options)
+    // The options is the second argument (index 1)
+    if (expressionText.includes('jwtService') || expressionText.includes('JwtService')) {
+      return args[1] || null;
+    }
+
+    // For jsonwebtoken jwt.sign(payload, secret, options)
+    // The options is the third argument (index 2)
+    if (expressionText.match(/jwt\.sign|JWT\.sign/)) {
+      return args[2] || null;
+    }
+
+    // Default: check both positions
+    // Try third argument first (jsonwebtoken style)
+    if (args[2] && args[2].getKind() === SyntaxKind.ObjectLiteralExpression) {
+      return args[2];
+    }
+
+    // Try second argument (NestJS style)
+    if (args[1] && args[1].getKind() === SyntaxKind.ObjectLiteralExpression) {
+      return args[1];
+    }
+
+    return null;
+  }
+
+  isLikelyRefreshToken(callExpr) {
+    // Check parent variable declaration
+    const parent = callExpr.getParent();
+
+    if (parent) {
+      // Check variable name
+      if (parent.getKind() === SyntaxKind.VariableDeclaration) {
+        const varName = parent.getNameNode()?.getText() || '';
+        if (varName.toLowerCase().includes('refresh')) {
+          return true;
+        }
+      }
+
+      // Check property assignment
+      if (parent.getKind() === SyntaxKind.PropertyAssignment) {
+        const propName = parent.getName();
+        if (propName.toLowerCase().includes('refresh')) {
+          return true;
+        }
+      }
+    }
+
+    // Check preceding comments
+    const sourceFile = callExpr.getSourceFile();
+    const fullText = sourceFile.getFullText();
+    const pos = callExpr.getStart();
+    const precedingText = fullText.substring(Math.max(0, pos - 200), pos);
+
+    if (precedingText.toLowerCase().includes('refresh')) {
+      return true;
+    }
+
+    return false;
+  }
+
+  extractJWTConfig(optionsNode) {
+    const config = {
+      hasExpiration: false,
+      expirationValue: null,
+      expirationNode: null
+    };
+
+    if (optionsNode.getKind() !== SyntaxKind.ObjectLiteralExpression) {
+      return config;
+    }
+
+    const properties = optionsNode.getProperties();
+
+    for (const prop of properties) {
+      if (prop.getKind() !== SyntaxKind.PropertyAssignment) continue;
+
+      const name = prop.getName();
+      const initializer = prop.getInitializer();
+
+      if (this.jwtConfigKeys.some(key => name === key)) {
+        config.hasExpiration = true;
+        config.expirationNode = prop;
+
+        // Try to extract numeric value
+        const value = this.extractTimeValue(initializer);
+        if (value !== null) {
+          config.expirationValue = value;
+        }
+      }
+    }
+
+    return config;
+  }
+
+  checkSensitiveActions(sourceFile, verbose) {
+    const violations = [];
+
+    // Find function/method declarations
+    const functions = [
+      ...sourceFile.getDescendantsOfKind(SyntaxKind.FunctionDeclaration),
+      ...sourceFile.getDescendantsOfKind(SyntaxKind.MethodDeclaration),
+      ...sourceFile.getDescendantsOfKind(SyntaxKind.ArrowFunction)
+    ];
+
+    for (const func of functions) {
+      const funcName = this.getFunctionName(func);
+
+      if (!funcName) continue;
+
+      // Check if function name suggests sensitive action
+      if (this.isSensitiveAction(funcName)) {
+        const hasReauth = this.checkForReauthentication(func);
+
+        if (!hasReauth) {
+          const startLine = func.getStartLineNumber();
+
+          // Provide more context in the message
+          const params = func.getParameters().map(p => p.getName()).join(', ');
+          const hasPasswordParam = params.match(/password|auth|verify|confirm/i);
+
+          let suggestion = 'Sensitive operations like password changes, payments, or account deletion should require recent authentication or password verification.';
+
+          if (!hasPasswordParam) {
+            suggestion += ' Consider adding a currentPassword or twoFactorCode parameter.';
+          } else {
+            suggestion += ' Ensure the password parameter is verified against the user\'s current password.';
+          }
+
+          violations.push({
+            ruleId: this.ruleId,
+            ruleName: this.ruleName,
+            severity: 'high',
+            message: `Sensitive action '${funcName}' does not appear to require re-authentication.`,
+            line: startLine,
+            column: func.getStart() - func.getStartLinePos() + 1,
+            filePath: sourceFile.getFilePath(),
+            type: 'SENSITIVE_ACTION_WITHOUT_REAUTH',
+            details: suggestion
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  checkRememberMeImplementation(sourceFile, verbose) {
+    const violations = [];
+
+    const allNodes = sourceFile.getDescendantsOfKind(SyntaxKind.Identifier);
+    const processedLines = new Set(); // Avoid duplicate violations on same line
+
+    for (const node of allNodes) {
+      const text = node.getText();
+
+      if (text.match(/rememberMe|remember_me|persistentLogin/i)) {
+        const startLine = node.getStartLineNumber();
+
+        // Skip if already reported on this line
+        if (processedLines.has(startLine)) {
+          continue;
+        }
+
+        // Check if there's nearby re-authentication logic
+        const parent = this.findRelevantParent(node);
+
+        if (parent) {
+          const hasReauthLogic = this.hasReauthenticationLogic(parent);
+
+          if (!hasReauthLogic) {
+            processedLines.add(startLine);
+
+            violations.push({
+              ruleId: this.ruleId,
+              ruleName: this.ruleName,
+              severity: 'medium',
+              message: `Remember Me feature implemented without apparent re-authentication requirements.`,
+              line: startLine,
+              column: node.getStart() - node.getStartLinePos() + 1,
+              filePath: sourceFile.getFilePath(),
+              type: 'REMEMBER_ME_WITHOUT_REAUTH',
+              details: 'Remember Me sessions should require re-authentication after a maximum period (e.g., 24 hours) or before sensitive actions.'
+            });
+          }
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  checkIdleTimeoutImplementation(sourceFile, verbose) {
+    const violations = [];
+
+    // Look for session middleware or configuration
+    const hasSessionConfig = this.hasSessionConfiguration(sourceFile);
+    const hasIdleTimeout = this.hasIdleTimeoutLogic(sourceFile);
+
+    if (hasSessionConfig && !hasIdleTimeout) {
+      violations.push({
+        ruleId: this.ruleId,
+        ruleName: this.ruleName,
+        severity: 'medium',
+        message: `Session management detected but no idle timeout implementation found.`,
+        line: 1,
+        column: 1,
+        filePath: sourceFile.getFilePath(),
+        type: 'MISSING_IDLE_TIMEOUT_LOGIC',
+        details: `Implement idle timeout to automatically expire sessions after ${this.formatDuration(this.MAX_IDLE_TIME)} of inactivity.`
+      });
+    }
+
+    return violations;
+  }
+
+  // Helper methods
+
+  isJWTSignCall(expressionText) {
+    return expressionText.match(/jwt\.sign|jsonwebtoken\.sign|JWT\.sign|jwtService\.sign|JwtService\.sign/i) !== null;
+  }
+
+  isSensitiveAction(name) {
+    return this.sensitiveActions.some(pattern => pattern.test(name));
+  }
+
+  checkForReauthentication(functionNode) {
+    // First check: Does the function accept re-authentication parameters?
+    if (this.hasReauthenticationParameters(functionNode)) {
+      return true;
+    }
+
+    // Second check: Does the function body contain re-authentication logic?
+    const body = functionNode.getBody();
+    if (!body) return false;
+
+    const bodyText = body.getText();
+
+    // Direct re-authentication patterns
+    const reauthPatterns = [
+      /verifyPassword/i,
+      /checkPassword/i,
+      /requireAuth/i,
+      /reauth/i,
+      /verify.*credential/i,
+      /confirm.*password/i,
+      /validate.*password/i,
+      /authenticate.*again/i,
+      /require.*2fa/i,
+      /verify.*2fa/i,
+      /bcrypt\.compare/i,
+      /compareSync/i,
+      /passwordConfirmation/i,
+      /currentPassword/i,
+      /twoFactorCode/i
+    ];
+
+    if (reauthPatterns.some(pattern => pattern.test(bodyText))) {
+      return true;
+    }
+
+    // Third check: Does it call service methods that likely handle re-authentication?
+    if (this.callsReauthenticationService(functionNode)) {
+      return true;
+    }
+
+    return false;
+  }
+
+  hasReauthenticationParameters(functionNode) {
+    const parameters = functionNode.getParameters();
+
+    const reauthParamNames = [
+      'currentPassword',
+      'password',
+      'passwordConfirmation',
+      'oldPassword',
+      'verifyPassword',
+      'confirmPassword',
+      'twoFactorCode',
+      'twoFactorToken',
+      'otpCode',
+      'mfaCode',
+      'authCode',
+      'verificationCode'
+    ];
+
+    for (const param of parameters) {
+      const paramName = param.getName();
+
+      // Check if parameter name suggests re-authentication
+      if (reauthParamNames.some(name =>
+        paramName.toLowerCase().includes(name.toLowerCase())
+      )) {
+        return true;
+      }
+
+      // Check parameter type annotations for password-related types
+      const typeNode = param.getTypeNode();
+      if (typeNode) {
+        const typeText = typeNode.getText();
+        if (typeText.match(/password|auth|verification|2fa|mfa|otp/i)) {
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  callsReauthenticationService(functionNode) {
+    const body = functionNode.getBody();
+    if (!body) return false;
+
+    // Get all call expressions in the function
+    const callExpressions = body.getDescendantsOfKind(SyntaxKind.CallExpression);
+
+    for (const callExpr of callExpressions) {
+      const expression = callExpr.getExpression();
+      const callText = expression.getText();
+
+      // Check if calling a service method that handles re-authentication
+      const servicePatterns = [
+        /verifyPassword/i,
+        /checkPassword/i,
+        /validatePassword/i,
+        /authenticateUser/i,
+        /verifyCredentials/i,
+        /verify2FA/i,
+        /validateOTP/i,
+        /checkAuth/i,
+        /requireReauth/i,
+        /confirmIdentity/i,
+        /\.authenticate\(/i,
+        /\.verify\(/i,
+        /authService\./i,
+        /passwordService\./i,
+        /securityService\./i
+      ];
+
+      if (servicePatterns.some(pattern => pattern.test(callText))) {
+        return true;
+      }
+
+      // Check if the call passes password-related arguments
+      const args = callExpr.getArguments();
+      for (const arg of args) {
+        const argText = arg.getText();
+        if (argText.match(/currentPassword|passwordConfirmation|twoFactorCode|oldPassword/i)) {
+          return true;
+        }
+      }
+
+      // Try to resolve the called function and check its implementation
+      if (this.semanticEngine?.project) {
+        const resolvedFunction = this.tryResolveCalledFunction(callExpr);
+        if (resolvedFunction) {
+          // Recursively check if the called function has re-authentication logic
+          const resolvedBody = resolvedFunction.getBody();
+          if (resolvedBody) {
+            const resolvedBodyText = resolvedBody.getText();
+
+            const deepReauthPatterns = [
+              /bcrypt\.compare/i,
+              /compareSync/i,
+              /verifyPassword/i,
+              /checkPassword/i,
+              /verify.*2fa/i,
+              /totp\.verify/i,
+              /speakeasy\.verify/i,
+              /authenticator\.verify/i
+            ];
+
+            if (deepReauthPatterns.some(pattern => pattern.test(resolvedBodyText))) {
+              return true;
+            }
+          }
+        }
+      }
+    }
+
+    return false;
+  }
+
+  tryResolveCalledFunction(callExpr) {
+    try {
+      const expression = callExpr.getExpression();
+
+      // Handle property access expressions (e.g., this.authService.verifyPassword)
+      if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+        const nameNode = expression.getNameNode();
+        const methodName = nameNode.getText();
+
+        // Try to find the method definition
+        const sourceFile = callExpr.getSourceFile();
+
+        // Search in the same file
+        const methods = sourceFile.getDescendantsOfKind(SyntaxKind.MethodDeclaration);
+        for (const method of methods) {
+          const name = method.getName();
+          if (name === methodName) {
+            return method;
+          }
+        }
+
+        // Search for functions
+        const functions = sourceFile.getDescendantsOfKind(SyntaxKind.FunctionDeclaration);
+        for (const func of functions) {
+          const name = func.getName();
+          if (name === methodName) {
+            return func;
+          }
+        }
+
+        // Try to find in imported files (basic implementation)
+        const objectExpr = expression.getExpression();
+        if (objectExpr.getKind() === SyntaxKind.PropertyAccessExpression) {
+          const serviceName = objectExpr.getNameNode()?.getText();
+          if (serviceName) {
+            // Look for service injection and try to resolve
+            return this.findServiceMethod(sourceFile, serviceName, methodName);
+          }
+        }
+      }
+
+      // Handle direct function calls
+      if (expression.getKind() === SyntaxKind.Identifier) {
+        const functionName = expression.getText();
+        const sourceFile = callExpr.getSourceFile();
+
+        // Search for function declaration
+        const functions = sourceFile.getDescendantsOfKind(SyntaxKind.FunctionDeclaration);
+        for (const func of functions) {
+          if (func.getName() === functionName) {
+            return func;
+          }
+        }
+
+        // Search for arrow functions assigned to variables
+        const variables = sourceFile.getDescendantsOfKind(SyntaxKind.VariableDeclaration);
+        for (const variable of variables) {
+          if (variable.getName() === functionName) {
+            const initializer = variable.getInitializer();
+            if (initializer &&
+                (initializer.getKind() === SyntaxKind.ArrowFunction ||
+                 initializer.getKind() === SyntaxKind.FunctionExpression)) {
+              return initializer;
+            }
+          }
+        }
+      }
+    } catch (error) {
+      // Silently fail - resolution is best effort
+    }
+
+    return null;
+  }
+
+  findServiceMethod(sourceFile, serviceName, methodName) {
+    try {
+      // Look for constructor parameters (dependency injection)
+      const classes = sourceFile.getDescendantsOfKind(SyntaxKind.ClassDeclaration);
+
+      for (const classDecl of classes) {
+        const constructor = classDecl.getConstructors()[0];
+        if (!constructor) continue;
+
+        const params = constructor.getParameters();
+        for (const param of params) {
+          const paramName = param.getName();
+
+          // Check if this is the service we're looking for
+          if (paramName === serviceName || paramName.includes(serviceName)) {
+            const typeNode = param.getTypeNode();
+            if (!typeNode) continue;
+
+            const typeName = typeNode.getText();
+
+            // Try to find the service class in the project
+            if (this.semanticEngine?.project) {
+              const allSourceFiles = this.semanticEngine.project.getSourceFiles();
+
+              for (const file of allSourceFiles) {
+                const serviceClasses = file.getDescendantsOfKind(SyntaxKind.ClassDeclaration);
+
+                for (const serviceClass of serviceClasses) {
+                  const className = serviceClass.getName();
+                  if (className === typeName || typeName.includes(className)) {
+                    // Found the service class, now find the method
+                    const methods = serviceClass.getMethods();
+                    for (const method of methods) {
+                      if (method.getName() === methodName) {
+                        return method;
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    } catch (error) {
+      // Silently fail
+    }
+
+    return null;
+  }
+
+  getFunctionName(func) {
+    if (func.getKind() === SyntaxKind.FunctionDeclaration ||
+        func.getKind() === SyntaxKind.MethodDeclaration) {
+      const nameNode = func.getNameNode();
+      return nameNode ? nameNode.getText() : null;
+    }
+
+    // For arrow functions, try to get from parent variable declaration
+    const parent = func.getParent();
+    if (parent && parent.getKind() === SyntaxKind.VariableDeclaration) {
+      const nameNode = parent.getNameNode();
+      return nameNode ? nameNode.getText() : null;
+    }
+
+    return null;
+  }
+
+  findRelevantParent(node) {
+    let parent = node.getParent();
+    let depth = 0;
+
+    while (parent && depth < 5) {
+      const kind = parent.getKind();
+      if (kind === SyntaxKind.FunctionDeclaration ||
+          kind === SyntaxKind.MethodDeclaration ||
+          kind === SyntaxKind.ArrowFunction ||
+          kind === SyntaxKind.Block) {
+        return parent;
+      }
+      parent = parent.getParent();
+      depth++;
+    }
+
+    return null;
+  }
+
+  hasReauthenticationLogic(node) {
+    const text = node.getText();
+
+    const reauthKeywords = [
+      'reauth',
+      'verifyPassword',
+      'confirmPassword',
+      'requireAuth',
+      'checkPassword',
+      'validatePassword',
+      '2fa',
+      'twoFactor',
+      'requiresReauthForSensitiveActions'
+    ];
+
+    return reauthKeywords.some(keyword =>
+      text.toLowerCase().includes(keyword.toLowerCase())
+    );
+  }
+
+  hasSessionConfiguration(sourceFile) {
+    const text = sourceFile.getText();
+    return /session\(|express-session|cookie-session|getSessionConfig|sessionConfig/i.test(text);
+  }
+
+  hasIdleTimeoutLogic(sourceFile) {
+    const text = sourceFile.getText();
+    return /idle.*timeout|idleTimeout|inactivity|lastActivity|last.*access|rolling.*true|rolling:\s*true/i.test(text);
+  }
+
+  extractNumericValue(node) {
+    if (!node) return null;
+
+    if (node.getKind() === SyntaxKind.NumericLiteral) {
+      return parseInt(node.getText(), 10);
+    }
+
+    // Handle expressions like 1000 * 60 * 60
+    if (node.getKind() === SyntaxKind.BinaryExpression) {
+      try {
+        const text = node.getText();
+        // Simple eval for numeric expressions (be careful in production)
+        const value = Function(`"use strict"; return (${text})`)();
+        return typeof value === 'number' ? value : null;
+      } catch {
+        return null;
+      }
+    }
+
+    return null;
+  }
+
+  extractBooleanValue(node) {
+    if (!node) return null;
+
+    const kind = node.getKind();
+    if (kind === SyntaxKind.TrueKeyword) return true;
+    if (kind === SyntaxKind.FalseKeyword) return false;
+
+    return null;
+  }
+
+  extractTimeValue(node) {
+    if (!node) return null;
+
+    // Handle string literals like "1h", "24h", "30m"
+    if (node.getKind() === SyntaxKind.StringLiteral) {
+      const text = node.getText().replace(/['"]/g, '');
+      return this.parseTimeString(text);
+    }
+
+    // Handle numeric literals (assumed to be milliseconds)
+    return this.extractNumericValue(node);
+  }
+
+  parseTimeString(timeStr) {
+    const match = timeStr.match(/^(\d+)(ms|s|m|h|d|w|y)?$/i);
+    if (!match) return null;
+
+    const value = parseInt(match[1], 10);
+    const unit = (match[2] || 'ms').toLowerCase();
+
+    const multipliers = {
+      'ms': 1,
+      's': 1000,
+      'm': 60 * 1000,
+      'h': 60 * 60 * 1000,
+      'd': 24 * 60 * 60 * 1000,
+      'w': 7 * 24 * 60 * 60 * 1000,
+      'y': 365 * 24 * 60 * 60 * 1000
+    };
+
+    return value * (multipliers[unit] || 1);
+  }
+
+  formatDuration(ms) {
+    const seconds = ms / 1000;
+    const minutes = seconds / 60;
+    const hours = minutes / 60;
+    const days = hours / 24;
+
+    if (days >= 1) return `${days} day${days !== 1 ? 's' : ''}`;
+    if (hours >= 1) return `${hours} hour${hours !== 1 ? 's' : ''}`;
+    if (minutes >= 1) return `${Math.floor(minutes)} minute${Math.floor(minutes) !== 1 ? 's' : ''}`;
+    return `${Math.floor(seconds)} second${Math.floor(seconds) !== 1 ? 's' : ''}`;
+  }
+
+  shouldIgnoreFile(filePath) {
+    return this.skipPatterns.some((pattern) => pattern.test(filePath));
+  }
+}
+
+module.exports = S042SymbolBasedAnalyzer;