npm - @sun-asterisk/sunlint - Versions diffs - 1.3.26 → 1.3.28 - Mend

@sun-asterisk/sunlint 1.3.26 → 1.3.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/rules/security/S043_password_changes_invalidate_all_sessions/README.md ADDED Viewed

@@ -0,0 +1,107 @@
+# S043 - Password Changes Must Invalidate All Active Sessions
+## Overview
+**Rule ID:** S043
+**Severity:** Medium
+**Category:** Security
+**Status:** Activated
+**Version:** 1.0
+## Objective
+Ensure that attackers cannot continue using old session tokens after a password change. This rule enforces correct access control after sensitive password updates by requiring all active sessions to be invalidated.
+## Description
+When a user changes their password, all existing session tokens, JWT tokens, and cached credentials must be invalidated immediately. This prevents attackers who may have compromised an old session from continuing to access the account after the password has been changed.
+This rule performs **deep analysis** across multiple layers:
+- **Controller → Service → Repository → Third Party**
+- Traces up to 4 levels deep in the call chain
+- Resolves NestJS dependency injection to follow service calls
+- Detects session invalidation in any layer of the application
+## Violation Criteria
+A password change function is flagged if it does NOT:
+1. Invalidate all other active sessions (except current if necessary)
+2. Clear all session tokens from database, Redis, or memory storage
+3. For JWT: use token versioning or timestamp to revoke old tokens
+4. Require re-login across all devices
+5. Call logout or sign out operations
+6. Clear session cache (Redis, in-memory, etc.)
+7. Use third-party auth service global sign out (AWS Cognito, Auth0, Firebase)
+## Detected Patterns
+### ✅ Session Invalidation (PASS)
+The rule detects the following valid patterns:
+#### 1. Direct Session Invalidation Calls
+```typescript
+await sessionService.invalidateAllSessions(userId);
+await sessionService.clearAllSessions(userId);
+await sessionService.destroyAllSessions(userId);
+await sessionService.logoutAllDevices(userId);
+### 2. Database Session Deletion
+```typescript
+await sessionRepository.delete({ userId });
+await sessionRepository.deleteAllByUserId(userId);
+await this.sessionRepository
+  .createQueryBuilder()
+  .delete()
+  .where('userId = :userId', { userId })
+  .execute();
+```
+### 3. JWT Token Versioning
+```typescript
+user.tokenVersion = (user.tokenVersion || 0) + 1;
+user.tokenVersion++;
+await userRepository.update(userId, {
+  tokenVersion: () => 'tokenVersion + 1'
+});
+```
+### 4. Redis/Cache Clearing
+```typescript
+await redis.del(`session:${userId}:*`);
+await cacheManager.del(username);
+await redisService.clearUserSessions(userId);
+```
+### Deep Analysis Features
+```typescript
+// File: auth.controller.ts
+async changePassword(data) {
+  await this.authService.changePassword(data); // ← Traces into service
+}
+// File: auth.service.ts (different file)
+async changePassword(data) {
+  await this.userRepo.updatePassword(data);
+  await this.sessionService.clearAllSessions(data.userId); // ← Found! ✅
+}
+```
+### NestJS Dependency Injection Resolution
+```typescript
+@Injectable()
+export class AuthController {
+  constructor(
+    private readonly commonChangePasswordService: CommonChangePasswordService
+  ) {}
+  async changePassword() {
+    // Resolves: commonChangePasswordService → CommonChangePasswordService class
+    await this.commonChangePasswordService.changePassword();
+    // ↓ Deep traces into CommonChangePasswordService.changePassword() method
+  }
+}
+```

package/rules/security/S043_password_changes_invalidate_all_sessions/analyzer.js ADDED Viewed

@@ -0,0 +1,153 @@
+/**
+ * S043 Password changes must invalidate all other login sessions
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Purpose: Ensure attackers cannot continue using old session tokens after a password change. Enforce correct access control after sensitive updates.
+ * Command: node cli.js --rule=S043 --input=examples/rule-test-fixtures/rules/S043_password_changes_invalidate_all_sessions --engine=heuristic --verbose
+ */
+const S043SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+class S043Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S043] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S043] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+    this.ruleId = "S043";
+    this.ruleName = "Password changes must invalidate all other login sessions";
+    this.description =
+      "Ensure attackers cannot continue using old session tokens after a password change. Enforce correct access control after sensitive updates.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    this.config = {
+      useSymbolBased: true,
+      fallbackToRegex: false,
+      regexBasedOnly: false,
+      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
+    };
+    try {
+      this.symbolAnalyzer = new S043SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S043] Symbol analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S043] Error creating symbol analyzer:`, error);
+    }
+  }
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+    // Initialize both analyzers
+    await this.symbolAnalyzer.initialize(semanticEngine);
+    // Ensure verbose flag is propagated
+    this.symbolAnalyzer.verbose = this.verbose;
+    if (this.verbose) {
+      console.log(`🔧 [S043 Hybrid] Analyzer initialized - verbose: ${this.verbose}`);
+    }
+  }
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S043] analyzeSingle() called for: ${filePath}`);
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S043] analyze() method called with ${files.length} files, language: ${language}`);
+    }
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S043] Processing file: ${filePath}`);
+        }
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S043] File ${filePath}: Found ${fileViolations.length} violations`);
+        }
+      } catch (error) {
+        console.warn(`❌ [S043] Analysis failed for ${filePath}:`, error.message);
+      }
+    }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S043] Total violations found: ${violations.length}`);
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S043] analyzeFile() called for: ${filePath}`);
+    }
+    // 1. Try Symbol-based analysis first (primary)
+    if (this.config.useSymbolBased &&
+        this.semanticEngine?.project &&
+        this.semanticEngine?.initialized) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S043] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S043] Source file found, analyzing with symbol-based...`);
+          }
+          const violations = await this.symbolAnalyzer.analyzeFileWithSymbols(filePath, { ...options, verbose: options.verbose });
+          // Mark violations with analysis strategy
+          violations.forEach(v => v.analysisStrategy = 'symbol-based');
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`✅ [S043] Symbol-based analysis: ${violations.length} violations`);
+          }
+          return violations; // Return even if 0 violations - symbol analysis completed successfully
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`⚠️ [S043] Source file not found in project`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠️ [S043] Symbol analysis failed: ${error.message}`);
+        // Continue to fallback
+      }
+    } else {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔄 [S043] Symbol analysis conditions check:`);
+        console.log(`  - useSymbolBased: ${this.config.useSymbolBased}`);
+        console.log(`  - semanticEngine: ${!!this.semanticEngine}`);
+        console.log(`  - semanticEngine.project: ${!!this.semanticEngine?.project}`);
+        console.log(`  - semanticEngine.initialized: ${this.semanticEngine?.initialized}`);
+        console.log(`🔄 [S043] Symbol analysis unavailable, using regex fallback`);
+      }
+    }
+    if (options?.verbose) {
+      console.log(`🔧 [S043] No analysis methods succeeded, returning empty`);
+    }
+    return [];
+  }
+}
+module.exports = S043Analyzer;

package/rules/security/S043_password_changes_invalidate_all_sessions/config.json ADDED Viewed

@@ -0,0 +1,41 @@
+{
+  "id": "S043",
+  "name": "Password changes must invalidate all other login sessions",
+  "category": "security",
+  "description": "S043 - Ensure attackers cannot continue using old session tokens after a password change. Enforce correct access control after sensitive updates.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 1,
+    "timeout": 4000
+  },
+  "validation": {
+    "httpIndicators": [
+      "http://",
+      "require('http')",
+      "require(\"http\")",
+      "http.createServer"
+    ],
+    "httpsModules": ["https", "tls"],
+    "frameworks": ["express", "nextjs", "nuxtjs", "nestjs"]
+  }
+}