@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S043_password_changes_invalidate_all_sessions/symbol-based-analyzer.js

@@ -0,0 +1,541 @@
+/**
+ * S043
+ * Require re-authentication for long-lived sessions or sensitive actions
+ * Objective: Reduce the risk of session hijacking or privilege misuse by forcing
+ * Enforce correct access control after sensitive updates.
+ * 1. Detects password change functions by matching common naming patterns like changePassword, updatePassword, resetPassword, etc.
+ * 2. Checks for session invalidation through multiple methods:
+ *   - Direct session invalidation function calls
+ *   - Database/cache clear operations
+ *   - JWT token versioning or timestamp updates
+ *   - Function calls that might invalidate sessions
+ * 3. Reports violations when password change functions don't properly invalidate sessions, with detailed guidance on how to fix the issue.
+ * 4. Breaks down logic into smaller, focused functions:
+ *   - checkFunctionsAndMethods() - checks regular functions and class methods
+ *   - checkArrowFunctionsAndExpressions() - checks arrow functions and function expressions
+ *   - isPasswordChangeFunction() - identifies password change functions
+ *   - checkForSessionInvalidation() - main validation logic
+ *   - hasSessionInvalidationCall() - checks for direct invalidation calls
+ *   - hasSessionClearOperation() - checks for DB/cache operations
+ *   - hasTokenVersioningOrTimestamp() - checks for JWT versioning
+ *   - checkFunctionCallsForSessionInvalidation() - examines nested function calls
+ */
+
+const { SyntaxKind } = require('ts-morph');
+
+class S043SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S043";
+    this.ruleName = 'Password changes must invalidate all other login sessions';
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+    this.skipPatterns = [
+      /\/node_modules\//,
+      /\/tests?\//,
+      /\/dist\//,
+      /\/build\//,
+      /\.spec\.ts$/,
+      /\.test\.ts$/
+    ];
+
+    // Password change function patterns
+    this.passwordChangePatterns = [
+      'changePassword',
+      'updatePassword',
+      'resetPassword',
+      'setPassword',
+      'modifyPassword',
+      'passwordUpdate',
+      'changeUserPassword',
+      'updateUserPassword'
+    ];
+
+    // Session invalidation indicators
+    this.sessionInvalidationIndicators = [
+      'invalidateSession',
+      'clearSession',
+      'destroySession',
+      'deleteSession',
+      'removeSession',
+      'clearAllSessions',
+      'invalidateAllTokens',
+      'revokeAllTokens',
+      'deleteAllSessions',
+      'destroyAllSessions',
+      'clearUserSessions',
+      'deleteAllByUserId',
+      'logout',
+      'signOut',
+      'logoutAll',
+      'logoutAllDevices',
+      'signOutAll',
+      'revokeToken',
+      'revokeRefreshToken',
+      'invalidateToken',
+      'deleteToken',
+      'globalSignOut',
+      'adminUserGlobalSignOut',
+      'clearCache',
+      'deleteCache',
+      'removeCache'
+    ];
+
+    this.maxDepth = 4;
+    this.visited = new Set();
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+  }
+
+  async analyzeFileBasic(filePath, options = {}) {
+    return await this.analyzeFileWithSymbols(filePath, options);
+  }
+
+  analyzeFileWithSymbols(filePath, options = {}) {
+    const violations = [];
+
+    if (!this.semanticEngine?.project) {
+      return violations;
+    }
+
+    if (this.shouldIgnoreFile(filePath)) {
+      return violations;
+    }
+
+    try {
+      const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      if (!sourceFile) {
+        return violations;
+      }
+
+      // Check functions and methods
+      const functions = [
+        ...sourceFile.getFunctions(),
+        ...sourceFile.getClasses().flatMap(cls => cls.getMethods())
+      ];
+
+      for (const func of functions) {
+        const funcName = func.getName();
+        if (funcName && this.isPasswordChangeFunction(funcName)) {
+          this.visited.clear();
+          if (!this.hasSessionInvalidation(func, 0)) {
+            this.addViolation(sourceFile, func, violations, funcName);
+          }
+        }
+      }
+
+      // Check arrow functions
+      sourceFile.forEachDescendant((node) => {
+        if (node.getKind() === SyntaxKind.ArrowFunction ||
+            node.getKind() === SyntaxKind.FunctionExpression) {
+          const parent = node.getParent();
+          if (parent?.getKind() === SyntaxKind.VariableDeclaration) {
+            const funcName = parent.getName();
+            if (funcName && this.isPasswordChangeFunction(funcName)) {
+              this.visited.clear();
+              if (!this.hasSessionInvalidation(node, 0)) {
+                this.addViolation(sourceFile, node, violations, funcName);
+              }
+            }
+          }
+        }
+      });
+
+      return violations;
+    } catch (error) {
+      return violations;
+    }
+  }
+
+  isPasswordChangeFunction(name) {
+    const lowerName = name.toLowerCase();
+    return this.passwordChangePatterns.some(pattern =>
+      lowerName === pattern.toLowerCase()
+    );
+  }
+
+  hasSessionInvalidation(node, depth) {
+    if (depth > this.maxDepth) return false;
+
+    const nodeId = this.getNodeId(node);
+    if (this.visited.has(nodeId)) return false;
+    this.visited.add(nodeId);
+
+    const text = node.getText();
+
+    // Check 1: Direct text patterns
+    if (this.checkTextForInvalidation(text)) {
+      return true;
+    }
+
+    // Check 2: Token versioning
+    if (this.hasTokenVersioning(text)) {
+      return true;
+    }
+
+    // Check 3: Logout + cache clear pattern
+    if (this.hasLogoutAndCacheClear(text)) {
+      return true;
+    }
+
+    // Check 4: Cognito operations
+    if (this.hasCognitoInvalidation(text)) {
+      return true;
+    }
+
+    // Check 5: Deep scan function calls
+    const calls = this.extractFunctionCalls(node);
+    for (const call of calls) {
+      // Check if call name indicates session invalidation
+      if (this.isInvalidationCall(call.name)) {
+        return true;
+      }
+
+      // Resolve and trace the called function
+      const calledNode = this.resolveAndFindFunction(call, node);
+      if (calledNode && this.hasSessionInvalidation(calledNode, depth + 1)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  checkTextForInvalidation(text) {
+    const lowerText = text.toLowerCase();
+
+    for (const indicator of this.sessionInvalidationIndicators) {
+      if (lowerText.includes(indicator.toLowerCase())) {
+        return true;
+      }
+    }
+
+    if ((lowerText.includes('delete') || lowerText.includes('remove') ||
+         lowerText.includes('destroy') || lowerText.includes('clear')) &&
+        (lowerText.includes('session') || lowerText.includes('token'))) {
+      return true;
+    }
+
+    if ((lowerText.includes('redis') || lowerText.includes('cache')) &&
+        (lowerText.includes('.del(') || lowerText.includes('.delete(') ||
+         lowerText.includes('.clear(') || lowerText.includes('.remove('))) {
+      return true;
+    }
+
+    return false;
+  }
+
+  hasTokenVersioning(text) {
+    const hasVersionField = /tokenVersion|token_version|jwtVersion|jwt_version|sessionVersion|passwordChangedAt|lastPasswordChange/i.test(text);
+    const hasIncrement = /\+\+|increment|\+ 1|\+= 1/i.test(text);
+    return hasVersionField && hasIncrement;
+  }
+
+  hasLogoutAndCacheClear(text) {
+    const lowerText = text.toLowerCase();
+    const hasLogout = /logout|signout/i.test(text);
+    const hasCacheDelete = /cache.*\.del\(|cachemanager\.del\(|cache.*\.delete\(|cache.*\.remove\(/i.test(text);
+    return hasLogout && hasCacheDelete;
+  }
+
+  hasCognitoInvalidation(text) {
+    const lowerText = text.toLowerCase();
+
+    if (lowerText.includes('cognito') && lowerText.includes('changepassword')) {
+      if (lowerText.includes('logout') || lowerText.includes('del(') ||
+          lowerText.includes('globalsignout')) {
+        return true;
+      }
+    }
+
+    if (/globalsignout|adminuserglobalsignout/i.test(text)) {
+      return true;
+    }
+
+    return false;
+  }
+
+  isInvalidationCall(callName) {
+    const lowerName = callName.toLowerCase();
+    return this.sessionInvalidationIndicators.some(indicator => {
+      const lowerIndicator = indicator.toLowerCase();
+      return lowerName === lowerIndicator || lowerName.includes(lowerIndicator);
+    });
+  }
+
+  extractFunctionCalls(node) {
+    const calls = [];
+    const seen = new Set();
+
+    node.forEachDescendant((child) => {
+      if (child.getKind() === SyntaxKind.CallExpression) {
+        const expr = child.getExpression();
+
+        if (expr.getKind() === SyntaxKind.Identifier) {
+          const name = expr.getText();
+          if (!seen.has(name)) {
+            calls.push({
+              name,
+              type: 'function',
+              node: child,
+              expression: expr
+            });
+            seen.add(name);
+          }
+        } else if (expr.getKind() === SyntaxKind.PropertyAccessExpression) {
+          const propAccess = expr;
+          const methodName = propAccess.getName();
+          const objectExpr = propAccess.getExpression();
+          const objectName = objectExpr.getText();
+          const fullName = expr.getText();
+
+          if (!seen.has(fullName)) {
+            calls.push({
+              name: methodName,
+              object: objectName,
+              fullName,
+              type: 'method',
+              node: child,
+              expression: expr,
+              objectExpression: objectExpr
+            });
+            seen.add(fullName);
+          }
+        }
+      }
+    });
+
+    return calls;
+  }
+
+  /**
+   * Resolve the actual function/method being called
+   * Handles: this.service.method(), service.method(), functionName()
+   */
+  resolveAndFindFunction(call, contextNode) {
+    if (!this.semanticEngine?.project) return null;
+
+    // Case 1: Direct function call - functionName()
+    if (call.type === 'function') {
+      return this.findFunctionByName(call.name);
+    }
+
+    // Case 2: Method call - object.method()
+    if (call.type === 'method') {
+      // Try to resolve the object (service/class instance)
+      const serviceClass = this.resolveServiceClass(call.object, contextNode);
+
+      if (serviceClass) {
+        // Find the method in the service class
+        const method = serviceClass.getMethod(call.name);
+        if (method) {
+          return method;
+        }
+      }
+
+      // Fallback: Search for method by name across all classes
+      return this.findMethodByName(call.name);
+    }
+
+    return null;
+  }
+
+  /**
+   * Resolve the service class from object name
+   * Example: this.commonChangePasswordService -> CommonChangePasswordService class
+   */
+  resolveServiceClass(objectName, contextNode) {
+    if (!objectName) return null;
+
+    try {
+      // Remove 'this.' prefix if exists
+      const cleanObjectName = objectName.replace(/^this\./, '');
+
+      // Get the containing class
+      let currentNode = contextNode;
+      while (currentNode && currentNode.getKind() !== SyntaxKind.ClassDeclaration) {
+        currentNode = currentNode.getParent();
+      }
+
+      if (!currentNode) return null;
+
+      const containingClass = currentNode;
+
+      // Find the property declaration (injected service)
+      const property = containingClass.getProperty(cleanObjectName);
+      if (property) {
+        const propertyType = property.getType();
+        const typeSymbol = propertyType.getSymbol();
+
+        if (typeSymbol) {
+          const declarations = typeSymbol.getDeclarations();
+          if (declarations && declarations.length > 0) {
+            const decl = declarations[0];
+            if (decl.getKind() === SyntaxKind.ClassDeclaration) {
+              return decl;
+            }
+          }
+        }
+      }
+
+      // Fallback: Try to find by constructor parameter
+      const constructor = containingClass.getConstructors()[0];
+      if (constructor) {
+        const param = constructor.getParameter(cleanObjectName);
+        if (param) {
+          const paramType = param.getType();
+          const typeSymbol = paramType.getSymbol();
+
+          if (typeSymbol) {
+            const declarations = typeSymbol.getDeclarations();
+            if (declarations && declarations.length > 0) {
+              const decl = declarations[0];
+              if (decl.getKind() === SyntaxKind.ClassDeclaration) {
+                return decl;
+              }
+            }
+          }
+        }
+      }
+
+      // Fallback: Search by service name pattern
+      return this.findClassByServiceName(cleanObjectName);
+
+    } catch (error) {
+      return null;
+    }
+  }
+
+  /**
+   * Find class by service variable name
+   * Example: commonChangePasswordService -> CommonChangePasswordService
+   */
+  findClassByServiceName(serviceName) {
+    if (!this.semanticEngine?.project) return null;
+
+    try {
+      // Convert camelCase service name to PascalCase class name
+      const className = serviceName.charAt(0).toUpperCase() + serviceName.slice(1);
+
+      // Also try common patterns
+      const possibleClassNames = [
+        className,
+        className.replace('Service', '') + 'Service',
+        serviceName.split(/(?=[A-Z])/).map(part =>
+          part.charAt(0).toUpperCase() + part.slice(1)
+        ).join('')
+      ];
+
+      const sourceFiles = this.semanticEngine.project.getSourceFiles();
+
+      for (const file of sourceFiles) {
+        if (this.shouldIgnoreFile(file.getFilePath())) continue;
+
+        for (const cls of file.getClasses()) {
+          const clsName = cls.getName();
+          if (clsName && possibleClassNames.some(name =>
+            name.toLowerCase() === clsName.toLowerCase()
+          )) {
+            return cls;
+          }
+        }
+      }
+    } catch (error) {
+      return null;
+    }
+
+    return null;
+  }
+
+  /**
+   * Find function by name across all files
+   */
+  findFunctionByName(functionName) {
+    if (!this.semanticEngine?.project || !functionName) return null;
+
+    try {
+      const sourceFiles = this.semanticEngine.project.getSourceFiles();
+
+      for (const file of sourceFiles) {
+        if (this.shouldIgnoreFile(file.getFilePath())) continue;
+
+        const func = file.getFunction(functionName);
+        if (func) return func;
+
+        const varDecl = file.getVariableDeclaration(functionName);
+        if (varDecl) {
+          const init = varDecl.getInitializer();
+          if (init && (init.getKind() === SyntaxKind.ArrowFunction ||
+                       init.getKind() === SyntaxKind.FunctionExpression)) {
+            return init;
+          }
+        }
+      }
+    } catch (error) {
+      return null;
+    }
+
+    return null;
+  }
+
+  /**
+   * Find method by name across all classes
+   */
+  findMethodByName(methodName) {
+    if (!this.semanticEngine?.project || !methodName) return null;
+
+    try {
+      const sourceFiles = this.semanticEngine.project.getSourceFiles();
+
+      for (const file of sourceFiles) {
+        if (this.shouldIgnoreFile(file.getFilePath())) continue;
+
+        for (const cls of file.getClasses()) {
+          const method = cls.getMethod(methodName);
+          if (method) return method;
+        }
+      }
+    } catch (error) {
+      return null;
+    }
+
+    return null;
+  }
+
+  getNodeId(node) {
+    try {
+      const sourceFile = node.getSourceFile();
+      const start = node.getStart();
+      return `${sourceFile.getFilePath()}:${start}`;
+    } catch {
+      return Math.random().toString();
+    }
+  }
+
+  addViolation(sourceFile, node, violations, functionName) {
+    const startLine = node.getStartLineNumber();
+    const column = node.getStart() - node.getStartLinePos() + 1;
+
+    violations.push({
+      ruleId: this.ruleId,
+      ruleName: this.ruleName,
+      severity: 'medium',
+      message: `Password change function "${functionName}" must invalidate all active sessions`,
+      line: startLine,
+      column: column,
+      filePath: sourceFile.getFilePath(),
+      type: 'SESSION_INVALIDATION_MISSING',
+      details: `After password change, you must invalidate sessions. Examples: invalidateAllSessions(userId), logout(user), sessionRepository.delete({userId}), user.tokenVersion++, redis.del('session:*'), cacheManager.del(key)`
+    });
+  }
+
+  shouldIgnoreFile(filePath) {
+    return this.skipPatterns.some(pattern => pattern.test(filePath));
+  }
+}
+
+module.exports = S043SymbolBasedAnalyzer;