npm - @sun-asterisk/sunlint - Versions diffs - 1.3.26 → 1.3.28 - Mend

@sun-asterisk/sunlint 1.3.26 → 1.3.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/rules/security/S020_no_eval_dynamic_code/regex-based-analyzer.js DELETED Viewed

@@ -1,307 +0,0 @@
-/**
- * S020 Regex-Based Analyzer - Avoid using eval() or executing dynamic code
- * Detects dangerous dynamic code execution patterns across different contexts
- */
-const fs = require("fs");
-class S020RegexBasedAnalyzer {
-  constructor() {
-    this.ruleId = "S020";
-    // Dangerous function patterns
-    this.dangerousPatterns = {
-      // Direct eval calls
-      eval: /\beval\s*\(/g,
-      // Function constructor
-      functionConstructor: /\bnew\s+Function\s*\(/g,
-      // Global eval access
-      globalEval: /\b(window|global|globalThis|self)\.eval\s*\(/g,
-      // setTimeout/setInterval with strings (but not function references)
-      timerWithString: /(setTimeout|setInterval)\s*\(\s*['"`]/g,
-      // execScript (IE legacy) - including type casting
-      execScript: /(\bexecScript\s*\(|\(\w+\s+as\s+any\)\.execScript\s*\()/g,
-      // setImmediate with strings (but not function references) - including type casting
-      setImmediateString:
-        /(\bsetImmediate\s*\(\s*['"`]|\(\s*setImmediate\s+as\s+any\)\s*\(\s*['"`])/g,
-    };
-    // Dynamic code indicators in variable names
-    this.dynamicCodeVariables =
-      /\b(code|script|expression|formula|template|eval)\w*\s*=/gi;
-    // Execution context patterns
-    this.executionPatterns = {
-      // Function.prototype.call/apply with dynamic strings
-      functionCall: /Function\.prototype\.(call|apply)/g,
-      // Code generation patterns
-      codeGeneration: /(generate|build|create)\w*\s*(code|script|function)/gi,
-      // Template execution
-      templateExecution: /(execute|run|eval)\w*\s*(template|expression)/gi,
-    };
-  }
-  async analyze(filePath) {
-    // Skip files that are unlikely to contain dynamic code execution
-    const skipPatterns = [
-      /\.d\.ts$/,
-      /\.types\.ts$/,
-      /\.interface\.ts$/,
-      /\.constants?\.ts$/,
-      /\.config\.ts$/,
-      /\.spec\.ts$/,
-      /\.test\.ts$/,
-      /\.min\.js$/,
-      /\.bundle\.js$/,
-    ];
-    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
-    if (shouldSkip) {
-      return [];
-    }
-    const content = fs.readFileSync(filePath, "utf8");
-    const lines = content.split(/\r?\n/);
-    const violations = [];
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      const lineNumber = i + 1;
-      // Skip comments and imports
-      if (this.shouldSkipLine(line)) {
-        continue;
-      }
-      // Check for dangerous function patterns
-      this.checkDangerousPatterns(line, lineNumber, violations);
-      // Check for dynamic code variable patterns
-      this.checkDynamicCodeVariables(line, lineNumber, violations);
-      // Check for execution context patterns
-      this.checkExecutionPatterns(line, lineNumber, violations);
-    }
-    return violations;
-  }
-  shouldSkipLine(line) {
-    const trimmed = line.trim();
-    // Skip empty lines
-    if (!trimmed) return true;
-    // Skip single-line comments
-    if (trimmed.startsWith("//")) return true;
-    // Skip import/export statements
-    if (trimmed.startsWith("import ") || trimmed.startsWith("export "))
-      return true;
-    // Skip require statements
-    if (trimmed.startsWith("const ") && trimmed.includes("require("))
-      return true;
-    // Skip JSDoc comments
-    if (
-      trimmed.startsWith("*") ||
-      trimmed.startsWith("/**") ||
-      trimmed.startsWith("*/")
-    )
-      return true;
-    return false;
-  }
-  checkDangerousPatterns(line, lineNumber, violations) {
-    // Debug log for setImmediate lines specifically
-    if (line.includes("setImmediate") && process.env.SUNLINT_DEBUG) {
-      console.log(
-        `🔍 [S020-Regex] Checking setImmediate line ${lineNumber}: ${line.trim()}`
-      );
-    }
-    for (const [patternName, pattern] of Object.entries(
-      this.dangerousPatterns
-    )) {
-      const matches = [...line.matchAll(pattern)];
-      // Debug log for setImmediate pattern specifically
-      if (
-        patternName === "setImmediateString" &&
-        line.includes("setImmediate") &&
-        process.env.SUNLINT_DEBUG
-      ) {
-        console.log(
-          `🔍 [S020-Regex] Testing setImmediateString pattern on line ${lineNumber}`
-        );
-        console.log(`🔍 [S020-Regex] Pattern: ${pattern}`);
-        console.log(`🔍 [S020-Regex] Matches found: ${matches.length}`);
-      }
-      for (const match of matches) {
-        let message;
-        let severity = "error";
-        switch (patternName) {
-          case "eval":
-            message =
-              "Direct eval() call can execute arbitrary code and poses security risks";
-            break;
-          case "functionConstructor":
-            message =
-              "Function constructor can create functions from strings and execute dynamic code";
-            break;
-          case "globalEval":
-            message = `Global eval access '${match[0]}' can execute arbitrary code and poses security risks`;
-            break;
-          case "timerWithString":
-            message = `${match[1]}() with string argument can execute dynamic code - use function reference instead`;
-            severity = "warning";
-            break;
-          case "execScript":
-            message =
-              "execScript() can execute arbitrary code and poses security risks";
-            break;
-          case "setImmediateString":
-            message =
-              "setImmediate() with string argument can execute dynamic code - use function reference instead";
-            severity = "warning";
-            break;
-          default:
-            message = "Potential dynamic code execution detected";
-        }
-        violations.push({
-          ruleId: this.ruleId,
-          message: message,
-          severity: severity,
-          line: lineNumber,
-          column: match.index + 1,
-        });
-        if (process.env.SUNLINT_DEBUG) {
-          console.log(
-            `🔧 [S020-Regex] Found ${patternName} at line ${lineNumber}: ${match[0]}`
-          );
-        }
-      }
-    }
-  }
-  checkDynamicCodeVariables(line, lineNumber, violations) {
-    const matches = [...line.matchAll(this.dynamicCodeVariables)];
-    for (const match of matches) {
-      // Additional context checking to reduce false positives
-      const context = line.toLowerCase();
-      // Check if it's actually related to code execution
-      if (this.isLikelyDynamicCode(context)) {
-        violations.push({
-          ruleId: this.ruleId,
-          message: `Variable '${match[0].trim()}' suggests dynamic code handling - review for potential code execution`,
-          severity: "warning",
-          line: lineNumber,
-          column: match.index + 1,
-        });
-        if (process.env.SUNLINT_DEBUG) {
-          console.log(
-            `🔧 [S020-Regex] Found dynamic code variable at line ${lineNumber}: ${match[0]}`
-          );
-        }
-      }
-    }
-  }
-  checkExecutionPatterns(line, lineNumber, violations) {
-    for (const [patternName, pattern] of Object.entries(
-      this.executionPatterns
-    )) {
-      const matches = [...line.matchAll(pattern)];
-      for (const match of matches) {
-        let message;
-        switch (patternName) {
-          case "functionCall":
-            message = `Function.prototype.${match[1]} may be used for dynamic code execution - review implementation`;
-            break;
-          case "codeGeneration":
-            message = `Code generation pattern '${match[0]}' detected - ensure no dynamic code execution`;
-            break;
-          case "templateExecution":
-            message = `Template execution pattern '${match[0]}' detected - ensure safe template handling`;
-            break;
-          default:
-            message = "Potential code execution pattern detected";
-        }
-        violations.push({
-          ruleId: this.ruleId,
-          message: message,
-          severity: "warning",
-          line: lineNumber,
-          column: match.index + 1,
-        });
-        if (process.env.SUNLINT_DEBUG) {
-          console.log(
-            `🔧 [S020-Regex] Found execution pattern ${patternName} at line ${lineNumber}: ${match[0]}`
-          );
-        }
-      }
-    }
-  }
-  isLikelyDynamicCode(context) {
-    // Keywords that suggest actual code execution
-    const codeExecutionKeywords = [
-      "execute",
-      "run",
-      "eval",
-      "compile",
-      "interpret",
-      "function",
-      "method",
-      "call",
-      "invoke",
-      "dynamic",
-      "runtime",
-      "generated",
-    ];
-    // Keywords that suggest benign usage (reduce false positives)
-    const benignKeywords = [
-      "html",
-      "css",
-      "style",
-      "markup",
-      "tag",
-      "error",
-      "message",
-      "text",
-      "string",
-      "config",
-      "setting",
-      "option",
-      "parameter",
-    ];
-    const hasExecutionKeyword = codeExecutionKeywords.some((keyword) =>
-      context.includes(keyword)
-    );
-    const hasBenignKeyword = benignKeywords.some((keyword) =>
-      context.includes(keyword)
-    );
-    // Only flag if there's execution context and no benign indicators
-    return hasExecutionKeyword && !hasBenignKeyword;
-  }
-  cleanup() {}
-}
-module.exports = S020RegexBasedAnalyzer;