npm - @sun-asterisk/sunlint - Versions diffs - 1.3.26 → 1.3.28 - Mend

@sun-asterisk/sunlint 1.3.26 → 1.3.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/rules/security/S003_open_redirect_protection/analyzer.js ADDED Viewed

@@ -0,0 +1,135 @@
+/**
+ * S003 - Open Redirect Protection
+ *
+ * Main analyzer using symbol-based analysis to detect unvalidated URL redirects
+ * from user input.
+ *
+ * Based on:
+ * - OWASP A03:2021 - Injection
+ * - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
+ */
+// Command: node cli.js --rule=S003 --input=examples/rule-test-fixtures/rules/S003_open_redirect_protection --engine=heuristic
+const S003SymbolBasedAnalyzer = require("./symbol-based-analyzer");
+class S003Analyzer {
+  constructor(options = {}) {
+    this.ruleId = "S003";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    try {
+      this.symbolAnalyzer = new S003SymbolBasedAnalyzer(this.semanticEngine);
+    } catch (e) {
+      console.warn(`⚠ [S003] Failed to create symbol analyzer: ${e.message}`);
+    }
+  }
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.symbolAnalyzer && this.symbolAnalyzer.initialize) {
+      await this.symbolAnalyzer.initialize(semanticEngine);
+    }
+  }
+  analyzeSingle(filePath, options = {}) {
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        const vs = await this.analyzeFile(filePath, options);
+        violations.push(...vs);
+      } catch (e) {
+        console.warn(`⚠ [S003] Analysis error for ${filePath}: ${e.message}`);
+      }
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    const violationMap = new Map();
+    if (!this.symbolAnalyzer) {
+      return [];
+    }
+    // Skip test files, build directories, and node_modules
+    if (this.shouldSkipFile(filePath)) {
+      return [];
+    }
+    try {
+      let sourceFile = null;
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      }
+      if (!sourceFile) {
+        // Create temporary ts-morph source file
+        const fs = require("fs");
+        const path = require("path");
+        const { Project } = require("ts-morph");
+        if (!fs.existsSync(filePath)) {
+          throw new Error(`File not found: ${filePath}`);
+        }
+        const content = fs.readFileSync(filePath, "utf8");
+        const tmp = new Project({
+          useInMemoryFileSystem: true,
+          compilerOptions: { allowJs: true },
+        });
+        sourceFile = tmp.createSourceFile(path.basename(filePath), content);
+      }
+      if (sourceFile) {
+        const symbolViolations = await this.symbolAnalyzer.analyze(
+          sourceFile,
+          filePath
+        );
+        symbolViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+      }
+    } catch (e) {
+      console.warn(`⚠ [S003] Symbol analysis failed: ${e.message}`);
+    }
+    return Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+  }
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      "test/",
+      "tests/",
+      "__tests__/",
+      ".test.",
+      ".spec.",
+      "node_modules/",
+      "build/",
+      "dist/",
+      ".next/",
+      "coverage/",
+      "vendor/",
+      "mocks/",
+      ".mock.",
+    ];
+    return skipPatterns.some((pattern) => filePath.includes(pattern));
+  }
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+  }
+}
+module.exports = S003Analyzer;

package/rules/security/S003_open_redirect_protection/config.json ADDED Viewed

@@ -0,0 +1,58 @@
+{
+  "ruleId": "S003",
+  "name": "Open Redirect Protection",
+  "description": "URL redirects must validate against an allow list to prevent open redirect vulnerabilities",
+  "category": "security",
+  "severity": "warning",
+  "languages": ["All languages"],
+  "tags": [
+    "security",
+    "owasp",
+    "injection",
+    "open-redirect",
+    "phishing",
+    "url-validation"
+  ],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A03:2021 - Injection",
+    "cweId": "CWE-601",
+    "description": "Applications that redirect users to URLs from untrusted input without validation are vulnerable to phishing attacks. Attackers can create legitimate-looking links that redirect victims to malicious sites.",
+    "impact": "Medium - Phishing attacks, credential theft, malware distribution",
+    "likelihood": "High",
+    "remediation": "Use allow list (whitelist) to validate redirect URLs, or only allow relative URLs within the same domain"
+  },
+  "patterns": {
+    "vulnerable": [
+      "res.redirect(req.query.*) without validation",
+      "res.redirect(req.params.*) without validation",
+      "window.location = userInput without validation",
+      "response.sendRedirect(request.getParameter(*)) without validation",
+      "new RedirectView(userInput) without validation",
+      "res.setHeader('Location', req.query.*) without validation"
+    ],
+    "secure": [
+      "Validate against allow list (whitelist) of trusted domains",
+      "Only allow relative URLs (startsWith('/') && !startsWith('//'))",
+      "Use indirect mapping (key -> URL mapping)",
+      "Parse and validate URL with new URL() and check hostname",
+      "Use framework validation (e.g., @IsIn(['home', 'dashboard']))"
+    ]
+  },
+  "examples": {
+    "violations": [
+      "res.redirect(req.query.url);",
+      "window.location.href = params.get('redirect');",
+      "response.sendRedirect(request.getParameter('next'));",
+      "new RedirectView(request.getParameter('url'));"
+    ],
+    "fixes": [
+      "const url = req.query.url; if (ALLOWED_URLS.includes(url)) res.redirect(url);",
+      "if (isAllowedDomain(url)) window.location.href = url;",
+      "const destination = REDIRECT_MAP[req.query.key]; res.redirect(destination);",
+      "if (url.startsWith('/') && !url.startsWith('//')) res.redirect(url);"
+    ]
+  }
+}