@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S003_open_redirect_protection/symbol-based-analyzer.js

@@ -0,0 +1,884 @@
+/**
+ * S003 - Open Redirect Protection (Symbol-based Analyzer)
+ *
+ * Detects unvalidated URL redirects from user input that can lead to
+ * phishing attacks and malware distribution.
+ *
+ * Based on:
+ * - OWASP A03:2021 - Injection
+ * - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
+ */
+
+const { SyntaxKind } = require("ts-morph");
+
+class S003SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S003";
+    this.semanticEngine = semanticEngine;
+
+    // Redirect function patterns (server-side)
+    this.redirectFunctions = [
+      "redirect", // Express: res.redirect(), NestJS: @Redirect()
+      "sendredirect", // Java/Spring: response.sendRedirect()
+      "redirectview", // Spring: new RedirectView()
+      "setheader", // Generic: res.setHeader('Location', ...)
+      "@redirect", // NestJS decorator: @Redirect(url)
+      "permanentredirect", // Next.js: permanentRedirect()
+      "navigateto", // Nuxt.js: navigateTo()
+      "sendredirect", // Nuxt.js: sendRedirect()
+    ];
+
+    // Client-side redirect patterns
+    this.clientRedirectPatterns = [
+      "window.location",
+      "location.href",
+      "location.replace",
+      "location.assign",
+      "router.push", // Next.js/Nuxt.js router
+      "router.replace", // Next.js/Nuxt.js router
+      "navigateto", // Nuxt.js composable
+      "userouter", // Next.js/Nuxt.js hook
+    ];
+
+    // User input source patterns
+    this.userInputSources = [
+      "req.query",
+      "req.params",
+      "req.body",
+      "request.getparameter",
+      "request.getquerystring",
+      "urlsearchparams",
+      "searchparams.get",
+      "params.get",
+      "query.get",
+      "@requestparam", // Spring annotation
+      "@queryparam", // JAX-RS annotation
+      "@query", // NestJS decorator: @Query()
+      "@param", // NestJS decorator: @Param()
+      "@body", // NestJS decorator: @Body()
+      "usesearchparams", // Next.js hook
+      "useparams", // Next.js/React Router hook
+      "usequeryparams", // Next.js query params
+      "useroute", // Nuxt.js composable
+      "event.query", // Nuxt.js h3 event
+      "event.context.params", // Nuxt.js context
+    ];
+
+    // Validation/safe patterns that indicate proper validation
+    this.validationPatterns = [
+      "allowed", // ALLOWED_URLS, allowedDomains
+      "whitelist", // WHITELIST, whitelistedUrls
+      "allowlist", // allowList
+      "safe", // SAFE_URLS, safeRedirects
+      "includes", // array.includes(url)
+      "new url", // URL parsing for validation
+      "startswith('/')", // Relative URL check
+      "startswith(\"/\")", // Relative URL check (double quotes)
+      "isvalid", // isValidUrl(), isValidDomain()
+      "validate", // validateUrl(), validateRedirect()
+      "check", // checkUrl(), checkDomain()
+      "istrust", // isTrustedUrl()
+      "trusted", // TRUSTED_URLS
+      "verify", // verifyUrl()
+    ];
+
+    // Framework-specific safe patterns
+    this.safeFrameworkPatterns = [
+      "redirectmap", // Indirect mapping
+      "redirect_map",
+      "urlmap",
+      "destinationmap",
+    ];
+
+    // Safe URL construction patterns (not user-controllable)
+    this.safeUrlPatterns = [
+      "process.env.", // Environment variables
+      "env.", // Short env reference
+    ];
+
+    // Hardcoded path patterns (relative URLs are generally safe)
+    this.hardcodedPathPatterns = [
+      "'/", // Single quote relative path
+      '"//', // Double quote relative path (but not protocol)
+      "`/", // Template literal relative path
+    ];
+  }
+
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+  }
+
+  async analyze(sourceFile, filePath) {
+    const violations = [];
+    const reportedLines = new Set();
+
+    try {
+      // Build dataflow map: variable name -> user input source
+      const taintedVariables = this.buildTaintedVariablesMap(sourceFile);
+
+
+      // Check server-side redirect functions
+      this.checkServerRedirects(
+        sourceFile,
+        filePath,
+        violations,
+        reportedLines,
+        taintedVariables
+      );
+
+      // Check client-side redirects
+      this.checkClientRedirects(
+        sourceFile,
+        filePath,
+        violations,
+        reportedLines,
+        taintedVariables
+      );
+
+      // Check Location header assignments
+      this.checkLocationHeaders(
+        sourceFile,
+        filePath,
+        violations,
+        reportedLines,
+        taintedVariables
+      );
+    } catch (error) {
+      console.warn(`⚠ [S003] Analysis error in ${filePath}: ${error.message}`);
+    }
+
+    return violations;
+  }
+
+  /**
+   * Build a map of variables that are tainted with user input
+   * Returns: Map<variableName, userInputSource>
+   */
+  buildTaintedVariablesMap(sourceFile) {
+    const taintedVars = new Map();
+
+    // Find all variable declarations
+    const variableDeclarations = sourceFile.getDescendantsOfKind(
+      SyntaxKind.VariableDeclaration
+    );
+
+    for (const varDecl of variableDeclarations) {
+      const varName = varDecl.getName();
+      const initializer = varDecl.getInitializer();
+
+      if (!initializer) continue;
+
+      const initText = initializer.getText().toLowerCase();
+      const initOriginal = initializer.getText();
+
+      // Check if initializer is from user input (including chained calls and template literals)
+      const isUserInput = this.isUserInput(initText) ||
+                          this.isUserInputCall(initText) ||
+                          this.isChainedUserInputCall(initText) ||
+                          this.containsUserInputInTemplate(initText);
+
+      // But exclude if it's a safe URL construction
+      if (isUserInput && !this.isSafeUrlConstruction(initOriginal)) {
+        taintedVars.set(varName.toLowerCase(), initText);
+      }
+    }
+
+    // Also track binary expressions (assignments)
+    const binaryExprs = sourceFile.getDescendantsOfKind(
+      SyntaxKind.BinaryExpression
+    );
+
+    for (const binaryExpr of binaryExprs) {
+      const operator = binaryExpr.getOperatorToken().getText();
+      if (operator !== "=") continue;
+
+      const left = binaryExpr.getLeft();
+      const right = binaryExpr.getRight();
+
+      const leftText = left.getText();
+      const rightText = right.getText().toLowerCase();
+      const rightOriginal = right.getText();
+
+      // Check if right side is user input or tainted variable
+      const isUserInput = this.isUserInput(rightText) ||
+                          this.isUserInputCall(rightText) ||
+                          this.isChainedUserInputCall(rightText) ||
+                          this.containsUserInputInTemplate(rightText);
+
+      // But exclude if it's a safe URL construction
+      if (isUserInput && !this.isSafeUrlConstruction(rightOriginal)) {
+        taintedVars.set(leftText.toLowerCase(), rightText);
+      } else if (taintedVars.has(rightText)) {
+        // Propagate taint
+        taintedVars.set(leftText.toLowerCase(), taintedVars.get(rightText));
+      }
+    }
+
+    return taintedVars;
+  }
+
+  /**
+   * Check if text contains chained user input calls
+   * e.g., new URLSearchParams().get(), params.get()
+   */
+  isChainedUserInputCall(text) {
+    const chainedPatterns = [
+      "urlsearchparams",
+      "searchparams",
+      "params.get",
+      "query.get",
+    ];
+
+    return chainedPatterns.some(pattern => text.includes(pattern));
+  }
+
+  /**
+   * Check if template literal contains user input variable
+   * Now checks if variables inside template are from known user input sources
+   */
+  containsUserInputInTemplate(text, taintedVariables = new Map()) {
+    // Check if it's a template literal with ${...}
+    if (!text.includes('${') || !text.includes('}')) {
+      return false;
+    }
+
+    // Extract variable names from template literals
+    const varMatches = text.match(/\$\{([^}]+)\}/g);
+    if (!varMatches) {
+      return false;
+    }
+
+    // Check if any variable looks like user input
+    for (const varMatch of varMatches) {
+      const varContent = varMatch.slice(2, -1).toLowerCase(); // Remove ${ and }
+      const varName = varContent.split('.')[0].trim(); // Get variable name without properties
+
+      // Check if it's a known user input source
+      if (this.isUserInput(varContent) || this.isUserInputCall(varContent)) {
+        return true;
+      }
+
+      // Check if variable is in tainted variables map
+      if (taintedVariables.has(varName)) {
+        return true;
+      }
+
+      // Check for suspicious variable names that commonly hold user input
+      const suspiciousNames = ['redirect', 'url', 'next', 'return', 'callback', 'target', 'dest', 'destination'];
+      if (suspiciousNames.some(name => varName.includes(name))) {
+        // But exclude if it's clearly a hardcoded endpoint
+        const hasHardcodedEndpoint = /\/(register|login|account|auth|logout|home|dashboard|en|ja)/.test(text.toLowerCase());
+        if (!hasHardcodedEndpoint) {
+          return true;
+        }
+      }
+    }
+
+    // Conservative: if we can't determine, assume not tainted
+    // This reduces false positives
+    return false;
+  }
+
+  /**
+   * Check if text is a user input function call
+   * e.g., params.get(), getQueryParam(), new URLSearchParams().get()
+   */
+  isUserInputCall(text) {
+    const userInputCallPatterns = [
+      "getqueryParam",
+      ".get(",
+      "geturlparameter",
+      "getparameter(",
+      "getquerystring(",
+    ];
+
+    return userInputCallPatterns.some(pattern => text.includes(pattern.toLowerCase()));
+  }
+
+  /**
+   * Check if URL construction appears to be safe (not user-controllable)
+   * Returns true if the URL is constructed from:
+   * - Environment variables (process.env.*)
+   * - Hardcoded relative paths
+   * - Template literals with mostly hardcoded content
+   */
+  isSafeUrlConstruction(urlText) {
+    const lowerText = urlText.toLowerCase();
+
+    // Check for environment variables with hardcoded paths
+    if (this.safeUrlPatterns.some(pattern => lowerText.includes(pattern))) {
+      // If it contains env var + any path segments, check if paths are hardcoded
+      // e.g., `${process.env.BASE_URL}/en/account/login`
+      if (urlText.includes('/')) {
+        // Check for specific hardcoded endpoint patterns
+        const hasHardcodedEndpoint = /\/(register|login|account|auth|logout|home|dashboard|en|ja|profile|settings)/.test(lowerText);
+        if (hasHardcodedEndpoint) {
+          return true;
+        }
+
+        // Count template vars vs path segments
+        const templateVars = (urlText.match(/\$\{[^}]+\}/g) || []).length;
+        const pathSegments = urlText.split('/').filter(s => s.length > 0).length;
+
+        // If we have hardcoded path segments (more segments than template vars)
+        if (pathSegments > templateVars) {
+          return true;
+        }
+      }
+    }
+
+    // Check if it's a pure relative path construction
+    // e.g., `/register?fc_id=${fanclubId}` where only query param is dynamic
+    if (urlText.startsWith("'/") || urlText.startsWith('"/') || urlText.startsWith("`/")) {
+      // Extract the base path before query string
+      const pathMatch = urlText.match(/^['"`](\/[^?$}]+)/);
+      if (pathMatch) {
+        const basePath = pathMatch[1];
+        // If base path is hardcoded (no template vars), it's relatively safe
+        // Only dynamic parts should be query params or fragments
+        if (!basePath.includes('${')) {
+          return true;
+        }
+      }
+    }
+
+    // Check if it's a ternary with only hardcoded alternatives
+    // e.g., fanclubId ? '/register?fc_id=${fanclubId}' : '/register'
+    // This is safe because both branches have hardcoded base paths
+    if (urlText.includes('?') && urlText.includes(':')) {
+      // Count how many env vars or hardcoded paths
+      let safePatternCount = 0;
+      if (this.safeUrlPatterns.some(p => lowerText.includes(p))) safePatternCount++;
+      if (this.hardcodedPathPatterns.some(p => urlText.includes(p))) safePatternCount++;
+
+      // If multiple safe patterns, likely a safe ternary
+      if (safePatternCount >= 2) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Check server-side redirect functions (res.redirect, response.sendRedirect, etc.)
+   */
+  checkServerRedirects(sourceFile, filePath, violations, reportedLines, taintedVariables) {
+    const callExprs = sourceFile.getDescendantsOfKind(
+      SyntaxKind.CallExpression
+    );
+
+    for (const callExpr of callExprs) {
+      const expression = callExpr.getExpression();
+      const expressionText = expression.getText().toLowerCase();
+
+      // Check if this is a redirect function call
+      if (!this.isRedirectFunction(expressionText)) {
+        continue;
+      }
+
+      // Get the redirect URL argument early for checks
+      const args = callExpr.getArguments();
+      if (args.length === 0) {
+        continue;
+      }
+
+      // Skip if this is a function definition (e.g., function redirect() or @Get() redirect())
+      // For decorated methods like "@Get() redirect(...)", the call expression is actually the function name
+      // Check if the expression is an identifier without property access (not res.redirect but just redirect)
+      const hasPropertyAccess = expressionText.includes('.');
+      const isStandaloneRedirect = expressionText === 'redirect' ||
+                                   expressionText === 'permanentredirect' ||
+                                   expressionText === 'navigateto';
+
+      // If it's a standalone redirect call and first arg is a decorator, skip (likely function def)
+      if (isStandaloneRedirect && !hasPropertyAccess) {
+        const firstArg = args[0];
+        const firstArgText = firstArg.getText();
+        // Check if first arg looks like a decorator parameter (@Query('url'))
+        if (firstArgText.includes('@')) {
+          continue;
+        }
+      }
+
+      const line = callExpr.getStartLineNumber();
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      const urlArg = args[0];
+      const urlArgText = urlArg.getText();
+      const urlArgTextLower = urlArgText.toLowerCase();
+
+      // Skip object-based navigation (e.g., navigateTo({ path: ... }))
+      // These are routing helpers, not direct redirects
+      if (this.isObjectBasedNavigation(urlArg)) {
+        continue;
+      }
+
+      // Check if URL comes from user input (direct or via tainted variable)
+      const isTainted = this.isUserInput(urlArgTextLower) ||
+                        this.isUserInputCall(urlArgTextLower) ||
+                        taintedVariables.has(urlArgTextLower);
+
+
+      if (!isTainted) {
+        continue;
+      }
+
+      // Check if there's validation in the surrounding context
+      const hasValidation = this.hasValidationInContext(callExpr);
+      if (hasValidation) {
+        continue; // Safe - has validation
+      }
+
+      // VIOLATION: Redirect with user input without validation
+      violations.push({
+        ruleId: this.ruleId,
+        severity: "warning",
+        message: `Open redirect vulnerability: '${expression.getText()}(${urlArgText})' uses user input without validation - validate against allow list or use relative URLs only`,
+        line: line,
+        column: callExpr.getStart() - callExpr.getStartLinePos() + 1,
+        filePath: filePath,
+        file: filePath,
+      });
+
+      reportedLines.add(line);
+    }
+
+    // Also check for new RedirectView() constructor calls
+    const newExprs = sourceFile.getDescendantsOfKind(
+      SyntaxKind.NewExpression
+    );
+
+    for (const newExpr of newExprs) {
+      const expression = newExpr.getExpression();
+      const expressionText = expression.getText().toLowerCase();
+
+      // Check if this is a RedirectView constructor
+      if (!expressionText.includes("redirectview")) {
+        continue;
+      }
+
+      const line = newExpr.getStartLineNumber();
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      const args = newExpr.getArguments();
+      if (!args || args.length === 0) {
+        continue;
+      }
+
+      const urlArg = args[0];
+      const urlArgText = urlArg.getText();
+      const urlArgTextLower = urlArgText.toLowerCase();
+
+      // Check if URL comes from user input
+      const isTainted = this.isUserInput(urlArgTextLower) ||
+                        this.isUserInputCall(urlArgTextLower) ||
+                        taintedVariables.has(urlArgTextLower);
+
+      if (!isTainted) {
+        continue;
+      }
+
+      const hasValidation = this.hasValidationInContext(newExpr);
+      if (hasValidation) {
+        continue;
+      }
+
+      violations.push({
+        ruleId: this.ruleId,
+        severity: "warning",
+        message: `Open redirect vulnerability: 'new ${expression.getText()}(${urlArgText})' uses user input without validation`,
+        line: line,
+        column: newExpr.getStart() - newExpr.getStartLinePos() + 1,
+        filePath: filePath,
+        file: filePath,
+      });
+
+      reportedLines.add(line);
+    }
+  }
+
+  /**
+   * Check client-side redirects (window.location, location.href, etc.)
+   */
+  checkClientRedirects(sourceFile, filePath, violations, reportedLines, taintedVariables) {
+    // Check binary expressions (assignments)
+    const binaryExprs = sourceFile.getDescendantsOfKind(
+      SyntaxKind.BinaryExpression
+    );
+
+    for (const binaryExpr of binaryExprs) {
+      const operator = binaryExpr.getOperatorToken().getText();
+      if (operator !== "=") {
+        continue;
+      }
+
+      const left = binaryExpr.getLeft();
+      const right = binaryExpr.getRight();
+      const leftText = left.getText().toLowerCase();
+      const rightText = right.getText().toLowerCase();
+
+      // Check if left side is a location redirect
+      if (!this.isClientRedirect(leftText)) {
+        continue;
+      }
+
+      const line = binaryExpr.getStartLineNumber();
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      // Check if right side is user input (direct or via tainted variable)
+      // Also check for template literals containing tainted variables
+      const rightOriginal = right.getText();
+      const isTainted = this.isUserInput(rightText) ||
+                        this.isUserInputCall(rightText) ||
+                        this.isChainedUserInputCall(rightText) ||
+                        this.containsUserInputInTemplate(rightOriginal) ||
+                        taintedVariables.has(rightText);
+
+      if (!isTainted) {
+        continue;
+      }
+
+      // Check if URL construction is safe (env vars + hardcoded paths)
+      if (this.isSafeUrlConstruction(rightOriginal)) {
+        continue;
+      }
+
+      // Check for validation
+      const hasValidation = this.hasValidationInContext(binaryExpr);
+      if (hasValidation) {
+        continue;
+      }
+
+      // VIOLATION: Client-side redirect with user input
+      violations.push({
+        ruleId: this.ruleId,
+        severity: "warning",
+        message: `Open redirect vulnerability: '${left.getText()} = ${right.getText()}' uses user input without validation - validate URL before redirecting`,
+        line: line,
+        column: binaryExpr.getStart() - binaryExpr.getStartLinePos() + 1,
+        filePath: filePath,
+        file: filePath,
+      });
+
+      reportedLines.add(line);
+    }
+
+    // Also check method calls (location.replace, location.assign)
+    const callExprs = sourceFile.getDescendantsOfKind(
+      SyntaxKind.CallExpression
+    );
+
+    for (const callExpr of callExprs) {
+      const expression = callExpr.getExpression();
+      const expressionText = expression.getText().toLowerCase();
+
+      if (!this.isClientRedirect(expressionText)) {
+        continue;
+      }
+
+      const line = callExpr.getStartLineNumber();
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      const args = callExpr.getArguments();
+      if (args.length === 0) {
+        continue;
+      }
+
+      const urlArg = args[0];
+      const urlArgText = urlArg.getText().toLowerCase();
+      const urlArgOriginal = urlArg.getText();
+
+      // Skip object-based navigation (e.g., navigateTo({ path: ... }))
+      // These are routing helpers, not direct redirects
+      if (this.isObjectBasedNavigation(urlArg)) {
+        continue;
+      }
+
+      // Check if argument is tainted
+      const isTainted = this.isUserInput(urlArgText) ||
+                        this.isUserInputCall(urlArgText) ||
+                        taintedVariables.has(urlArgText);
+
+      if (!isTainted) {
+        continue;
+      }
+
+      // Check if URL construction is safe
+      if (this.isSafeUrlConstruction(urlArgOriginal)) {
+        continue;
+      }
+
+      const hasValidation = this.hasValidationInContext(callExpr);
+      if (hasValidation) {
+        continue;
+      }
+
+      violations.push({
+        ruleId: this.ruleId,
+        severity: "warning",
+        message: `Open redirect vulnerability: '${expression.getText()}(${urlArg.getText()})' uses user input without validation`,
+        line: line,
+        column: callExpr.getStart() - callExpr.getStartLinePos() + 1,
+        filePath: filePath,
+        file: filePath,
+      });
+
+      reportedLines.add(line);
+    }
+  }
+
+  /**
+   * Check if argument is an object-based navigation (React Router style)
+   * e.g., navigateTo({ path: '/home', ... }) instead of navigateTo('/home')
+   */
+  isObjectBasedNavigation(arg) {
+    // Check if argument is an object literal
+    const kind = arg.getKind();
+    if (kind === SyntaxKind.ObjectLiteralExpression) {
+      // It's an object literal - this is likely a routing config object
+      // Not a direct URL redirect
+      return true;
+    }
+    return false;
+  }
+
+  /**
+   * Check Location header assignments (res.setHeader('Location', url))
+   */
+  checkLocationHeaders(sourceFile, filePath, violations, reportedLines, taintedVariables) {
+    const callExprs = sourceFile.getDescendantsOfKind(
+      SyntaxKind.CallExpression
+    );
+
+    for (const callExpr of callExprs) {
+      const expression = callExpr.getExpression();
+      const expressionText = expression.getText().toLowerCase();
+
+      // Check if this is setHeader call
+      if (!expressionText.includes("setheader")) {
+        continue;
+      }
+
+      const args = callExpr.getArguments();
+      if (args.length < 2) {
+        continue;
+      }
+
+      // Check if first argument is 'Location'
+      const firstArg = args[0].getText();
+      const firstArgLower = firstArg.toLowerCase();
+      if (
+        !firstArgLower.includes("location") &&
+        !firstArgLower.includes("'location'") &&
+        !firstArgLower.includes('"location"')
+      ) {
+        continue;
+      }
+
+      const line = callExpr.getStartLineNumber();
+      if (reportedLines.has(line)) {
+        continue;
+      }
+
+      // Check if second argument (URL) is from user input (direct or via tainted variable)
+      const urlArg = args[1];
+      const urlArgText = urlArg.getText().toLowerCase();
+
+      const isTainted = this.isUserInput(urlArgText) ||
+                        this.isUserInputCall(urlArgText) ||
+                        taintedVariables.has(urlArgText);
+
+      if (!isTainted) {
+        continue;
+      }
+
+      const hasValidation = this.hasValidationInContext(callExpr);
+      if (hasValidation) {
+        continue;
+      }
+
+      violations.push({
+        ruleId: this.ruleId,
+        severity: "warning",
+        message: `Open redirect vulnerability: setHeader('Location', ${urlArg.getText()}) uses user input without validation`,
+        line: line,
+        column: callExpr.getStart() - callExpr.getStartLinePos() + 1,
+        filePath: filePath,
+        file: filePath,
+      });
+
+      reportedLines.add(line);
+    }
+  }
+
+  /**
+   * Helper: Check if expression text is a redirect function
+   * Excludes validation functions that contain redirect in their name
+   */
+  isRedirectFunction(text) {
+    // Exclude validation functions
+    const validationFunctionPatterns = [
+      'isvalid',
+      'validate',
+      'check',
+      'verify',
+      'istrust',
+    ];
+
+    // If text contains validation patterns, it's not a redirect function
+    if (validationFunctionPatterns.some(pattern => text.includes(pattern))) {
+      return false;
+    }
+
+    // Exclude service/repository method calls (backend patterns)
+    // e.g., this.service.getRedirectById(), userRepository.findRedirect()
+    const servicePatterns = [
+      '.service.',
+      '.repository.',
+      'service.',
+      'repository.',
+      'getredirect',
+      'findredirect',
+      'fetchredirect',
+      'loadredirect',
+    ];
+
+    if (servicePatterns.some(pattern => text.includes(pattern))) {
+      return false;
+    }
+
+    return this.redirectFunctions.some((func) => text.includes(func));
+  }
+
+  /**
+   * Helper: Check if expression text is a client-side redirect
+   */
+  isClientRedirect(text) {
+    return this.clientRedirectPatterns.some((pattern) =>
+      text.includes(pattern)
+    );
+  }
+
+  /**
+   * Helper: Check if text represents user input
+   */
+  isUserInput(text) {
+    return this.userInputSources.some((source) => text.includes(source));
+  }
+
+  /**
+   * Helper: Check if there's validation in the surrounding context
+   * Looks for validation patterns in parent blocks (if statements, functions)
+   */
+  hasValidationInContext(node) {
+    // First check: if statement condition (most direct validation)
+    const parentIf = this.findParentIfStatement(node);
+    if (parentIf) {
+      const condition = parentIf.getExpression();
+      const conditionText = condition.getText().toLowerCase();
+
+      // Check for array.includes(), allowlist checks, validation functions etc.
+      if (
+        conditionText.includes("includes") ||
+        conditionText.includes("allowed") ||
+        conditionText.includes("whitelist") ||
+        conditionText.includes("startswith('/')") ||
+        conditionText.includes('startswith("/")') ||
+        conditionText.includes("isvalid") ||
+        conditionText.includes("validate") ||
+        conditionText.includes("check") ||
+        conditionText.includes("verify") ||
+        conditionText.includes("istrust") ||
+        conditionText.includes("safe")
+      ) {
+        return true;
+      }
+    }
+
+    // Second check: Get surrounding code context (parent statements/function)
+    const parentFunction = this.findParentFunction(node);
+    if (!parentFunction) {
+      return false;
+    }
+
+    const functionText = parentFunction.getText().toLowerCase();
+
+    // Check for validation patterns
+    const hasValidationPattern = this.validationPatterns.some((pattern) =>
+      functionText.includes(pattern)
+    );
+
+    if (hasValidationPattern) {
+      return true;
+    }
+
+    // Check for safe framework patterns (mapping)
+    const hasSafePattern = this.safeFrameworkPatterns.some((pattern) =>
+      functionText.includes(pattern)
+    );
+
+    if (hasSafePattern) {
+      return true;
+    }
+
+    return false;
+  }
+
+  /**
+   * Helper: Find parent function
+   */
+  findParentFunction(node) {
+    let current = node.getParent();
+    let depth = 0;
+
+    while (current && depth < 15) {
+      const kind = current.getKind();
+      if (
+        kind === SyntaxKind.FunctionDeclaration ||
+        kind === SyntaxKind.FunctionExpression ||
+        kind === SyntaxKind.ArrowFunction ||
+        kind === SyntaxKind.MethodDeclaration
+      ) {
+        return current;
+      }
+      current = current.getParent();
+      depth++;
+    }
+
+    return null;
+  }
+
+  /**
+   * Helper: Find parent if statement
+   */
+  findParentIfStatement(node) {
+    let current = node.getParent();
+    let depth = 0;
+
+    while (current && depth < 10) {
+      const kind = current.getKind();
+      if (kind === SyntaxKind.IfStatement) {
+        return current;
+      }
+      current = current.getParent();
+      depth++;
+    }
+
+    return null;
+  }
+
+  cleanup() {
+    // Cleanup if needed
+  }
+}
+
+module.exports = S003SymbolBasedAnalyzer;