npm - @sun-asterisk/sunlint - Versions diffs - 1.3.26 → 1.3.28 - Mend

@sun-asterisk/sunlint 1.3.26 → 1.3.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/rules/security/S004_sensitive_data_logging/analyzer.js ADDED Viewed

@@ -0,0 +1,135 @@
+/**
+ * S004 - Sensitive Data Logging Protection
+ *
+ * Main analyzer using symbol-based analysis to detect logging of sensitive
+ * information without proper redaction.
+ *
+ * Based on:
+ * - OWASP A09:2021 - Security Logging and Monitoring Failures
+ * - CWE-532: Insertion of Sensitive Information into Log File
+ */
+// Command: node cli.js --rule=S004 --input=examples/rule-test-fixtures/rules/S004_sensitive_data_logging --engine=heuristic
+const S004SymbolBasedAnalyzer = require("./symbol-based-analyzer");
+class S004Analyzer {
+  constructor(options = {}) {
+    this.ruleId = "S004";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    try {
+      this.symbolAnalyzer = new S004SymbolBasedAnalyzer(this.semanticEngine);
+    } catch (e) {
+      console.warn(`⚠ [S004] Failed to create symbol analyzer: ${e.message}`);
+    }
+  }
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.symbolAnalyzer && this.symbolAnalyzer.initialize) {
+      await this.symbolAnalyzer.initialize(semanticEngine);
+    }
+  }
+  analyzeSingle(filePath, options = {}) {
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        const vs = await this.analyzeFile(filePath, options);
+        violations.push(...vs);
+      } catch (e) {
+        console.warn(`⚠ [S004] Analysis error for ${filePath}: ${e.message}`);
+      }
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    const violationMap = new Map();
+    if (!this.symbolAnalyzer) {
+      return [];
+    }
+    // Skip test files, build directories, and node_modules
+    if (this.shouldSkipFile(filePath)) {
+      return [];
+    }
+    try {
+      let sourceFile = null;
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      }
+      if (!sourceFile) {
+        // Create temporary ts-morph source file
+        const fs = require("fs");
+        const path = require("path");
+        const { Project } = require("ts-morph");
+        if (!fs.existsSync(filePath)) {
+          throw new Error(`File not found: ${filePath}`);
+        }
+        const content = fs.readFileSync(filePath, "utf8");
+        const tmp = new Project({
+          useInMemoryFileSystem: true,
+          compilerOptions: { allowJs: true },
+        });
+        sourceFile = tmp.createSourceFile(path.basename(filePath), content);
+      }
+      if (sourceFile) {
+        const symbolViolations = await this.symbolAnalyzer.analyze(
+          sourceFile,
+          filePath
+        );
+        symbolViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+      }
+    } catch (e) {
+      console.warn(`⚠ [S004] Symbol analysis failed: ${e.message}`);
+    }
+    return Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+  }
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      "test/",
+      "tests/",
+      "__tests__/",
+      ".test.",
+      ".spec.",
+      "node_modules/",
+      "build/",
+      "dist/",
+      ".next/",
+      "coverage/",
+      "vendor/",
+      "mocks/",
+      ".mock.",
+    ];
+    return skipPatterns.some((pattern) => filePath.includes(pattern));
+  }
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+  }
+}
+module.exports = S004Analyzer;

package/rules/security/S004_sensitive_data_logging/config.json ADDED Viewed

@@ -0,0 +1,62 @@
+{
+  "ruleId": "S004",
+  "name": "Sensitive Data Logging Protection",
+  "description": "Prevent logging of sensitive information like passwords, tokens, and payment data without proper redaction",
+  "category": "security",
+  "severity": "warning",
+  "languages": ["All languages"],
+  "tags": [
+    "security",
+    "owasp",
+    "logging",
+    "sensitive-data",
+    "pii",
+    "credentials",
+    "data-exposure"
+  ],
+  "enabled": true,
+  "fixable": false,
+  "engine": "heuristic",
+  "metadata": {
+    "owaspCategory": "A09:2021 - Security Logging and Monitoring Failures",
+    "cweId": "CWE-532",
+    "description": "Logging sensitive information without proper redaction can lead to data exposure through log files, monitoring systems, or centralized logging platforms. Logs may be shared with third parties, stored insecurely, or accessed by unauthorized personnel.",
+    "impact": "Medium - Data exposure, credential theft, compliance violations (GDPR, PCI-DSS)",
+    "likelihood": "High",
+    "remediation": "Mask or redact sensitive fields before logging. Use selective field logging (omit/pick) or implement log sanitization filters."
+  },
+  "patterns": {
+    "vulnerable": [
+      "console.log(password) without masking",
+      "logger.info(req.body) with sensitive fields",
+      "console.log(access_token) without redaction",
+      "logger.error(creditCard) unmasked",
+      "console.log(`Token: ${token}`) without masking",
+      "logger.info(req.headers) with Authorization header"
+    ],
+    "secure": [
+      "Use masking: console.log(password.replace(/./g, '*'))",
+      "Selective logging: logger.info(omit(req.body, ['password', 'token']))",
+      "Hash sensitive data: console.log({ tokenHash: hash(token) })",
+      "Partial redaction: logger.info({ card: card.substr(0, 4) + '****' })",
+      "Configure logger to filter sensitive fields automatically",
+      "Use structured logging with field-level redaction"
+    ]
+  },
+  "examples": {
+    "violations": [
+      "console.log('User password:', user.password);",
+      "logger.info('Request data:', req.body);",
+      "console.log(`Access token: ${accessToken}`);",
+      "logger.error('Auth failed:', { credentials: creds });",
+      "console.log(req.headers);"
+    ],
+    "fixes": [
+      "console.log('User login:', { username: user.username }); // Omit password",
+      "logger.info('Request data:', omit(req.body, ['password', 'secret']));",
+      "console.log(`Access token: ${accessToken.substr(0, 4)}****`);",
+      "logger.error('Auth failed:', { username: creds.username }); // Omit password",
+      "logger.info(omit(req.headers, ['authorization', 'cookie']));"
+    ]
+  }
+}