@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S004_sensitive_data_logging/symbol-based-analyzer.js

@@ -0,0 +1,592 @@
+/**
+ * S004 - Sensitive Data Logging Protection (Symbol-based Analyzer)
+ *
+ * Detects logging of sensitive information like passwords, tokens, credit cards
+ * without proper redaction or masking.
+ *
+ * Based on:
+ * - OWASP A09:2021 - Security Logging and Monitoring Failures
+ * - CWE-532: Insertion of Sensitive Information into Log File
+ */
+
+const { SyntaxKind } = require("ts-morph");
+
+class S004SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = "S004";
+    this.semanticEngine = semanticEngine;
+
+    // Logging function patterns (common across frameworks)
+    this.loggingFunctions = [
+      "console.log",
+      "console.info",
+      "console.warn",
+      "console.error",
+      "console.debug",
+      "logger.log",
+      "logger.info",
+      "logger.warn",
+      "logger.error",
+      "logger.debug",
+      "log.info",
+      "log.warn",
+      "log.error",
+      "log.debug",
+      "winston.log",
+      "winston.info",
+      "winston.error",
+      "pino.info",
+      "pino.error",
+      "bunyan.info",
+      "bunyan.error",
+      "print", // Python
+      "logging.info", // Python
+      "logging.error",
+      "log.printf", // Go
+      "log.println",
+      "logger.info", // Go/Java
+      "logger.error",
+      "system.out.println", // Java
+      "nslog", // Objective-C
+      "os_log", // Swift
+    ];
+
+    // Sensitive field patterns (field names that indicate sensitive data)
+    this.sensitiveFieldPatterns = [
+      // Authentication & Authorization
+      "password",
+      "passwd",
+      "pwd",
+      "secret",
+      "secretkey",
+      "secret_key",
+      "apikey",
+      "api_key",
+      "access_token",
+      "accesstoken",
+      "refresh_token",
+      "refreshtoken",
+      "auth_token",
+      "authtoken",
+      "bearer",
+      "authorization",
+      "session",
+      "sessionid",
+      "session_id",
+      "jwt",
+      "token",
+      "otp",
+      "pin",
+      "privatekey",
+      "private_key",
+      "credentials",
+      "credential",
+
+      // Payment & Financial
+      "credit_card",
+      "creditcard",
+      "cardnumber",
+      "card_number",
+      "cvv",
+      "cvc",
+      "ccv",
+      "card_cvv",
+      "expiry",
+      "expiration",
+      "pan", // Primary Account Number
+      "iban",
+      "account_number",
+      "accountnumber",
+      "routing_number",
+      "bank_account",
+      "ssn", // Social Security Number
+      "tax_id",
+
+      // Personal Information
+      "email",
+      "phone",
+      "phonenumber",
+      "phone_number",
+      "address",
+      "birthday",
+      "birth_date",
+      "dob",
+      "passport",
+      "license",
+      "idcard",
+      "id_card",
+      "national_id",
+    ];
+
+    // Patterns that indicate the data is already masked/redacted (safe to log)
+    this.safeLoggingPatterns = [
+      "masked",
+      "redacted",
+      "sanitized",
+      "filtered",
+      "hashed",
+      "encrypted",
+      "****",
+      "***",
+      "...",
+      "[redacted]",
+      "[masked]",
+      ".mask(",
+      ".redact(",
+      ".sanitize(",
+      ".hash(",
+      ".encrypt(",
+      ".replace(/", // password.replace(/./g, '*')
+      ".replace(", // password.replace('', '')
+      "replacewith", // password.replaceWith('***')
+      "substr(0,", // Partial masking: token.substr(0, 4) + '****'
+      "substring(0,",
+      "slice(0,",
+    ];
+
+    // Patterns that indicate selective field logging (safe approach)
+    this.selectiveLoggingPatterns = [
+      "omit(",
+      "pick(",
+      "exclude(",
+      "without(",
+      "except(",
+      ".filter(",
+      "filterkeys",
+      "filter_keys",
+    ];
+
+    // Objects/structures that commonly contain sensitive data
+    this.sensitiveBulkPatterns = [
+      "req.body",
+      "request.body",
+      "req.headers",
+      "request.headers",
+      "formdata",
+      "form-data",
+      "req.query",
+      "req.params",
+      "credentials",
+      "auth",
+      "payment",
+      "paymentinfo",
+      "payment_info",
+      "userdata",
+      "user_data",
+      "profile",
+    ];
+  }
+
+  /**
+   * Main analysis method
+   */
+  analyze(sourceFile) {
+    const violations = [];
+
+    // Check for logging function calls
+    const callExpressions = sourceFile.getDescendantsOfKind(
+      SyntaxKind.CallExpression
+    );
+
+    for (const callExpr of callExpressions) {
+      const callText = callExpr.getText().toLowerCase();
+
+      // Check if this is a logging function call
+      if (!this.isLoggingFunction(callText)) {
+        continue;
+      }
+
+      // Get the arguments being logged
+      const args = callExpr.getArguments();
+      if (args.length === 0) {
+        continue;
+      }
+
+      // Check each argument for sensitive data
+      for (const arg of args) {
+        const argText = arg.getText();
+        const argTextLower = argText.toLowerCase();
+
+        // Skip if already masked/redacted
+        if (this.isSafelyMasked(argTextLower)) {
+          continue;
+        }
+
+        // Skip if using selective logging (omit/pick specific fields)
+        if (this.isSelectiveLogging(argTextLower)) {
+          continue;
+        }
+
+        // Check for sensitive field names
+        const sensitiveField = this.findSensitiveField(argTextLower);
+        if (sensitiveField) {
+          // Context-aware filtering for common false positives
+          let shouldSkip = false;
+
+          // Skip if keyword appears in uppercase in message (e.g., "NO EMAIL ERROR")
+          if (this.isUppercaseInMessage(sensitiveField, argText)) {
+            shouldSkip = true;
+          }
+
+          // Skip if pattern is in a message string (e.g., "no session", "session is null")
+          if (this.isInMessageString(sensitiveField, argText)) {
+            shouldSkip = true;
+          }
+
+          // Skip if it's selective property access of non-sensitive fields
+          // e.g., credentials.type, payment.id, paymentIntentId
+          if (sensitiveField === 'credentials' && argTextLower.includes('credentials.type')) {
+            shouldSkip = true;
+          }
+          if (sensitiveField === 'payment') {
+            // Skip if it's paymentIntentId, paymentId, or payment.id (non-sensitive IDs)
+            if (argTextLower.includes('paymentintentid') ||
+                argTextLower.includes('paymentid') ||
+                argTextLower.includes('payment.id') ||
+                argTextLower.includes('payment.status') ||
+                // Check if "payment" appears only as part of a safe compound word
+                (argTextLower.includes('payment') &&
+                 !argTextLower.includes('paymentdata') &&
+                 !argTextLower.includes('paymentinfo') &&
+                 (argTextLower.match(/payment[a-z]+id/i) || // paymentIntentId, paymentMethodId
+                  argTextLower.match(/payment[a-z]+status/i) || // paymentStatus
+                  argTextLower.match(/payment[a-z]+type/i)))) { // paymentType
+              shouldSkip = true;
+            }
+          }
+
+          if (!shouldSkip) {
+            violations.push({
+              line: callExpr.getStartLineNumber(),
+              column: callExpr.getStart() - callExpr.getStartLinePos(),
+              message: `Sensitive data logging: Logging '${argText.substring(0, 80)}${argText.length > 80 ? '...' : ''}' may expose sensitive field '${sensitiveField}' - use masking/redaction before logging`,
+              severity: "warning",
+              ruleId: this.ruleId,
+            });
+            break; // One violation per log statement is enough
+          }
+        }
+
+        // Check for bulk sensitive objects (req.body, req.headers, etc.)
+        const sensitiveBulk = this.findSensitiveBulkPattern(argTextLower, argText);
+        if (sensitiveBulk) {
+          violations.push({
+            line: callExpr.getStartLineNumber(),
+            column: callExpr.getStart() - callExpr.getStartLinePos(),
+            message: `Sensitive data logging: Logging '${sensitiveBulk}' may expose sensitive fields like passwords, tokens, or payment data - use selective field logging or redaction`,
+            severity: "warning",
+            ruleId: this.ruleId,
+          });
+          break;
+        }
+
+        // Check for template literals containing sensitive fields
+        if (this.containsSensitiveFieldInTemplate(argText)) {
+          const field = this.findSensitiveFieldInTemplate(argText);
+          violations.push({
+            line: callExpr.getStartLineNumber(),
+            column: callExpr.getStart() - callExpr.getStartLinePos(),
+            message: `Sensitive data logging: Template literal contains sensitive field '${field}' - mask before logging`,
+            severity: "warning",
+            ruleId: this.ruleId,
+          });
+          break;
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  /**
+   * Check if the function call is a logging function
+   */
+  isLoggingFunction(text) {
+    return this.loggingFunctions.some((func) => text.includes(func));
+  }
+
+  /**
+   * Check if the data is safely masked/redacted
+   */
+  isSafelyMasked(text) {
+    // Check for masking patterns
+    if (this.safeLoggingPatterns.some((pattern) => text.includes(pattern))) {
+      return true;
+    }
+
+    // Check if it's just a string literal message (not actual data)
+    // e.g., 'Authenticating with token:' is just a label, not the token itself
+    if (text.startsWith("'") || text.startsWith('"') || text.startsWith('`')) {
+      // It's a string literal - check if it's just a message/label
+      // Look for patterns like 'message: ${var}' or 'message:', var
+      // If the string literal itself doesn't contain variables and is just text, it's safe
+      if (!text.includes('${') && text.length < 100) {
+        return true; // It's just a log message label
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if using selective logging (omit/pick specific fields)
+   */
+  isSelectiveLogging(text) {
+    return this.selectiveLoggingPatterns.some((pattern) => text.includes(pattern));
+  }
+
+  /**
+   * Find sensitive field name in the text
+   */
+  findSensitiveField(text) {
+    // Remove comments from text before checking
+    const textWithoutComments = text.replace(/\/\/.*$/gm, '').replace(/\/\*[\s\S]*?\*\//g, '');
+
+    for (const pattern of this.sensitiveFieldPatterns) {
+      // Match whole words or property access patterns
+      const regex = new RegExp(
+        `\\b${pattern}\\b|["'\`]${pattern}["'\`]|\\.${pattern}\\b|\\[["'\`]${pattern}["'\`]\\]`,
+        "i"
+      );
+      if (regex.test(textWithoutComments)) {
+        return pattern;
+      }
+    }
+    return null;
+  }
+
+  /**
+   * Find sensitive bulk object pattern (req.body, req.headers, etc.)
+   * Now with context-awareness to reduce false positives
+   */
+  findSensitiveBulkPattern(textLower, originalText) {
+    for (const pattern of this.sensitiveBulkPatterns) {
+      if (!textLower.includes(pattern)) {
+        continue;
+      }
+
+      // Check if it's selective field access like req.headers['user-agent']
+      if (pattern === 'req.headers' || pattern === 'request.headers') {
+        if (textLower.includes("['user-agent']") ||
+            textLower.includes("['content-type']") ||
+            textLower.includes("['accept']") ||
+            textLower.includes("['referer']") ||
+            textLower.includes("[\"user-agent\"]") ||
+            textLower.includes("[\"content-type\"]") ||
+            textLower.includes("[\"accept\"]") ||
+            textLower.includes("[\"referer\"]") ||
+            textLower.includes(".get('user-agent')") ||
+            textLower.includes(".get('content-type')") ||
+            textLower.includes(".get('accept')") ||
+            textLower.includes(".get('referer')")) {
+          continue; // Skip, it's safe
+        }
+      }
+
+      // Skip if pattern appears ONLY in a pure string literal (no variables)
+      // e.g., 'Send email success' or "Payment completed" are just messages
+      if (this.isOnlyInStringLiteral(pattern, originalText)) {
+        continue;
+      }
+
+      // For "payment" and "auth" patterns, be more strict
+      if (pattern === 'payment' || pattern === 'auth' || pattern === 'credentials') {
+        // Skip if it's inside a log message string literal
+        // Pattern: logger.log('Message with payment/auth word')
+        if (this.isInMessageString(pattern, originalText)) {
+          continue;
+        }
+      }
+
+      return pattern;
+    }
+    return null;
+  }
+
+  /**
+   * Check if pattern appears ONLY inside string literals (not as variables)
+   * e.g., 'Send email to user' vs logger.log(email)
+   */
+  isOnlyInStringLiteral(pattern, text) {
+    // Check if text is a pure string literal without interpolation
+    if ((text.startsWith("'") && text.endsWith("'") && !text.includes('${')) ||
+        (text.startsWith('"') && text.endsWith('"') && !text.includes('${'))) {
+      return true;
+    }
+
+    // Check if pattern appears in template literal but not in variables
+    // Template: `Message with ${var}` - pattern in "Message" part is safe
+    if (text.includes('`')) {
+      // Extract template string parts (not inside ${})
+      const withoutVars = text.replace(/\$\{[^}]+\}/g, '');
+      if (withoutVars.toLowerCase().includes(pattern) && !text.match(new RegExp(`\\$\\{[^}]*${pattern}`, 'i'))) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if pattern appears in uppercase in a message string
+   * e.g., "NO EMAIL ERROR" vs logger.log(email)
+   */
+  isUppercaseInMessage(pattern, text) {
+    const upperPattern = pattern.toUpperCase();
+
+    // Check if pattern appears in uppercase and surrounded by other uppercase words
+    // This suggests it's part of a message constant, not actual data
+    if (text.includes(upperPattern)) {
+      // Extract words around the uppercase pattern
+      const regex = new RegExp(`([A-Z_]+\\s+)?${upperPattern}(\\s+[A-Z_]+)?`);
+      const match = text.match(regex);
+      if (match) {
+        // If surrounded by other uppercase words, it's likely a message
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if pattern is inside a message string (not actual data)
+   * e.g., "Error in payment processing" vs logger.log(paymentData)
+   */
+  isInMessageString(pattern, text) {
+    const lowerText = text.toLowerCase();
+
+    // Common message patterns that are safe
+    const safeMessagePatterns = [
+      `${pattern} processing`,
+      `${pattern} completed`,
+      `${pattern} failed`,
+      `${pattern} success`,
+      `${pattern} error`,
+      `${pattern} schedule`,
+      `confirm ${pattern}`,
+      `send ${pattern}`,
+      `update ${pattern}`,
+      `${pattern} service`,
+      `${pattern} notice`,
+      `no ${pattern}`,           // "no email error"
+      `${pattern} is null`,      // "session is null"
+      `${pattern} not found`,    // "session not found"
+      `${pattern} is missing`,   // "token is missing"
+      `verify ${pattern}`,       // "verify email"
+      `could not verify ${pattern}`,  // "could not verify email"
+      `could update ${pattern}`,      // "could update secondary email"
+      `could not update ${pattern}`,  // "could not update email"
+      `${pattern} of the user`,       // "email of the user"
+      `${pattern} points`,            // "expiration points"
+      `${pattern} scan`,              // "expiration scan"
+      `updated ${pattern}`,           // "updated expiration points"
+      `end user`,                     // "end user X expiration"
+    ];
+
+    if (safeMessagePatterns.some(msg => lowerText.includes(msg))) {
+      return true;
+    }
+
+    // Check for patterns like "send {pattern} to user" (e.g., "send email to user")
+    if (lowerText.includes(`send ${pattern} to`) ||
+        lowerText.includes(`sent ${pattern} to`)) {
+      return true;
+    }
+
+    // Check for patterns with words in between (e.g., "could update secondary email")
+    if (lowerText.includes('could') && lowerText.includes('update') &&
+        lowerText.includes(pattern) && lowerText.includes('cause')) {
+      return true;
+    }
+
+    // Check for patterns like "could not" with action verbs
+    if (lowerText.includes(`could not`) &&
+        (lowerText.includes('verify') || lowerText.includes('update') ||
+         lowerText.includes('change') || lowerText.includes('set')) &&
+        lowerText.includes(pattern)) {
+      return true;
+    }
+
+    // Check for URL paths (e.g., '/api/get-impersonate-token')
+    if (lowerText.includes('/api/') || lowerText.includes('/auth/')) {
+      return true;
+    }
+
+    // Check for localStorage/sessionStorage keys (e.g., 'auth_timestamp')
+    if ((lowerText.includes("'") || lowerText.includes('"')) &&
+        (lowerText.includes('_timestamp') || lowerText.includes('_key') || lowerText.includes('_storage'))) {
+      return true;
+    }
+
+    // Check for error message constants (e.g., 'BE_E_ActionDeniedDueToUnauthorized')
+    if (lowerText.includes('error') && lowerText.includes('_e_')) {
+      return true;
+    }
+
+    // Check for common words containing the pattern as substring
+    // e.g., "Authentication required" contains "auth" but isn't logging auth data
+    const safeSubstrings = [
+      'authentication',
+      'authorization',
+      'authenticate',
+      'authorized',
+      'unauthorized',
+      'authenticating',
+    ];
+    if (safeSubstrings.some(word => lowerText.includes(word))) {
+      return true;
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if template literal contains sensitive fields
+   */
+  containsSensitiveFieldInTemplate(text) {
+    // Check if it's a template literal with interpolation
+    if (!text.includes('${') || !text.includes('}')) {
+      return false;
+    }
+
+    // Extract variable names from template
+    const varMatches = text.match(/\$\{([^}]+)\}/g);
+    if (!varMatches) {
+      return false;
+    }
+
+    for (const varMatch of varMatches) {
+      const varContent = varMatch.slice(2, -1).toLowerCase();
+
+      // Check if variable name contains sensitive field
+      if (this.findSensitiveField(varContent)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Find which sensitive field is in the template
+   */
+  findSensitiveFieldInTemplate(text) {
+    const varMatches = text.match(/\$\{([^}]+)\}/g);
+    if (!varMatches) {
+      return null;
+    }
+
+    for (const varMatch of varMatches) {
+      const varContent = varMatch.slice(2, -1).toLowerCase();
+      const field = this.findSensitiveField(varContent);
+      if (field) {
+        return varContent;
+      }
+    }
+
+    return null;
+  }
+}
+
+module.exports = S004SymbolBasedAnalyzer;