@sun-asterisk/sunlint 1.3.27 → 1.3.29

package/rules/security/S020_no_eval_dynamic_code/analyzer.js

@@ -6,7 +6,6 @@
  */
 
 const S020SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
-const S020RegexBasedAnalyzer = require("./regex-based-analyzer.js");
 
 class S020Analyzer {
   constructor(options = {}) {
@@ -26,14 +25,6 @@ class S020Analyzer {
     this.semanticEngine = options.semanticEngine || null;
     this.verbose = options.verbose || false;
 
-    this.config = {
-      useSymbolBased: true,
-      fallbackToRegex: true,
-      regexBasedOnly: false,
-      prioritizeSymbolic: true, // Prefer symbol-based when available
-      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
-    };
-
     try {
       this.symbolAnalyzer = new S020SymbolBasedAnalyzer(this.semanticEngine);
       if (process.env.SUNLINT_DEBUG)
@@ -41,14 +32,6 @@ class S020Analyzer {
     } catch (error) {
       console.error(`🔧 [S020] Error creating symbol analyzer:`, error);
     }
-
-    try {
-      this.regexAnalyzer = new S020RegexBasedAnalyzer(this.semanticEngine);
-      if (process.env.SUNLINT_DEBUG)
-        console.log(`🔧 [S020] Regex analyzer created successfully`);
-    } catch (error) {
-      console.error(`🔧 [S020] Error creating regex analyzer:`, error);
-    }
   }
 
   async initialize(semanticEngine) {
@@ -58,9 +41,6 @@ class S020Analyzer {
 
     if (this.symbolAnalyzer)
       await this.symbolAnalyzer.initialize?.(semanticEngine);
-    if (this.regexAnalyzer)
-      await this.regexAnalyzer.initialize?.(semanticEngine);
-    if (this.regexAnalyzer) this.regexAnalyzer.cleanup?.();
 
     if (process.env.SUNLINT_DEBUG)
       console.log(`🔧 [S020] Main analyzer initialized successfully`);
@@ -108,138 +88,84 @@ class S020Analyzer {
       console.log(`🔍 [S020] analyzeFile() called for: ${filePath}`);
     const violationMap = new Map();
 
-    // Try symbol-based analysis first when semantic engine is available OR when explicitly enabled
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(
-        `🔧 [S020] Symbol check: useSymbolBased=${
-          this.config.useSymbolBased
-        }, semanticEngine=${!!this.semanticEngine}, project=${!!this
-          .semanticEngine?.project}, initialized=${!!this.semanticEngine
-          ?.initialized}`
-      );
-    }
+    try {
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S020] Running symbol-based analysis...`);
 
-    const canUseSymbol =
-      this.config.useSymbolBased &&
-      ((this.semanticEngine?.project && this.semanticEngine?.initialized) ||
-        (!this.semanticEngine && this.config.fallbackToSymbol !== false));
+      let sourceFile = null;
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S020] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
+          );
+        }
+      }
 
-    if (canUseSymbol) {
-      try {
+      if (!sourceFile) {
+        // Create a minimal ts-morph project for this analysis
         if (process.env.SUNLINT_DEBUG)
-          console.log(`🔧 [S020] Trying symbol-based analysis...`);
-
-        let sourceFile = null;
-        if (this.semanticEngine?.project) {
-          sourceFile = this.semanticEngine.project.getSourceFile(filePath);
-          if (process.env.SUNLINT_DEBUG) {
-            console.log(
-              `🔧 [S020] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
-            );
+          console.log(
+            `🔧 [S020] Creating temporary ts-morph project for: ${filePath}`
+          );
+        try {
+          const fs = require("fs");
+          const path = require("path");
+          const { Project } = require("ts-morph");
+
+          // Check if file exists and read content
+          if (!fs.existsSync(filePath)) {
+            throw new Error(`File not found: ${filePath}`);
           }
-        }
 
-        if (!sourceFile) {
-          // Create a minimal ts-morph project for this analysis
-          if (process.env.SUNLINT_DEBUG)
-            console.log(
-              `🔧 [S020] Creating temporary ts-morph project for: ${filePath}`
-            );
-          try {
-            const fs = require("fs");
-            const path = require("path");
-            const { Project } = require("ts-morph");
-
-            // Check if file exists and read content
-            if (!fs.existsSync(filePath)) {
-              throw new Error(`File not found: ${filePath}`);
-            }
-
-            const fileContent = fs.readFileSync(filePath, "utf8");
-            const fileName = path.basename(filePath);
-
-            const tempProject = new Project({
-              useInMemoryFileSystem: true,
-              compilerOptions: {
-                allowJs: true,
-                allowSyntheticDefaultImports: true,
-              },
-            });
-
-            // Add file content to in-memory project
-            sourceFile = tempProject.createSourceFile(fileName, fileContent);
-            if (process.env.SUNLINT_DEBUG)
-              console.log(
-                `🔧 [S020] Temporary project created successfully with file: ${fileName}`
-              );
-          } catch (projectError) {
-            if (process.env.SUNLINT_DEBUG)
-              console.log(
-                `🔧 [S020] Failed to create temporary project:`,
-                projectError.message
-              );
-            throw projectError;
-          }
-        }
+          const fileContent = fs.readFileSync(filePath, "utf8");
+          const fileName = path.basename(filePath);
 
-        if (sourceFile) {
-          const symbolViolations = await this.symbolAnalyzer.analyze(
-            sourceFile,
-            filePath
-          );
-          symbolViolations.forEach((v) => {
-            const key = `${v.line}:${v.column}:${v.message}`;
-            if (!violationMap.has(key)) violationMap.set(key, v);
+          const tempProject = new Project({
+            useInMemoryFileSystem: true,
+            compilerOptions: {
+              allowJs: true,
+              allowSyntheticDefaultImports: true,
+            },
           });
+
+          // Add file content to in-memory project
+          sourceFile = tempProject.createSourceFile(fileName, fileContent);
           if (process.env.SUNLINT_DEBUG)
             console.log(
-              `🔧 [S020] Symbol analysis completed: ${symbolViolations.length} violations`
-            );
-
-          // If symbol-based found violations AND prioritizeSymbolic is true, skip regex
-          // But still run regex if symbol-based didn't find any violations
-          if (this.config.prioritizeSymbolic && symbolViolations.length > 0) {
-            const finalViolations = Array.from(violationMap.values()).map(
-              (v) => ({
-                ...v,
-                filePath,
-                file: filePath,
-              })
+              `🔧 [S020] Temporary project created successfully with file: ${fileName}`
             );
-            if (process.env.SUNLINT_DEBUG)
-              console.log(
-                `🔧 [S020] Symbol-based analysis prioritized: ${finalViolations.length} violations`
-              );
-            return finalViolations;
-          }
-        } else {
+        } catch (projectError) {
           if (process.env.SUNLINT_DEBUG)
             console.log(
-              `🔧 [S020] No source file found, skipping symbol analysis`
+              `🔧 [S020] Failed to create temporary project:`,
+              projectError.message
             );
+          throw projectError;
         }
-      } catch (error) {
-        console.warn(`⚠ [S020] Symbol analysis failed:`, error.message);
       }
-    }
 
-    // Fallback to regex-based analysis
-    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
-      try {
-        if (process.env.SUNLINT_DEBUG)
-          console.log(`🔧 [S020] Trying regex-based analysis...`);
-        const regexViolations = await this.regexAnalyzer.analyze(filePath);
-        regexViolations.forEach((v) => {
+      if (sourceFile) {
+        const symbolViolations = await this.symbolAnalyzer.analyze(
+          sourceFile,
+          filePath
+        );
+        symbolViolations.forEach((v) => {
           const key = `${v.line}:${v.column}:${v.message}`;
           if (!violationMap.has(key)) violationMap.set(key, v);
         });
         if (process.env.SUNLINT_DEBUG)
           console.log(
-            `🔧 [S020] Regex analysis completed: ${regexViolations.length} violations`
+            `🔧 [S020] Symbol analysis completed: ${symbolViolations.length} violations`
+          );
+      } else {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S020] No source file found, skipping symbol analysis`
           );
-      } catch (error) {
-        console.warn(`⚠ [S020] Regex analysis failed:`, error.message);
       }
+    } catch (error) {
+      console.warn(`⚠ [S020] Symbol analysis failed:`, error.message);
     }
 
     const finalViolations = Array.from(violationMap.values()).map((v) => ({
@@ -256,7 +182,6 @@ class S020Analyzer {
 
   cleanup() {
     if (this.symbolAnalyzer?.cleanup) this.symbolAnalyzer.cleanup();
-    if (this.regexAnalyzer?.cleanup) this.regexAnalyzer.cleanup();
   }
 }
 

package/rules/security/S020_no_eval_dynamic_code/symbol-based-analyzer.js

@@ -182,7 +182,8 @@ class S020SymbolBasedAnalyzer {
           if (args.length > 0) {
             const firstArg = args[0];
 
-            // Check if first argument is a string literal
+            // ONLY flag if first argument is a string literal
+            // This is the only truly dangerous case for setTimeout/setInterval
             if (firstArg.getKind() === SyntaxKind.StringLiteral) {
               const startLine = call.getStartLineNumber();
               violations.push({
@@ -193,24 +194,8 @@ class S020SymbolBasedAnalyzer {
                 column: 1,
               });
             }
-            // Check if first argument contains dynamic code indicators
-            else {
-              const argText = firstArg.getText().toLowerCase();
-              const hasDynamicIndicator = this.dynamicCodeIndicators.some(
-                (indicator) => argText.includes(indicator)
-              );
-
-              if (hasDynamicIndicator) {
-                const startLine = call.getStartLineNumber();
-                violations.push({
-                  ruleId: this.ruleId,
-                  message: `Function '${functionName}()' may be executing dynamic code based on variable naming`,
-                  severity: "warning",
-                  line: startLine,
-                  column: 1,
-                });
-              }
-            }
+            // NOTE: Removed variable name checking as it causes too many false positives
+            // Functions like setTimeout with arrow functions or function references are safe
           }
         }
       }

package/rules/security/S042_require_re_authentication_for_long_lived/analyzer.js

@@ -2,7 +2,7 @@
  * S042 Require re-authentication for long-lived sessions or sensitive actions
  * Primary: Symbol-based analysis (when available)
  * Fallback: Regex-based for all other cases
- * Purpose: Detect REST endpoints that process request body without validating Content-Type
+ * Purpose: Reduce the risk of session hijacking or privilege misuse by forcing re-authentication after long idle periods or before critical actions.
  * Command: node cli.js --rule=S042 --input=examples/rule-test-fixtures/rules/S042_require_re_authentication_for_long_lived --engine=heuristic --verbose
  */
 

package/rules/security/S043_password_changes_invalidate_all_sessions/README.md

@@ -0,0 +1,107 @@
+# S043 - Password Changes Must Invalidate All Active Sessions
+
+## Overview
+
+**Rule ID:** S043
+**Severity:** Medium
+**Category:** Security
+**Status:** Activated
+**Version:** 1.0
+
+## Objective
+
+Ensure that attackers cannot continue using old session tokens after a password change. This rule enforces correct access control after sensitive password updates by requiring all active sessions to be invalidated.
+
+## Description
+
+When a user changes their password, all existing session tokens, JWT tokens, and cached credentials must be invalidated immediately. This prevents attackers who may have compromised an old session from continuing to access the account after the password has been changed.
+
+This rule performs **deep analysis** across multiple layers:
+- **Controller → Service → Repository → Third Party**
+- Traces up to 4 levels deep in the call chain
+- Resolves NestJS dependency injection to follow service calls
+- Detects session invalidation in any layer of the application
+
+## Violation Criteria
+
+A password change function is flagged if it does NOT:
+
+1. Invalidate all other active sessions (except current if necessary)
+2. Clear all session tokens from database, Redis, or memory storage
+3. For JWT: use token versioning or timestamp to revoke old tokens
+4. Require re-login across all devices
+5. Call logout or sign out operations
+6. Clear session cache (Redis, in-memory, etc.)
+7. Use third-party auth service global sign out (AWS Cognito, Auth0, Firebase)
+
+## Detected Patterns
+
+### ✅ Session Invalidation (PASS)
+
+The rule detects the following valid patterns:
+
+#### 1. Direct Session Invalidation Calls
+```typescript
+await sessionService.invalidateAllSessions(userId);
+await sessionService.clearAllSessions(userId);
+await sessionService.destroyAllSessions(userId);
+await sessionService.logoutAllDevices(userId);
+
+### 2. Database Session Deletion
+```typescript
+await sessionRepository.delete({ userId });
+await sessionRepository.deleteAllByUserId(userId);
+await this.sessionRepository
+  .createQueryBuilder()
+  .delete()
+  .where('userId = :userId', { userId })
+  .execute();
+```
+
+### 3. JWT Token Versioning
+```typescript
+user.tokenVersion = (user.tokenVersion || 0) + 1;
+user.tokenVersion++;
+await userRepository.update(userId, {
+  tokenVersion: () => 'tokenVersion + 1'
+});
+```
+
+### 4. Redis/Cache Clearing
+```typescript
+await redis.del(`session:${userId}:*`);
+await cacheManager.del(username);
+await redisService.clearUserSessions(userId);
+```
+
+### Deep Analysis Features
+```typescript
+// File: auth.controller.ts
+async changePassword(data) {
+  await this.authService.changePassword(data); // ← Traces into service
+}
+
+// File: auth.service.ts (different file)
+async changePassword(data) {
+  await this.userRepo.updatePassword(data);
+  await this.sessionService.clearAllSessions(data.userId); // ← Found! ✅
+}
+```
+
+### NestJS Dependency Injection Resolution
+
+```typescript
+@Injectable()
+export class AuthController {
+  constructor(
+    private readonly commonChangePasswordService: CommonChangePasswordService
+  ) {}
+
+  async changePassword() {
+    // Resolves: commonChangePasswordService → CommonChangePasswordService class
+    await this.commonChangePasswordService.changePassword();
+    // ↓ Deep traces into CommonChangePasswordService.changePassword() method
+  }
+}
+```
+

package/rules/security/S043_password_changes_invalidate_all_sessions/analyzer.js

@@ -0,0 +1,153 @@
+/**
+ * S043 Password changes must invalidate all other login sessions
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Purpose: Ensure attackers cannot continue using old session tokens after a password change. Enforce correct access control after sensitive updates.
+ * Command: node cli.js --rule=S043 --input=examples/rule-test-fixtures/rules/S043_password_changes_invalidate_all_sessions --engine=heuristic --verbose
+ */
+
+const S043SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+
+class S043Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S043] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S043] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S043";
+    this.ruleName = "Password changes must invalidate all other login sessions";
+    this.description =
+      "Ensure attackers cannot continue using old session tokens after a password change. Enforce correct access control after sensitive updates.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    this.config = {
+      useSymbolBased: true,
+      fallbackToRegex: false,
+      regexBasedOnly: false,
+      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
+    };
+
+    try {
+      this.symbolAnalyzer = new S043SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S043] Symbol analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S043] Error creating symbol analyzer:`, error);
+    }
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+
+    // Initialize both analyzers
+    await this.symbolAnalyzer.initialize(semanticEngine);
+
+    // Ensure verbose flag is propagated
+    this.symbolAnalyzer.verbose = this.verbose;
+
+    if (this.verbose) {
+      console.log(`🔧 [S043 Hybrid] Analyzer initialized - verbose: ${this.verbose}`);
+    }
+  }
+
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S043] analyzeSingle() called for: ${filePath}`);
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S043] analyze() method called with ${files.length} files, language: ${language}`);
+    }
+
+    const violations = [];
+
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S043] Processing file: ${filePath}`);
+        }
+
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S043] File ${filePath}: Found ${fileViolations.length} violations`);
+        }
+      } catch (error) {
+        console.warn(`❌ [S043] Analysis failed for ${filePath}:`, error.message);
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S043] Total violations found: ${violations.length}`);
+    }
+
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S043] analyzeFile() called for: ${filePath}`);
+    }
+
+    // 1. Try Symbol-based analysis first (primary)
+    if (this.config.useSymbolBased &&
+        this.semanticEngine?.project &&
+        this.semanticEngine?.initialized) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S043] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S043] Source file found, analyzing with symbol-based...`);
+          }
+          const violations = await this.symbolAnalyzer.analyzeFileWithSymbols(filePath, { ...options, verbose: options.verbose });
+
+          // Mark violations with analysis strategy
+          violations.forEach(v => v.analysisStrategy = 'symbol-based');
+
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`✅ [S043] Symbol-based analysis: ${violations.length} violations`);
+          }
+          return violations; // Return even if 0 violations - symbol analysis completed successfully
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`⚠️ [S043] Source file not found in project`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠️ [S043] Symbol analysis failed: ${error.message}`);
+        // Continue to fallback
+      }
+    } else {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔄 [S043] Symbol analysis conditions check:`);
+        console.log(`  - useSymbolBased: ${this.config.useSymbolBased}`);
+        console.log(`  - semanticEngine: ${!!this.semanticEngine}`);
+        console.log(`  - semanticEngine.project: ${!!this.semanticEngine?.project}`);
+        console.log(`  - semanticEngine.initialized: ${this.semanticEngine?.initialized}`);
+        console.log(`🔄 [S043] Symbol analysis unavailable, using regex fallback`);
+      }
+    }
+
+    if (options?.verbose) {
+      console.log(`🔧 [S043] No analysis methods succeeded, returning empty`);
+    }
+    return [];
+  }
+}
+
+module.exports = S043Analyzer;

package/rules/security/S043_password_changes_invalidate_all_sessions/config.json

@@ -0,0 +1,41 @@
+{
+  "id": "S043",
+  "name": "Password changes must invalidate all other login sessions",
+  "category": "security",
+  "description": "S043 - Ensure attackers cannot continue using old session tokens after a password change. Enforce correct access control after sensitive updates.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 1,
+    "timeout": 4000
+  },
+  "validation": {
+    "httpIndicators": [
+      "http://",
+      "require('http')",
+      "require(\"http\")",
+      "http.createServer"
+    ],
+    "httpsModules": ["https", "tls"],
+    "frameworks": ["express", "nextjs", "nuxtjs", "nestjs"]
+  }
+}