npm - @sun-asterisk/sunlint - Versions diffs - 1.3.29 → 1.3.31 - Mend

@sun-asterisk/sunlint 1.3.29 → 1.3.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/rules/security/S031_secure_session_cookies/regex-based-analyzer.js DELETED Viewed

@@ -1,296 +0,0 @@
-/**
- * S031 Regex-Based Analyzer - Set Secure flag for Session Cookies
- * Fallback analysis using regex patterns
- */
-const fs = require("fs");
-class S031RegexBasedAnalyzer {
-  constructor(semanticEngine = null) {
-    this.semanticEngine = semanticEngine;
-    this.ruleId = "S031";
-    this.category = "security";
-    // Session cookie indicators
-    this.sessionIndicators = [
-      "session",
-      "sessionid",
-      "sessid",
-      "jsessionid",
-      "phpsessid",
-      "asp.net_sessionid",
-      "connect.sid",
-      "auth",
-      "token",
-      "jwt",
-      "csrf",
-    ];
-    // Regex patterns for cookie detection
-    this.cookiePatterns = [
-      // Express/Node.js patterns
-      /res\.cookie\s*\(\s*['"`]([^'"`]+)['"`]\s*,([^)]+)\)/gi,
-      /response\.cookie\s*\(\s*['"`]([^'"`]+)['"`]\s*,([^)]+)\)/gi,
-      /\.setCookie\s*\(\s*['"`]([^'"`]+)['"`]\s*,([^)]+)\)/gi,
-      // Set-Cookie header patterns
-      /setHeader\s*\(\s*['"`]Set-Cookie['"`]\s*,\s*['"`]([^'"`]+)['"`]\s*\)/gi,
-      /writeHead\s*\([^,]*,\s*{[^}]*['"`]Set-Cookie['"`]\s*:\s*['"`]([^'"`]+)['"`]/gi,
-      // Document.cookie assignments
-      /document\.cookie\s*=\s*['"`]([^'"`]+)['"`]/gi,
-      // Session middleware patterns
-      /session\s*\(\s*{([^}]+)}/gi,
-      /\.use\s*\(\s*session\s*\(\s*{([^}]+)}/gi,
-    ];
-  }
-  /**
-   * Initialize analyzer
-   */
-  async initialize(semanticEngine) {
-    this.semanticEngine = semanticEngine;
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(`🔧 [S031] Regex-based analyzer initialized`);
-    }
-  }
-  /**
-   * Check if file should be skipped (test files)
-   */
-  shouldSkipFile(filePath) {
-    const testPatterns = [
-      /\.test\.(ts|tsx|js|jsx)$/,
-      /\.spec\.(ts|tsx|js|jsx)$/,
-      /__tests__\//,
-      /__mocks__\//,
-      /\/tests?\//,
-      /\/fixtures?\//,
-    ];
-    return testPatterns.some((pattern) => pattern.test(filePath));
-  }
-  /**
-   * Analyze file content using regex patterns
-   */
-  async analyze(filePath) {
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(`🔍 [S031] Regex-based analysis for: ${filePath}`);
-    }
-    // Skip test files
-    if (this.shouldSkipFile(filePath)) {
-      if (process.env.SUNLINT_DEBUG) {
-        console.log(`⏭ [S031] Skipping test file: ${filePath}`);
-      }
-      return [];
-    }
-    let content;
-    try {
-      content = fs.readFileSync(filePath, "utf8");
-    } catch (error) {
-      if (process.env.SUNLINT_DEBUG) {
-        console.error(`❌ [S031] File read error:`, error);
-      }
-      throw error;
-    }
-    const violations = [];
-    const lines = content.split("\n");
-    // Check each pattern
-    for (const pattern of this.cookiePatterns) {
-      this.checkPattern(pattern, content, lines, violations, filePath);
-    }
-    // Check for custom cookie utilities (e.g., StorageUtils.setCookie)
-    this.checkCustomCookieUtilities(content, lines, violations, filePath);
-    return violations;
-  }
-  /**
-   * Check specific regex pattern for violations
-   */
-  checkPattern(pattern, content, lines, violations, filePath) {
-    let match;
-    pattern.lastIndex = 0; // Reset regex state
-    while ((match = pattern.exec(content)) !== null) {
-      const matchText = match[0];
-      const cookieName = match[1] || "";
-      const cookieOptions = match[2] || match[1] || "";
-      // Check if this is a session cookie
-      if (!this.isSessionCookie(cookieName, matchText)) {
-        continue;
-      }
-      // Check if secure flag is present
-      if (!this.hasSecureFlag(cookieOptions, matchText)) {
-        const lineNumber = this.getLineNumber(content, match.index);
-        this.addViolation(
-          matchText,
-          lineNumber,
-          violations,
-          `Session cookie "${cookieName || "unknown"}" missing Secure flag`
-        );
-      }
-    }
-  }
-  /**
-   * Check if cookie name or context indicates session cookie
-   */
-  isSessionCookie(cookieName, matchText) {
-    const textToCheck = (cookieName + " " + matchText).toLowerCase();
-    return this.sessionIndicators.some((indicator) =>
-      textToCheck.includes(indicator.toLowerCase())
-    );
-  }
-  /**
-   * Check if secure flag is present in cookie options
-   */
-  hasSecureFlag(cookieOptions, fullMatch) {
-    const textToCheck = cookieOptions + " " + fullMatch;
-    // Check for secure config references (likely safe)
-    const secureConfigPatterns = [
-      /\bcookieConfig\b/i,
-      /\bsecureConfig\b/i,
-      /\bsafeConfig\b/i,
-      /\bdefaultConfig\b/i,
-      /\.\.\..*config/i, // spread operator with config
-      /config.*secure/i,
-    ];
-    // If using a secure config reference, assume it's safe
-    if (secureConfigPatterns.some((pattern) => pattern.test(textToCheck))) {
-      return true;
-    }
-    // Check for various secure flag patterns
-    const securePatterns = [
-      /secure\s*:\s*true/i,
-      /secure\s*=\s*true/i,
-      /;\s*secure\s*[;\s]/i,
-      /;\s*secure$/i,
-      /['"`]\s*secure\s*['"`]/i,
-      /"secure"\s*:\s*true/i,
-      /'secure'\s*:\s*true/i,
-      /\bsecure\b/i, // Simple secure keyword
-    ];
-    return securePatterns.some((pattern) => pattern.test(textToCheck));
-  }
-  /**
-   * Get line number from content position
-   */
-  getLineNumber(content, position) {
-    const beforeMatch = content.substring(0, position);
-    return beforeMatch.split("\n").length;
-  }
-  /**
-   * Add violation to results
-   */
-  addViolation(source, lineNumber, violations, message) {
-    violations.push({
-      ruleId: this.ruleId,
-      source: source.trim(),
-      category: this.category,
-      line: lineNumber,
-      column: 1,
-      message: `Insecure session cookie: ${message}`,
-      severity: "error",
-    });
-  }
-  /**
-   * Check for custom cookie utility functions with variable names
-   * Handles cases like: StorageUtils.setCookie(STORAGE_KEY.ACCESS_TOKEN, value)
-   */
-  checkCustomCookieUtilities(content, lines, violations, filePath) {
-    // Pattern to match custom cookie utilities with variable references
-    // Matches: Utils.setCookie(VARIABLE_NAME, value) or Utils.setCookie(VARIABLE_NAME, value, options)
-    const customCookiePattern = /(\w+\.setCookie)\s*\(\s*([A-Z_][A-Z0-9_.]*)\s*,\s*([^,)]+)(?:\s*,\s*([^)]*))?\s*\)/gi;
-    let match;
-    customCookiePattern.lastIndex = 0;
-    while ((match = customCookiePattern.exec(content)) !== null) {
-      const methodCall = match[1]; // e.g., "StorageUtils.setCookie"
-      const cookieNameVar = match[2]; // e.g., "STORAGE_KEY.ACCESS_TOKEN"
-      const cookieValue = match[3]; // e.g., "response.user?.access_token || ''"
-      const cookieOptions = match[4] || ""; // e.g., options object if present
-      const matchText = match[0];
-      // Check if this looks like a session cookie based on variable name or value
-      if (!this.isSessionCookieLikely(cookieNameVar, cookieValue, matchText)) {
-        continue;
-      }
-      // Check if secure flag is present in options
-      if (!this.hasSecureFlag(cookieOptions, matchText)) {
-        const lineNumber = this.getLineNumber(content, match.index);
-        // Extract a friendly cookie name from the variable
-        const friendlyCookieName = this.extractFriendlyCookieName(cookieNameVar);
-        this.addViolation(
-          matchText,
-          lineNumber,
-          violations,
-          `Session cookie from "${friendlyCookieName}" missing Secure flag - add secure flag to options`
-        );
-      }
-    }
-  }
-  /**
-   * Check if cookie variable name or value suggests it's a session cookie
-   */
-  isSessionCookieLikely(varName, value, matchText) {
-    const textToCheck = (varName + " " + value + " " + matchText).toLowerCase();
-    // Check against session indicators
-    const isSession = this.sessionIndicators.some((indicator) =>
-      textToCheck.includes(indicator.toLowerCase())
-    );
-    // Also check for common patterns like ACCESS_TOKEN, REFRESH_TOKEN, etc.
-    const tokenPatterns = [
-      /access[_-]?token/i,
-      /refresh[_-]?token/i,
-      /auth[_-]?token/i,
-      /id[_-]?token/i,
-      /session/i,
-    ];
-    return isSession || tokenPatterns.some(pattern => pattern.test(textToCheck));
-  }
-  /**
-   * Extract a friendly cookie name from variable reference
-   * e.g., "STORAGE_KEY.ACCESS_TOKEN" -> "ACCESS_TOKEN"
-   */
-  extractFriendlyCookieName(varName) {
-    // If it has a dot, take the last part
-    const parts = varName.split(".");
-    return parts[parts.length - 1] || varName;
-  }
-}
-module.exports = S031RegexBasedAnalyzer;