@sun-asterisk/sunlint 1.3.3 → 1.3.5

package/rules/security/S024_xpath_xxe_protection/analyzer.js

@@ -0,0 +1,242 @@
+/**
+ * S024 Main Analyzer - Protect against XPath Injection and XML External Entity (XXE)
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S024 --input=examples/rule-test-fixtures/rules/S024_xpath_xxe_protection --engine=heuristic
+ */
+
+const S024SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S024RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+
+class S024Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S024] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S024] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S024";
+    this.ruleName = "Protect against XPath Injection and XML External Entity (XXE)";
+    this.description =
+      "Protect against XPath Injection and XML External Entity (XXE) attacks. XPath injection occurs when user input is used to construct XPath queries without proper sanitization. XXE attacks exploit XML parsers that process external entities, potentially leading to data disclosure, server-side request forgery, or denial of service.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      fallbackToRegex: true, // Secondary approach
+      regexBasedOnly: false, // Can be set to true for pure mode
+    };
+
+    // Initialize analyzers
+    try {
+      this.symbolAnalyzer = new S024SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S024] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S024] Error creating symbol analyzer:`, error);
+    }
+
+    try {
+      this.regexAnalyzer = new S024RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S024] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S024] Error creating regex analyzer:`, error);
+    }
+  }
+
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S024] Main analyzer initializing...`);
+    }
+
+    // Initialize both analyzers
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    }
+    if (this.regexAnalyzer) {
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    }
+
+    // Clean up if needed
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.cleanup?.();
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S024] Main analyzer initialized successfully`);
+    }
+  }
+
+  /**
+   * Single file analysis method for testing
+   */
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`📊 [S024] analyzeSingle() called for: ${filePath}`);
+    }
+
+    // Return result using same format as analyze method
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S024] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+
+    const violations = [];
+
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S024] Processing file: ${filePath}`);
+        }
+
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S024] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(
+          `⚠ [S024] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S024] Total violations found: ${violations.length}`);
+    }
+
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S024] analyzeFile() called for: ${filePath}`);
+    }
+
+    // Create a Map to track unique violations and prevent duplicates
+    const violationMap = new Map();
+
+    // 1. Try Symbol-based analysis first (primary)
+    if (
+      this.config.useSymbolBased &&
+      this.semanticEngine?.project &&
+      this.semanticEngine?.initialized
+    ) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S024] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S024] Source file found, analyzing...`);
+          }
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+
+          // Add to violation map with deduplication
+          symbolViolations.forEach((violation) => {
+            const key = `${violation.line}:${violation.column}:${violation.message}`;
+            if (!violationMap.has(key)) {
+              violationMap.set(key, violation);
+            }
+          });
+
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S024] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S024] Source file not found, falling back...`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠ [S024] Symbol analysis failed:`, error.message);
+      }
+    }
+
+    // 2. Try Regex-based analysis (fallback or additional)
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S024] Trying regex-based analysis...`);
+        }
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+
+        // Add to violation map with deduplication
+        regexViolations.forEach((violation) => {
+          const key = `${violation.line}:${violation.column}:${violation.message}`;
+          if (!violationMap.has(key)) {
+            violationMap.set(key, violation);
+          }
+        });
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S024] Regex analysis completed: ${regexViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S024] Regex analysis failed:`, error.message);
+      }
+    }
+
+    // Convert Map values to array and add filePath to each violation
+    const finalViolations = Array.from(violationMap.values()).map(
+      (violation) => ({
+        ...violation,
+        filePath: filePath,
+        file: filePath, // Also add 'file' for compatibility
+      })
+    );
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S024] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    }
+
+    return finalViolations;
+  }
+
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+    if (this.regexAnalyzer?.cleanup) {
+      this.regexAnalyzer.cleanup();
+    }
+  }
+}
+
+module.exports = S024Analyzer;

package/rules/security/S024_xpath_xxe_protection/config.json

@@ -0,0 +1,152 @@
+{
+  "rule": {
+    "id": "S024",
+    "name": "Protect against XPath Injection and XML External Entity (XXE)",
+    "description": "Protect against XPath Injection and XML External Entity (XXE) attacks. XPath injection occurs when user input is used to construct XPath queries without proper sanitization. XXE attacks exploit XML parsers that process external entities, potentially leading to data disclosure, server-side request forgery, or denial of service.",
+    "category": "security",
+    "severity": "error",
+    "languages": ["typescript", "javascript"],
+    "frameworks": ["express", "nestjs", "node"],
+    "version": "1.0.0",
+    "status": "stable",
+    "tags": ["security", "xpath", "xxe", "xml", "injection", "owasp"],
+    "references": [
+      "https://owasp.org/www-community/attacks/XPATH_Injection",
+      "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
+      "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html",
+      "https://portswigger.net/web-security/xpath-injection",
+      "https://portswigger.net/web-security/xxe"
+    ]
+  },
+  "configuration": {
+    "enableXPathInjectionDetection": true,
+    "enableXXEDetection": true,
+    "checkUserInputSources": [
+      "req",
+      "request", 
+      "params",
+      "query",
+      "body",
+      "headers",
+      "cookies"
+    ],
+    "vulnerableXPathMethods": [
+      "evaluate",
+      "select",
+      "selectText",
+      "selectValue", 
+      "selectNodes",
+      "selectSingleNode"
+    ],
+    "vulnerableXMLMethods": [
+      "parseString",
+      "parseXml",
+      "parseFromString", 
+      "parse",
+      "parseXmlString",
+      "transform"
+    ],
+    "vulnerableXMLConstructors": [
+      "DOMParser",
+      "XSLTProcessor",
+      "SAXParser"
+    ],
+    "vulnerableXMLLibraries": [
+      "xml2js",
+      "libxmljs",
+      "xmldom", 
+      "fast-xml-parser",
+      "node-xml2js",
+      "xml-parser",
+      "xmldoc",
+      "xpath"
+    ],
+    "xxeProtectionPatterns": [
+      "resolveExternalEntities\\s*:\\s*false",
+      "setFeature.*disallow-doctype-decl.*true",
+      "setFeature.*external-general-entities.*false",
+      "setFeature.*external-parameter-entities.*false",
+      "explicitChildren\\s*:\\s*false",
+      "ignoreAttrs\\s*:\\s*true", 
+      "parseDoctype\\s*:\\s*false"
+    ],
+    "secureXPathPatterns": [
+      "parameterized",
+      "escaped",
+      "sanitized", 
+      "validate"
+    ]
+  },
+  "examples": {
+    "violations": [
+      {
+        "description": "XPath injection via direct user input",
+        "code": "const result = xpath.evaluate(req.query.expression, doc);"
+      },
+      {
+        "description": "XPath injection via string concatenation",
+        "code": "const query = \"//user[@name='\" + req.body.username + \"']\";\nconst result = xpath.select(query, doc);"
+      },
+      {
+        "description": "XXE vulnerability in XML parsing",
+        "code": "const parser = new DOMParser();\nconst doc = parser.parseFromString(req.body.xml, 'text/xml');"
+      },
+      {
+        "description": "XXE vulnerability with xml2js",
+        "code": "xml2js.parseString(req.body.xml, (err, result) => { /* ... */ });"
+      }
+    ],
+    "fixes": [
+      {
+        "description": "Use parameterized XPath with validation",
+        "code": "const sanitizedInput = sanitize(req.query.expression);\nconst result = xpath.evaluate(sanitizedInput, doc);"
+      },
+      {
+        "description": "Disable external entities in XML parsing",
+        "code": "const parser = new DOMParser();\nparser.setFeature('http://apache.org/xml/features/disallow-doctype-decl', true);\nparser.setFeature('http://xml.org/sax/features/external-general-entities', false);\nparser.setFeature('http://xml.org/sax/features/external-parameter-entities', false);"
+      },
+      {
+        "description": "Secure xml2js configuration",
+        "code": "xml2js.parseString(req.body.xml, {\n  explicitChildren: false,\n  ignoreAttrs: true\n}, (err, result) => { /* ... */ });"
+      }
+    ]
+  },
+  "testing": {
+    "testCases": [
+      {
+        "name": "xpath_injection_direct_input",
+        "type": "violation",
+        "description": "Direct user input in XPath query"
+      },
+      {
+        "name": "xpath_injection_concatenation", 
+        "type": "violation",
+        "description": "String concatenation with user input"
+      },
+      {
+        "name": "xxe_domparser",
+        "type": "violation", 
+        "description": "DOMParser without XXE protection"
+      },
+      {
+        "name": "xxe_xml2js",
+        "type": "violation",
+        "description": "xml2js without XXE protection"
+      },
+      {
+        "name": "secure_xpath_parameterized",
+        "type": "clean",
+        "description": "Parameterized XPath query"
+      },
+      {
+        "name": "secure_xml_xxe_protected",
+        "type": "clean", 
+        "description": "XML parsing with XXE protection"
+      }
+    ]
+  },
+  "performance": {
+    "complexity": "O(n)",
+    "description": "Linear complexity based on number of function calls and expressions in the source code"
+  }
+}