npm - @sun-asterisk/sunlint - Versions diffs - 1.3.35 → 1.3.37 - Mend

@sun-asterisk/sunlint 1.3.35 → 1.3.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/rules/security/S053_generic_error_messages/index.js ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * S053 Rule Router - Generic Error Messages
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Return generic error messages, hide internal details from users
+ */
+const path = require('path');
+class S053Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S053';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+module.exports = new S053Router();

package/rules/security/S053_generic_error_messages/typescript/analyzer.js ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * S053 – Return generic error messages, hide internal details
+ *
+ * Detects exposure of internal details in error responses:
+ * - Stack traces in responses
+ * - SQL errors/queries exposed
+ * - File paths in errors
+ * - Internal error messages sent to client
+ */
+const fs = require('fs');
+class S053Analyzer {
+  constructor() {
+    this.ruleId = 'S053';
+    this.ruleName = 'Return generic error messages, hide internal details';
+    this.description = 'Do not expose internal error details to users';
+    this.warningPatterns = [
+      {
+        pattern: /res\.(?:json|send)\s*\([^)]*error\.stack/gi,
+        message: 'Stack trace exposed in response - return generic error message',
+        type: 'stack_trace_exposed'
+      },
+      {
+        pattern: /res\.(?:json|send)\s*\([^)]*(?:sql|query|database)/gi,
+        message: 'SQL/database details may be exposed in response',
+        type: 'sql_exposed'
+      },
+      {
+        pattern: /res\.(?:json|send)\s*\([^)]*__dirname|__filename/gi,
+        message: 'File paths exposed in response',
+        type: 'path_exposed'
+      },
+      {
+        pattern: /catch\s*\([^)]*\)\s*\{[^}]*res\.(?:json|send)\s*\([^)]*(?:err|error)(?:\.|\.message|\))/gi,
+        message: 'Raw error passed to response - use generic message',
+        type: 'raw_error_exposed'
+      }
+    ];
+    this.skipPatterns = [
+      /\.test\./i, /\.spec\./i, /test\//i, /__tests__\//i, /node_modules/i
+    ];
+  }
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some(p => p.test(filePath));
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) continue;
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        violations.push(...this.analyzeFile(content, filePath));
+      } catch (e) { /* skip */ }
+    }
+    return violations;
+  }
+  analyzeFile(content, filePath) {
+    const violations = [];
+    for (const { pattern, message, type } of this.warningPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        violations.push({
+          file: filePath, line: lineNum, column: 1,
+          message, severity: 'warning', ruleId: this.ruleId, type
+        });
+      }
+    }
+    return violations;
+  }
+}
+module.exports = S053Analyzer;

package/rules/security/S055_content_type_validation/typescript/symbol-based-analyzer.js CHANGED Viewed

@@ -26,6 +26,18 @@ class S055SymbolBasedAnalyzer {
       /vendor\//, /mocks\//, /\.mock\./,
       /config\//, /configs\//, /\.config\./,
       /public\//, /static\//, /assets\//,
+      // Skip DTO files - they contain validation logic, not REST endpoints
+      /\.dto\./, /dto\//, /dtos\//,
+      // Skip entity files
+      /\.entity\./, /entities\//,
+      // Skip model/schema files
+      /\.model\./, /models\//, /\.schema\./, /schemas\//,
+      // Skip utility/helper files - contain file filters, middleware functions, not REST endpoints
+      /utils\//, /util\//, /helpers\//, /helper\./,
+      // Skip middleware files
+      /middleware\//, /middlewares\//,
+      // Skip lib files
+      /\/lib\//,
     ];
     // Patterns to identify REST endpoints
@@ -69,6 +81,11 @@ class S055SymbolBasedAnalyzer {
         'checkContentType'
       ]
     };
+    // NestJS with @Body decorator and typed DTO has built-in Content-Type validation
+    // NestJS body-parser only accepts application/json by default and rejects other Content-Types
+    // We check: 1) has @Body decorator, 2) parameter has type annotation starting with uppercase (DTO class)
+    // This covers @Body() dto: SomeDto, @Body(pipes...) dto: SomeDto, etc.
   }
   async initialize(semanticEngine = null) {
@@ -174,13 +191,27 @@ class S055SymbolBasedAnalyzer {
       return;
     }
+    // GOOD CASE: NestJS @Body() with typed DTO has built-in Content-Type validation
+    // NestJS body-parser only accepts application/json by default
+    const methodText = method.getText();
+    if (this.hasNestJSTypedBodyParam(method)) {
+      if (this.verbose) {
+        console.log(`✅ [S055] Method ${method.getName()} uses @Body() with typed DTO - NestJS has built-in Content-Type validation`);
+      }
+      return;
+    }
     // Check if POST, PUT, or PATCH (methods that accept body)
-    const hasBodyDecorator = decorators.some(dec => {
+    const hasHttpMethodDecorator = decorators.some(dec => {
       const name = dec.getName();
       return ['Post', 'Put', 'Patch'].includes(name);
     });
-    if (hasBodyDecorator) {
+    // Only flag if method actually accepts body via @Body() decorator
+    // POST endpoints without @Body() don't need Content-Type validation
+    const hasBodyParam = methodText.includes('@Body');
+    if (hasHttpMethodDecorator && hasBodyParam) {
       this.checkContentTypeValidation(method, sourceFile, violations);
     }
   }
@@ -310,6 +341,37 @@ class S055SymbolBasedAnalyzer {
     });
   }
+  /**
+   * Check if NestJS method has @Body parameter with typed DTO
+   * NestJS body-parser only accepts application/json by default and rejects other Content-Types
+   * This handles:
+   * - @Body() dto: SomeDto
+   * - @Body(pipe1, pipe2) dto: SomeDto
+   * - @Body(\n  Pipe1,\n  Pipe2\n) dto: SomeDto (multiline)
+   */
+  hasNestJSTypedBodyParam(method) {
+    const params = method.getParameters();
+    for (const param of params) {
+      const decorators = param.getDecorators();
+      const hasBodyDecorator = decorators.some(dec => dec.getName() === 'Body');
+      if (hasBodyDecorator) {
+        // Check if parameter has type annotation (typed DTO)
+        const typeNode = param.getTypeNode();
+        if (typeNode) {
+          const typeName = typeNode.getText();
+          // DTO classes typically start with uppercase letter
+          if (/^[A-Z]/.test(typeName)) {
+            return true;
+          }
+        }
+      }
+    }
+    return false;
+  }
   checkContentTypeValidation(node, sourceFile, violations) {
     const bodyText = node.getText();

package/rules/security/S059_disable_debug_mode/config.json ADDED Viewed

@@ -0,0 +1,28 @@
+{
+    "id": "S059",
+    "name": "Disable debug modes in production environments",
+    "description": "Ensure debug modes, verbose logging, and development features are disabled in production. Debug modes can expose sensitive information, enable unauthorized access, and degrade performance.",
+    "category": "security",
+    "severity": "high",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "debug", "production", "configuration"],
+    "examples": {
+        "valid": [
+            "DEBUG = process.env.NODE_ENV !== 'production';",
+            "app.use(helmet()); // Security headers",
+            "if (process.env.NODE_ENV === 'development') { enableDebug(); }"
+        ],
+        "invalid": [
+            "DEBUG = true; // Hardcoded debug mode",
+            "app.use(errorHandler({ dumpExceptions: true }));",
+            "morgan('dev'); // Verbose logging in production"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule ensures debug features are disabled in production. Debug modes to disable: verbose error messages with stack traces, development server features, debug endpoints (/debug, /test), SQL query logging, request/response body logging, source maps in client-side code, hot reload/watch modes.",
+        "url": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
+    }
+}

package/rules/security/S059_disable_debug_mode/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * S059 Dart Analyzer - Disable Debug Mode
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S059_disable_debug_mode.dart
+ *
+ * Rule: Disable debug modes in production environments
+ */
+class DartS059Analyzer {
+  constructor() {
+    this.ruleId = 'S059';
+    this.language = 'dart';
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S059',
+      name: 'Disable Debug Mode',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Disable debug modes in production environments'
+    };
+  }
+  getConfig() {
+    return {
+      checkDebugPrint: true,
+      checkKDebugMode: true,
+      checkAssertStatements: true,
+      severity: 'high'
+    };
+  }
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS059Analyzer;

package/rules/security/S059_disable_debug_mode/index.js ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * S059 Rule Router - Disable Debug Mode
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Disable debug modes in production environments
+ */
+const path = require('path');
+class S059Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S059';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+module.exports = new S059Router();

package/rules/security/S059_disable_debug_mode/typescript/analyzer.js ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * S059 – Disable debug modes in production environments
+ *
+ * Detects hardcoded debug modes:
+ * - DEBUG = true hardcoded
+ * - Development-only features without env check
+ * - Debug endpoints exposed
+ */
+const fs = require('fs');
+class S059Analyzer {
+  constructor() {
+    this.ruleId = 'S059';
+    this.ruleName = 'Disable debug modes in production environments';
+    this.description = 'Ensure debug features are disabled in production';
+    this.warningPatterns = [
+      {
+        pattern: /DEBUG\s*=\s*true(?!\s*&&|\s*\|\|)/gi,
+        message: 'DEBUG hardcoded to true - use environment variable',
+        type: 'hardcoded_debug'
+      },
+      {
+        pattern: /dumpExceptions\s*:\s*true/gi,
+        message: 'Exception dumping enabled - disable in production',
+        type: 'dump_exceptions'
+      },
+      {
+        pattern: /showStackError\s*:\s*true/gi,
+        message: 'Stack errors shown - disable in production',
+        type: 'show_stack'
+      },
+      {
+        pattern: /app\.(?:get|use)\s*\(\s*['"`]\/debug/gi,
+        message: 'Debug endpoint exposed - remove or protect in production',
+        type: 'debug_endpoint'
+      },
+      {
+        pattern: /sourceMap\s*:\s*true(?![^}]*production)/gi,
+        message: 'Source maps enabled - disable in production builds',
+        type: 'source_maps'
+      }
+    ];
+    this.skipPatterns = [
+      /\.test\./i, /\.spec\./i, /test\//i, /__tests__\//i, /node_modules/i,
+      /\.dev\./i, /development/i
+    ];
+  }
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some(p => p.test(filePath));
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) continue;
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        violations.push(...this.analyzeFile(content, filePath));
+      } catch (e) { /* skip */ }
+    }
+    return violations;
+  }
+  analyzeFile(content, filePath) {
+    const violations = [];
+    for (const { pattern, message, type } of this.warningPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        violations.push({
+          file: filePath, line: lineNum, column: 1,
+          message, severity: 'warning', ruleId: this.ruleId, type
+        });
+      }
+    }
+    return violations;
+  }
+}
+module.exports = S059Analyzer;

package/rules/security/S060_password_minimum_length/config.json ADDED Viewed

@@ -0,0 +1,28 @@
+{
+    "id": "S060",
+    "name": "Enforce minimum password length of 8 characters, recommend 15+",
+    "description": "Enforce minimum password length of 8 characters as absolute minimum. Recommend 15+ characters for better security. Support passwords up to 64-128 characters. Combine with breach password checking.",
+    "category": "security",
+    "severity": "medium",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "password", "authentication", "policy"],
+    "examples": {
+        "valid": [
+            "if (password.length < 8) throw new Error('Password too short');",
+            "const MIN_PASSWORD_LENGTH = 12;",
+            "validator.isLength(password, { min: 8, max: 128 });"
+        ],
+        "invalid": [
+            "if (password.length < 4) // Too short minimum",
+            "if (password.length < 6) // Below NIST recommendation",
+            "// No password length validation"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule enforces NIST SP 800-63B password guidelines. Minimum 8 characters absolute minimum (12+ recommended). Support maximum length of 64+ characters. Allow all printable characters including spaces. Check against breach databases (Have I Been Pwned). Do not require arbitrary complexity rules (uppercase, numbers, symbols).",
+        "url": "https://pages.nist.gov/800-63-3/sp800-63b.html"
+    }
+}

package/rules/security/S060_password_minimum_length/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * S060 Dart Analyzer - Password Minimum Length
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S060_password_minimum_length.dart
+ *
+ * Rule: Enforce minimum password length of 8 characters, recommend 15+
+ */
+class DartS060Analyzer {
+  constructor() {
+    this.ruleId = 'S060';
+    this.language = 'dart';
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S060',
+      name: 'Password Minimum Length',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Enforce minimum password length of 8 characters, recommend 15+'
+    };
+  }
+  getConfig() {
+    return {
+      minLength: 8,
+      recommendedLength: 15,
+      maxLength: 128,
+      severity: 'medium'
+    };
+  }
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS060Analyzer;

package/rules/security/S060_password_minimum_length/index.js ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * S060 Rule Router - Password Minimum Length
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Enforce minimum password length of 8 characters, recommend 15+
+ */
+const path = require('path');
+class S060Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S060';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+module.exports = new S060Router();