npm - @sun-asterisk/sunlint - Versions diffs - 1.3.35 → 1.3.37 - Mend

@sun-asterisk/sunlint 1.3.35 → 1.3.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/rules/security/S060_password_minimum_length/typescript/analyzer.js ADDED Viewed

@@ -0,0 +1,78 @@
+/**
+ * S060 – Enforce minimum password length of 8 characters, recommend 15+
+ *
+ * Detects weak password length requirements:
+ * - Minimum length < 8
+ * - No length validation
+ */
+const fs = require('fs');
+class S060Analyzer {
+  constructor() {
+    this.ruleId = 'S060';
+    this.ruleName = 'Enforce minimum password length of 8 characters';
+    this.description = 'Password minimum length should be 8+ characters';
+    this.warningPatterns = [
+      {
+        pattern: /password.*length\s*[<>=!]+\s*[1-7]\b/gi,
+        message: 'Password minimum length below 8 characters - NIST recommends 8+ minimum',
+        type: 'weak_min_length'
+      },
+      {
+        pattern: /minLength\s*:\s*[1-7]\b.*password/gi,
+        message: 'Password minLength below 8 - increase to at least 8',
+        type: 'weak_minlength_config'
+      },
+      {
+        pattern: /password.*min\s*:\s*[1-7]\b/gi,
+        message: 'Password min length below 8 - increase to at least 8',
+        type: 'weak_min_config'
+      }
+    ];
+    this.skipPatterns = [
+      /\.test\./i, /\.spec\./i, /test\//i, /__tests__\//i, /node_modules/i
+    ];
+  }
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some(p => p.test(filePath));
+  }
+  isPasswordRelated(content) {
+    return /password|passwd|pwd/i.test(content);
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) continue;
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        if (!this.isPasswordRelated(content)) continue;
+        violations.push(...this.analyzeFile(content, filePath));
+      } catch (e) { /* skip */ }
+    }
+    return violations;
+  }
+  analyzeFile(content, filePath) {
+    const violations = [];
+    for (const { pattern, message, type } of this.warningPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        violations.push({
+          file: filePath, line: lineNum, column: 1,
+          message, severity: 'warning', ruleId: this.ruleId, type
+        });
+      }
+    }
+    return violations;
+  }
+}
+module.exports = S060Analyzer;

package/rules/security/S026_json_schema_validation/config.json DELETED Viewed

@@ -1,27 +0,0 @@
-{
-    "id": "S026",
-    "name": "JSON Schema Validation for Input Data",
-    "description": "Ensure all user input data (from HTTP requests, APIs) is validated using JSON schemas before processing to prevent injection attacks.",
-    "category": "security",
-    "severity": "warning",
-    "enabled": true,
-    "engines": ["heuristic"],
-    "enginePreference": ["heuristic"],
-    "tags": ["security", "validation", "input", "json-schema", "http"],
-    "examples": {
-        "valid": [
-            "const schema = joi.object({ name: joi.string() }); const { error } = schema.validate(req.body);",
-            "const ajv = new Ajv(); const valid = ajv.validate(schema, req.body);",
-            "const styles = { body: { color: 'red' } }; // Style object - OK"
-        ],
-        "invalid": [
-            "const data = req.body; processUser(data); // No validation",
-            "const query = req.query; database.find(query); // Direct usage without validation"
-        ]
-    },
-    "fixable": false,
-    "docs": {
-        "description": "This rule ensures that all user input data from HTTP requests is validated using JSON schemas before processing. Direct usage of req.body, req.query, req.params without validation can lead to injection attacks and data corruption.",
-        "url": "https://owasp.org/Top10/A03_2021-Injection/"
-    }
-}

package/rules/security/S026_json_schema_validation/typescript/analyzer.js DELETED Viewed

@@ -1,251 +0,0 @@
-/**
- * Heuristic analyzer for: S026 – JSON Schema Validation cho dữ liệu đầu vào
- * Purpose: Detect unvalidated JSON inputs while avoiding false positives on styles/config objects
- */
-class S026Analyzer {
-  constructor() {
-    this.ruleId = 'S026';
-    this.ruleName = 'JSON Schema Validation Required';
-    this.description = 'Áp dụng JSON Schema Validation cho dữ liệu đầu vào để đảm bảo an toàn';
-    // Patterns that indicate actual HTTP/API input (should be validated)
-    this.httpInputPatterns = [
-      'req.body', 'req.query', 'request.body', 'request.query',
-      'ctx.body', 'ctx.query', 'context.body', 'context.query',
-      'event.body', 'event.queryStringParameters'
-    ];
-    // Patterns that are NOT JSON inputs (should not be flagged)
-    this.nonInputPatterns = [
-      'styles.', 'css.', 'theme.', 'colors.',
-      'config.', 'settings.', 'options.',
-      'data.', 'props.', 'state.',
-      'const.', 'static.', 'default.'
-    ];
-    // Validation patterns that indicate input is being validated
-    this.validationPatterns = [
-      'schema.validate', 'joi.validate', 'ajv.validate',
-      'validate(', 'validateInput(', 'validateBody(',
-      'isValid(', 'checkSchema(', 'parseSchema(',
-      '.validate(', '.valid(', '.check('
-    ];
-    // Express/HTTP framework patterns
-    this.httpFrameworkPatterns = [
-      'app.post(', 'app.put(', 'app.patch(',
-      'router.post(', 'router.put(', 'router.patch(',
-      'express()', '.post(', '.put(', '.patch('
-    ];
-  }
-  async analyze(files, language, options = {}) {
-    const violations = [];
-    for (const filePath of files) {
-      if (options.verbose) {
-        console.log(`🔍 Running S026 analysis on ${require('path').basename(filePath)}`);
-      }
-      try {
-        const content = require('fs').readFileSync(filePath, 'utf8');
-        const fileViolations = this.analyzeFile(content, filePath);
-        violations.push(...fileViolations);
-      } catch (error) {
-        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
-      }
-    }
-    return violations;
-  }
-  analyzeFile(content, filePath) {
-    const violations = [];
-    const lines = content.split('\n');
-    // Find all potential JSON inputs
-    const potentialInputs = this.findPotentialInputs(lines);
-    // Check if they're validated
-    const validatedInputs = this.findValidatedInputs(content);
-    // Report unvalidated inputs
-    potentialInputs.forEach(input => {
-      if (!this.isInputValidated(input, validatedInputs) &&
-          this.isActualJSONInput(input, content)) {
-        violations.push({
-          file: filePath,
-          line: input.line,
-          column: input.column,
-          message: `JSON input '${input.expression}' should be validated using a JSON schema before use. Consider using schema.validate(), joi.validate(), or similar validation library.`,
-          severity: 'warning',
-          ruleId: this.ruleId,
-          type: 'unvalidated_json_input',
-          inputExpression: input.expression
-        });
-      }
-    });
-    return violations;
-  }
-  findPotentialInputs(lines) {
-    const inputs = [];
-    lines.forEach((line, index) => {
-      const trimmedLine = line.trim();
-      // Skip comments and imports
-      if (trimmedLine.startsWith('//') || trimmedLine.startsWith('/*') ||
-          trimmedLine.startsWith('import') || trimmedLine.startsWith('export')) {
-        return;
-      }
-      // Look for .body or .query patterns
-      const bodyMatches = [...line.matchAll(/(\w+\.\w*body\w*)/g)];
-      const queryMatches = [...line.matchAll(/(\w+\.\w*query\w*)/g)];
-      [...bodyMatches, ...queryMatches].forEach(match => {
-        const expression = match[1];
-        const column = match.index + 1;
-        inputs.push({
-          expression,
-          line: index + 1,
-          column,
-          originalLine: line
-        });
-      });
-    });
-    return inputs;
-  }
-  findValidatedInputs(content) {
-    const validatedInputs = new Set();
-    // Find validation calls
-    this.validationPatterns.forEach(pattern => {
-      const regex = new RegExp(pattern.replace('(', '\\(') + '\\s*\\(([^)]+)\\)', 'g');
-      let match;
-      while ((match = regex.exec(content)) !== null) {
-        const validatedInput = match[1].trim();
-        validatedInputs.add(validatedInput);
-        // Also add simplified version (e.g., req.body from schema.validate(req.body))
-        const simplifiedInput = validatedInput.replace(/^\w+\./, '').replace(/\s+/g, '');
-        if (simplifiedInput.includes('.')) {
-          validatedInputs.add(simplifiedInput);
-        }
-      }
-    });
-    return validatedInputs;
-  }
-  isInputValidated(input, validatedInputs) {
-    const expression = input.expression;
-    // Check exact match
-    if (validatedInputs.has(expression)) {
-      return true;
-    }
-    // Check if any validated input contains this expression
-    for (const validated of validatedInputs) {
-      if (validated.includes(expression) || expression.includes(validated)) {
-        return true;
-      }
-    }
-    // Check if validation happens in the same line or nearby
-    const lineContent = input.originalLine.toLowerCase();
-    if (this.validationPatterns.some(pattern => lineContent.includes(pattern.toLowerCase()))) {
-      return true;
-    }
-    return false;
-  }
-  isActualJSONInput(input, content) {
-    const expression = input.expression.toLowerCase();
-    // Skip known non-input patterns (user feedback - styles, config, etc.)
-    if (this.nonInputPatterns.some(pattern => expression.startsWith(pattern.toLowerCase()))) {
-      return false;
-    }
-    // Skip React/CSS style objects
-    if (this.isStyleOrConfigObject(input, content)) {
-      return false;
-    }
-    // Check if it matches HTTP input patterns
-    if (this.httpInputPatterns.some(pattern => expression.includes(pattern.toLowerCase()))) {
-      return true;
-    }
-    // Check if it's in HTTP handler context
-    if (this.isInHTTPHandlerContext(input, content)) {
-      return true;
-    }
-    // Default to false to avoid false positives
-    return false;
-  }
-  isStyleOrConfigObject(input, content) {
-    const expression = input.expression;
-    const lineContent = input.originalLine.toLowerCase();
-    // Check for React/CSS style usage patterns
-    const styleIndicators = [
-      'style=', 'css=', 'theme=', 'styles=',
-      'background', 'color:', 'font', 'margin:', 'padding:',
-      'import', 'const styles', 'const css', 'const theme'
-    ];
-    if (styleIndicators.some(indicator => lineContent.includes(indicator))) {
-      return true;
-    }
-    // Check context around the input for style/config patterns
-    const lines = content.split('\n');
-    const inputLineIndex = input.line - 1;
-    const contextStart = Math.max(0, inputLineIndex - 3);
-    const contextEnd = Math.min(lines.length, inputLineIndex + 3);
-    const contextLines = lines.slice(contextStart, contextEnd).join('\n').toLowerCase();
-    const contextIndicators = [
-      'const styles', 'const css', 'const config', 'const theme',
-      'styleshet.create', 'react', 'jsx', '<div', '</div>', 'component',
-      'export default', 'props', 'state'
-    ];
-    return contextIndicators.some(indicator => contextLines.includes(indicator));
-  }
-  isInHTTPHandlerContext(input, content) {
-    const lines = content.split('\n');
-    const inputLineIndex = input.line - 1;
-    // Check surrounding context for HTTP framework patterns
-    const contextStart = Math.max(0, inputLineIndex - 10);
-    const contextEnd = Math.min(lines.length, inputLineIndex + 5);
-    const contextLines = lines.slice(contextStart, contextEnd).join('\n').toLowerCase();
-    // Look for HTTP handler patterns in context
-    const httpIndicators = [
-      'app.post', 'app.put', 'app.patch', 'app.delete',
-      'router.post', 'router.put', 'router.patch',
-      '(req, res)', 'request, response', 'ctx.body', 'ctx.query',
-      'express', 'fastify', 'koa', 'hapi'
-    ];
-    return httpIndicators.some(indicator => contextLines.includes(indicator));
-  }
-}
-module.exports = S026Analyzer;

package/rules/security/S027_no_hardcoded_secrets/config.json DELETED Viewed

@@ -1,29 +0,0 @@
-{
-    "id": "S027",
-    "name": "No Hardcoded Secrets",
-    "description": "Prevent hardcoded passwords, API keys, secrets while avoiding false positives on state variables and configuration.",
-    "category": "security",
-    "severity": "warning",
-    "enabled": true,
-    "engines": ["heuristic"],
-    "enginePreference": ["heuristic"],
-    "tags": ["security", "secrets", "credentials", "api-keys"],
-    "examples": {
-        "valid": [
-            "const password = process.env.PASSWORD;",
-            "const _isEnablePassCode = useState(false);",
-            "const passwordFieldVisible = true;",
-            "const routes = { setupPassword: '/setup-password' };"
-        ],
-        "invalid": [
-            "const password = 'admin123';",
-            "const apiKey = 'sk-1234567890abcdef';",
-            "const secret = 'my-secret-token';"
-        ]
-    },
-    "fixable": false,
-    "docs": {
-        "description": "This rule prevents hardcoded sensitive information like passwords, API keys, and secrets in source code. It avoids false positives on state variables, route names, and input type configurations.",
-        "url": "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
-    }
-}

package/rules/security/S027_no_hardcoded_secrets/typescript/analyzer.js DELETED Viewed

@@ -1,309 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-class S027CategorizedAnalyzer {
-  constructor() {
-    this.ruleId = 'S027';
-    this.ruleName = 'No Hardcoded Secrets (Categorized)';
-    this.description = 'Phát hiện thông tin bảo mật theo categories với độ ưu tiên khác nhau';
-    // Load categories config
-    this.config = this.loadConfig();
-    this.categories = this.config.categories;
-    this.globalExcludePatterns = this.config.global_exclude_patterns.map(p => new RegExp(p, 'i'));
-    this.minLength = this.config.min_length || 8;
-    this.maxLength = this.config.max_length || 1000;
-    // Compile patterns for performance
-    this.compilePatterns();
-  }
-  loadConfig() {
-    const configPath = path.join(__dirname, 'categories.json');
-    try {
-      const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
-      return config.S027;
-    } catch (error) {
-      console.error('Failed to load S027 categories config:', error.message);
-      return { categories: [], global_exclude_patterns: [] };
-    }
-  }
-  compilePatterns() {
-    this.categories.forEach(category => {
-      category.compiledPatterns = category.patterns.map(p => ({
-        regex: new RegExp(p, 'gm'),
-        original: p
-      }));
-      if (category.exclude_patterns) {
-        category.compiledExcludePatterns = category.exclude_patterns.map(p => new RegExp(p, 'i'));
-      }
-    });
-  }
-  async analyze(files, language, options = {}) {
-    const violations = [];
-    this.currentFilePath = '';
-    for (const filePath of files) {
-      // Skip build/dist/node_modules
-      if (this.shouldSkipFile(filePath)) {
-        continue;
-      }
-      this.currentFilePath = filePath;
-      try {
-        const content = fs.readFileSync(filePath, 'utf8');
-        const fileViolations = this.analyzeFile(content, filePath);
-        violations.push(...fileViolations);
-      } catch (error) {
-        if (options.verbose) {
-          console.error(`Error analyzing ${filePath}:`, error.message);
-        }
-      }
-    }
-    return violations;
-  }
-  shouldSkipFile(filePath) {
-    const skipPatterns = [
-      'build/', 'dist/', 'node_modules/', '.git/',
-      'coverage/', '.next/', '.cache/', 'tmp/',
-      '.lock', '.log', '.min.js', '.bundle.js'
-    ];
-    // Skip test files completely - they often contain mock/fake credentials
-    const testPatterns = [
-      /\.spec\.(ts|tsx|js|jsx)$/,
-      /\.test\.(ts|tsx|js|jsx)$/,
-      /__tests__\//,
-      /__mocks__\//,
-      /\/tests?\//,
-      /\/fixtures?\//,
-      /\/factories\//,        // Test factories
-      /setupTests\./,
-      /testSetup\./,
-    ];
-    if (testPatterns.some(pattern => pattern.test(filePath))) {
-      return true;
-    }
-    return skipPatterns.some(pattern => filePath.includes(pattern));
-  }
-  analyzeFile(content, filePath) {
-    const violations = [];
-    // Handle different line endings (Windows \r\n, Unix \n, Mac \r)
-    const lines = content.split(/\r?\n/);
-    // Check if this is a test file for context
-    const isTestFile = this.isTestFile(filePath);
-    lines.forEach((line, index) => {
-      const lineNumber = index + 1;
-      const trimmedLine = line.trim();
-      // Skip comments and imports
-      if (this.isCommentOrImport(trimmedLine)) {
-        return;
-      }
-      // Skip NEXT_PUBLIC_ environment variables - these are public by design
-      if (this.isPublicEnvironmentVariable(line)) {
-        return;
-      }
-      // Check global exclude patterns first
-      if (this.matchesGlobalExcludes(line)) {
-        return;
-      }
-      // Check each category
-      this.categories.forEach(category => {
-        const categoryViolations = this.checkCategory(
-          category, line, lineNumber, filePath, isTestFile
-        );
-        violations.push(...categoryViolations);
-      });
-    });
-    return violations;
-  }
-  isTestFile(filePath) {
-    const testPatterns = [
-      /\.(test|spec)\./i,
-      /__tests__/i,
-      /\/tests?\//i,
-      /\/spec\//i,
-      /setupTests/i,
-      /testSetup/i,
-      /test[-_]/i,  // Matches test- or test_
-      /^.*\/test[^\/]*\.js$/i  // Matches files starting with test
-    ];
-    return testPatterns.some(pattern => pattern.test(filePath));
-  }
-  isCommentOrImport(line) {
-    return line.startsWith('//') || line.startsWith('/*') ||
-           line.startsWith('import') || line.startsWith('export') ||
-           line.startsWith('*') || line.startsWith('<');
-  }
-  matchesGlobalExcludes(line) {
-    return this.globalExcludePatterns.some(pattern => pattern.test(line));
-  }
-  isPublicEnvironmentVariable(line) {
-    // NEXT_PUBLIC_, REACT_APP_, VITE_, PUBLIC_ prefixed env vars are public by design
-    // These are intentionally exposed to the client-side and are not secrets
-    const publicEnvPatterns = [
-      /NEXT_PUBLIC_[A-Z0-9_]+\s*[:=]/i,      // Next.js public env vars
-      /REACT_APP_[A-Z0-9_]+\s*[:=]/i,        // Create React App public env vars
-      /VITE_[A-Z0-9_]+\s*[:=]/i,             // Vite public env vars
-      /PUBLIC_[A-Z0-9_]+\s*[:=]/i,           // Generic public prefix
-      /EXPO_PUBLIC_[A-Z0-9_]+\s*[:=]/i,      // Expo public env vars
-    ];
-    return publicEnvPatterns.some(pattern => pattern.test(line));
-  }
-  isEnvironmentVariableUsage(line) {
-    // Patterns that indicate environment variable or config service usage - these are SAFE
-    const safePatterns = [
-      /process\.env\./i,                    // process.env.DB_PASSWORD
-      /configService\.get/i,                // configService.get('DB_PASSWORD')
-      /config\.get/i,                       // config.get('API_KEY')
-      /getConfig\(/i,                       // getConfig('secret')
-      /env\(['"]([^'"]+)['"]\)/i,          // env('SECRET_KEY')
-      /process\.env\[['"]([^'"]+)['"]\]/i, // process.env['API_KEY']
-      /import\.meta\.env\./i,              // import.meta.env.VITE_API_KEY
-      /Deno\.env\.get/i,                   // Deno.env.get()
-      /os\.getenv/i,                       // Python os.getenv()
-      /System\.getenv/i,                   // Java System.getenv()
-    ];
-    return safePatterns.some(pattern => pattern.test(line));
-  }
-  checkCategory(category, line, lineNumber, filePath, isTestFile) {
-    const violations = [];
-    category.compiledPatterns.forEach(({ regex, original }) => {
-      let match;
-      // Reset regex lastIndex for global patterns
-      regex.lastIndex = 0;
-      while ((match = regex.exec(line)) !== null) {
-        const matchedText = match[0];
-        const column = match.index + 1;
-        // Check length constraints
-        if (matchedText.length < this.minLength || matchedText.length > this.maxLength) {
-          continue;
-        }
-        // Check category-specific excludes
-        if (category.compiledExcludePatterns &&
-            category.compiledExcludePatterns.some(pattern => pattern.test(matchedText))) {
-          continue;
-        }
-        // Check if this uses environment variables or config services - SAFE patterns
-        if (this.isEnvironmentVariableUsage(line)) {
-          continue;
-        }
-        // Be more lenient in test files - skip all but critical severity
-        // Test files commonly use hardcoded values for testing purposes
-        if (isTestFile && (category.severity === 'low' || category.severity === 'medium' || category.severity === 'high')) {
-          continue;
-        }
-        violations.push({
-          file: filePath,
-          line: lineNumber,
-          column: column,
-          message: `[${category.name}] Potential ${category.severity} security risk: '${matchedText}'. ${category.description}`,
-          severity: this.mapSeverity(category.severity),
-          ruleId: this.ruleId,
-          category: category.name,
-          categoryDescription: category.description,
-          matchedPattern: original,
-          matchedText: matchedText
-        });
-      }
-    });
-    return violations;
-  }
-  mapSeverity(categorySeverity) {
-    const severityMap = {
-      'critical': 'error',
-      'high': 'warning',
-      'medium': 'warning',
-      'low': 'info'
-    };
-    return severityMap[categorySeverity] || 'warning';
-  }
-  // Method for getting category statistics
-  getCategoryStats(violations) {
-    const stats = {};
-    violations.forEach(violation => {
-      const category = violation.category;
-      if (!stats[category]) {
-        stats[category] = {
-          count: 0,
-          severity: violation.severity,
-          files: new Set()
-        };
-      }
-      stats[category].count++;
-      stats[category].files.add(violation.file);
-    });
-    // Convert Set to array for JSON serialization
-    Object.keys(stats).forEach(category => {
-      stats[category].files = Array.from(stats[category].files);
-      stats[category].fileCount = stats[category].files.length;
-    });
-    return stats;
-  }
-  // Method for filtering by category
-  filterByCategory(violations, categoryNames) {
-    if (!categoryNames || categoryNames.length === 0) {
-      return violations;
-    }
-    return violations.filter(violation =>
-      categoryNames.includes(violation.category)
-    );
-  }
-  // Method for filtering by severity
-  filterBySeverity(violations, minSeverity = 'info') {
-    const severityOrder = ['info', 'warning', 'error'];
-    const minIndex = severityOrder.indexOf(minSeverity);
-    if (minIndex === -1) return violations;
-    return violations.filter(violation => {
-      const violationIndex = severityOrder.indexOf(violation.severity);
-      return violationIndex >= minIndex;
-    });
-  }
-}
-module.exports = S027CategorizedAnalyzer;