npm - @sun-asterisk/sunlint - Versions diffs - 1.3.36 → 1.3.37 - Mend

@sun-asterisk/sunlint 1.3.36 → 1.3.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/rules/security/S023_no_json_injection/typescript/analyzer.js CHANGED Viewed

@@ -1,16 +1,27 @@
 /**
- * Heuristic analyzer for: S023 – No JSON Injection
- * Purpose: Prevent JSON injection attacks and unsafe JSON handling
- * Detects: unsafe JSON.parse(), eval() with JSON, JSON.stringify in HTML context
+ * S023 – Use output encoding when building dynamic JavaScript/JSON
+ *
+ * Purpose: Prevent JavaScript and JSON injection by applying proper output encoding
+ * when dynamically building JavaScript content or JSON data.
+ *
+ * Detects:
+ * - eval() with user data
+ * - new Function() with user data
+ * - String concatenation to build JavaScript code
+ * - Template literals with unescaped user input in JS context
+ * - Inline event handlers with user data
+ * - JSON.stringify in HTML context without proper escaping
  */
+// Command: node cli.js --rule=S023 --input=examples/rule-test-fixtures/rules/S023_no_json_injection --engine=heuristic
 class S023Analyzer {
   constructor() {
-    this.ruleId = 'S023';
-    this.ruleName = 'No JSON Injection';
-    this.description = 'Prevent JSON injection attacks and unsafe JSON handling';
-    // Patterns that indicate user input sources
+    this.ruleId = "S023";
+    this.ruleName = "Use output encoding when building dynamic JavaScript/JSON";
+    this.description =
+      "Prevent JavaScript and JSON injection by applying proper output encoding";
+    // User input source patterns
     this.userInputPatterns = [
       /localStorage\.getItem/,
       /sessionStorage\.getItem/,
@@ -24,10 +35,27 @@ class S023Analyzer {
       /postMessage/,
       /fetch\(/,
       /axios\./,
-      /xhr\./
+      /getElementById/,
+      /querySelector/,
+      /formData/i,
+      /event\.data/,
+      /\.value\b/,
     ];
-    // Patterns that indicate validation/safety measures
+    // Safe encoding functions that indicate proper handling
+    this.safeEncodingPatterns = [
+      /encodeURIComponent/,
+      /encodeURI/,
+      /escapeHtml/i,
+      /sanitize/i,
+      /DOMPurify/,
+      /textContent/,
+      /htmlEncode/i,
+      /jsEncode/i,
+      /xss\(/i,
+    ];
+    // Validation patterns indicating proper error handling
     this.validationPatterns = [
       /try\s*\{/,
       /catch\s*\(/,
@@ -40,66 +68,70 @@ class S023Analyzer {
       /isValid/i,
       /sanitize/i,
       /escape/i,
-      /filter/i
+      /filter/i,
     ];
     // HTML context patterns
     this.htmlContextPatterns = [
       /innerHTML/,
       /outerHTML/,
       /insertAdjacentHTML/,
       /document\.write/,
+      /document\.writeln/,
       /\.html\(/,
       /<script/i,
-      /<\/script>/i
+      /<\/script>/i,
+      /dangerouslySetInnerHTML/,
     ];
-    // JSON patterns for eval detection
-    this.jsonPatterns = [
-      /json/i,
-      /\{.*\}/,
-      /\[.*\]/,
-      /parse/i,
-      /stringify/i
+    // Inline event handler patterns
+    this.inlineEventPatterns = [
+      /on\w+\s*=\s*["']/,
+      /setAttribute\s*\(\s*["']on\w+/,
     ];
   }
   async analyze(files, language, options = {}) {
     const violations = [];
     for (const filePath of files) {
       try {
-        const fileViolations = await this.analyzeFile(filePath, language, options);
+        const fileViolations = await this.analyzeFile(
+          filePath,
+          language,
+          options,
+        );
         violations.push(...fileViolations);
       } catch (error) {
         if (options.verbose) {
-          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+          console.warn(
+            `⚠️ S023: Failed to analyze ${filePath}: ${error.message}`,
+          );
         }
       }
     }
     return violations;
   }
   async analyzeFile(filePath, language, options = {}) {
-    // Skip test files - they often use JSON.parse for testing purposes
+    // Skip test files
     const skipPatterns = [
       /\.spec\.(ts|tsx|js|jsx)$/,
       /\.test\.(ts|tsx|js|jsx)$/,
-      /__tests__\//,          // Test directories
-      /__mocks__\//,          // Mock directories
-      /\/tests?\//,           // Test directories
-      /\/fixtures?\//,        // Fixture directories
+      /__tests__\//,
+      /__mocks__\//,
+      /\/tests?\//,
+      /\/fixtures?\//,
     ];
-    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
-    if (shouldSkip) {
+    if (skipPatterns.some((pattern) => pattern.test(filePath))) {
       return [];
     }
     switch (language) {
-      case 'typescript':
-      case 'javascript':
+      case "typescript":
+      case "javascript":
         return this.analyzeJavaScript(filePath, options);
       default:
         return [];
@@ -109,183 +141,427 @@ class S023Analyzer {
   async analyzeJavaScript(filePath, options = {}) {
     try {
       // Try AST analysis first (preferred method)
-      const astAnalyzer = require('./ast-analyzer.js');
-      const astViolations = await astAnalyzer.analyze([filePath], 'javascript', options);
+      const astAnalyzer = require("./ast-analyzer.js");
+      const astViolations = await astAnalyzer.analyze(
+        [filePath],
+        "javascript",
+        options,
+      );
       if (astViolations.length > 0) {
         return astViolations;
       }
     } catch (astError) {
       if (options.verbose) {
-        console.log(`⚠️ AST analysis failed for ${filePath}, falling back to regex`);
+        console.log(
+          `⚠️ S023: AST analysis failed for ${filePath}, falling back to regex`,
+        );
       }
     }
     // Fallback to regex analysis
     return this.analyzeWithRegex(filePath, options);
   }
   async analyzeWithRegex(filePath, options = {}) {
-    const fs = require('fs');
-    const path = require('path');
+    const fs = require("fs");
     try {
-      const content = fs.readFileSync(filePath, 'utf8');
+      const content = fs.readFileSync(filePath, "utf8");
       const violations = [];
-      const lines = content.split('\n');
-      // 1. Check JSON.parse() calls
-      const jsonParseViolations = this.checkJsonParseCalls(content, lines, filePath);
-      violations.push(...jsonParseViolations);
-      // 2. Check eval() with JSON patterns
-      const evalViolations = this.checkEvalWithJson(content, lines, filePath);
+      const lines = content.split("\n");
+      // 1. Check eval() calls with user data
+      const evalViolations = this.checkEvalCalls(content, lines, filePath);
       violations.push(...evalViolations);
-      // 3. Check JSON.stringify in HTML context
-      const htmlViolations = this.checkJsonStringifyInHtml(content, lines, filePath);
-      violations.push(...htmlViolations);
+      // 2. Check new Function() calls with user data
+      const newFunctionViolations = this.checkNewFunctionCalls(
+        content,
+        lines,
+        filePath,
+      );
+      violations.push(...newFunctionViolations);
+      // 3. Check string concatenation for JS building
+      const concatViolations = this.checkStringConcatenationJS(
+        content,
+        lines,
+        filePath,
+      );
+      violations.push(...concatViolations);
+      // 4. Check template literals with user input in JS/HTML context
+      const templateViolations = this.checkTemplateLiterals(
+        content,
+        lines,
+        filePath,
+      );
+      violations.push(...templateViolations);
+      // 5. Check inline event handlers with user data
+      const eventViolations = this.checkInlineEventHandlers(
+        content,
+        lines,
+        filePath,
+      );
+      violations.push(...eventViolations);
+      // 6. Check JSON.stringify in HTML context
+      const jsonHtmlViolations = this.checkJsonStringifyInHtml(
+        content,
+        lines,
+        filePath,
+      );
+      violations.push(...jsonHtmlViolations);
+      // 7. Check JSON.parse with user input (existing check)
+      const jsonParseViolations = this.checkJsonParseCalls(
+        content,
+        lines,
+        filePath,
+      );
+      violations.push(...jsonParseViolations);
       return violations;
     } catch (error) {
       if (options.verbose) {
-        console.warn(`⚠️ Failed to read file ${filePath}: ${error.message}`);
+        console.warn(
+          `⚠️ S023: Failed to read file ${filePath}: ${error.message}`,
+        );
       }
       return [];
     }
   }
-  checkJsonParseCalls(content, lines, filePath) {
+  checkEvalCalls(content, lines, filePath) {
     const violations = [];
-    const jsonParsePattern = /JSON\.parse\s*\(\s*([^)]+)\)/g;
+    const evalPattern = /\beval\s*\(\s*([^)]+)\)/g;
     let match;
-    while ((match = jsonParsePattern.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length;
-      const lineText = lines[lineNumber - 1] || '';
+    while ((match = evalPattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split("\n").length;
+      const lineText = lines[lineNumber - 1] || "";
       const argument = match[1].trim();
-      // Check if argument is from user input
-      if (this.isUserInputArgument(argument)) {
-        // Check if there's validation around this call
-        if (!this.hasValidationContext(content, match.index, lineNumber, lines)) {
+      // Check if argument contains user input or dynamic data
+      if (this.containsUserInput(argument) || this.isDynamicData(argument)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: match.index - content.lastIndexOf("\n", match.index),
+          message:
+            "Never use eval() with user data - use JSON.parse() for JSON or safer alternatives",
+          severity: "error",
+          code: lineText.trim(),
+          type: "eval_with_user_data",
+          confidence: 0.95,
+          suggestion:
+            "Use JSON.parse() for JSON data or refactor to avoid dynamic code execution",
+        });
+      }
+    }
+    return violations;
+  }
+  checkNewFunctionCalls(content, lines, filePath) {
+    const violations = [];
+    const newFunctionPattern = /new\s+Function\s*\(\s*([^)]*)\)/g;
+    let match;
+    while ((match = newFunctionPattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split("\n").length;
+      const lineText = lines[lineNumber - 1] || "";
+      const argument = match[1].trim();
+      // Check if argument contains user input or dynamic data
+      if (this.containsUserInput(argument) || this.isDynamicData(argument)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: match.index - content.lastIndexOf("\n", match.index),
+          message:
+            "Never use new Function() with user data - this is equivalent to eval()",
+          severity: "error",
+          code: lineText.trim(),
+          type: "new_function_with_user_data",
+          confidence: 0.95,
+          suggestion:
+            "Refactor to avoid dynamic function creation with user input",
+        });
+      }
+    }
+    return violations;
+  }
+  checkStringConcatenationJS(content, lines, filePath) {
+    const violations = [];
+    // Pattern: building JS code via string concatenation
+    // e.g., var code = 'var x = "' + userInput + '"';
+    const jsBuildPatterns = [
+      /(var|let|const)\s+\w+\s*=\s*['"](?:var|let|const|function|return)\s+.*['"]\s*\+/g,
+      /['"](?:var|let|const|function|return)\s+.*\+.*['"]/g,
+    ];
+    for (const pattern of jsBuildPatterns) {
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNumber = content.substring(0, match.index).split("\n").length;
+        const lineText = lines[lineNumber - 1] || "";
+        // Check if this is in HTML context or involves user input
+        if (
+          this.isInHtmlContext(content, match.index) ||
+          this.lineContainsUserInput(lineText)
+        ) {
           violations.push({
             ruleId: this.ruleId,
             file: filePath,
             line: lineNumber,
-            column: match.index - content.lastIndexOf('\n', match.index),
-            message: 'Unsafe JSON parsing - validate input before parsing',
-            severity: 'warning',
+            column: match.index - content.lastIndexOf("\n", match.index),
+            message:
+              "Avoid string concatenation to build JavaScript code - encode data properly",
+            severity: "warning",
             code: lineText.trim(),
-            type: 'unsafe_json_parse',
-            confidence: 0.8,
-            suggestion: 'Validate input before parsing JSON or use try-catch block'
+            type: "string_concatenation_js",
+            confidence: 0.7,
+            suggestion:
+              "Use proper encoding or templating that auto-escapes user input",
           });
         }
       }
     }
     return violations;
   }
-  checkEvalWithJson(content, lines, filePath) {
+  checkTemplateLiterals(content, lines, filePath) {
     const violations = [];
-    const evalPattern = /eval\s*\(\s*([^)]+)\)/g;
+    // Pattern: template literals with ${} in HTML/JS context
+    const templatePattern = /`[^`]*\$\{[^}]+\}[^`]*`/g;
     let match;
-    while ((match = evalPattern.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length;
-      const lineText = lines[lineNumber - 1] || '';
-      const argument = match[1].trim();
-      // Check if eval contains JSON patterns
-      if (this.containsJsonPattern(argument)) {
+    while ((match = templatePattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split("\n").length;
+      const lineText = lines[lineNumber - 1] || "";
+      const templateContent = match[0];
+      // Check if template is used in dangerous context (innerHTML, onclick, etc.)
+      const contextBefore = content.substring(
+        Math.max(0, match.index - 50),
+        match.index,
+      );
+      const isDangerousContext =
+        /innerHTML\s*=/.test(contextBefore) ||
+        /outerHTML\s*=/.test(contextBefore) ||
+        /insertAdjacentHTML/.test(contextBefore) ||
+        /on\w+\s*=/.test(templateContent) ||
+        /javascript:/i.test(templateContent);
+      if (isDangerousContext && !this.hasEncodingFunction(lineText)) {
         violations.push({
           ruleId: this.ruleId,
           file: filePath,
           line: lineNumber,
-          column: match.index - content.lastIndexOf('\n', match.index),
-          message: 'Never use eval() to process JSON data - use JSON.parse() instead',
-          severity: 'error',
+          column: match.index - content.lastIndexOf("\n", match.index),
+          message:
+            "Template literal with user input in dangerous context - escape data before insertion",
+          severity: "warning",
           code: lineText.trim(),
-          type: 'eval_json',
-          confidence: 0.9,
-          suggestion: 'Use JSON.parse() instead of eval() for parsing JSON'
+          type: "unsafe_template_literal",
+          confidence: 0.75,
+          suggestion:
+            "Use textContent for text, or properly escape data before inserting into HTML/JS context",
         });
       }
     }
     return violations;
   }
-  checkJsonStringifyInHtml(content, lines, filePath) {
+  checkInlineEventHandlers(content, lines, filePath) {
     const violations = [];
-    const jsonStringifyPattern = /JSON\.stringify\s*\([^)]+\)/g;
+    // Pattern: setAttribute('onclick', ...) with dynamic data
+    const setAttributePattern =
+      /setAttribute\s*\(\s*['"]on\w+['"]\s*,\s*([^)]+)\)/g;
     let match;
-    while ((match = jsonStringifyPattern.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length;
-      const lineText = lines[lineNumber - 1] || '';
-      // Check if JSON.stringify is used in HTML context
-      if (this.isInHtmlContext(content, match.index)) {
+    while ((match = setAttributePattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split("\n").length;
+      const lineText = lines[lineNumber - 1] || "";
+      const argument = match[1].trim();
+      // Check if the value contains user input or concatenation
+      if (
+        this.containsUserInput(argument) ||
+        /\+/.test(argument) ||
+        /\$\{/.test(argument)
+      ) {
         violations.push({
           ruleId: this.ruleId,
           file: filePath,
           line: lineNumber,
-          column: match.index - content.lastIndexOf('\n', match.index),
-          message: 'JSON.stringify output should be escaped when used in HTML context',
-          severity: 'warning',
+          column: match.index - content.lastIndexOf("\n", match.index),
+          message:
+            "Avoid inline event handlers with user data - use addEventListener instead",
+          severity: "warning",
           code: lineText.trim(),
-          type: 'json_stringify_html',
-          confidence: 0.7,
-          suggestion: 'Escape JSON.stringify output when inserting into HTML'
+          type: "inline_event_handler_user_data",
+          confidence: 0.8,
+          suggestion:
+            "Use element.addEventListener() and pass data via data attributes or closures",
         });
       }
     }
+    return violations;
+  }
+  checkJsonStringifyInHtml(content, lines, filePath) {
+    const violations = [];
+    const jsonStringifyPattern = /JSON\.stringify\s*\([^)]+\)/g;
+    let match;
+    while ((match = jsonStringifyPattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split("\n").length;
+      const lineText = lines[lineNumber - 1] || "";
+      // Check if JSON.stringify is used in HTML context
+      if (this.isInHtmlContext(content, match.index)) {
+        // Check if </script> is properly escaped
+        const surroundingContext = content.substring(
+          Math.max(0, match.index - 100),
+          Math.min(content.length, match.index + match[0].length + 100),
+        );
+        const hasScriptTag = /<script|<\/script>/i.test(surroundingContext);
+        const hasEscaping = /replace\s*\(\s*[/']<\\?\/script/i.test(
+          surroundingContext,
+        );
+        if (hasScriptTag && !hasEscaping) {
+          violations.push({
+            ruleId: this.ruleId,
+            file: filePath,
+            line: lineNumber,
+            column: match.index - content.lastIndexOf("\n", match.index),
+            message:
+              "JSON.stringify in HTML/script context must escape </script> sequences",
+            severity: "warning",
+            code: lineText.trim(),
+            type: "json_stringify_html_no_escape",
+            confidence: 0.8,
+            suggestion:
+              "Escape </script> with .replace(/<\\/script/gi, '<\\\\/script')",
+          });
+        }
+      }
+    }
+    return violations;
+  }
+  checkJsonParseCalls(content, lines, filePath) {
+    const violations = [];
+    const jsonParsePattern = /JSON\.parse\s*\(\s*([^)]+)\)/g;
+    let match;
+    while ((match = jsonParsePattern.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split("\n").length;
+      const lineText = lines[lineNumber - 1] || "";
+      const argument = match[1].trim();
+      // Check if argument is from user input
+      if (this.isUserInputArgument(argument)) {
+        // Check if there's validation around this call
+        if (
+          !this.hasValidationContext(content, match.index, lineNumber, lines)
+        ) {
+          violations.push({
+            ruleId: this.ruleId,
+            file: filePath,
+            line: lineNumber,
+            column: match.index - content.lastIndexOf("\n", match.index),
+            message: "Validate JSON structure before parsing user input",
+            severity: "warning",
+            code: lineText.trim(),
+            type: "unsafe_json_parse",
+            confidence: 0.8,
+            suggestion:
+              "Wrap JSON.parse in try-catch and validate the parsed structure",
+          });
+        }
+      }
+    }
     return violations;
   }
+  // Helper methods
+  containsUserInput(text) {
+    return this.userInputPatterns.some((pattern) => pattern.test(text));
+  }
+  isDynamicData(text) {
+    // Check for concatenation or template literals
+    return /\+/.test(text) || /\$\{/.test(text) || /`/.test(text);
+  }
+  lineContainsUserInput(line) {
+    return this.containsUserInput(line);
+  }
   isUserInputArgument(argument) {
-    return this.userInputPatterns.some(pattern => pattern.test(argument));
+    return this.userInputPatterns.some((pattern) => pattern.test(argument));
+  }
+  hasEncodingFunction(text) {
+    return this.safeEncodingPatterns.some((pattern) => pattern.test(text));
   }
   hasValidationContext(content, matchIndex, lineNumber, lines) {
     // Check surrounding lines for validation patterns
     const startLine = Math.max(0, lineNumber - 3);
     const endLine = Math.min(lines.length, lineNumber + 2);
     for (let i = startLine; i < endLine; i++) {
-      const line = lines[i] || '';
-      if (this.validationPatterns.some(pattern => pattern.test(line))) {
+      const line = lines[i] || "";
+      if (this.validationPatterns.some((pattern) => pattern.test(line))) {
         return true;
       }
     }
     // Check if the call is inside a try block
-    const beforeText = content.substring(Math.max(0, matchIndex - 200), matchIndex);
-    const afterText = content.substring(matchIndex, Math.min(content.length, matchIndex + 100));
-    return /try\s*\{[^}]*$/.test(beforeText) || /catch\s*\(/.test(afterText);
-  }
+    const beforeText = content.substring(
+      Math.max(0, matchIndex - 200),
+      matchIndex,
+    );
+    const afterText = content.substring(
+      matchIndex,
+      Math.min(content.length, matchIndex + 100),
+    );
-  containsJsonPattern(text) {
-    return this.jsonPatterns.some(pattern => pattern.test(text));
+    return /try\s*\{[^}]*$/.test(beforeText) || /catch\s*\(/.test(afterText);
   }
   isInHtmlContext(content, matchIndex) {
-    // Check surrounding context for HTML patterns
     const contextStart = Math.max(0, matchIndex - 100);
     const contextEnd = Math.min(content.length, matchIndex + 100);
     const context = content.substring(contextStart, contextEnd);
-    return this.htmlContextPatterns.some(pattern => pattern.test(context));
+    return this.htmlContextPatterns.some((pattern) => pattern.test(context));
   }
-  // Utility method for file extension checking
   isSupportedFile(filePath) {
-    const supportedExtensions = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.cjs'];
-    const path = require('path');
+    const supportedExtensions = [".js", ".ts", ".jsx", ".tsx", ".mjs", ".cjs"];
+    const path = require("path");
     return supportedExtensions.includes(path.extname(filePath));
   }
 }