@sun-asterisk/sunlint 1.3.36 → 1.3.37

package/rules/security/S035_separate_app_hostnames/typescript/analyzer.js

@@ -0,0 +1,186 @@
+/**
+ * S035 – Host separate applications on different hostnames
+ *
+ * Detects patterns that suggest multiple applications sharing the same origin:
+ * - Path-based application routing on same domain
+ * - Shared cookies across application paths
+ * - Missing CORS isolation between apps
+ * - Proxy configurations routing multiple apps to same origin
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+class S035Analyzer {
+  constructor() {
+    this.ruleId = 'S035';
+    this.ruleName = 'Host separate applications on different hostnames';
+    this.description = 'Leverage same-origin policy by hosting applications on separate hostnames';
+
+    // Patterns indicating path-based multi-app hosting (bad practice)
+    this.pathBasedAppPatterns = [
+      // Proxy/routing configurations with path-based apps
+      {
+        pattern: /proxy\s*:\s*\{[^}]*['"`]\/app[12]|\/admin|\/portal['"`]\s*:/gi,
+        message: 'Path-based application routing detected. Consider using separate hostnames for isolation',
+        type: 'path_based_proxy'
+      },
+      // Express/route-based app mounting
+      {
+        pattern: /app\.use\s*\(\s*['"`]\/(app[12]|admin|portal|api)['"`]\s*,\s*\w+App/gi,
+        message: 'Multiple applications mounted on same origin with path prefix. Use separate hostnames',
+        type: 'app_mounting'
+      },
+      // Next.js/Nginx rewrite rules for multi-app
+      {
+        pattern: /rewrites?\s*.*['"`]\/(app[12]|admin|portal)\/\*['"`]/gi,
+        message: 'Rewrite rules suggesting multiple apps on same origin',
+        type: 'rewrite_rules'
+      }
+    ];
+
+    // Patterns for shared cookies across paths (indicates shared origin issue)
+    this.sharedCookiePatterns = [
+      // Cookie with root path for multi-app
+      {
+        pattern: /cookie\s*\([^)]*path\s*:\s*['"`]\/['"`][^)]*\).*(?:app|admin|portal)/gi,
+        message: 'Root path cookie may be shared across multiple applications on same origin',
+        type: 'shared_root_cookie'
+      },
+      // Domain-wide cookie settings
+      {
+        pattern: /domain\s*:\s*['"`]\.?[^'"`]+['"`].*(?:shared|common)/gi,
+        message: 'Domain-wide cookie may leak across applications',
+        type: 'domain_cookie'
+      }
+    ];
+
+    // Configuration patterns suggesting multi-app on single origin
+    this.configPatterns = [
+      // Docker/nginx config with location-based routing
+      {
+        pattern: /location\s+\/(app[12]|admin|portal)\s*\{[^}]*proxy_pass/gi,
+        message: 'Nginx location-based routing for multiple apps. Consider separate server blocks with different hostnames',
+        type: 'nginx_location_routing'
+      },
+      // Kubernetes ingress with path-based routing
+      {
+        pattern: /path:\s*\/(app[12]|admin|portal)/gi,
+        message: 'Kubernetes Ingress path-based routing. Consider separate Ingress resources with different hosts',
+        type: 'k8s_path_routing'
+      }
+    ];
+
+    // Files to analyze (configuration files)
+    this.targetPatterns = [
+      /nginx\.conf$/i,
+      /\.conf$/i,
+      /docker-compose/i,
+      /kubernetes|k8s/i,
+      /ingress/i,
+      /proxy/i,
+      /next\.config/i,
+      /nuxt\.config/i,
+      /vite\.config/i,
+      /webpack\.config/i
+    ];
+
+    // Files to skip
+    this.skipPatterns = [
+      /\.test\./i,
+      /\.spec\./i,
+      /node_modules/i,
+      /\.md$/i
+    ];
+  }
+
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some(pattern => pattern.test(filePath));
+  }
+
+  isTargetFile(filePath) {
+    return this.targetPatterns.some(pattern => pattern.test(filePath));
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+
+      // Only analyze configuration-related files
+      if (!this.isTargetFile(filePath)) {
+        continue;
+      }
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    const allPatterns = [
+      ...this.pathBasedAppPatterns,
+      ...this.sharedCookiePatterns,
+      ...this.configPatterns
+    ];
+
+    for (const { pattern, message, type } of allPatterns) {
+      pattern.lastIndex = 0;
+
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+
+        if (this.isComment(line)) {
+          continue;
+        }
+
+        violations.push({
+          file: filePath,
+          line: lineNum,
+          column: this.getColumnNumber(content, match.index),
+          message: message,
+          severity: 'warning',
+          ruleId: this.ruleId,
+          type: type,
+          matchedText: match[0]
+        });
+      }
+    }
+
+    return violations;
+  }
+
+  isComment(line) {
+    const trimmed = line.trim();
+    return trimmed.startsWith('//') || trimmed.startsWith('#') ||
+           trimmed.startsWith('/*') || trimmed.startsWith('*');
+  }
+
+  getLineNumber(content, index) {
+    return content.substring(0, index).split('\n').length;
+  }
+
+  getColumnNumber(content, index) {
+    const lastNewline = content.lastIndexOf('\n', index - 1);
+    return index - lastNewline;
+  }
+}
+
+module.exports = S035Analyzer;

package/rules/security/S036_lfi_rfi_protection/config.json

@@ -1,8 +1,8 @@
 {
   "id": "S036",
-  "name": "LFI and RFI Protection - Prevent Local and Remote File Inclusion",
+  "name": "Use internal data for file paths, validate user filenames strictly",
   "category": "security",
-  "description": "S036 - Prevent Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities by validating file paths and using allowlists.",
+  "description": "Prevent path traversal, LFI, RFI, and SSRF attacks by using internally generated file paths instead of user-submitted filenames. When user input is unavoidable, apply strict validation with allowlists.",
   "severity": "error",
   "enabled": true,
   "patterns": {

package/rules/security/S039_tls_certificate_validation/config.json

@@ -0,0 +1,29 @@
+{
+    "id": "S039",
+    "name": "TLS clients must validate server certificates",
+    "description": "Ensure TLS clients validate certificates received from servers before establishing secure communication. Verify certificate is signed by trusted CA, check certificate chain, validate expiration, and confirm hostname matches certificate CN/SAN.",
+    "category": "security",
+    "severity": "critical",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "tls", "ssl", "certificates", "validation", "mitm"],
+    "examples": {
+        "valid": [
+            "const https = require('https'); // Default validates certificates",
+            "fetch('https://api.example.com'); // Default validates",
+            "axios.get('https://api.example.com'); // Default validates"
+        ],
+        "invalid": [
+            "{ rejectUnauthorized: false } // Disables validation",
+            "requests.get(url, verify=False) // Python: disables validation",
+            "InsecureSkipVerify: true // Go: disables validation",
+            "NODE_TLS_REJECT_UNAUTHORIZED=0 // Disables globally"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule ensures TLS clients properly validate server certificates to prevent MITM attacks. Required validation includes: verify certificate is signed by trusted CA, check certificate chain up to root CA, validate certificate has not expired, confirm hostname matches certificate CN/SAN. DO NOT disable validation with rejectUnauthorized: false, verify=False, or InsecureSkipVerify: true.",
+        "url": "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+    }
+}

package/rules/security/S039_tls_certificate_validation/typescript/analyzer.js

@@ -0,0 +1,229 @@
+/**
+ * S039 – TLS clients must validate server certificates
+ *
+ * Detects patterns where TLS certificate validation is disabled:
+ * - rejectUnauthorized: false (Node.js)
+ * - verify=False (Python)
+ * - InsecureSkipVerify: true (Go)
+ * - NODE_TLS_REJECT_UNAUTHORIZED=0
+ * - Custom checkServerIdentity that bypasses validation
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+class S039Analyzer {
+  constructor() {
+    this.ruleId = 'S039';
+    this.ruleName = 'TLS clients must validate server certificates';
+    this.description = 'Ensure TLS clients validate server certificates to prevent MITM attacks';
+
+    // Critical patterns - certificate validation disabled
+    this.criticalPatterns = [
+      // Node.js - rejectUnauthorized: false
+      {
+        pattern: /rejectUnauthorized\s*:\s*false/gi,
+        message: 'TLS certificate validation disabled with rejectUnauthorized: false. This allows MITM attacks',
+        type: 'reject_unauthorized_false'
+      },
+      // Node.js environment variable
+      {
+        pattern: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"`]?0['"`]?/gi,
+        message: 'NODE_TLS_REJECT_UNAUTHORIZED=0 globally disables certificate validation. This is dangerous',
+        type: 'node_env_disable'
+      },
+      {
+        pattern: /process\.env\.NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"`]?0['"`]?/gi,
+        message: 'Setting NODE_TLS_REJECT_UNAUTHORIZED=0 disables all TLS validation',
+        type: 'node_env_set'
+      },
+      // Python requests
+      {
+        pattern: /verify\s*=\s*False/g,
+        message: 'SSL verification disabled with verify=False. Certificate validation required',
+        type: 'python_verify_false'
+      },
+      // Go
+      {
+        pattern: /InsecureSkipVerify\s*:\s*true/gi,
+        message: 'InsecureSkipVerify: true disables TLS certificate validation in Go',
+        type: 'go_insecure_skip'
+      },
+      // Axios
+      {
+        pattern: /httpsAgent\s*:\s*new\s+https\.Agent\s*\(\s*\{[^}]*rejectUnauthorized\s*:\s*false/gi,
+        message: 'Axios httpsAgent with rejectUnauthorized: false disables certificate validation',
+        type: 'axios_insecure'
+      },
+      // Java
+      {
+        pattern: /setHostnameVerifier\s*\(\s*.*ALLOW_ALL|NoopHostnameVerifier/gi,
+        message: 'Hostname verification disabled. This allows certificate spoofing',
+        type: 'java_hostname_verifier'
+      },
+      {
+        pattern: /TrustAllCerts|TrustAllStrategy|AcceptAllCertificates/gi,
+        message: 'Trust-all certificate strategy detected. Validate certificates properly',
+        type: 'trust_all'
+      }
+    ];
+
+    // Warning patterns - potentially insecure
+    this.warningPatterns = [
+      // Custom checkServerIdentity that returns undefined/null
+      {
+        pattern: /checkServerIdentity\s*:\s*\(\)\s*=>\s*(undefined|null|true|\{\})/gi,
+        message: 'Custom checkServerIdentity bypasses hostname verification',
+        type: 'custom_server_identity'
+      },
+      // SSL context with no verify
+      {
+        pattern: /ssl\.create_default_context\s*\([^)]*\)\s*[^;]*check_hostname\s*=\s*False/gi,
+        message: 'SSL context with hostname check disabled',
+        type: 'ssl_no_hostname'
+      },
+      // curl with insecure flag (in scripts)
+      {
+        pattern: /curl\s+[^|]*-k\b|curl\s+[^|]*--insecure\b/gi,
+        message: 'curl with -k/--insecure flag disables certificate validation',
+        type: 'curl_insecure'
+      },
+      // wget with no-check-certificate
+      {
+        pattern: /wget\s+[^|]*--no-check-certificate/gi,
+        message: 'wget with --no-check-certificate disables certificate validation',
+        type: 'wget_insecure'
+      }
+    ];
+
+    // Files to skip
+    this.skipPatterns = [
+      /\.test\./i,
+      /\.spec\./i,
+      /test\//i,
+      /tests\//i,
+      /__tests__\//i,
+      /node_modules/i,
+      /\.md$/i
+    ];
+  }
+
+  shouldSkipFile(filePath) {
+    return this.skipPatterns.some(pattern => pattern.test(filePath));
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    // Check critical patterns (errors)
+    for (const { pattern, message, type } of this.criticalPatterns) {
+      pattern.lastIndex = 0;
+
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+
+        if (this.isComment(line)) {
+          continue;
+        }
+
+        // Skip if in test context
+        if (this.isTestContext(lines, lineNum)) {
+          continue;
+        }
+
+        violations.push({
+          file: filePath,
+          line: lineNum,
+          column: this.getColumnNumber(content, match.index),
+          message: message,
+          severity: 'error',
+          ruleId: this.ruleId,
+          type: type,
+          matchedText: match[0]
+        });
+      }
+    }
+
+    // Check warning patterns
+    for (const { pattern, message, type } of this.warningPatterns) {
+      pattern.lastIndex = 0;
+
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNum = this.getLineNumber(content, match.index);
+        const line = lines[lineNum - 1];
+
+        if (this.isComment(line)) {
+          continue;
+        }
+
+        if (this.isTestContext(lines, lineNum)) {
+          continue;
+        }
+
+        violations.push({
+          file: filePath,
+          line: lineNum,
+          column: this.getColumnNumber(content, match.index),
+          message: message,
+          severity: 'warning',
+          ruleId: this.ruleId,
+          type: type,
+          matchedText: match[0]
+        });
+      }
+    }
+
+    return violations;
+  }
+
+  isComment(line) {
+    const trimmed = line.trim();
+    return trimmed.startsWith('//') || trimmed.startsWith('#') ||
+           trimmed.startsWith('/*') || trimmed.startsWith('*');
+  }
+
+  isTestContext(lines, lineNum) {
+    const start = Math.max(0, lineNum - 5);
+    const end = Math.min(lines.length, lineNum + 2);
+    const context = lines.slice(start, end).join('\n').toLowerCase();
+
+    return /describe\(|it\(|test\(|jest|mocha|mock|stub|fake|development|dev\s*mode/i.test(context);
+  }
+
+  getLineNumber(content, index) {
+    return content.substring(0, index).split('\n').length;
+  }
+
+  getColumnNumber(content, index) {
+    const lastNewline = content.lastIndexOf('\n', index - 1);
+    return index - lastNewline;
+  }
+}
+
+module.exports = S039Analyzer;

package/rules/security/S046_jwt_algorithm_allowlist/config.json

@@ -0,0 +1,28 @@
+{
+    "id": "S046",
+    "name": "Use algorithm allowlist for self-contained tokens",
+    "description": "Prevent algorithm confusion and downgrade attacks by restricting token signing/verification to an explicit allowlist of algorithms. Never allow the 'none' algorithm. Validate algorithm before processing token.",
+    "category": "security",
+    "severity": "critical",
+    "enabled": true,
+    "engines": ["heuristic"],
+    "enginePreference": ["heuristic"],
+    "tags": ["security", "jwt", "token", "algorithm", "authentication"],
+    "examples": {
+        "valid": [
+            "jwt.verify(token, key, { algorithms: ['RS256'] });",
+            "const options = { algorithms: ['HS256', 'HS384'] };",
+            "if (!['RS256', 'ES256'].includes(header.alg)) throw new Error();"
+        ],
+        "invalid": [
+            "jwt.verify(token, key); // No algorithm specified",
+            "jwt.decode(token); // Decodes without verification",
+            "{ algorithms: ['none'] } // 'none' algorithm allowed"
+        ]
+    },
+    "fixable": false,
+    "docs": {
+        "description": "This rule ensures JWT/token verification uses an explicit algorithm allowlist. Algorithm confusion attacks occur when an attacker can control which algorithm is used. Must use algorithm allowlist, never allow 'none' algorithm, prefer either symmetric OR asymmetric algorithms not both. If both needed, implement key type validation to prevent key confusion attacks.",
+        "url": "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+    }
+}

package/rules/security/S046_jwt_algorithm_allowlist/dart/analyzer.js

@@ -0,0 +1,44 @@
+/**
+ * S046 Dart Analyzer - JWT Algorithm Allowlist
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S046_jwt_algorithm_allowlist.dart
+ *
+ * Rule: Use algorithm allowlist for self-contained tokens
+ */
+
+class DartS046Analyzer {
+  constructor() {
+    this.ruleId = 'S046';
+    this.language = 'dart';
+  }
+
+  getMetadata() {
+    return {
+      ruleId: 'S046',
+      name: 'JWT Algorithm Allowlist',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Use algorithm allowlist for self-contained tokens to prevent algorithm confusion attacks'
+    };
+  }
+
+  getConfig() {
+    return {
+      checkJwtVerify: true,
+      checkAlgorithmList: true,
+      severity: 'critical'
+    };
+  }
+
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+
+module.exports = DartS046Analyzer;

package/rules/security/S046_jwt_algorithm_allowlist/index.js

@@ -0,0 +1,87 @@
+/**
+ * S046 Rule Router - JWT Algorithm Allowlist
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Use algorithm allowlist for self-contained tokens to prevent
+ * algorithm confusion and downgrade attacks
+ */
+
+const path = require('path');
+
+class S046Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S046';
+  }
+
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+
+    return this.analyzers.get(normalizedLang);
+  }
+
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+
+module.exports = new S046Router();