@sun-asterisk/sunlint 1.3.36 → 1.3.37

package/rules/security/S008_svg_content_validation/index.js

@@ -0,0 +1,87 @@
+/**
+ * S008 Rule Router - SVG Content Validation
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Ensure user-supplied SVG content is validated or sanitized
+ * to prevent script injection and other attacks.
+ */
+
+const path = require('path');
+
+class S008Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S008';
+  }
+
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+
+    return this.analyzers.get(normalizedLang);
+  }
+
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+
+module.exports = new S008Router();

package/rules/security/S008_svg_content_validation/typescript/analyzer.js

@@ -0,0 +1,216 @@
+/**
+ * S008 TypeScript Analyzer - SVG Content Validation
+ *
+ * Detects unsafe SVG handling in TypeScript/JavaScript code.
+ *
+ * Rule: Ensure user-supplied SVG content is validated or sanitized
+ * to prevent script injection and other attacks.
+ *
+ * Detects:
+ * - SVG content rendered without sanitization
+ * - dangerouslySetInnerHTML with SVG
+ * - Direct DOM insertion of SVG content
+ * - Missing DOMPurify or similar sanitization
+ */
+
+const fs = require('fs');
+
+class TypeScriptS008Analyzer {
+  constructor(config = {}) {
+    this.ruleId = 'S008';
+    this.language = 'typescript';
+    this.config = {
+      checkDangerouslySetInnerHTML: config.checkDangerouslySetInnerHTML !== false,
+      checkDirectInsertion: config.checkDirectInsertion !== false,
+    };
+  }
+
+  getMetadata() {
+    return {
+      ruleId: 'S008',
+      name: 'SVG Content Validation',
+      language: 'typescript',
+      description: 'Ensure user-supplied SVG content is sanitized before rendering'
+    };
+  }
+
+  getConfig() {
+    return this.config;
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      if (!/\.(ts|tsx|js|jsx)$/i.test(filePath)) continue;
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf-8');
+        const fileViolations = this.analyzeContent(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        // Skip files that can't be read
+      }
+    }
+
+    return violations;
+  }
+
+  analyzeContent(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    // Skip test files
+    if (/\.(test|spec)\.(ts|js|tsx|jsx)$/i.test(filePath) ||
+        /__(tests?|mocks?)__/i.test(filePath)) {
+      return violations;
+    }
+
+    // Check if file uses DOMPurify or similar sanitization
+    const hasSanitizer = /(?:DOMPurify|sanitize|xss|purify)/i.test(content);
+
+    // Track SVG-related variables
+    const svgVars = new Set();
+    const contentLower = content.toLowerCase();
+    const hasSvgContext = contentLower.includes('svg') ||
+                          contentLower.includes('.svg') ||
+                          contentLower.includes('image/svg');
+
+    // Only analyze if there's SVG context
+    if (!hasSvgContext) {
+      return violations;
+    }
+
+    // Patterns for detecting unsafe SVG handling
+    const patterns = [
+      {
+        // dangerouslySetInnerHTML with SVG content
+        regex: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(\w+)/g,
+        message: 'Unsafe SVG rendering: dangerouslySetInnerHTML without sanitization',
+        checkVar: true
+      },
+      {
+        // innerHTML assignment with SVG
+        regex: /\.innerHTML\s*=\s*(\w*[Ss]vg\w*)/g,
+        message: 'Unsafe SVG insertion: innerHTML assignment with SVG content'
+      },
+      {
+        // Direct SVG string insertion
+        regex: /\.innerHTML\s*=\s*['"`]<svg/g,
+        message: 'SVG string directly inserted via innerHTML - consider using sanitization'
+      },
+      {
+        // insertAdjacentHTML with SVG
+        regex: /insertAdjacentHTML\s*\([^)]*[Ss]vg/g,
+        message: 'Unsafe SVG insertion via insertAdjacentHTML'
+      },
+      {
+        // document.write with SVG
+        regex: /document\.write\s*\([^)]*[Ss]vg/g,
+        message: 'Unsafe SVG insertion via document.write'
+      },
+      {
+        // Blob URL creation with SVG without sanitization
+        regex: /new\s+Blob\s*\(\s*\[[^\]]*[Ss]vg/g,
+        message: 'SVG Blob created - ensure content is sanitized before creating Blob'
+      },
+      {
+        // SVG data URL without sanitization
+        regex: /data:image\/svg\+xml[^'"`]*\$\{/g,
+        message: 'Dynamic SVG data URL - ensure content is sanitized'
+      },
+      {
+        // User input directly used in SVG
+        regex: /(?:req\.(?:body|query|params)|userInput|formData)\s*\.\s*\w*[Ss]vg/g,
+        message: 'User-supplied SVG content used without validation'
+      },
+      {
+        // File upload SVG without validation
+        regex: /(?:multer|upload|file)\s*\([^)]*svg/gi,
+        message: 'SVG file upload - ensure content is validated and sanitized'
+      }
+    ];
+
+    lines.forEach((line, lineIndex) => {
+      // Skip comments
+      if (/^\s*(\/\/|\/\*|\*)/.test(line)) return;
+
+      // Skip if line has sanitization
+      if (/DOMPurify|sanitize|purify/i.test(line)) return;
+
+      for (const pattern of patterns) {
+        let match;
+        pattern.regex.lastIndex = 0;
+        while ((match = pattern.regex.exec(line)) !== null) {
+          // For dangerouslySetInnerHTML, check if the variable is SVG-related
+          if (pattern.checkVar && match[1]) {
+            const varName = match[1].toLowerCase();
+            if (!varName.includes('svg') && !svgVars.has(match[1])) {
+              // Check if variable is assigned SVG content elsewhere
+              const varAssignment = new RegExp(`${match[1]}\\s*=.*svg`, 'i');
+              if (!varAssignment.test(content)) {
+                continue;
+              }
+            }
+          }
+
+          // Skip if sanitizer is used nearby (within 5 lines)
+          let hasSanitizationNearby = false;
+          for (let i = Math.max(0, lineIndex - 5); i < Math.min(lines.length, lineIndex + 5); i++) {
+            if (/DOMPurify|sanitize|purify/i.test(lines[i])) {
+              hasSanitizationNearby = true;
+              break;
+            }
+          }
+          if (hasSanitizationNearby) continue;
+
+          violations.push({
+            ruleId: 'S008',
+            file: filePath,
+            line: lineIndex + 1,
+            column: match.index + 1,
+            severity: 'warning',
+            message: pattern.message,
+            suggestion: 'Use DOMPurify or similar library to sanitize SVG content before rendering'
+          });
+        }
+      }
+    });
+
+    // Check for SVG element creation without sanitization
+    if (!hasSanitizer) {
+      lines.forEach((line, lineIndex) => {
+        // Skip comments
+        if (/^\s*(\/\/|\/\*|\*)/.test(line)) return;
+
+        // Check for creating SVG element and setting content
+        if (/createElementNS\s*\([^)]*svg/i.test(line) ||
+            /createElement\s*\(\s*['"`]svg['"`]/i.test(line)) {
+          // Look ahead for innerHTML or textContent assignment
+          for (let i = lineIndex; i < Math.min(lines.length, lineIndex + 10); i++) {
+            if (/\.innerHTML\s*=/.test(lines[i]) && !/sanitize|purify/i.test(lines[i])) {
+              violations.push({
+                ruleId: 'S008',
+                file: filePath,
+                line: i + 1,
+                column: 1,
+                severity: 'warning',
+                message: 'SVG element content set without sanitization',
+                suggestion: 'Sanitize content before setting innerHTML on SVG elements'
+              });
+              break;
+            }
+          }
+        }
+      });
+    }
+
+    return violations;
+  }
+
+  supportsLanguage(language) {
+    return ['typescript', 'javascript', 'ts', 'js'].includes(language.toLowerCase());
+  }
+}
+
+module.exports = TypeScriptS008Analyzer;

package/rules/security/S018_no_sensitive_browser_storage/dart/analyzer.js

@@ -0,0 +1,44 @@
+/**
+ * S018 Dart Analyzer - No Sensitive Data in Browser Storage
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S018_no_sensitive_browser_storage.dart
+ *
+ * Rule: Do not store sensitive data in browser storage (SharedPreferences, etc.)
+ */
+
+class DartS018Analyzer {
+  constructor() {
+    this.ruleId = 'S018';
+    this.language = 'dart';
+  }
+
+  getMetadata() {
+    return {
+      ruleId: 'S018',
+      name: 'No Sensitive Data in Browser Storage',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Prevent sensitive data from being stored in client-side storage'
+    };
+  }
+
+  getConfig() {
+    return {
+      checkSharedPreferences: true,
+      checkSecureStorage: true,
+      severity: 'error'
+    };
+  }
+
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+
+module.exports = DartS018Analyzer;

package/rules/security/S018_no_sensitive_browser_storage/index.js

@@ -0,0 +1,86 @@
+/**
+ * S018 Rule Router - No Sensitive Data in Browser Storage
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Do not store sensitive data in browser storage (localStorage, sessionStorage, IndexedDB)
+ */
+
+const path = require('path');
+
+class S018Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S018';
+  }
+
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+
+    return this.analyzers.get(normalizedLang);
+  }
+
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+
+module.exports = new S018Router();

package/rules/security/S018_no_sensitive_browser_storage/typescript/analyzer.js

@@ -0,0 +1,193 @@
+/**
+ * S018 TypeScript Analyzer - No Sensitive Data in Browser Storage
+ *
+ * Detects sensitive data stored in browser storage mechanisms.
+ *
+ * Rule: Do not store sensitive data in localStorage, sessionStorage, or IndexedDB.
+ * Exception: Session tokens may be stored with proper safeguards.
+ *
+ * Detects:
+ * - Passwords/credentials in browser storage
+ * - PII (personal identifiable information) in storage
+ * - API keys or secrets in localStorage/sessionStorage
+ * - Financial data in client-side storage
+ */
+
+const fs = require('fs');
+
+class TypeScriptS018Analyzer {
+  constructor(config = {}) {
+    this.ruleId = 'S018';
+    this.language = 'typescript';
+    this.config = {
+      checkLocalStorage: config.checkLocalStorage !== false,
+      checkSessionStorage: config.checkSessionStorage !== false,
+      checkIndexedDB: config.checkIndexedDB !== false,
+    };
+  }
+
+  getMetadata() {
+    return {
+      ruleId: 'S018',
+      name: 'No Sensitive Data in Browser Storage',
+      language: 'typescript',
+      description: 'Prevent sensitive data from being stored in browser storage'
+    };
+  }
+
+  getConfig() {
+    return this.config;
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      if (!/\.(ts|tsx|js|jsx)$/i.test(filePath)) continue;
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf-8');
+        const fileViolations = this.analyzeContent(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        // Skip files that can't be read
+      }
+    }
+
+    return violations;
+  }
+
+  analyzeContent(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    // Skip test files
+    if (/\.(test|spec)\.(ts|js|tsx|jsx)$/i.test(filePath) ||
+        /__(tests?|mocks?)__/i.test(filePath)) {
+      return violations;
+    }
+
+    // Sensitive data patterns
+    const sensitivePatterns = [
+      'password', 'passwd', 'pwd',
+      'secret', 'apikey', 'api_key', 'api-key',
+      'private_key', 'privatekey', 'private-key',
+      'credit_card', 'creditcard', 'credit-card',
+      'card_number', 'cardnumber', 'cvv', 'cvc',
+      'ssn', 'social_security', 'socialSecurity',
+      'bank_account', 'bankaccount', 'bank-account',
+      'encryption_key', 'encryptionkey',
+      'auth_token', 'authtoken',  // different from session token
+      'refresh_token', 'refreshtoken',
+    ];
+
+    // Allowed patterns (session tokens are acceptable)
+    const allowedPatterns = [
+      'session_token', 'sessiontoken', 'session-token',
+      'access_token', 'accesstoken', 'access-token',
+      'jwt', 'bearer',
+      'theme', 'language', 'locale', 'preference',
+      'cart', 'wishlist'
+    ];
+
+    // Storage methods to check
+    const storagePatterns = [
+      {
+        regex: /localStorage\.setItem\s*\(\s*['"`]([^'"`]+)['"`]\s*,/g,
+        storage: 'localStorage'
+      },
+      {
+        regex: /sessionStorage\.setItem\s*\(\s*['"`]([^'"`]+)['"`]\s*,/g,
+        storage: 'sessionStorage'
+      },
+      {
+        regex: /localStorage\s*\[\s*['"`]([^'"`]+)['"`]\s*\]\s*=/g,
+        storage: 'localStorage'
+      },
+      {
+        regex: /sessionStorage\s*\[\s*['"`]([^'"`]+)['"`]\s*\]\s*=/g,
+        storage: 'sessionStorage'
+      },
+      {
+        regex: /indexedDB\.open\s*\(\s*['"`]([^'"`]+)['"`]/g,
+        storage: 'IndexedDB'
+      },
+      {
+        regex: /\.put\s*\(\s*\{[^}]*(?:password|secret|apiKey|creditCard)[^}]*\}/gi,
+        storage: 'IndexedDB',
+        directMatch: true
+      }
+    ];
+
+    lines.forEach((line, lineIndex) => {
+      // Skip comments
+      if (/^\s*(\/\/|\/\*|\*)/.test(line)) return;
+
+      for (const pattern of storagePatterns) {
+        let match;
+        pattern.regex.lastIndex = 0;
+
+        while ((match = pattern.regex.exec(line)) !== null) {
+          const key = match[1] ? match[1].toLowerCase() : '';
+
+          // Check if key matches sensitive patterns
+          let isSensitive = false;
+          let matchedPattern = '';
+
+          if (pattern.directMatch) {
+            isSensitive = true;
+            matchedPattern = 'sensitive data object';
+          } else {
+            for (const sensitive of sensitivePatterns) {
+              if (key.includes(sensitive.toLowerCase())) {
+                // Check if it's actually allowed
+                const isAllowed = allowedPatterns.some(allowed =>
+                  key.includes(allowed.toLowerCase())
+                );
+                if (!isAllowed) {
+                  isSensitive = true;
+                  matchedPattern = sensitive;
+                  break;
+                }
+              }
+            }
+          }
+
+          if (isSensitive) {
+            violations.push({
+              ruleId: 'S018',
+              file: filePath,
+              line: lineIndex + 1,
+              column: match.index + 1,
+              severity: 'error',
+              message: `Sensitive data "${matchedPattern}" stored in ${pattern.storage} - use server-side session instead`,
+              suggestion: 'Store sensitive data on the server, not in browser storage. Use HttpOnly cookies for session management.'
+            });
+          }
+        }
+      }
+
+      // Check for storing entire objects that might contain sensitive data
+      if (/localStorage\.setItem.*JSON\.stringify.*(?:user|credentials|auth)/i.test(line) ||
+          /sessionStorage\.setItem.*JSON\.stringify.*(?:user|credentials|auth)/i.test(line)) {
+        violations.push({
+          ruleId: 'S018',
+          file: filePath,
+          line: lineIndex + 1,
+          column: 1,
+          severity: 'warning',
+          message: 'Storing user/auth object in browser storage may expose sensitive data',
+          suggestion: 'Ensure the object does not contain passwords, tokens, or PII before storing'
+        });
+      }
+    });
+
+    return violations;
+  }
+
+  supportsLanguage(language) {
+    return ['typescript', 'javascript', 'ts', 'js'].includes(language.toLowerCase());
+  }
+}
+
+module.exports = TypeScriptS018Analyzer;

package/rules/security/S021_referrer_policy/dart/analyzer.js

@@ -0,0 +1,44 @@
+/**
+ * S021 Dart Analyzer - Referrer Policy
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S021_referrer_policy.dart
+ *
+ * Rule: Set Referrer-Policy to prevent sensitive data leakage
+ */
+
+class DartS021Analyzer {
+  constructor() {
+    this.ruleId = 'S021';
+    this.language = 'dart';
+  }
+
+  getMetadata() {
+    return {
+      ruleId: 'S021',
+      name: 'Referrer Policy',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Set Referrer-Policy to prevent sensitive data leakage'
+    };
+  }
+
+  getConfig() {
+    return {
+      checkHeaders: true,
+      checkExternalLinks: true,
+      severity: 'warning'
+    };
+  }
+
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+
+module.exports = DartS021Analyzer;