@sun-asterisk/sunlint 1.3.36 → 1.3.38

package/rules/security/S023_no_json_injection/typescript/ast-analyzer.js

@@ -1,11 +1,36 @@
+/**
+ * S023 AST Analyzer – Use output encoding when building dynamic JavaScript/JSON
+ *
+ * AST-based detection for:
+ * - eval() with user data
+ * - new Function() with user data
+ * - String concatenation to build JavaScript code
+ * - Template literals with unescaped user input in JS/HTML context
+ * - Inline event handlers with user data
+ * - JSON.stringify in HTML context without proper escaping
+ */
+
 const fs = require('fs');
 const path = require('path');
 
 class S023ASTAnalyzer {
   constructor() {
     this.ruleId = 'S023';
-    this.ruleName = 'No JSON Injection Prevention (AST-Enhanced)';
-    this.description = 'AST-based detection of unsafe JSON parsing and injection vulnerabilities';
+    this.ruleName = 'Use output encoding when building dynamic JavaScript/JSON';
+    this.description = 'AST-based detection of unsafe dynamic JS/JSON building and injection vulnerabilities';
+
+    // User input source patterns
+    this.userInputSources = [
+      'localStorage', 'sessionStorage', 'location', 'URLSearchParams',
+      'req', 'request', 'document', 'window', 'fetch', 'axios',
+      'getElementById', 'querySelector', 'formData', 'event'
+    ];
+
+    // Safe encoding functions
+    this.safeEncoders = [
+      'encodeURIComponent', 'encodeURI', 'escape', 'escapeHtml',
+      'sanitize', 'DOMPurify', 'textContent', 'htmlEncode', 'jsEncode'
+    ];
   }
 
   async analyze(files, language, options = {}) {
@@ -22,13 +47,12 @@ class S023ASTAnalyzer {
     ];
 
     for (const filePath of files) {
-      // Skip test files
       if (skipPatterns.some(pattern => pattern.test(filePath))) {
         continue;
       }
 
       if (options.verbose) {
-        console.log(`🎯 Running S023 AST analysis on ${path.basename(filePath)}`);
+        console.log(`🎯 S023 AST analysis on ${path.basename(filePath)}`);
       }
 
       try {
@@ -36,7 +60,9 @@ class S023ASTAnalyzer {
         const fileViolations = await this.analyzeFile(filePath, content, language, options);
         violations.push(...fileViolations);
       } catch (error) {
-        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        if (options.verbose) {
+          console.warn(`⚠️ S023 AST: Failed to analyze ${filePath}: ${error.message}`);
+        }
       }
     }
 
@@ -55,30 +81,27 @@ class S023ASTAnalyzer {
 
   async analyzeJSTS(filePath, content, config) {
     const violations = [];
-    
+
     try {
-      // Try AST analysis first (like ESLint approach)
       const astViolations = await this.analyzeWithAST(filePath, content, config);
       if (astViolations.length > 0) {
         violations.push(...astViolations);
       }
     } catch (astError) {
       if (config.verbose) {
-        console.log(`⚠️ AST analysis failed for ${path.basename(filePath)}, falling back to regex`);
+        console.log(`⚠️ S023 AST: AST parsing failed for ${path.basename(filePath)}, falling back to regex`);
       }
-      
-      // Fallback to regex-based analysis
+
       const regexViolations = await this.analyzeWithRegex(filePath, content, config);
       violations.push(...regexViolations);
     }
-    
+
     return violations;
   }
 
   async analyzeWithAST(filePath, content, config) {
     const violations = [];
-    
-    // Import AST modules dynamically
+
     let astModules;
     try {
       astModules = require('../../../core/ast-modules');
@@ -86,7 +109,6 @@ class S023ASTAnalyzer {
       throw new Error('AST modules not available');
     }
 
-    // Try to parse with AST
     let ast;
     try {
       ast = await astModules.parseCode(content, 'javascript', filePath);
@@ -97,31 +119,48 @@ class S023ASTAnalyzer {
       throw new Error(`Parse error: ${parseError.message}`);
     }
 
-    // Traverse AST to find JSON injection vulnerabilities - mimicking ESLint's approach
     const rootNode = ast.program || ast;
     this.traverseAST(rootNode, (node) => {
-      // Check JSON.parse() calls
+      // 1. Check eval() calls
+      if (this.isEvalCall(node)) {
+        const violation = this.checkEvalForUnsafeUsage(node, filePath, content);
+        if (violation) violations.push(violation);
+      }
+
+      // 2. Check new Function() calls
+      if (this.isNewFunctionCall(node)) {
+        const violation = this.checkNewFunctionForUnsafeUsage(node, filePath, content);
+        if (violation) violations.push(violation);
+      }
+
+      // 3. Check JSON.parse() calls
       if (this.isJsonParseCall(node)) {
         const violation = this.checkJsonParseForUnsafeUsage(node, filePath, content);
-        if (violation) {
-          violations.push(violation);
-        }
+        if (violation) violations.push(violation);
       }
-      
-      // Check eval() with JSON patterns
-      if (this.isEvalCall(node)) {
-        const violation = this.checkEvalForJsonUsage(node, filePath, content);
-        if (violation) {
-          violations.push(violation);
-        }
-      }
-      
-      // Check JSON.stringify in HTML context
+
+      // 4. Check JSON.stringify in HTML context
       if (this.isJsonStringifyCall(node)) {
         const violation = this.checkJsonStringifyInHtmlContext(node, filePath, content);
-        if (violation) {
-          violations.push(violation);
-        }
+        if (violation) violations.push(violation);
+      }
+
+      // 5. Check template literals in dangerous contexts
+      if (this.isTemplateLiteral(node)) {
+        const violation = this.checkTemplateLiteralForUnsafeUsage(node, filePath, content);
+        if (violation) violations.push(violation);
+      }
+
+      // 6. Check setAttribute for inline event handlers
+      if (this.isSetAttributeCall(node)) {
+        const violation = this.checkSetAttributeForEventHandler(node, filePath, content);
+        if (violation) violations.push(violation);
+      }
+
+      // 7. Check assignment to innerHTML/outerHTML with dynamic content
+      if (this.isAssignmentToHtmlProperty(node)) {
+        const violation = this.checkHtmlPropertyAssignment(node, filePath, content);
+        if (violation) violations.push(violation);
       }
     });
 
@@ -130,12 +169,12 @@ class S023ASTAnalyzer {
 
   traverseAST(node, callback) {
     if (!node || typeof node !== 'object') return;
-    
+
     callback(node);
-    
+
     for (const key in node) {
       if (key === 'parent' || key === 'leadingComments' || key === 'trailingComments') continue;
-      
+
       const child = node[key];
       if (Array.isArray(child)) {
         child.forEach(item => this.traverseAST(item, callback));
@@ -145,228 +184,606 @@ class S023ASTAnalyzer {
     }
   }
 
+  // Node type checkers
+  isEvalCall(node) {
+    return node.type === 'CallExpression' &&
+           node.callee &&
+           node.callee.type === 'Identifier' &&
+           node.callee.name === 'eval';
+  }
+
+  isNewFunctionCall(node) {
+    return node.type === 'NewExpression' &&
+           node.callee &&
+           node.callee.type === 'Identifier' &&
+           node.callee.name === 'Function';
+  }
+
   isJsonParseCall(node) {
     return node.type === 'CallExpression' &&
-           node.callee && 
+           node.callee &&
            node.callee.type === 'MemberExpression' &&
            node.callee.object && node.callee.object.name === 'JSON' &&
            node.callee.property && node.callee.property.name === 'parse';
   }
 
-  isEvalCall(node) {
-    return node.type === 'CallExpression' &&
-           node.callee && 
-           node.callee.type === 'Identifier' &&
-           node.callee.name === 'eval';
-  }
-
   isJsonStringifyCall(node) {
     return node.type === 'CallExpression' &&
-           node.callee && 
+           node.callee &&
            node.callee.type === 'MemberExpression' &&
            node.callee.object && node.callee.object.name === 'JSON' &&
            node.callee.property && node.callee.property.name === 'stringify';
   }
 
+  isTemplateLiteral(node) {
+    return node.type === 'TemplateLiteral' &&
+           node.expressions &&
+           node.expressions.length > 0;
+  }
+
+  isSetAttributeCall(node) {
+    return node.type === 'CallExpression' &&
+           node.callee &&
+           node.callee.type === 'MemberExpression' &&
+           node.callee.property &&
+           node.callee.property.name === 'setAttribute';
+  }
+
+  isAssignmentToHtmlProperty(node) {
+    return node.type === 'AssignmentExpression' &&
+           node.left &&
+           node.left.type === 'MemberExpression' &&
+           node.left.property &&
+           (node.left.property.name === 'innerHTML' || node.left.property.name === 'outerHTML');
+  }
+
+  // Violation checkers
+  checkEvalForUnsafeUsage(node, filePath, content) {
+    if (!node.arguments || node.arguments.length === 0) return null;
+
+    const lines = content.split('\n');
+    const lineNumber = node.loc.start.line;
+    const lineText = lines[lineNumber - 1] || '';
+
+    const argument = node.arguments[0];
+
+    // Skip legitimate dynamic import pattern: eval(`import('module-name')`)
+    if (this.isDynamicImportPattern(argument, content)) {
+      return null;
+    }
+
+    if (this.containsUserInputOrDynamic(argument, content)) {
+      return {
+        ruleId: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: node.loc.start.column + 1,
+        message: 'Never use eval() with user data - use JSON.parse() for JSON or safer alternatives',
+        severity: 'error',
+        code: lineText.trim(),
+        type: 'eval_with_user_data',
+        confidence: 0.95,
+        suggestion: 'Use JSON.parse() for JSON data or refactor to avoid dynamic code execution'
+      };
+    }
+
+    return null;
+  }
+
+  /**
+   * Check if eval argument is a legitimate dynamic import pattern
+   * Pattern: eval(`import('module-name')`) - used for ESM imports in CommonJS
+   */
+  isDynamicImportPattern(node, content) {
+    if (!node) return false;
+
+    // Check for template literal containing only import()
+    if (node.type === 'TemplateLiteral') {
+      const nodeText = this.getNodeText(node, content);
+      // Match: `import('...')` or `import("...")`
+      return /^`\s*import\s*\(\s*['"][^'"]+['"]\s*\)\s*`$/.test(nodeText);
+    }
+
+    // Also check the text representation for regex fallback
+    const argText = this.getNodeText(node, content);
+    return /^`\s*import\s*\(\s*['"][^'"]+['"]\s*\)\s*`$/.test(argText);
+  }
+
+  checkNewFunctionForUnsafeUsage(node, filePath, content) {
+    if (!node.arguments || node.arguments.length === 0) return null;
+
+    const lines = content.split('\n');
+    const lineNumber = node.loc.start.line;
+    const lineText = lines[lineNumber - 1] || '';
+
+    // Check if any argument contains user input or dynamic data
+    const hasUnsafeArg = node.arguments.some(arg =>
+      this.containsUserInputOrDynamic(arg, content)
+    );
+
+    if (hasUnsafeArg) {
+      return {
+        ruleId: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: node.loc.start.column + 1,
+        message: 'Never use new Function() with user data - this is equivalent to eval()',
+        severity: 'error',
+        code: lineText.trim(),
+        type: 'new_function_with_user_data',
+        confidence: 0.95,
+        suggestion: 'Refactor to avoid dynamic function creation with user input'
+      };
+    }
+
+    return null;
+  }
+
   checkJsonParseForUnsafeUsage(node, filePath, content) {
     if (!node.arguments || node.arguments.length === 0) return null;
-    
+
     const lines = content.split('\n');
     const lineNumber = node.loc.start.line;
     const lineText = lines[lineNumber - 1] || '';
-    
-    // Check if the argument is from user input (similar to ESLint logic)
+
     const argument = node.arguments[0];
     if (this.isUserInputSource(argument, content)) {
-      // Check if there's validation before JSON.parse
       if (!this.hasValidationBefore(node, content)) {
         return {
           ruleId: this.ruleId,
           file: filePath,
           line: lineNumber,
           column: node.loc.start.column + 1,
-          message: 'Unsafe JSON parsing - validate input before parsing',
+          message: 'Validate JSON structure before parsing user input',
           severity: 'warning',
           code: lineText.trim(),
           type: 'unsafe_json_parse',
           confidence: 0.8,
-          suggestion: 'Validate input before parsing JSON'
+          suggestion: 'Wrap JSON.parse in try-catch and validate the parsed structure'
         };
       }
     }
-    
+
     return null;
   }
 
-  checkEvalForJsonUsage(node, filePath, content) {
-    if (!node.arguments || node.arguments.length === 0) return null;
-    
+  checkJsonStringifyInHtmlContext(node, filePath, content) {
     const lines = content.split('\n');
     const lineNumber = node.loc.start.line;
     const lineText = lines[lineNumber - 1] || '';
-    
-    // Check if eval contains JSON patterns
-    const argument = node.arguments[0];
-    if (this.containsJsonPattern(argument, content)) {
-      return {
-        ruleId: this.ruleId,
-        file: filePath,
-        line: lineNumber,
-        column: node.loc.start.column + 1,
-        message: 'Never use eval() to process JSON data - use JSON.parse() instead',
-        severity: 'error',
-        code: lineText.trim(),
-        type: 'eval_json',
-        confidence: 0.9,
-        suggestion: 'Use JSON.parse() instead of eval()'
-      };
+
+    if (this.isInHtmlContext(node, content)) {
+      const surroundingText = this.getSurroundingText(node, content, 3);
+
+      if (/<script|<\/script>/i.test(surroundingText)) {
+        const hasEscaping = /replace\s*\(\s*[/']<\\?\/script/i.test(surroundingText);
+
+        if (!hasEscaping) {
+          return {
+            ruleId: this.ruleId,
+            file: filePath,
+            line: lineNumber,
+            column: node.loc.start.column + 1,
+            message: 'JSON.stringify in HTML/script context must escape </script> sequences',
+            severity: 'warning',
+            code: lineText.trim(),
+            type: 'json_stringify_html_no_escape',
+            confidence: 0.8,
+            suggestion: "Escape </script> with .replace(/<\\/script/gi, '<\\\\/script')"
+          };
+        }
+      }
     }
-    
+
     return null;
   }
 
-  checkJsonStringifyInHtmlContext(node, filePath, content) {
+  checkTemplateLiteralForUnsafeUsage(node, filePath, content) {
     const lines = content.split('\n');
     const lineNumber = node.loc.start.line;
     const lineText = lines[lineNumber - 1] || '';
-    
-    // Check if JSON.stringify is used in HTML context
-    if (this.isInHtmlContext(node, content)) {
-      return {
-        ruleId: this.ruleId,
-        file: filePath,
-        line: lineNumber,
-        column: node.loc.start.column + 1,
-        message: 'JSON.stringify output should be escaped when used in HTML context',
-        severity: 'warning',
-        code: lineText.trim(),
-        type: 'json_stringify_html',
-        confidence: 0.7,
-        suggestion: 'Escape JSON.stringify output in HTML context'
-      };
+
+    // Check if template literal is in dangerous context
+    const surroundingText = this.getSurroundingText(node, content, 2);
+
+    const isDangerousContext =
+      /innerHTML\s*=/.test(surroundingText) ||
+      /outerHTML\s*=/.test(surroundingText) ||
+      /insertAdjacentHTML/.test(surroundingText) ||
+      /document\.write/.test(surroundingText);
+
+    if (isDangerousContext) {
+      // Check if any expression contains user input
+      const hasUserInputExpression = node.expressions.some(expr =>
+        this.containsUserInputOrDynamic(expr, content)
+      );
+
+      if (hasUserInputExpression && !this.hasSafeEncoding(lineText)) {
+        return {
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: node.loc.start.column + 1,
+          message: 'Template literal with user input in dangerous context - escape data before insertion',
+          severity: 'warning',
+          code: lineText.trim(),
+          type: 'unsafe_template_literal',
+          confidence: 0.75,
+          suggestion: 'Use textContent for text, or properly escape data before inserting into HTML context'
+        };
+      }
     }
-    
+
     return null;
   }
 
-  isUserInputSource(node, content) {
+  checkSetAttributeForEventHandler(node, filePath, content) {
+    if (!node.arguments || node.arguments.length < 2) return null;
+
+    const lines = content.split('\n');
+    const lineNumber = node.loc.start.line;
+    const lineText = lines[lineNumber - 1] || '';
+
+    const firstArg = node.arguments[0];
+    const attrName = this.getStringValue(firstArg);
+
+    // Check if it's an event handler attribute
+    if (attrName && /^on\w+$/i.test(attrName)) {
+      const valueArg = node.arguments[1];
+
+      if (this.containsUserInputOrDynamic(valueArg, content)) {
+        return {
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: node.loc.start.column + 1,
+          message: 'Avoid inline event handlers with user data - use addEventListener instead',
+          severity: 'warning',
+          code: lineText.trim(),
+          type: 'inline_event_handler_user_data',
+          confidence: 0.8,
+          suggestion: 'Use element.addEventListener() and pass data via data attributes or closures'
+        };
+      }
+    }
+
+    return null;
+  }
+
+  checkHtmlPropertyAssignment(node, filePath, content) {
+    const lines = content.split('\n');
+    const lineNumber = node.loc.start.line;
+    const lineText = lines[lineNumber - 1] || '';
+
+    const rightSide = node.right;
+
+    // Check if right side contains user input without encoding
+    if (this.containsUserInputOrDynamic(rightSide, content)) {
+      if (!this.hasSafeEncoding(lineText)) {
+        return {
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: node.loc.start.column + 1,
+          message: 'Assignment to innerHTML/outerHTML with dynamic content - escape user input',
+          severity: 'warning',
+          code: lineText.trim(),
+          type: 'unsafe_html_assignment',
+          confidence: 0.75,
+          suggestion: 'Use textContent for text or properly escape/sanitize HTML content'
+        };
+      }
+    }
+
+    return null;
+  }
+
+  // Helper methods
+  containsUserInputOrDynamic(node, content) {
     if (!node) return false;
-    
-    // Check for common user input patterns (similar to ESLint)
-    const userInputPatterns = [
-      /localStorage\.getItem/,
-      /sessionStorage\.getItem/,
-      /window\.location/,
-      /location\.(search|hash)/,
-      /URLSearchParams/,
-      /req\.(body|query|params)/,
-      /request\.(body|query|params)/
-    ];
-    
-    return userInputPatterns.some(pattern => {
-      const nodeText = this.getNodeText(node, content);
-      return pattern.test(nodeText);
-    });
+
+    const nodeText = this.getNodeText(node, content);
+
+    // Check for user input sources
+    const isUserInput = this.userInputSources.some(source =>
+      nodeText.includes(source)
+    );
+
+    // Check for dynamic patterns (concatenation, template literals)
+    const isDynamic =
+      node.type === 'BinaryExpression' ||
+      node.type === 'TemplateLiteral' ||
+      /\+/.test(nodeText) ||
+      /\$\{/.test(nodeText);
+
+    return isUserInput || isDynamic;
+  }
+
+  isUserInputSource(node, content) {
+    const nodeText = this.getNodeText(node, content);
+    return this.userInputSources.some(source => nodeText.includes(source));
   }
 
   hasValidationBefore(node, content) {
-    // Simple check for validation patterns before JSON.parse
     const lines = content.split('\n');
     const lineNumber = node.loc.start.line;
-    
+
     // Check previous lines for validation patterns
     for (let i = Math.max(0, lineNumber - 5); i < lineNumber - 1; i++) {
       const line = lines[i] || '';
-      if (this.containsValidationPattern(line)) {
+      if (/try\s*\{|catch\s*\(|if\s*\(|typeof\s+|validate|check|isValid/i.test(line)) {
         return true;
       }
     }
-    
+
     return false;
   }
 
-  containsValidationPattern(line) {
-    const validationPatterns = [
-      /try\s*{/,
-      /catch\s*\(/,
-      /if\s*\(/,
-      /typeof\s+/,
-      /instanceof\s+/,
-      /\.length\s*>/,
-      /validate/i,
-      /check/i,
-      /isValid/i
-    ];
-    
-    return validationPatterns.some(pattern => pattern.test(line));
-  }
-
-  containsJsonPattern(node, content) {
-    const nodeText = this.getNodeText(node, content);
-    return /json|JSON|\{|\[/.test(nodeText);
+  hasSafeEncoding(text) {
+    return this.safeEncoders.some(encoder =>
+      text.toLowerCase().includes(encoder.toLowerCase())
+    );
   }
 
   isInHtmlContext(node, content) {
-    // Check if JSON.stringify is used in HTML context
-    const htmlPatterns = [
-      /innerHTML/,
-      /outerHTML/,
-      /insertAdjacentHTML/,
-      /document\.write/,
-      /\.html\(/
-    ];
-    
     const surroundingText = this.getSurroundingText(node, content, 3);
-    return htmlPatterns.some(pattern => pattern.test(surroundingText));
+    return /innerHTML|outerHTML|insertAdjacentHTML|document\.write|<script|<\/script>/i.test(surroundingText);
   }
 
   getNodeText(node, content) {
     if (!node || !node.loc) return '';
-    const lines = content.split('\n');
-    return lines[node.loc.start.line - 1] || '';
+    try {
+      const lines = content.split('\n');
+      const startLine = node.loc.start.line - 1;
+      const endLine = node.loc.end.line - 1;
+
+      if (startLine === endLine) {
+        return lines[startLine].substring(node.loc.start.column, node.loc.end.column);
+      }
+
+      return lines.slice(startLine, endLine + 1).join('\n');
+    } catch (e) {
+      return '';
+    }
   }
 
   getSurroundingText(node, content, radius = 2) {
     if (!node || !node.loc) return '';
     const lines = content.split('\n');
     const lineNumber = node.loc.start.line;
-    
+
     const startLine = Math.max(0, lineNumber - radius - 1);
     const endLine = Math.min(lines.length, lineNumber + radius);
-    
+
     return lines.slice(startLine, endLine).join('\n');
   }
 
+  getStringValue(node) {
+    if (!node) return null;
+    if (node.type === 'Literal' && typeof node.value === 'string') {
+      return node.value;
+    }
+    if (node.type === 'StringLiteral') {
+      return node.value;
+    }
+    return null;
+  }
+
   async analyzeWithRegex(filePath, content, config) {
-    // Fallback regex analysis for basic JSON.parse detection
     const violations = [];
     const lines = content.split('\n');
-    
-    const jsonParsePattern = /JSON\.parse\s*\(\s*([^)]+)\)/g;
     let match;
-    
+
+    // User input patterns for detection
+    const userInputPattern = /localStorage|sessionStorage|location|req\.|request\.|\.value|getElementById|querySelector|URLSearchParams|formData|event\.data/i;
+
+    // 1. Check for eval with dynamic content
+    // Use a more flexible pattern that can capture multiline arguments
+    const evalPattern = /\beval\s*\(\s*(`[\s\S]*?`|[^)]+)\)/g;
+
+    // Pattern for legitimate dynamic imports: eval(`import('...')`) or eval(`import("...")`)
+    // Allows whitespace/newlines between tokens
+    const dynamicImportPattern = /^`\s*import\s*\(\s*['"][^'"]+['"]\s*\)\s*`$/s;
+
+    while ((match = evalPattern.exec(content)) !== null) {
+      const line = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[line - 1] || '';
+      const argument = match[1].trim().replace(/\s+/g, ' '); // Normalize whitespace
+
+      // Skip legitimate dynamic import pattern: eval(`import('module-name')`)
+      // Also normalize argument for checking
+      const normalizedArg = argument.replace(/\s+/g, '');
+      if (/^`import\(['"][^'"]+['"]\)`$/.test(normalizedArg)) {
+        continue;
+      }
+
+      if (/\+|`|\$\{/.test(argument) || userInputPattern.test(argument)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: line,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: 'Never use eval() with user data - use JSON.parse() for JSON',
+          severity: 'error',
+          code: lineText.trim(),
+          type: 'eval_with_user_data_regex',
+          confidence: 0.8,
+          suggestion: 'Use JSON.parse() or refactor to avoid dynamic code execution'
+        });
+      }
+    }
+
+    // 2. Check for new Function with dynamic content
+    const newFunctionPattern = /new\s+Function\s*\(\s*([^)]*)\)/g;
+
+    while ((match = newFunctionPattern.exec(content)) !== null) {
+      const line = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[line - 1] || '';
+      const argument = match[1];
+
+      if (/\+|`|\$\{/.test(argument) || userInputPattern.test(argument)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: line,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: 'Never use new Function() with user data - equivalent to eval()',
+          severity: 'error',
+          code: lineText.trim(),
+          type: 'new_function_with_user_data_regex',
+          confidence: 0.8,
+          suggestion: 'Refactor to avoid dynamic function creation'
+        });
+      }
+    }
+
+    // 3. Check for innerHTML/outerHTML with template literals or concatenation
+    const htmlAssignmentPattern = /\.(innerHTML|outerHTML)\s*=\s*(`[^`]*\$\{|[^;]*\+)/g;
+
+    while ((match = htmlAssignmentPattern.exec(content)) !== null) {
+      const line = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[line - 1] || '';
+
+      // Check if there's encoding/sanitization
+      if (!this.hasSafeEncoding(lineText)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: line,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: 'Avoid innerHTML/outerHTML with dynamic content - use textContent or sanitize input',
+          severity: 'warning',
+          code: lineText.trim(),
+          type: 'unsafe_html_assignment_regex',
+          confidence: 0.75,
+          suggestion: 'Use textContent for text, or DOMPurify/escapeHtml for HTML content'
+        });
+      }
+    }
+
+    // 4. Check for setAttribute with event handlers
+    const setAttributePattern = /setAttribute\s*\(\s*['"]on\w+['"]\s*,\s*([^)]+)\)/gi;
+
+    while ((match = setAttributePattern.exec(content)) !== null) {
+      const line = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[line - 1] || '';
+      const value = match[1];
+
+      if (/\+|`|\$\{/.test(value) || userInputPattern.test(value)) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: line,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: 'Avoid inline event handlers with user data - use addEventListener instead',
+          severity: 'warning',
+          code: lineText.trim(),
+          type: 'inline_event_handler_regex',
+          confidence: 0.8,
+          suggestion: 'Use element.addEventListener() and pass data via data attributes'
+        });
+      }
+    }
+
+    // 5. Check for JSON.stringify in script tag context without escaping
+    const jsonStringifyInScriptPattern = /<script[^>]*>.*JSON\.stringify\s*\([^)]+\).*<\/script>/gi;
+
+    while ((match = jsonStringifyInScriptPattern.exec(content)) !== null) {
+      const line = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[line - 1] || '';
+      const matchText = match[0];
+
+      // Check if </script is properly escaped
+      if (!(/replace\s*\(\s*[/']<\\?\/script/i.test(matchText))) {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: line,
+          column: match.index - content.lastIndexOf('\n', match.index),
+          message: 'JSON.stringify in script context must escape </script> sequences',
+          severity: 'warning',
+          code: lineText.trim(),
+          type: 'json_stringify_script_no_escape_regex',
+          confidence: 0.8,
+          suggestion: "Escape </script> with .replace(/<\\/script/gi, '<\\\\/script')"
+        });
+      }
+    }
+
+    // 6. Check for JSON.parse with user input without try-catch
+    const jsonParsePattern = /JSON\.parse\s*\(\s*([^)]+)\)/g;
+
     while ((match = jsonParsePattern.exec(content)) !== null) {
       const line = content.substring(0, match.index).split('\n').length;
       const lineText = lines[line - 1] || '';
-      
-      // Simple check for unsafe patterns
       const argument = match[1];
-      if (/localStorage\.getItem|sessionStorage\.getItem/.test(argument)) {
+
+      if (userInputPattern.test(argument)) {
+        // Check if there's a try-catch around it
+        const contextStart = Math.max(0, match.index - 200);
+        const contextBefore = content.substring(contextStart, match.index);
+
+        if (!/try\s*\{[^}]*$/.test(contextBefore)) {
+          violations.push({
+            ruleId: this.ruleId,
+            file: filePath,
+            line: line,
+            column: match.index - content.lastIndexOf('\n', match.index),
+            message: 'Validate JSON structure before parsing user input',
+            severity: 'warning',
+            code: lineText.trim(),
+            type: 'unsafe_json_parse_regex',
+            confidence: 0.7,
+            suggestion: 'Wrap JSON.parse in try-catch and validate the parsed structure'
+          });
+        }
+      }
+    }
+
+    // 7. Check for document.write with dynamic content
+    const documentWritePattern = /document\.write(ln)?\s*\(\s*(`[^`]*\$\{|[^)]*\+)/g;
+
+    while ((match = documentWritePattern.exec(content)) !== null) {
+      const line = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[line - 1] || '';
+
+      violations.push({
+        ruleId: this.ruleId,
+        file: filePath,
+        line: line,
+        column: match.index - content.lastIndexOf('\n', match.index),
+        message: 'Avoid document.write with dynamic content - use DOM methods instead',
+        severity: 'warning',
+        code: lineText.trim(),
+        type: 'unsafe_document_write_regex',
+        confidence: 0.75,
+        suggestion: 'Use createElement and textContent for safer DOM manipulation'
+      });
+    }
+
+    // 8. Check for insertAdjacentHTML with dynamic content
+    const insertAdjacentPattern = /insertAdjacentHTML\s*\(\s*['"][^'"]+['"]\s*,\s*(`[^`]*\$\{|[^)]*\+)/g;
+
+    while ((match = insertAdjacentPattern.exec(content)) !== null) {
+      const line = content.substring(0, match.index).split('\n').length;
+      const lineText = lines[line - 1] || '';
+
+      if (!this.hasSafeEncoding(lineText)) {
         violations.push({
           ruleId: this.ruleId,
           file: filePath,
           line: line,
           column: match.index - content.lastIndexOf('\n', match.index),
-          message: 'Unsafe JSON parsing - validate input before parsing',
+          message: 'insertAdjacentHTML with dynamic content - sanitize input first',
           severity: 'warning',
           code: lineText.trim(),
-          type: 'unsafe_json_parse_regex',
-          confidence: 0.6,
-          suggestion: 'Validate input before parsing JSON'
+          type: 'unsafe_insert_adjacent_regex',
+          confidence: 0.75,
+          suggestion: 'Use DOMPurify or escape user input before inserting HTML'
         });
       }
     }
-    
+
     return violations;
   }
 }