@sun-asterisk/sunlint 1.3.36 → 1.3.38

package/rules/security/S039_no_session_tokens_in_url/typescript/analyzer.js

@@ -1,262 +0,0 @@
-/**
- * S039 Main Analyzer - Do not pass Session Tokens via URL parameters
- * Primary: Symbol-based analysis (when available)
- * Fallback: Regex-based for all other cases
- * Command: node cli.js --rule=S039 --input=examples/rule-test-fixtures/rules/S039_no_session_tokens_in_url --engine=heuristic
- */
-
-const S039SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
-const S039RegexBasedAnalyzer = require("./regex-based-analyzer.js");
-
-class S039Analyzer {
-  constructor(options = {}) {
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(`🔧 [S039] Constructor called with options:`, !!options);
-      console.log(
-        `🔧 [S039] Options type:`,
-        typeof options,
-        Object.keys(options || {})
-      );
-    }
-
-    this.ruleId = "S039";
-    this.ruleName = "Do not pass Session Tokens via URL parameters";
-    this.description =
-      "Detects when session tokens, authentication tokens, JWT tokens, or other sensitive authentication data are passed as URL parameters instead of secure headers or body. URL parameters are logged in web server logs, browser history, and can be exposed in referrer headers.";
-    this.semanticEngine = options.semanticEngine || null;
-    this.verbose = options.verbose || false;
-
-    this.config = {
-      useSymbolBased: true,
-      fallbackToRegex: true,
-      regexBasedOnly: false,
-      prioritizeSymbolic: true, // Prefer symbol-based when available
-      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
-    };
-
-    try {
-      this.symbolAnalyzer = new S039SymbolBasedAnalyzer(this.semanticEngine);
-      if (process.env.SUNLINT_DEBUG)
-        console.log(`🔧 [S039] Symbol analyzer created successfully`);
-    } catch (error) {
-      console.error(`🔧 [S039] Error creating symbol analyzer:`, error);
-    }
-
-    try {
-      this.regexAnalyzer = new S039RegexBasedAnalyzer(this.semanticEngine);
-      if (process.env.SUNLINT_DEBUG)
-        console.log(`🔧 [S039] Regex analyzer created successfully`);
-    } catch (error) {
-      console.error(`🔧 [S039] Error creating regex analyzer:`, error);
-    }
-  }
-
-  async initialize(semanticEngine) {
-    this.semanticEngine = semanticEngine;
-    if (process.env.SUNLINT_DEBUG)
-      console.log(`🔧 [S039] Main analyzer initializing...`);
-
-    if (this.symbolAnalyzer)
-      await this.symbolAnalyzer.initialize?.(semanticEngine);
-    if (this.regexAnalyzer)
-      await this.regexAnalyzer.initialize?.(semanticEngine);
-    if (this.regexAnalyzer) this.regexAnalyzer.cleanup?.();
-
-    if (process.env.SUNLINT_DEBUG)
-      console.log(`🔧 [S039] Main analyzer initialized successfully`);
-  }
-
-  analyzeSingle(filePath, options = {}) {
-    if (process.env.SUNLINT_DEBUG)
-      console.log(`🔍 [S039] analyzeSingle() called for: ${filePath}`);
-    return this.analyze([filePath], "typescript", options);
-  }
-
-  async analyze(files, language, options = {}) {
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(
-        `🔧 [S039] analyze() method called with ${files.length} files, language: ${language}`
-      );
-    }
-
-    const violations = [];
-    for (const filePath of files) {
-      try {
-        if (process.env.SUNLINT_DEBUG)
-          console.log(`🔧 [S039] Processing file: ${filePath}`);
-        const fileViolations = await this.analyzeFile(filePath, options);
-        violations.push(...fileViolations);
-        if (process.env.SUNLINT_DEBUG)
-          console.log(
-            `🔧 [S039] File ${filePath}: Found ${fileViolations.length} violations`
-          );
-      } catch (error) {
-        console.warn(
-          `⚠ [S039] Analysis failed for ${filePath}:`,
-          error.message
-        );
-      }
-    }
-
-    if (process.env.SUNLINT_DEBUG)
-      console.log(`🔧 [S039] Total violations found: ${violations.length}`);
-    return violations;
-  }
-
-  async analyzeFile(filePath, options = {}) {
-    if (process.env.SUNLINT_DEBUG)
-      console.log(`🔍 [S039] analyzeFile() called for: ${filePath}`);
-    const violationMap = new Map();
-
-    // Try symbol-based analysis first when semantic engine is available OR when explicitly enabled
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(
-        `🔧 [S039] Symbol check: useSymbolBased=${
-          this.config.useSymbolBased
-        }, semanticEngine=${!!this.semanticEngine}, project=${!!this
-          .semanticEngine?.project}, initialized=${!!this.semanticEngine
-          ?.initialized}`
-      );
-    }
-
-    const canUseSymbol =
-      this.config.useSymbolBased &&
-      ((this.semanticEngine?.project && this.semanticEngine?.initialized) ||
-        (!this.semanticEngine && this.config.fallbackToSymbol !== false));
-
-    if (canUseSymbol) {
-      try {
-        if (process.env.SUNLINT_DEBUG)
-          console.log(`🔧 [S039] Trying symbol-based analysis...`);
-
-        let sourceFile = null;
-        if (this.semanticEngine?.project) {
-          sourceFile = this.semanticEngine.project.getSourceFile(filePath);
-          if (process.env.SUNLINT_DEBUG) {
-            console.log(
-              `🔧 [S039] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
-            );
-          }
-        }
-
-        if (!sourceFile) {
-          // Create a minimal ts-morph project for this analysis
-          if (process.env.SUNLINT_DEBUG)
-            console.log(
-              `🔧 [S039] Creating temporary ts-morph project for: ${filePath}`
-            );
-          try {
-            const fs = require("fs");
-            const path = require("path");
-            const { Project } = require("ts-morph");
-
-            // Check if file exists and read content
-            if (!fs.existsSync(filePath)) {
-              throw new Error(`File not found: ${filePath}`);
-            }
-
-            const fileContent = fs.readFileSync(filePath, "utf8");
-            const fileName = path.basename(filePath);
-
-            const tempProject = new Project({
-              useInMemoryFileSystem: true,
-              compilerOptions: {
-                allowJs: true,
-                allowSyntheticDefaultImports: true,
-              },
-            });
-
-            // Add file content to in-memory project
-            sourceFile = tempProject.createSourceFile(fileName, fileContent);
-            if (process.env.SUNLINT_DEBUG)
-              console.log(
-                `🔧 [S039] Temporary project created successfully with file: ${fileName}`
-              );
-          } catch (projectError) {
-            if (process.env.SUNLINT_DEBUG)
-              console.log(
-                `🔧 [S039] Failed to create temporary project:`,
-                projectError.message
-              );
-            throw projectError;
-          }
-        }
-
-        if (sourceFile) {
-          const symbolViolations = await this.symbolAnalyzer.analyze(
-            sourceFile,
-            filePath
-          );
-          symbolViolations.forEach((v) => {
-            const key = `${v.line}:${v.column}:${v.message}`;
-            if (!violationMap.has(key)) violationMap.set(key, v);
-          });
-          if (process.env.SUNLINT_DEBUG)
-            console.log(
-              `🔧 [S039] Symbol analysis completed: ${symbolViolations.length} violations`
-            );
-
-          // If symbol-based found violations or prioritizeSymbolic is true, skip regex
-          if (this.config.prioritizeSymbolic && symbolViolations.length >= 0) {
-            const finalViolations = Array.from(violationMap.values()).map(
-              (v) => ({
-                ...v,
-                filePath,
-                file: filePath,
-              })
-            );
-            if (process.env.SUNLINT_DEBUG)
-              console.log(
-                `🔧 [S039] Symbol-based analysis prioritized: ${finalViolations.length} violations`
-              );
-            return finalViolations;
-          }
-        } else {
-          if (process.env.SUNLINT_DEBUG)
-            console.log(
-              `🔧 [S039] No source file found, skipping symbol analysis`
-            );
-        }
-      } catch (error) {
-        console.warn(`⚠ [S039] Symbol analysis failed:`, error.message);
-      }
-    }
-
-    // Fallback to regex-based analysis
-    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
-      try {
-        if (process.env.SUNLINT_DEBUG)
-          console.log(`🔧 [S039] Trying regex-based analysis...`);
-        const regexViolations = await this.regexAnalyzer.analyze(filePath);
-        regexViolations.forEach((v) => {
-          const key = `${v.line}:${v.column}:${v.message}`;
-          if (!violationMap.has(key)) violationMap.set(key, v);
-        });
-        if (process.env.SUNLINT_DEBUG)
-          console.log(
-            `🔧 [S039] Regex analysis completed: ${regexViolations.length} violations`
-          );
-      } catch (error) {
-        console.warn(`⚠ [S039] Regex analysis failed:`, error.message);
-      }
-    }
-
-    const finalViolations = Array.from(violationMap.values()).map((v) => ({
-      ...v,
-      filePath,
-      file: filePath,
-    }));
-    if (process.env.SUNLINT_DEBUG)
-      console.log(
-        `🔧 [S039] File analysis completed: ${finalViolations.length} unique violations`
-      );
-    return finalViolations;
-  }
-
-  cleanup() {
-    if (this.symbolAnalyzer?.cleanup) this.symbolAnalyzer.cleanup();
-    if (this.regexAnalyzer?.cleanup) this.regexAnalyzer.cleanup();
-  }
-}
-
-module.exports = S039Analyzer;

package/rules/security/S039_no_session_tokens_in_url/typescript/regex-based-analyzer.js

@@ -1,337 +0,0 @@
-/**
- * S039 Regex-Based Analyzer - Do not pass Session Tokens via URL parameters
- * Detects session token exposure in URL parameters across different frameworks
- */
-const fs = require("fs");
-
-class S039RegexBasedAnalyzer {
-  constructor() {
-    this.ruleId = "S039";
-
-    // Framework-specific route patterns
-    this.routePatterns = {
-      // Express.js
-      express:
-        /\b(app|router)\.(get|post|put|delete|patch|use)\s*\(\s*['"`][^'"`]+['"`]/,
-      // Next.js API routes (legacy handler)
-      nextjs: /export\s+(default\s+)?async?\s+function\s+handler\s*\(/,
-      // Next.js 13+ App Router HTTP methods
-      nextjsApp:
-        /export\s+async?\s+function\s+(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)\s*\(/,
-      // NestJS controllers
-      nestjs: /@(Get|Post|Put|Delete|Patch)\s*\(\s*['"`][^'"`]*['"`]?\s*\)/,
-      // Nuxt.js server routes
-      nuxtjs:
-        /export\s+(default\s+|const\s+(GET|POST|PUT|DELETE|PATCH)\s*=\s*)?defineEventHandler\s*\(/,
-    };
-
-    // Session token parameter names to detect
-    this.sessionTokenParams = [
-      "sessionId",
-      "session_id",
-      "session-id",
-      "sessionToken",
-      "session_token",
-      "session-token",
-      "authToken",
-      "auth_token",
-      "auth-token",
-      "authorization",
-      "bearer",
-      "jwt",
-      "jwtToken",
-      "jwt_token",
-      "jwt-token",
-      "accessToken",
-      "access_token",
-      "access-token",
-      "refreshToken",
-      "refresh_token",
-      "refresh-token",
-      "apiKey",
-      "api_key",
-      "api-key",
-      "csrfToken",
-      "csrf_token",
-      "csrf-token",
-      "xsrfToken",
-      "xsrf_token",
-      "xsrf-token",
-      "token",
-      "apiToken",
-      "api_token",
-      "api-token",
-      "sid",
-      "sessionkey",
-      "session_key",
-      "session-key",
-      "userToken",
-      "user_token",
-      "user-token",
-      "authKey",
-      "auth_key",
-      "auth-key",
-      "securityToken",
-      "security_token",
-      "security-token",
-    ];
-
-    // URL parameter access patterns for different frameworks
-    this.urlParamPatterns = {
-      // Express.js: req.query.sessionToken, req.params.authToken
-      express: /req\.(query|params)\.(\w+)/g,
-      // Express.js bracket notation: req.query["access-token"]
-      expressBracket: /req\.(query|params)\[['"`]([^'"`]+)['"`]\]/g,
-      // NestJS: @Query('sessionToken'), @Param('authToken')
-      nestjs: /@(Query|Param)\s*\(\s*['"`](\w+)['"`]\s*\)/g,
-      // Next.js: searchParams.get('sessionToken')
-      nextjs: /searchParams\.get\s*\(\s*['"`](\w+)['"`]\s*\)/g,
-      // Generic destructuring: { sessionToken } = req.query
-      destructuring: /\{\s*([^}]+)\s*\}\s*=\s*req\.(query|params)/g,
-      // URL constructor patterns: new URL().searchParams.get()
-      urlConstructor:
-        /new\s+URL\([^)]+\)\.searchParams\.get\s*\(\s*['"`](\w+)['"`]\s*\)/g,
-      // URLSearchParams patterns: params.get("token")
-      urlSearchParams: /(\w+)\.get\s*\(\s*['"`](\w+)['"`]\s*\)/g,
-    };
-
-    // Pattern to detect session token-like values
-    this.tokenValuePattern = /^[a-zA-Z0-9+/=\-_.]{16,}$/;
-  }
-
-  async analyze(filePath) {
-    // Skip files that are unlikely to be route handlers
-    const skipPatterns = [
-      /\.dto\.ts$/,
-      /\.interface\.ts$/,
-      /\.module\.ts$/,
-      /\.service\.spec\.ts$/,
-      /\.controller\.spec\.ts$/,
-      /\.spec\.ts$/,
-      /\.test\.ts$/,
-      /\.d\.ts$/,
-      /\.types\.ts$/,
-      /\.constants?\.ts$/,
-      /\.config\.ts$/,
-    ];
-
-    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
-    if (shouldSkip) {
-      return [];
-    }
-
-    const content = fs.readFileSync(filePath, "utf8");
-    const lines = content.split(/\r?\n/);
-    const violations = [];
-
-    let inRoute = false;
-    let braceDepth = 0;
-    let routeStartLine = 0;
-    let routeType = null;
-    const tokenExposures = [];
-
-    // Helper functions
-    const reset = () => {
-      inRoute = false;
-      braceDepth = 0;
-      routeStartLine = 0;
-      routeType = null;
-      tokenExposures.length = 0;
-    };
-
-    const evaluate = () => {
-      // Report violations for exposed session tokens
-      for (const exposure of tokenExposures) {
-        violations.push({
-          ruleId: this.ruleId,
-          message: `Session token '${exposure.paramName}' passed via URL parameter - use secure headers or request body instead`,
-          severity: "warning",
-          line: exposure.line,
-          column: 1,
-        });
-      }
-    };
-
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-
-      // Detect route start for different frameworks
-      if (!inRoute) {
-        for (const [framework, pattern] of Object.entries(this.routePatterns)) {
-          if (pattern.test(line)) {
-            if (process.env.SUNLINT_DEBUG)
-              console.log(
-                `🔧 [S039-Regex] Found ${framework} route at line ${
-                  i + 1
-                }: ${line.trim()}`
-              );
-            inRoute = true;
-            routeStartLine = i + 1;
-            routeType = framework;
-            braceDepth =
-              (line.match(/\{/g) || []).length -
-              (line.match(/\}/g) || []).length;
-
-            // If no opening brace on this line, look ahead for it
-            if (braceDepth === 0) {
-              for (let j = i + 1; j < Math.min(i + 3, lines.length); j++) {
-                const nextLine = lines[j];
-                if (nextLine.includes("{")) {
-                  braceDepth =
-                    (nextLine.match(/\{/g) || []).length -
-                    (nextLine.match(/\}/g) || []).length;
-                  break;
-                }
-              }
-            }
-            break;
-          }
-        }
-      }
-
-      if (inRoute) {
-        // Update brace depth
-        braceDepth +=
-          (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
-
-        // Check for session token parameter access
-        this.checkTokenParameterAccess(line, i + 1, tokenExposures);
-
-        // End of route detection
-        if (
-          braceDepth <= 0 &&
-          (/\)\s*;?\s*$/.test(line) ||
-            /^\s*\}\s*$/.test(line) ||
-            /^export/.test(line))
-        ) {
-          if (process.env.SUNLINT_DEBUG) {
-            console.log(
-              `🔧 [S039-Regex] Route ended, evaluating: Token exposures=${tokenExposures.length}`
-            );
-          }
-          evaluate();
-          reset();
-        }
-      }
-    }
-
-    // Safety evaluate if unbalanced at file end
-    if (inRoute) evaluate();
-
-    return violations;
-  }
-
-  checkTokenParameterAccess(line, lineNumber, exposures) {
-    // Check each URL parameter access pattern
-    for (const [framework, pattern] of Object.entries(this.urlParamPatterns)) {
-      const matches = [...line.matchAll(pattern)];
-
-      for (const match of matches) {
-        let paramName = null;
-
-        if (framework === "express") {
-          // req.query.sessionToken or req.params.authToken
-          paramName = match[2];
-        } else if (framework === "expressBracket") {
-          // req.query["access-token"] or req.params["auth-token"]
-          paramName = match[2];
-        } else if (framework === "nestjs") {
-          // @Query('sessionToken') or @Param('authToken')
-          paramName = match[2];
-        } else if (framework === "nextjs" || framework === "urlConstructor") {
-          // searchParams.get('sessionToken'), new URL().searchParams.get('token')
-          paramName = match[1];
-        } else if (framework === "urlSearchParams") {
-          // params.get('sessionToken') - general URLSearchParams pattern
-          paramName = match[2];
-        } else if (framework === "destructuring") {
-          // { sessionToken, authToken } = req.query
-          const destructuredParams = match[1].split(",").map((p) => p.trim());
-          for (const param of destructuredParams) {
-            const cleanParam = param.replace(/['"]/g, "");
-            if (this.isSessionTokenParam(cleanParam)) {
-              exposures.push({
-                paramName: cleanParam,
-                line: lineNumber,
-                framework: framework,
-                accessType: match[2], // query or params
-              });
-              if (process.env.SUNLINT_DEBUG) {
-                console.log(
-                  `🔧 [S039-Regex] Found token parameter exposure: ${cleanParam} via ${framework}`
-                );
-              }
-            }
-          }
-          continue; // Skip the normal parameter check below
-        }
-
-        if (paramName && this.isSessionTokenParam(paramName)) {
-          exposures.push({
-            paramName: paramName,
-            line: lineNumber,
-            framework: framework,
-            accessType: framework === "express" ? match[1] : "parameter",
-          });
-          if (process.env.SUNLINT_DEBUG) {
-            console.log(
-              `🔧 [S039-Regex] Found token parameter exposure: ${paramName} via ${framework}`
-            );
-          }
-        }
-      }
-    }
-
-    // Additional patterns for hardcoded URL parsing
-    const hardcodedPatterns = [
-      // window.location.search, location.search
-      /(?:window\.)?location\.search/g,
-      // URLSearchParams(location.search)
-      /URLSearchParams\s*\(\s*(?:window\.)?location\.search\s*\)/g,
-      // document.location.search
-      /document\.location\.search/g,
-    ];
-
-    for (const pattern of hardcodedPatterns) {
-      if (pattern.test(line)) {
-        // Look for subsequent .get() calls or parameter access in nearby lines
-        for (
-          let j = Math.max(0, lineNumber - 3);
-          j < Math.min(lineNumber + 3, exposures.length + lineNumber);
-          j++
-        ) {
-          const nearbyLine = exposures[j] || line;
-          const getMatches = [
-            ...nearbyLine.matchAll(/\.get\s*\(\s*['"`](\w+)['"`]\s*\)/g),
-          ];
-          for (const getMatch of getMatches) {
-            const paramName = getMatch[1];
-            if (this.isSessionTokenParam(paramName)) {
-              exposures.push({
-                paramName: paramName,
-                line: lineNumber,
-                framework: "client-side",
-                accessType: "url-search",
-              });
-              if (process.env.SUNLINT_DEBUG) {
-                console.log(
-                  `🔧 [S039-Regex] Found client-side token parameter: ${paramName}`
-                );
-              }
-            }
-          }
-        }
-      }
-    }
-  }
-
-  isSessionTokenParam(paramName) {
-    return this.sessionTokenParams.some(
-      (tokenParam) => tokenParam.toLowerCase() === paramName.toLowerCase()
-    );
-  }
-
-  cleanup() {}
-}
-
-module.exports = S039RegexBasedAnalyzer;