@sun-asterisk/sunlint 1.3.36 → 1.3.38

package/rules/security/S039_no_session_tokens_in_url/typescript/symbol-based-analyzer.js

@@ -1,443 +0,0 @@
-/**
- * S039 Symbol-Based Analyzer - Do not pass Session Tokens via URL parameters
- * Enhanced to analyze per route handler for URL parameter token exposure
- */
-
-class S039SymbolBasedAnalyzer {
-  constructor(semanticEngine) {
-    this.ruleId = "S039";
-    this.semanticEngine = semanticEngine;
-
-    // Session token parameter names to detect
-    this.sessionTokenParams = [
-      "sessionId",
-      "session_id",
-      "session-id",
-      "sessionToken",
-      "session_token",
-      "session-token",
-      "authToken",
-      "auth_token",
-      "auth-token",
-      "authorization",
-      "bearer",
-      "jwt",
-      "jwtToken",
-      "jwt_token",
-      "jwt-token",
-      "accessToken",
-      "access_token",
-      "access-token",
-      "refreshToken",
-      "refresh_token",
-      "refresh-token",
-      "apiKey",
-      "api_key",
-      "api-key",
-      "csrfToken",
-      "csrf_token",
-      "csrf-token",
-      "xsrfToken",
-      "xsrf_token",
-      "xsrf-token",
-      "token",
-      "apiToken",
-      "api_token",
-      "api-token",
-      "sid",
-      "sessionkey",
-      "session_key",
-      "session-key",
-      "userToken",
-      "user_token",
-      "user-token",
-      "authKey",
-      "auth_key",
-      "auth-key",
-      "securityToken",
-      "security_token",
-      "security-token",
-    ];
-
-    // Pattern to detect session token-like values
-    this.tokenValuePattern = /^[a-zA-Z0-9+/=\-_.]{16,}$/;
-  }
-
-  async initialize() {}
-
-  analyze(sourceFile, filePath) {
-    const violations = [];
-
-    // Skip files that are unlikely to be route handlers
-    const skipPatterns = [
-      /\.dto\.ts$/,
-      /\.interface\.ts$/,
-      /\.module\.ts$/,
-      /\.service\.spec\.ts$/,
-      /\.controller\.spec\.ts$/,
-      /\.spec\.ts$/,
-      /\.test\.ts$/,
-      /\.d\.ts$/,
-      /\.types\.ts$/,
-      /\.constants?.ts$/,
-      /\.config\.ts$/,
-    ];
-
-    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
-    if (shouldSkip) {
-      return violations;
-    }
-
-    try {
-      const { SyntaxKind } = require("ts-morph");
-
-      // Find all function expressions and arrow functions that could be route handlers
-      const routeHandlers = [];
-
-      // Express route patterns: app.get("/path", (req, res) => {...})
-      const callExpressions = sourceFile.getDescendantsOfKind(
-        SyntaxKind.CallExpression
-      );
-
-      for (const call of callExpressions) {
-        const expression = call.getExpression();
-        if (expression && expression.getKind() === SyntaxKind.PropertyAccessExpression) {
-          const nameNode = expression.getNameNode();
-          if (nameNode) {
-            const methodName = nameNode.getText();
-            if (/^(get|post|put|delete|patch|all|use)$/.test(methodName)) {
-              const args = call.getArguments();
-              const lastArg = args[args.length - 1];
-              // The last argument should be the handler function
-              if (
-                lastArg && (
-                  lastArg.getKind() === SyntaxKind.ArrowFunction ||
-                  lastArg.getKind() === SyntaxKind.FunctionExpression
-                )
-              ) {
-                routeHandlers.push({
-                  handler: lastArg,
-                  routeCall: call,
-                  type: "express",
-                });
-              }
-            }
-          }
-        }
-      }
-
-      // Next.js export functions
-      const exportAssignments = sourceFile.getDescendantsOfKind(
-        SyntaxKind.ExportAssignment
-      );
-      const exportDeclarations = sourceFile.getDescendantsOfKind(
-        SyntaxKind.ExportDeclaration
-      );
-      const functionDeclarations = sourceFile.getDescendantsOfKind(
-        SyntaxKind.FunctionDeclaration
-      );
-
-      for (const func of functionDeclarations) {
-        const name = func.getName();
-        if (name && /^(GET|POST|PUT|DELETE|PATCH|handler)$/.test(name)) {
-          routeHandlers.push({
-            handler: func,
-            type: "nextjs",
-          });
-        }
-      }
-
-      // NestJS Controller methods with decorators
-      const methodDeclarations = sourceFile.getDescendantsOfKind(
-        SyntaxKind.MethodDeclaration
-      );
-
-      for (const method of methodDeclarations) {
-        const decorators = method.getDecorators();
-        const hasRouteDecorator = decorators.some((decorator) => {
-          const decoratorName = decorator.getName();
-          return /^(Get|Post|Put|Delete|Patch|All)$/.test(decoratorName);
-        });
-
-        if (hasRouteDecorator) {
-          routeHandlers.push({
-            handler: method,
-            type: "nestjs",
-          });
-        }
-      }
-
-      // Nuxt.js defineEventHandler patterns
-      for (const call of callExpressions) {
-        const expression = call.getExpression();
-        if (expression && expression.getKind() === SyntaxKind.Identifier) {
-          const identifier = expression.asKindOrThrow(SyntaxKind.Identifier);
-          if (identifier.getText() === "defineEventHandler") {
-            // Find the arrow function or function parameter
-            const args = call.getArguments();
-            if (args.length > 0) {
-              const firstArg = args[0];
-              if (
-                firstArg && (
-                  firstArg.getKind() === SyntaxKind.ArrowFunction ||
-                  firstArg.getKind() === SyntaxKind.FunctionExpression
-                )
-              ) {
-                routeHandlers.push({
-                  handler: firstArg,
-                  type: "nuxtjs",
-                });
-              }
-            }
-          }
-        }
-      }
-
-      // Analyze each route handler for session token exposure in URL parameters
-      for (const { handler, routeCall, type } of routeHandlers) {
-        try {
-          const handlerViolations = this.analyzeRouteHandler(
-            handler,
-            routeCall,
-            type,
-            filePath
-          );
-          violations.push(...handlerViolations);
-        } catch (error) {
-          console.warn(
-            `⚠ [S039] Handler analysis failed for ${type}:`,
-            error.message
-          );
-        }
-      }
-    } catch (error) {
-      console.warn(
-        `⚠ [S039] Symbol analysis failed for ${filePath}:`,
-        error.message
-      );
-    }
-
-    return violations;
-  }
-
-  analyzeRouteHandler(handler, routeCall, type, filePath) {
-    const violations = [];
-
-    try {
-      const { SyntaxKind } = require("ts-morph");
-
-      // Find URL parameter access patterns within this handler
-      const tokenExposures = this.findTokenParametersInNode(handler);
-
-      // Report violations for exposed session tokens in URL parameters
-      for (const exposure of tokenExposures) {
-        const startLine = exposure.node.getStartLineNumber();
-        violations.push({
-          ruleId: this.ruleId,
-          message: `Session token '${exposure.paramName}' passed via URL parameter - use secure headers or request body instead`,
-          severity: "warning",
-          line: startLine,
-          column: 1,
-        });
-      }
-    } catch (error) {
-      console.warn(`⚠ [S039] Route handler analysis failed:`, error.message);
-    }
-
-    return violations;
-  }
-
-  findTokenParametersInNode(node) {
-    const exposures = [];
-
-    try {
-      const { SyntaxKind } = require("ts-morph");
-
-      // For NestJS, check decorator parameters first
-      if (node && node.getKind() === SyntaxKind.MethodDeclaration) {
-        const parameters = node.getParameters();
-        for (const param of parameters) {
-          const decorators = param.getDecorators();
-          for (const decorator of decorators) {
-            const decoratorName = decorator.getName();
-            if (decoratorName === "Query" || decoratorName === "Param") {
-              const args = decorator.getArguments();
-              if (args.length > 0) {
-                const firstArg = args[0];
-                if (firstArg && firstArg.getKind() === SyntaxKind.StringLiteral) {
-                  const paramName = firstArg.getLiteralValue();
-                  if (this.isSessionTokenParam(paramName)) {
-                    exposures.push({
-                      node: param,
-                      paramName: paramName,
-                      accessType: decoratorName.toLowerCase(),
-                    });
-                  }
-                }
-              }
-            }
-          }
-        }
-      }
-
-      // Find all property access expressions for URL parameters
-      const propertyAccesses = node.getDescendantsOfKind(
-        SyntaxKind.PropertyAccessExpression
-      );
-
-      for (const propAccess of propertyAccesses) {
-        const expression = propAccess.getExpression();
-        const property = propAccess.getName();
-
-        // Check for req.query.paramName patterns
-        if (expression && expression.getKind() === SyntaxKind.PropertyAccessExpression) {
-          const parentExpression = expression.getExpression();
-          const parentProperty = expression.getName();
-
-          // req.query.sessionToken, req.params.authToken, etc.
-          if (
-            parentProperty === "query" ||
-            parentProperty === "params" ||
-            parentProperty === "searchParams"
-          ) {
-            if (this.isSessionTokenParam(property)) {
-              exposures.push({
-                node: propAccess,
-                paramName: property,
-                accessType: parentProperty,
-              });
-            }
-          }
-        }
-      }
-
-      // Check for bracket notation access: req.query["access-token"]
-      const elementAccessExpressions = node.getDescendantsOfKind(
-        SyntaxKind.ElementAccessExpression
-      );
-
-      for (const elemAccess of elementAccessExpressions) {
-        const expression = elemAccess.getExpression();
-        const argumentExpression = elemAccess.getArgumentExpression();
-
-        if (
-          expression && expression.getKind() === SyntaxKind.PropertyAccessExpression &&
-          argumentExpression &&
-          argumentExpression.getKind() === SyntaxKind.StringLiteral
-        ) {
-          const parentProperty = expression.getName();
-          const paramName = argumentExpression.getLiteralValue();
-
-          // req.query["sessionToken"], req.params["authToken"], etc.
-          if (
-            (parentProperty === "query" ||
-              parentProperty === "params" ||
-              parentProperty === "searchParams") &&
-            this.isSessionTokenParam(paramName)
-          ) {
-            exposures.push({
-              node: elemAccess,
-              paramName: paramName,
-              accessType: parentProperty,
-            });
-          }
-        }
-      }
-
-      // Check for URL.searchParams.get() patterns
-      const callExpressions = node.getDescendantsOfKind(
-        SyntaxKind.CallExpression
-      );
-
-      for (const call of callExpressions) {
-        const callExpression = call.getExpression();
-        if (callExpression && callExpression.getKind() === SyntaxKind.PropertyAccessExpression) {
-          const methodName = callExpression.getName();
-          const objectExpression = callExpression.getExpression();
-
-          // searchParams.get("sessionToken"), URLSearchParams.get("token")
-          if (
-            methodName === "get" &&
-            objectExpression && objectExpression.getText().includes("searchParams")
-          ) {
-            const args = call.getArguments();
-            if (args.length > 0) {
-              const firstArg = args[0];
-              if (firstArg && firstArg.getKind() === SyntaxKind.StringLiteral) {
-                const paramName = firstArg.getLiteralValue();
-                if (this.isSessionTokenParam(paramName)) {
-                  exposures.push({
-                    node: call,
-                    paramName: paramName,
-                    accessType: "searchParams",
-                  });
-                }
-              }
-            }
-          }
-        }
-      }
-
-      // Check for object destructuring patterns
-      const variableDeclarations = node.getDescendantsOfKind(
-        SyntaxKind.VariableDeclaration
-      );
-
-      for (const varDecl of variableDeclarations) {
-        const nameNode = varDecl.getNameNode();
-        if (nameNode && nameNode.getKind() === SyntaxKind.ObjectBindingPattern) {
-          const bindingPattern = nameNode.asKindOrThrow(
-            SyntaxKind.ObjectBindingPattern
-          );
-          const elements = bindingPattern.getElements();
-
-          const initializer = varDecl.getInitializer();
-          if (
-            initializer &&
-            (initializer.getText().includes("req.query") ||
-              initializer.getText().includes("req.params") ||
-              initializer.getText().includes("searchParams"))
-          ) {
-            for (const element of elements) {
-              let paramName = null;
-
-              // Handle both { paramName } and { "param-name": alias } patterns
-              const propNameNode = element.getPropertyNameNode();
-              const nameNode = element.getNameNode();
-
-              if (propNameNode) {
-                // { "param-name": alias } or { paramName: alias }
-                paramName = propNameNode.getText().replace(/['"]/g, "");
-              } else if (nameNode) {
-                // { paramName } shorthand
-                paramName = nameNode.getText();
-              }
-
-              if (this.isSessionTokenParam(paramName)) {
-                exposures.push({
-                  node: element,
-                  paramName: paramName,
-                  accessType: "destructuring",
-                });
-              }
-            }
-          }
-        }
-      }
-    } catch (error) {
-      console.warn(`⚠ [S039] Parameter analysis failed:`, error.message);
-    }
-
-    return exposures;
-  }
-
-  isSessionTokenParam(paramName) {
-    return this.sessionTokenParams.some(
-      (tokenParam) => tokenParam.toLowerCase() === paramName.toLowerCase()
-    );
-  }
-
-  cleanup() {}
-}
-
-module.exports = S039SymbolBasedAnalyzer;

package/rules/security/S048_no_current_password_in_reset/config.json

@@ -1,48 +0,0 @@
-{
-  "ruleId": "S048",
-  "name": "No Current Password in Reset Process",
-  "description": "Do not require current password during password reset process",
-  "category": "security",
-  "severity": "error",
-  "languages": ["All languages"],
-  "tags": ["security", "owasp", "insecure-design", "authentication", "password-reset"],
-  "enabled": true,
-  "fixable": false,
-  "engine": "heuristic",
-  "metadata": {
-    "owaspCategory": "A04:2021 - Insecure Design",
-    "cweId": "CWE-640",
-    "description": "Requiring the current password during password reset defeats the purpose of the reset process and creates security vulnerabilities. Users who have forgotten their password cannot complete the reset, and this practice can lead to account lockouts and security issues.",
-    "impact": "Medium - Account lockout, user frustration, security bypass attempts",
-    "likelihood": "High",
-    "remediation": "Use secure token-based password reset with email/SMS verification. Never require current password during reset process."
-  },
-  "patterns": {
-    "vulnerable": [
-      "Requiring current password in forgot password form",
-      "Validating old password during reset process",
-      "API endpoints that check current password for reset",
-      "Reset forms with current password fields"
-    ],
-    "secure": [
-      "Token-based password reset via email",
-      "SMS verification for password reset",
-      "Time-limited secure reset links",
-      "Multi-factor authentication for reset verification"
-    ]
-  },
-  "examples": {
-    "violations": [
-      "if (!validateCurrentPassword(currentPassword)) { return error; }",
-      "const resetData = { currentPassword, newPassword };",
-      "currentPassword: { type: String, required: true }",
-      "req.body.currentPassword === user.password"
-    ],
-    "fixes": [
-      "if (!validateResetToken(token)) { return error; }",
-      "const resetData = { token, newPassword };",
-      "resetToken: { type: String, required: true }",
-      "validateResetToken(req.body.token)"
-    ]
-  }
-}