@sun-asterisk/sunlint 1.3.4 → 1.3.6

package/rules/common/C070_no_real_time_tests/regex-analyzer.js

@@ -0,0 +1,424 @@
+const fs = require('fs');
+const path = require('path');
+const { CommentDetector } = require('../../utils/rule-helpers');
+
+/**
+ * C070 - Tests Should Not Depend on Real Time
+ * Detects real-time sleeps/timeouts in test files and suggests fake timers
+ * 
+ * Focus: Improve test reliability by avoiding time-dependent flaky tests
+ */
+class C070TestRealTimeAnalyzer {
+  constructor() {
+    this.ruleId = 'C070';
+    this.configPath = path.join(__dirname, 'config.json');
+    this.config = this.loadConfig();
+  }
+
+  loadConfig() {
+    try {
+      return JSON.parse(fs.readFileSync(this.configPath, 'utf8'));
+    } catch (error) {
+      console.warn(`Failed to load config for ${this.ruleId}:`, error.message);
+      return this.getDefaultConfig();
+    }
+  }
+
+  getDefaultConfig() {
+    return {
+      options: {
+        timerApis: {
+          ts_js: [
+            "setTimeout\\s*\\(",
+            "setInterval\\s*\\(",
+            "\\.sleep\\s*\\(",
+            "\\.delay\\s*\\(",
+            "\\.wait\\s*\\(",
+            "new\\s+Promise.*setTimeout"
+          ]
+        },
+        fakeTimerDetectors: {
+          jest_vitest: [
+            "jest\\.useFakeTimers\\(\\)",
+            "vi\\.useFakeTimers\\(\\)",
+            "jest\\.advanceTimersByTime",
+            "vi\\.advanceTimersByTime"
+          ]
+        },
+        busyPollingDetectors: {
+          ts_js: ["Date\\.now\\(\\)", "new\\s+Date\\(\\)"]
+        },
+        allowAnnotations: ["@perf", "@benchmark", "@allow-real-time", "// @allow-real-time"]
+      }
+    };
+  }
+
+  /**
+   * Check if file is a test file
+   */
+  isTestFile(filePath) {
+    const testPatterns = [
+      /\.test\.(js|ts|jsx|tsx)$/,
+      /\.spec\.(js|ts|jsx|tsx)$/,
+      /__tests__\//,
+      /\/tests?\//,
+      /test-cases\.(js|ts)$/  // Add pattern for our test cases
+    ];
+    return testPatterns.some(pattern => pattern.test(filePath));
+  }
+
+  /**
+   * Check if line has annotation allowing real-time
+   */
+  hasAllowAnnotation(content, lineIndex) {
+    const allowAnnotations = this.config.options.allowAnnotations || [];
+    const lines = content.split('\n');
+    
+    // Check current line and 2 lines above for annotations
+    for (let i = Math.max(0, lineIndex - 2); i <= lineIndex; i++) {
+      const line = lines[i] || '';
+      for (const annotation of allowAnnotations) {
+        if (line.includes(annotation)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
+  /**
+   * Check if fake timers are used in the file
+   */
+  hasFakeTimers(content) {
+    const fakeTimerPatterns = this.config.options.fakeTimerDetectors.jest_vitest || [];
+    return fakeTimerPatterns.some(pattern => {
+      const regex = new RegExp(pattern, 'g');
+      return regex.test(content);
+    });
+  }
+
+  /**
+   * Detect timer API violations
+   */
+  detectTimerViolations(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    const timerPatterns = this.config.options.timerApis.ts_js || this.getDefaultConfig().options.timerApis.ts_js;
+    const hasFakeTimersInFile = this.hasFakeTimers(content);
+
+    timerPatterns.forEach(pattern => {
+      // Convert config patterns (* wildcards) to proper regex
+      let regexPattern = pattern;
+      if (pattern.includes('(*)')) {
+        regexPattern = pattern.replace(/\(\*\)/g, '\\([^)]*\\)');
+      }
+      if (pattern.includes('*')) {
+        regexPattern = pattern.replace(/\*/g, '[^)]*');
+      }
+      
+      const regex = new RegExp(regexPattern, 'g');
+      
+      lines.forEach((line, index) => {
+        const trimmedLine = line.trim();
+        
+        // Skip empty lines
+        if (!trimmedLine) {
+          return;
+        }
+
+        // Skip if entire line is in block comment
+        if (CommentDetector.isLineInBlockComment(lines, index)) {
+          return;
+        }
+
+        // Skip if has allow annotation
+        if (this.hasAllowAnnotation(content, index)) {
+          return;
+        }
+
+        const matches = [...line.matchAll(regex)];
+        if (matches.length > 0) {
+          matches.forEach(match => {
+            const column = match.index + 1;
+            
+            // Skip if match position is inside a comment
+            if (CommentDetector.isPositionInComment(line, match.index)) {
+              return;
+            }
+            
+            let suggestion = "Use fake timers instead of real-time delays in tests.";
+            let severity = "error";
+
+            // Specific suggestions based on pattern
+            if (pattern.includes('setTimeout') || pattern.includes('setInterval')) {
+              if (!hasFakeTimersInFile) {
+                suggestion = "Use jest.useFakeTimers() and jest.advanceTimersByTime() instead of setTimeout/setInterval.";
+              } else {
+                suggestion = "You have fake timers setup. Use jest.advanceTimersByTime() to control time instead of real setTimeout.";
+              }
+            } else if (pattern.includes('sleep') || pattern.includes('delay')) {
+              suggestion = "Replace sleep/delay with fake timers or condition-based waiting.";
+            } else if (pattern.includes('Promise.*setTimeout')) {
+              suggestion = "Replace Promise+setTimeout with fake timers: await jest.advanceTimersByTimeAsync().";
+            }
+
+            violations.push({
+              file: filePath,
+              line: index + 1,
+              column: column,
+              message: `Avoid real-time ${match[0]} in tests. ${suggestion}`,
+              severity: severity,
+              ruleId: this.ruleId,
+              evidence: line.trim(),
+              suggestion: suggestion
+            });
+          });
+        }
+      });
+    });
+
+    return violations;
+  }
+
+  /**
+   * Detect busy polling violations (Date.now(), new Date() in loops)
+   */
+  detectBusyPollingViolations(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    const pollingPatterns = this.config.options.busyPollingDetectors.ts_js || [];
+
+    pollingPatterns.forEach(pattern => {
+      const regex = new RegExp(pattern, 'g');
+      
+      lines.forEach((line, index) => {
+        const trimmedLine = line.trim();
+        
+        // Skip empty lines
+        if (!trimmedLine) {
+          return;
+        }
+
+        // Skip if entire line is in block comment
+        if (CommentDetector.isLineInBlockComment(lines, index)) {
+          return;
+        }
+
+        // Skip if has allow annotation
+        if (this.hasAllowAnnotation(content, index)) {
+          return;
+        }
+
+        // Look for Date.now()/new Date() in potential polling contexts
+        const matches = line.match(regex);
+        if (matches && this.isLikelyPolling(lines, index)) {
+          matches.forEach(match => {
+            const column = line.indexOf(match) + 1;
+            
+            // Skip if match position is inside a comment
+            if (CommentDetector.isPositionInComment(line, line.indexOf(match))) {
+              return;
+            }
+            
+            violations.push({
+              file: filePath,
+              line: index + 1,
+              column: column,
+              message: `Avoid busy polling with ${match} in tests. Use condition-based waiting instead.`,
+              severity: "warning",
+              ruleId: this.ruleId,
+              evidence: line.trim(),
+              suggestion: "Use waitFor conditions or fake timers instead of polling Date.now()."
+            });
+          });
+        }
+      });
+    });
+
+    return violations;
+  }
+
+  /**
+   * Check if Date.now()/new Date() usage looks like polling
+   */
+  isLikelyPolling(lines, currentIndex) {
+    const currentLine = lines[currentIndex];
+    
+    // Skip if new Date() has static parameters (test data)
+    if (currentLine.includes('new Date(') && /new Date\(\s*\d/.test(currentLine)) {
+      return false;
+    }
+    
+    // Look for polling patterns around this line
+    const contextRange = 5;
+    const start = Math.max(0, currentIndex - contextRange);
+    const end = Math.min(lines.length - 1, currentIndex + contextRange);
+    
+    let hasLoop = false;
+    let hasTimeCheck = false;
+    
+    for (let i = start; i <= end; i++) {
+      const line = lines[i].trim().toLowerCase();
+      
+      // Check for loop patterns
+      if (line.includes('while') && (line.includes('date.now') || line.includes('new date'))) {
+        hasLoop = true;
+      }
+      
+      // Check for time-based conditions
+      if ((line.includes('date.now') || line.includes('new date')) && 
+          (line.includes(' - ') || line.includes(' < ') || line.includes(' > ')) &&
+          (line.includes('start') || line.includes('time') || line.includes('duration'))) {
+        hasTimeCheck = true;
+      }
+      
+      // Check for explicit polling patterns
+      if (line.includes('setinterval') && (line.includes('date.now') || line.includes('new date'))) {
+        return true;
+      }
+    }
+    
+    // Only flag as polling if both loop and time check are present
+    return hasLoop && hasTimeCheck;
+  }
+
+  /**
+   * Detect E2E specific violations
+   */
+  detectE2EViolations(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    const e2ePatterns = this.config.options.timerApis.e2e || [];
+
+    e2ePatterns.forEach(pattern => {
+      const regex = new RegExp(pattern, 'g');
+      
+      lines.forEach((line, index) => {
+        const trimmedLine = line.trim();
+        
+        if (!trimmedLine) {
+          return;
+        }
+
+        // Skip if entire line is in block comment
+        if (CommentDetector.isLineInBlockComment(lines, index)) {
+          return;
+        }
+
+        if (this.hasAllowAnnotation(content, index)) {
+          return;
+        }
+
+        const matches = line.match(regex);
+        if (matches) {
+          matches.forEach(match => {
+            const column = line.indexOf(match) + 1;
+            
+            // Skip if match position is inside a comment
+            if (CommentDetector.isPositionInComment(line, line.indexOf(match))) {
+              return;
+            }
+            
+            let suggestion = "Use element-based waiting instead of fixed timeouts.";
+            if (match.includes('page.waitForTimeout')) {
+              suggestion = "Use page.waitForSelector() or page.waitForFunction() instead of waitForTimeout().";
+            } else if (match.includes('cy.wait')) {
+              suggestion = "Use cy.get().should() or cy.intercept() instead of cy.wait() with fixed time.";
+            }
+
+            violations.push({
+              file: filePath,
+              line: index + 1,
+              column: column,
+              message: `Avoid fixed timeout ${match} in E2E tests. ${suggestion}`,
+              severity: "warning",
+              ruleId: this.ruleId,
+              evidence: line.trim(),
+              suggestion: suggestion
+            });
+          });
+        }
+      });
+    });
+
+    return violations;
+  }
+
+  /**
+   * Main analysis function - Engine interface
+   * Expected signature: analyze(files, language, options)
+   */
+  async analyze(files, language, options = {}) {
+    const allViolations = [];
+
+    for (const filePath of files) {
+      try {
+        // Only analyze test files
+        if (!this.isTestFile(filePath)) {
+          continue;
+        }
+
+        // Read file content
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        
+        // Skip if file has explicit allow annotation
+        if (this.hasAllowAnnotation(content)) {
+          continue;
+        }
+
+        let violations = [];
+
+        // Detect timer API violations
+        violations = violations.concat(this.detectTimerViolations(content, filePath));
+        
+        // Detect busy polling violations
+        violations = violations.concat(this.detectBusyPollingViolations(content, filePath));
+        
+        // Detect E2E violations (if file looks like E2E test)
+        if (filePath.includes('e2e') || content.includes('playwright') || content.includes('cypress')) {
+          violations = violations.concat(this.detectE2EViolations(content, filePath));
+        }
+
+        allViolations.push(...violations);
+
+      } catch (error) {
+        console.warn(`C070 analysis error for ${filePath}:`, error.message);
+      }
+    }
+
+    return allViolations;
+  }
+
+  /**
+   * Legacy analysis function for single file
+   * @deprecated Use analyze(files, language, options) instead
+   */
+  analyzeSingleFile(content, filePath) {
+    // Only analyze test files
+    if (!this.isTestFile(filePath)) {
+      return [];
+    }
+
+    let violations = [];
+
+    try {
+      // Detect timer API violations
+      violations = violations.concat(this.detectTimerViolations(content, filePath));
+      
+      // Detect busy polling violations
+      violations = violations.concat(this.detectBusyPollingViolations(content, filePath));
+      
+      // Detect E2E violations (if file looks like E2E test)
+      if (filePath.includes('e2e') || content.includes('playwright') || content.includes('cypress')) {
+        violations = violations.concat(this.detectE2EViolations(content, filePath));
+      }
+
+    } catch (error) {
+      console.warn(`C070 analysis error for ${filePath}:`, error.message);
+    }
+
+    return violations;
+  }
+}
+
+module.exports = C070TestRealTimeAnalyzer;

package/rules/security/S024_xpath_xxe_protection/analyzer.js

@@ -0,0 +1,242 @@
+/**
+ * S024 Main Analyzer - Protect against XPath Injection and XML External Entity (XXE)
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S024 --input=examples/rule-test-fixtures/rules/S024_xpath_xxe_protection --engine=heuristic
+ */
+
+const S024SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S024RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+
+class S024Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S024] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S024] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S024";
+    this.ruleName = "Protect against XPath Injection and XML External Entity (XXE)";
+    this.description =
+      "Protect against XPath Injection and XML External Entity (XXE) attacks. XPath injection occurs when user input is used to construct XPath queries without proper sanitization. XXE attacks exploit XML parsers that process external entities, potentially leading to data disclosure, server-side request forgery, or denial of service.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      fallbackToRegex: true, // Secondary approach
+      regexBasedOnly: false, // Can be set to true for pure mode
+    };
+
+    // Initialize analyzers
+    try {
+      this.symbolAnalyzer = new S024SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S024] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S024] Error creating symbol analyzer:`, error);
+    }
+
+    try {
+      this.regexAnalyzer = new S024RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S024] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S024] Error creating regex analyzer:`, error);
+    }
+  }
+
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S024] Main analyzer initializing...`);
+    }
+
+    // Initialize both analyzers
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    }
+    if (this.regexAnalyzer) {
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    }
+
+    // Clean up if needed
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.cleanup?.();
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S024] Main analyzer initialized successfully`);
+    }
+  }
+
+  /**
+   * Single file analysis method for testing
+   */
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`📊 [S024] analyzeSingle() called for: ${filePath}`);
+    }
+
+    // Return result using same format as analyze method
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S024] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+
+    const violations = [];
+
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S024] Processing file: ${filePath}`);
+        }
+
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S024] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(
+          `⚠ [S024] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S024] Total violations found: ${violations.length}`);
+    }
+
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S024] analyzeFile() called for: ${filePath}`);
+    }
+
+    // Create a Map to track unique violations and prevent duplicates
+    const violationMap = new Map();
+
+    // 1. Try Symbol-based analysis first (primary)
+    if (
+      this.config.useSymbolBased &&
+      this.semanticEngine?.project &&
+      this.semanticEngine?.initialized
+    ) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S024] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S024] Source file found, analyzing...`);
+          }
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+
+          // Add to violation map with deduplication
+          symbolViolations.forEach((violation) => {
+            const key = `${violation.line}:${violation.column}:${violation.message}`;
+            if (!violationMap.has(key)) {
+              violationMap.set(key, violation);
+            }
+          });
+
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S024] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S024] Source file not found, falling back...`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠ [S024] Symbol analysis failed:`, error.message);
+      }
+    }
+
+    // 2. Try Regex-based analysis (fallback or additional)
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S024] Trying regex-based analysis...`);
+        }
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+
+        // Add to violation map with deduplication
+        regexViolations.forEach((violation) => {
+          const key = `${violation.line}:${violation.column}:${violation.message}`;
+          if (!violationMap.has(key)) {
+            violationMap.set(key, violation);
+          }
+        });
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S024] Regex analysis completed: ${regexViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S024] Regex analysis failed:`, error.message);
+      }
+    }
+
+    // Convert Map values to array and add filePath to each violation
+    const finalViolations = Array.from(violationMap.values()).map(
+      (violation) => ({
+        ...violation,
+        filePath: filePath,
+        file: filePath, // Also add 'file' for compatibility
+      })
+    );
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S024] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    }
+
+    return finalViolations;
+  }
+
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+    if (this.regexAnalyzer?.cleanup) {
+      this.regexAnalyzer.cleanup();
+    }
+  }
+}
+
+module.exports = S024Analyzer;