@sun-asterisk/sunlint 1.3.5 → 1.3.7

package/rules/security/S058_no_ssrf/README.md

@@ -0,0 +1,180 @@
+# Rule S058: No SSRF (Server-Side Request Forgery)
+
+## Overview
+Rule S058 prevents Server-Side Request Forgery (SSRF) attacks by detecting and flagging HTTP requests that use user-controlled URLs without proper validation.
+
+## What is SSRF?
+SSRF allows attackers to make HTTP requests from the server to arbitrary destinations, potentially accessing:
+- Internal services (databases, admin panels)
+- Cloud metadata endpoints (AWS, GCP, Azure)
+- Local files via file:// protocol
+- Internal network resources
+
+## Detection Strategy
+
+### 1. HTTP Client Detection
+Detects calls to HTTP libraries:
+```typescript
+// Detected patterns
+fetch(url)
+axios.get(url)
+http.request(url)
+httpClient.post(url)
+```
+
+### 2. URL Source Tracing
+Traces URL variables back to their source:
+```typescript
+// ❌ User-controlled (DANGEROUS)
+const url = req.query.targetUrl;
+fetch(url);
+
+// ✅ Hardcoded (SAFE)
+const url = "https://api.trusted-service.com";
+fetch(url);
+```
+
+### 3. Validation Check
+Verifies if URL validation exists:
+```typescript
+// ❌ No validation
+const url = req.body.webhookUrl;
+fetch(url);
+
+// ✅ With validation
+const url = req.body.webhookUrl;
+validateUrlAllowList(url);
+fetch(url);
+```
+
+## Examples
+
+### ❌ Violations
+
+#### 1. User-controlled URL without validation
+```typescript
+app.post('/webhook', (req, res) => {
+  const webhookUrl = req.body.url;
+  // VIOLATION: User input directly used in HTTP request
+  fetch(webhookUrl);
+});
+```
+
+#### 2. Dangerous hardcoded URLs
+```typescript
+// VIOLATION: Internal metadata endpoint
+fetch('http://169.254.169.254/latest/meta-data/');
+
+// VIOLATION: Local file access
+fetch('file:///etc/passwd');
+```
+
+#### 3. Query parameter injection
+```typescript
+app.get('/proxy', (req, res) => {
+  const targetUrl = req.query.url;
+  // VIOLATION: No validation of target URL
+  axios.get(targetUrl);
+});
+```
+
+### ✅ Safe Patterns
+
+#### 1. Allow-list validation
+```typescript
+const ALLOWED_DOMAINS = ['api.trusted.com', 'webhook.company.com'];
+
+function validateUrlAllowList(url) {
+  const parsed = new URL(url);
+  if (!ALLOWED_DOMAINS.includes(parsed.hostname)) {
+    throw new Error('Domain not allowed');
+  }
+  if (parsed.protocol !== 'https:') {
+    throw new Error('Only HTTPS allowed');
+  }
+}
+
+app.post('/webhook', (req, res) => {
+  const webhookUrl = req.body.url;
+  validateUrlAllowList(webhookUrl); // ✅ Validated
+  fetch(webhookUrl);
+});
+```
+
+#### 2. Hardcoded trusted URLs
+```typescript
+// ✅ Safe: Hardcoded trusted domain
+const API_BASE = 'https://api.trusted-service.com';
+fetch(\`\${API_BASE}/users\`);
+```
+
+#### 3. Configuration-based URLs
+```typescript
+// ✅ Safe: From config, not user input
+const externalApiUrl = process.env.EXTERNAL_API_URL;
+fetch(externalApiUrl);
+```
+
+## Configuration
+
+### Blocked Elements
+- **Protocols**: `file://`, `ftp://`, `ldap://`, etc.
+- **IPs**: `127.0.0.1`, `169.254.169.254`, private ranges
+- **Ports**: `22`, `3306`, `6379`, `5432`, etc.
+
+### Detection Patterns
+- **HTTP Clients**: `fetch`, `axios`, `http`, `request`, etc.
+- **User Input**: `req.body`, `req.query`, `ctx.request`, etc.
+- **Validation Functions**: `validateUrl`, `isAllowedUrl`, etc.
+
+## Best Practices
+
+### 1. Use Allow-lists
+```typescript
+const ALLOWED_HOSTS = [
+  'api.company.com',
+  'webhook.trusted-partner.com'
+];
+
+function isAllowedUrl(url) {
+  return ALLOWED_HOSTS.some(host => url.includes(host));
+}
+```
+
+### 2. Protocol Restriction
+```typescript
+function validateUrl(url) {
+  const parsed = new URL(url);
+  if (!['http:', 'https:'].includes(parsed.protocol)) {
+    throw new Error('Invalid protocol');
+  }
+}
+```
+
+### 3. Timeout & Redirect Limits
+```typescript
+const options = {
+  timeout: 5000,
+  maxRedirects: 0, // Prevent redirect attacks
+  headers: { 'User-Agent': 'MyApp/1.0' }
+};
+
+fetch(validatedUrl, options);
+```
+
+## Testing
+
+Run S058 on your codebase:
+```bash
+# Test single file
+node cli.js --input=src/webhook.ts --rule=S058 --engine=heuristic
+
+# Test entire project
+node cli.js --input=src --rule=S058 --engine=heuristic
+```
+
+## Related Security Rules
+- **S001**: SQL Injection Prevention
+- **S002**: XSS Prevention  
+- **S057**: Input Validation
+- **S059**: Path Traversal Prevention

package/rules/security/S058_no_ssrf/analyzer.js

@@ -0,0 +1,403 @@
+// rules/security/S058_no_ssrf/analyzer.js
+const path = require('path');
+const fs = require('fs');
+const { CommentDetector } = require('../../utils/rule-helpers');
+
+class S058SSRFAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = 'S058';
+    this.ruleName = 'No SSRF (Server-Side Request Forgery)';
+    this.description = 'S058 - Prevent SSRF attacks by validating URLs from user input before making HTTP requests';
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+    
+    // Load config from config.json
+    this.loadConfig();
+  }
+
+  loadConfig() {
+    try {
+      const configPath = path.join(__dirname, 'config.json');
+      const configData = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+      this.options = configData.options || {};
+      this.httpClientPatterns = this.options.httpClientPatterns || [];
+      this.userInputSources = this.options.userInputSources || [];
+      this.dangerousProtocols = this.options.dangerousProtocols || [];
+      this.blockedIPs = this.options.blockedIPs || [];
+      this.blockedPorts = this.options.blockedPorts || [];
+      this.allowedDomains = this.options.allowedDomains || [];
+      this.validationFunctions = this.options.validationFunctions || [];
+      this.policy = this.options.policy || {};
+      this.thresholds = this.options.thresholds || {};
+    } catch (error) {
+      console.warn(`[S058] Could not load config: ${error.message}`);
+      this.options = {};
+      this.httpClientPatterns = [];
+      this.userInputSources = [];
+      this.dangerousProtocols = [];
+      this.blockedIPs = [];
+      this.blockedPorts = [];
+      this.allowedDomains = [];
+      this.validationFunctions = [];
+      this.policy = {};
+      this.thresholds = {};
+    }
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+  }
+
+  // Main analyze method required by heuristic engine
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S058: Analyzing ${files.length} files for SSRF vulnerabilities`);
+    }
+    
+    for (const filePath of files) {
+      if (this.verbose) {
+        console.log(`[DEBUG] 🎯 S058: Analyzing ${filePath.split('/').pop()}`);
+      }
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileExtension = path.extname(filePath);
+        const fileViolations = this.analyzeFile(filePath, content, fileExtension);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`[S058] Error analyzing ${filePath}: ${error.message}`);
+      }
+    }
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S058: Found ${violations.length} SSRF violations`);
+    }
+
+    return violations;
+  }
+
+  analyzeFile(filePath, content, fileExtension) {
+    const violations = [];
+    const detectedLanguage = this.detectLanguage(fileExtension);
+    
+    if (!detectedLanguage) {
+      return violations;
+    }
+
+    // Use semantic engine (AST) if available, fallback to heuristic
+    if (this.semanticEngine && typeof this.semanticEngine.parseCode === 'function') {
+      return this.analyzeWithAST(filePath, content, detectedLanguage);
+    } else {
+      return this.analyzeWithHeuristic(filePath, content, detectedLanguage);
+    }
+  }
+
+  detectLanguage(fileExtension) {
+    const extensions = {
+      '.ts': 'typescript',
+      '.tsx': 'typescript',
+      '.js': 'javascript',
+      '.jsx': 'javascript',
+      '.mjs': 'javascript'
+    };
+    return extensions[fileExtension] || null;
+  }
+
+  analyzeWithHeuristic(filePath, content, language) {
+    const violations = [];
+    const lines = content.split('\n');
+    
+    // Detect HTTP client calls and trace URLs
+    const httpCalls = this.detectHttpCalls(content, lines);
+    
+    for (const call of httpCalls) {
+      const urlSource = this.traceUrlSource(call, content, lines);
+      
+      if (urlSource.isUserControlled) {
+        // Check if URL is validated
+        const hasValidation = this.checkUrlValidation(call, content, lines);
+        
+        if (!hasValidation) {
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Potential SSRF vulnerability: HTTP request with user-controlled URL '${call.urlVariable}' without validation`,
+            severity: 'error',
+            line: call.line,
+            column: call.column,
+            filePath: filePath,
+            details: {
+              httpMethod: call.method,
+              urlVariable: call.urlVariable,
+              userInputSource: urlSource.source,
+              suggestion: `Add URL validation using: ${this.validationFunctions[0] || 'validateUrlAllowList'}(${call.urlVariable})`
+            }
+          });
+        }
+      }
+      
+      // Check for hardcoded dangerous URLs
+      if (call.isHardcoded) {
+        const dangerousUrl = this.checkDangerousUrl(call.url);
+        if (dangerousUrl.isDangerous) {
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Dangerous URL detected: ${dangerousUrl.reason}`,
+            severity: 'error',
+            line: call.line,
+            column: call.column,
+            filePath: filePath,
+            details: {
+              url: call.url,
+              reason: dangerousUrl.reason,
+              suggestion: 'Remove dangerous URL or add to allow-list if legitimate'
+            }
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  detectHttpCalls(content, lines) {
+    const calls = [];
+    
+    if (this.verbose) {
+      console.log(`[DEBUG] 🔍 S058: Detecting HTTP calls in ${lines.length} lines`);
+    }
+    
+    for (const pattern of this.httpClientPatterns) {
+      const regex = new RegExp(pattern, 'gi');
+      let match;
+      
+      while ((match = regex.exec(content)) !== null) {
+        const lineNumber = content.substring(0, match.index).split('\n').length;
+        const line = lines[lineNumber - 1];
+        const columnPosition = match.index - content.lastIndexOf('\n', match.index - 1) - 1;
+        
+        // ✅ CHECK: Skip if this code is in comments
+        const isInComment = CommentDetector.isLineInBlockComment(lines, lineNumber - 1) ||
+                           CommentDetector.isPositionInComment(line, columnPosition);
+        
+        if (isInComment) {
+          if (this.verbose) {
+            console.log(`[DEBUG] 🔍 S058: SKIPPING comment at line ${lineNumber}: ${line.trim()}`);
+          }
+          continue;
+        }
+        
+        if (this.verbose) {
+          console.log(`[DEBUG] 🔍 S058: Found HTTP call pattern "${pattern}" at line ${lineNumber}: ${line.trim()}`);
+        }
+        
+        // Extract URL parameter
+        const urlMatch = this.extractUrlFromCall(line, match[0]);
+        
+        if (urlMatch) {
+          calls.push({
+            method: match[0],
+            line: lineNumber,
+            column: columnPosition,
+            urlVariable: urlMatch.variable,
+            url: urlMatch.value,
+            isHardcoded: urlMatch.isHardcoded,
+            fullCall: line.trim()
+          });
+          
+          if (this.verbose) {
+            console.log(`[DEBUG] 🔍 S058: Extracted URL: ${urlMatch.variable} (hardcoded: ${urlMatch.isHardcoded})`);
+          }
+        }
+      }
+    }
+    
+    if (this.verbose) {
+      console.log(`[DEBUG] 🔍 S058: Found ${calls.length} HTTP calls total (after comment filtering)`);
+    }
+    
+    return calls;
+  }
+
+  extractUrlFromCall(line, methodCall) {
+    // Extract URL from HTTP call - simplified regex approach
+    const patterns = [
+      // fetch(url), axios.get(url)
+      /(?:fetch|\.(?:get|post|put|delete|patch|request))\s*\(\s*([^,\)]+)/,
+      // More complex patterns can be added
+    ];
+    
+    for (const pattern of patterns) {
+      const match = line.match(pattern);
+      if (match) {
+        const urlParam = match[1].trim();
+        
+        // Check if it's a string literal
+        if (urlParam.startsWith('"') || urlParam.startsWith("'") || urlParam.startsWith('`')) {
+          return {
+            variable: urlParam,
+            value: urlParam.slice(1, -1), // Remove quotes
+            isHardcoded: true
+          };
+        } else {
+          return {
+            variable: urlParam,
+            value: null,
+            isHardcoded: false
+          };
+        }
+      }
+    }
+    
+    return null;
+  }
+
+  traceUrlSource(call, content, lines) {
+    if (call.isHardcoded) {
+      return { isUserControlled: false, source: 'hardcoded' };
+    }
+
+    // Simple variable tracing
+    const variable = this.escapeRegex(call.urlVariable);
+    
+    // Check if variable comes from user input
+    for (const inputPattern of this.userInputSources) {
+      // userInputSources patterns are already regex-escaped in config.json
+      const escapedPattern = inputPattern;
+      
+      try {
+        // Check direct assignment: const url = req.body.url
+        const assignmentRegex = new RegExp(`const\\s+${variable}\\s*=\\s*${escapedPattern}`, 'i');
+        if (assignmentRegex.test(content)) {
+          return { 
+            isUserControlled: true, 
+            source: inputPattern 
+          };
+        }
+        
+        // Check let assignment: let url = req.query.endpoint  
+        const letAssignmentRegex = new RegExp(`let\\s+${variable}\\s*=\\s*${escapedPattern}`, 'i');
+        if (letAssignmentRegex.test(content)) {
+          return { 
+            isUserControlled: true, 
+            source: inputPattern 
+          };
+        }
+        
+        // Check var assignment: var url = req.params.id
+        const varAssignmentRegex = new RegExp(`var\\s+${variable}\\s*=\\s*${escapedPattern}`, 'i');
+        if (varAssignmentRegex.test(content)) {
+          return { 
+            isUserControlled: true, 
+            source: inputPattern 
+          };
+        }
+        
+        // Check property access: url = req.body.path
+        const propertyRegex = new RegExp(`${variable}\\s*=\\s*${escapedPattern}`, 'i');
+        if (propertyRegex.test(content)) {
+          return { 
+            isUserControlled: true, 
+            source: inputPattern 
+          };
+        }
+        
+        // Also check reverse assignment patterns
+        const reverseRegex = new RegExp(`${escapedPattern}.*${variable}`, 'i');
+        if (reverseRegex.test(content)) {
+          return { 
+            isUserControlled: true, 
+            source: inputPattern 
+          };
+        }
+      } catch (e) {
+        // Skip invalid regex patterns
+        if (this.verbose) {
+          console.log(`[DEBUG] S058: Skipping invalid regex pattern for ${inputPattern}: ${e.message}`);
+        }
+        continue;
+      }
+    }
+
+    return { isUserControlled: false, source: 'unknown' };
+  }
+
+  escapeRegex(string) {
+    // Escape special regex characters
+    return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  }
+
+  checkUrlValidation(call, content, lines) {
+    // Check if URL validation function is called before HTTP request
+    const beforeCallContent = content.substring(0, content.indexOf(call.fullCall));
+    
+    for (const validationFn of this.validationFunctions) {
+      try {
+        const escapedVariable = this.escapeRegex(call.urlVariable);
+        const escapedFunction = this.escapeRegex(validationFn);
+        const regex = new RegExp(`${escapedFunction}\\s*\\(.*${escapedVariable}`, 'i');
+        if (regex.test(beforeCallContent)) {
+          return true;
+        }
+      } catch (e) {
+        // Skip invalid regex patterns
+        if (this.verbose) {
+          console.log(`[DEBUG] S058: Skipping invalid validation regex for ${validationFn}: ${e.message}`);
+        }
+        continue;
+      }
+    }
+    
+    return false;
+  }
+
+  checkDangerousUrl(url) {
+    if (!url) return { isDangerous: false };
+
+    // Check dangerous protocols
+    for (const protocol of this.dangerousProtocols) {
+      if (url.toLowerCase().includes(protocol)) {
+        return { 
+          isDangerous: true, 
+          reason: `Dangerous protocol: ${protocol}` 
+        };
+      }
+    }
+
+    // Check blocked IPs
+    for (const ipPattern of this.blockedIPs) {
+      const regex = new RegExp(ipPattern, 'i');
+      if (regex.test(url)) {
+        return { 
+          isDangerous: true, 
+          reason: `Blocked IP range: ${ipPattern}` 
+        };
+      }
+    }
+
+    // Check blocked ports
+    for (const port of this.blockedPorts) {
+      const portRegex = new RegExp(`:${port}(?:/|$)`, 'i');
+      if (portRegex.test(url)) {
+        return { 
+          isDangerous: true, 
+          reason: `Blocked port: ${port}` 
+        };
+      }
+    }
+
+    return { isDangerous: false };
+  }
+
+  analyzeWithAST(filePath, content, language) {
+    // Enhanced AST-based analysis for more precise detection
+    // This would use the semantic engine for deeper analysis
+    return this.analyzeWithHeuristic(filePath, content, language);
+  }
+}
+
+module.exports = S058SSRFAnalyzer;

package/rules/security/S058_no_ssrf/config.json

@@ -0,0 +1,125 @@
+{
+  "ruleId": "S058",
+  "name": "No SSRF (Server-Side Request Forgery)",
+  "description": "Prevent SSRF attacks by validating URLs from user input before making HTTP requests",
+  "category": "security", 
+  "severity": "error",
+  "options": {
+    "httpClientPatterns": [
+      "fetch\\s*\\(",
+      "axios\\.(?:get|post|put|delete|patch|request)\\s*\\(",
+      "http\\.(?:get|post|put|delete|patch|request)\\s*\\(",
+      "https\\.(?:get|post|put|delete|patch|request)\\s*\\(",
+      "(?:^|\\s|=|\\()request\\s*\\(",
+      "got\\s*\\(",
+      "superagent\\.",
+      "needle\\.",
+      "bent\\(",
+      "node-fetch\\s*\\(",
+      "isomorphic-fetch\\s*\\(",
+      "ky\\s*\\(",
+      "httpClient\\.",
+      "\\.httpClient\\."
+    ],
+    "userInputSources": [
+      "req\\.body",
+      "req\\.query", 
+      "req\\.params",
+      "request\\.body",
+      "request\\.query",
+      "request\\.params",
+      "ctx\\.request\\.body",
+      "ctx\\.query",
+      "ctx\\.params",
+      "event\\.body",
+      "event\\.queryStringParameters",
+      "event\\.pathParameters",
+      "\\.query\\.",
+      "\\.body\\.",
+      "\\.params\\.",
+      "process\\.argv",
+      "process\\.env\\.",
+      "from.*request",
+      "from.*input",
+      "user.*input",
+      "client.*data",
+      "external.*data"
+    ],
+    "dangerousProtocols": [
+      "file://",
+      "ftp://",
+      "sftp://", 
+      "ldap://",
+      "ldaps://",
+      "dict://",
+      "gopher://",
+      "jar://",
+      "netdoc://",
+      "mailto:",
+      "news:",
+      "imap://",
+      "pop3://",
+      "smb://",
+      "afp://",
+      "telnet://",
+      "ssh://"
+    ],
+    "blockedIPs": [
+      "127\\.0\\.0\\.1",
+      "::1",
+      "localhost",
+      "169\\.254\\.169\\.254",
+      "metadata\\.google\\.internal",
+      "169\\.254\\.",
+      "10\\.",
+      "172\\.(1[6-9]|2[0-9]|3[01])\\.",
+      "192\\.168\\."
+    ],
+    "blockedPorts": [
+      "22",
+      "23", 
+      "25",
+      "53",
+      "135",
+      "139",
+      "445",
+      "1433",
+      "1521",
+      "3306",
+      "3389",
+      "5432",
+      "5984",
+      "6379",
+      "8080",
+      "9200",
+      "11211",
+      "27017",
+      "50070"
+    ],
+    "allowedDomains": [
+      "api\\.trusted-service\\.com",
+      "service\\.company\\.com"
+    ],
+    "validationFunctions": [
+      "validateUrl",
+      "validateUrlAllowList",
+      "checkAllowedUrl",
+      "isAllowedUrl",
+      "sanitizeUrl",
+      "verifyUrl",
+      "urlValidator"
+    ],
+    "policy": {
+      "requireExplicitValidation": true,
+      "enforceAllowList": true,
+      "blockPrivateIPs": true,
+      "checkProtocols": true,
+      "requireHttpsOnly": false,
+      "maxRedirects": 0
+    },
+    "thresholds": {
+      "maxSuspiciousUrls": 3,
+      "maxUnvalidatedRequests": 1
+    }
+  }
+}