npm - @sun-asterisk/sunlint - Versions diffs - 1.3.6 → 1.3.8 - Mend

@sun-asterisk/sunlint 1.3.6 → 1.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/rules/security/S056_log_injection_protection/symbol-based-analyzer.js ADDED Viewed

@@ -0,0 +1,287 @@
+/**
+ * S056 Symbol-Based Analyzer - Protect against Log Injection attacks
+ * Uses TypeScript compiler API for semantic analysis
+ */
+const ts = require("typescript");
+class S056SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.semanticEngine = semanticEngine;
+    this.ruleId = "S056";
+    this.category = "security";
+    // Log method names that can be vulnerable
+    this.logMethods = [
+      "log",
+      "info",
+      "warn",
+      "error",
+      "debug",
+      "trace",
+      "write",
+      "writeSync"
+    ];
+    // User input sources that could lead to injection
+    this.userInputSources = [
+      "req",
+      "request",
+      "params",
+      "query",
+      "body",
+      "headers",
+      "cookies",
+      "session"
+    ];
+    // Dangerous characters for log injection
+    this.dangerousCharacters = [
+      "\\r",
+      "\\n",
+      "\\r\\n",
+      "\\u000a",
+      "\\u000d",
+      "%0a",
+      "%0d",
+      "\\x0a",
+      "\\x0d"
+    ];
+    // Secure log patterns
+    this.securePatterns = [
+      "sanitize",
+      "escape",
+      "clean",
+      "filter",
+      "validate",
+      "replace",
+      "strip"
+    ];
+  }
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.verbose) {
+      console.log(`🔍 [${this.ruleId}] Symbol: Semantic engine initialized`);
+    }
+  }
+  async analyze(filePath) {
+    if (this.verbose) {
+      console.log(
+        `🔍 [${this.ruleId}] Symbol: Starting analysis for ${filePath}`
+      );
+    }
+    if (!this.semanticEngine) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: No semantic engine available, skipping`
+        );
+      }
+      return [];
+    }
+    try {
+      const sourceFile = this.semanticEngine.getSourceFile(filePath);
+      if (!sourceFile) {
+        if (this.verbose) {
+          console.log(
+            `🔍 [${this.ruleId}] Symbol: No source file found, trying ts-morph fallback`
+          );
+        }
+        return await this.analyzeTsMorph(filePath);
+      }
+      if (this.verbose) {
+        console.log(`🔧 [${this.ruleId}] Source file found, analyzing...`);
+      }
+      const violations = [];
+      const typeChecker = this.semanticEngine.program?.getTypeChecker();
+      // Visit all nodes in the source file
+      const visit = (node) => {
+        // Check for log method calls
+        if (ts.isCallExpression(node)) {
+          this.checkLogMethodCall(node, violations, sourceFile, typeChecker);
+        }
+        ts.forEachChild(node, visit);
+      };
+      visit(sourceFile);
+      if (this.verbose) {
+        console.log(
+          `🔧 [${this.ruleId}] Symbol analysis completed: ${violations.length} violations found`
+        );
+      }
+      return violations;
+    } catch (error) {
+      console.warn(`⚠ [${this.ruleId}] Symbol analysis failed:`, error.message);
+      return [];
+    }
+  }
+  checkLogMethodCall(node, violations, sourceFile, typeChecker) {
+    // Check if this is a logging method call
+    const methodName = this.getMethodName(node);
+    if (!methodName || !this.logMethods.includes(methodName)) {
+      return;
+    }
+    // Check arguments for user input
+    if (node.arguments && node.arguments.length > 0) {
+      for (const arg of node.arguments) {
+        if (this.containsUserInput(arg, sourceFile)) {
+          const position = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Log injection vulnerability: User input directly used in ${methodName}() call without sanitization`,
+            line: position.line + 1,
+            column: position.character + 1,
+            severity: "error",
+            category: this.category,
+            code: sourceFile.getFullText().slice(node.getStart(), node.getEnd())
+          });
+          break;
+        }
+      }
+    }
+  }
+  getMethodName(callExpression) {
+    const expression = callExpression.expression;
+    if (ts.isIdentifier(expression)) {
+      return expression.text;
+    }
+    if (ts.isPropertyAccessExpression(expression)) {
+      return expression.name.text;
+    }
+    return null;
+  }
+  containsUserInput(node, sourceFile) {
+    // Check for direct user input references
+    if (ts.isIdentifier(node)) {
+      return this.userInputSources.includes(node.text);
+    }
+    // Check for property access on user input (e.g., req.body, req.query)
+    if (ts.isPropertyAccessExpression(node)) {
+      const objectName = this.getObjectName(node);
+      return this.userInputSources.includes(objectName);
+    }
+    // Check for element access on user input (e.g., req["body"], headers['user-agent'])
+    if (ts.isElementAccessExpression(node)) {
+      const objectName = this.getObjectName(node);
+      return this.userInputSources.includes(objectName);
+    }
+    // Check for binary expressions (concatenation)
+    if (ts.isBinaryExpression(node)) {
+      return this.containsUserInput(node.left, sourceFile) ||
+             this.containsUserInput(node.right, sourceFile);
+    }
+    // Check for template literals
+    if (ts.isTemplateExpression(node)) {
+      return node.templateSpans.some(span =>
+        this.containsUserInput(span.expression, sourceFile)
+      );
+    }
+    // Check for function calls that might return user input
+    if (ts.isCallExpression(node)) {
+      // Check if it's JSON.stringify with user input
+      const methodName = this.getMethodName(node);
+      if (methodName === "stringify" && node.arguments.length > 0) {
+        return this.containsUserInput(node.arguments[0], sourceFile);
+      }
+    }
+    return false;
+  }
+  getObjectName(node) {
+    if (ts.isPropertyAccessExpression(node) || ts.isElementAccessExpression(node)) {
+      if (ts.isIdentifier(node.expression)) {
+        return node.expression.text;
+      }
+    }
+    return null;
+  }
+  /**
+   * Fallback analysis using ts-morph when semantic engine is not available
+   */
+  async analyzeTsMorph(filePath) {
+    try {
+      const fs = require("fs");
+      const { Project } = require("ts-morph");
+      const project = new Project();
+      const sourceFile = project.addSourceFileAtPath(filePath);
+      const violations = [];
+      // Find all call expressions
+      sourceFile.forEachDescendant((node) => {
+        if (node.getKind() === ts.SyntaxKind.CallExpression) {
+          const callExpr = node;
+          const methodName = this.extractMethodName(callExpr.getText());
+          if (this.logMethods.includes(methodName)) {
+            const args = callExpr.getArguments();
+            for (const arg of args) {
+              if (this.containsUserInputText(arg.getText())) {
+                const line = sourceFile.getLineAndColumnAtPos(node.getStart()).line;
+                const column = sourceFile.getLineAndColumnAtPos(node.getStart()).column;
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Log injection vulnerability: User input directly used in ${methodName}() call without sanitization`,
+                  line: line,
+                  column: column,
+                  severity: "error",
+                  category: this.category,
+                  code: node.getText()
+                });
+                break;
+              }
+            }
+          }
+        }
+      });
+      return violations;
+    } catch (error) {
+      console.warn(`⚠ [${this.ruleId}] ts-morph analysis failed:`, error.message);
+      return [];
+    }
+  }
+  extractMethodName(callText) {
+    const match = callText.match(/(\w+)\s*\(/);
+    return match ? match[1] : null;
+  }
+  containsUserInputText(text) {
+    return this.userInputSources.some(source => text.includes(source));
+  }
+  cleanup() {
+    // Cleanup resources if needed
+  }
+}
+module.exports = S056SymbolBasedAnalyzer;

package/rules/security/S057_utc_logging/README.md ADDED Viewed

@@ -0,0 +1,152 @@
+# S057 - Log with UTC Timestamps
+## Overview
+Enforce UTC usage in logging and time formatting to ensure consistency across systems and avoid timezone-related issues in log analysis.
+## Rule Details
+This rule enforces:
+- **UTC Timestamps Only**: All logged timestamps must use UTC format
+- **ISO 8601/RFC3339 Standard**: Prefer standardized time formats
+- **No Local Time**: Prevent usage of local time in logs
+- **Framework Configuration**: Ensure logging frameworks are configured for UTC
+## ❌ Incorrect Examples
+```javascript
+// Using local time
+console.log('Event at:', new Date().toString());
+console.log('Timestamp:', new Date().toLocaleString());
+// Non-UTC moment.js
+const moment = require('moment');
+logger.info(`Event time: ${moment().format()}`);
+// Local DateTime patterns
+logger.error(`Error at ${DateTime.now()}`);
+logger.warn(`Time: ${LocalDateTime.now()}`);
+// Framework without UTC config
+const winston = require('winston');
+const logger = winston.createLogger({
+  level: 'info',
+  format: winston.format.json(),
+  // Missing UTC timezone configuration
+});
+```
+## ✅ Correct Examples
+```javascript
+// Using UTC ISO format
+console.log('Event at:', new Date().toISOString());
+logger.info(`Event time: ${new Date().toISOString()}`);
+// UTC moment.js
+const moment = require('moment');
+logger.info(`Event time: ${moment.utc().format()}`);
+// UTC DateTime patterns
+logger.error(`Error at ${Instant.now()}`);
+logger.warn(`Time: ${OffsetDateTime.now(ZoneOffset.UTC)}`);
+// Proper framework configuration
+const winston = require('winston');
+const logger = winston.createLogger({
+  level: 'info',
+  format: winston.format.combine(
+    winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss' }),
+    winston.format.timezone('UTC'),
+    winston.format.json()
+  )
+});
+```
+## Configuration Options
+### disallowedDatePatterns
+Patterns that create timezone-dependent timestamps:
+- `new Date().toString()`
+- `new Date().toLocaleString()`
+- `DateTime.now()`
+- `LocalDateTime.now()`
+- `moment().format()`
+### allowedUtcPatterns
+UTC-safe timestamp patterns:
+- `toISOString()`
+- `Instant.now()`
+- `moment.utc()`
+- `dayjs.utc()`
+- `OffsetDateTime.now(ZoneOffset.UTC)`
+### logFrameworks
+Supported logging frameworks for configuration checking:
+- Winston
+- Pino
+- Bunyan
+- Log4js
+- Console methods
+## Benefits
+1. **Consistent Logs**: All timestamps in the same timezone
+2. **Global Compatibility**: Works across multiple regions/servers
+3. **Easy Analysis**: No timezone conversion needed for log correlation
+4. **Audit Compliance**: Standardized timestamps for security auditing
+5. **Debugging**: Simplified troubleshooting across distributed systems
+## Security Implications
+- **Audit Trail**: Consistent timestamps critical for security incident investigation
+- **Compliance**: Many security standards require UTC logging
+- **Forensics**: Timezone consistency essential for timeline reconstruction
+- **Correlation**: Multi-system log correlation requires synchronized time
+## Related Rules
+- **C019**: Log Level Usage - Proper log severity levels
+- **S056**: Sensitive Data Logging - Avoid logging sensitive information
+- **S058**: SSRF Protection - Related to secure logging practices
+## Implementation Notes
+### NTP Synchronization
+While this rule focuses on timestamp format, ensure your systems use NTP for time synchronization:
+```bash
+# Check NTP status
+timedatectl status
+# Enable NTP sync
+sudo timedatectl set-ntp true
+```
+### Docker Configuration
+For containerized applications:
+```dockerfile
+# Set timezone to UTC
+ENV TZ=UTC
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+```
+### Database Considerations
+Ensure database timestamps also use UTC:
+```sql
+-- PostgreSQL
+SET timezone = 'UTC';
+-- MySQL
+SET time_zone = '+00:00';
+```
+## False Positives
+This rule may flag legitimate use cases in:
+- Test files (can be exempted via configuration)
+- Display/UI code (where local time is appropriate)
+- Time calculation utilities (where local time is intentional)
+Configure exemptions in the rule configuration as needed.