@sun-asterisk/sunlint 1.3.6 → 1.3.8

package/rules/common/C073_validate_required_config_on_startup/config.json

@@ -0,0 +1,46 @@
+{
+  "id": "C073",
+  "name": "C073_validate_required_config_on_startup",
+  "category": "configuration",
+  "description": "C073 - Validate mandatory configuration at startup and fail fast on invalid/missing values.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": { "enabled": true, "priority": "high", "fallback": "heuristic" },
+  "patterns": {
+    "include": ["**/*.ts","**/*.tsx","**/*.js","**/*.jsx","**/*.java","**/*.go"],
+    "exclude": ["**/*.test.*","**/*.spec.*","**/__tests__/**","**/fixtures/**","**/examples/**"]
+  },
+  "options": {
+    "configModules": {
+      "typescript": ["src/config/**","**/config/**","**/bootstrap/**","**/main.ts"],
+      "java": ["**/config/**","**/Configuration/**","**/Application.java","**/*Application.java"],
+      "go": ["cmd/**","**/config/**","**/main.go"]
+    },
+    "envAccessors": {
+      "typescript": ["process.env.*"],
+      "java": ["System.getenv(*)","System.getProperty(*)"],
+      "go": ["os.Getenv(*)"]
+    },
+    "schemaDetectors": {
+      "typescript": ["zod","joi","yup","envalid","dotenv-safe","class-validator"],
+      "java": ["@ConfigurationProperties","@Validated","jakarta.validation","hibernate.validator"],
+      "go": ["github.com/kelseyhightower/envconfig","github.com/spf13/viper"]
+    },
+    "failFastSignals": {
+      "typescript": ["throw new Error(*)","process.exit(1)"],
+      "java": ["throw new RuntimeException(*)","SpringApplication.exit(*)","System.exit(1)"],
+      "go": ["log.Fatal(*)","panic(*)","os.Exit(1)"]
+    },
+    "dangerousDefaults": ["|| ''","|| 0","|| 'http://localhost'","?: ''","?: 0"],
+    "thresholds": {
+      "maxEnvReadsOutsideConfig": 3
+    },
+    "policy": {
+      "requireSchemaOrExplicitChecks": true,
+      "requireFailFast": true,
+      "forbidEnvReadsOutsideConfig": true,
+      "flagDangerousDefaults": true,
+      "requireStartupConnectivityChecks": true
+    }
+  }
+}

package/rules/common/C073_validate_required_config_on_startup/symbol-based-analyzer.js

@@ -0,0 +1,370 @@
+const { traverse } = require('@babel/traverse');
+const t = require('@babel/types');
+
+class C073SymbolBasedAnalyzer {
+  constructor(options = {}) {
+    this.options = options;
+    this.configModules = options.configModules || {};
+    this.envAccessors = options.envAccessors || {};
+    this.schemaDetectors = options.schemaDetectors || {};
+    this.failFastSignals = options.failFastSignals || {};
+    this.dangerousDefaults = options.dangerousDefaults || [];
+    this.policy = options.policy || {};
+  }
+
+  analyze(ast, filePath, content) {
+    const analysis = {
+      envAccess: [],
+      schemaValidation: [],
+      failFastMechanisms: [],
+      dangerousDefaults: [],
+      connectivityChecks: [],
+      imports: [],
+      configValidation: false,
+      hasFailFast: false
+    };
+
+    const language = this.detectLanguageFromPath(filePath);
+    
+    // Analyze both config files and service files for different patterns
+    const isConfigFile = this.isConfigOrStartupFile(filePath, language);
+
+    // Traverse AST to collect information
+    traverse(ast, {
+      // Track imports for schema validation libraries
+      ImportDeclaration: (path) => {
+        const source = path.node.source.value;
+        analysis.imports.push(source);
+        
+        // Check for schema validation libraries
+        if (this.isSchemaValidationLibrary(source, language)) {
+          analysis.schemaValidation.push({
+            library: source,
+            line: path.node.loc?.start.line || 1
+          });
+        }
+      },
+
+      // Track environment variable access
+      MemberExpression: (path) => {
+        if (this.isEnvAccess(path.node, language)) {
+          const envProperty = this.getEnvProperty(path.node);
+          analysis.envAccess.push({
+            variable: envProperty,
+            match: `process.env.${envProperty}`,
+            line: path.node.loc?.start.line || 1,
+            hasDefault: this.hasDefaultValue(path.parent)
+          });
+        }
+      },
+
+      // Track call expressions for multiple purposes
+      CallExpression: (path) => {
+        const node = path.node;
+        
+        // Check for require statements
+        if (t.isIdentifier(node.callee, { name: 'require' })) {
+          const source = node.arguments[0]?.value;
+          if (source && this.isSchemaValidationLibrary(source, language)) {
+            analysis.schemaValidation.push({
+              library: source,
+              line: node.loc?.start.line || 1
+            });
+          }
+        }
+
+        // Check for fail-fast calls (process.exit, throw, etc.)
+        if (this.isFailFastCall(node, language)) {
+          analysis.failFastMechanisms.push({
+            type: this.getFailFastType(node),
+            line: node.loc?.start.line || 1
+          });
+        }
+
+        // Check for connectivity patterns (ping, connect, health check)
+        if (this.isConnectivityCheck(node)) {
+          analysis.connectivityChecks.push({
+            method: this.getConnectivityMethod(node),
+            line: node.loc?.start.line || 1
+          });
+        }
+      },
+
+      // Track dangerous default patterns
+      LogicalExpression: (path) => {
+        if (this.isDangerousDefault(path.node)) {
+          analysis.dangerousDefaults.push({
+            operator: path.node.operator,
+            pattern: this.getDangerousDefaultPattern(path.node),
+            line: path.node.loc?.start.line || 1
+          });
+        }
+      },
+
+      // Track conditional expressions with dangerous defaults
+      ConditionalExpression: (path) => {
+        if (this.isDangerousConditionalDefault(path.node)) {
+          analysis.dangerousDefaults.push({
+            type: 'conditional',
+            pattern: this.getDangerousDefaultPattern(path.node),
+            line: path.node.loc?.start.line || 1
+          });
+        }
+      },
+
+      // Check for validation patterns
+      IfStatement: (path) => {
+        if (this.isConfigValidation(path.node, analysis.envAccess)) {
+          analysis.configValidation = true;
+        }
+      },
+
+      // Check for throw statements with configuration errors
+      ThrowStatement: (path) => {
+        if (this.isConfigRelatedError(path.node)) {
+          analysis.failFastMechanisms.push({
+            type: 'throw',
+            line: path.node.loc?.start.line || 1
+          });
+        }
+      }
+    });
+
+    return analysis;
+  }
+
+  detectLanguageFromPath(filePath) {
+    const ext = filePath.split('.').pop()?.toLowerCase();
+    if (['ts', 'tsx', 'js', 'jsx'].includes(ext)) return 'typescript';
+    if (['java'].includes(ext)) return 'java';
+    if (['go'].includes(ext)) return 'go';
+    return null;
+  }
+
+  isConfigOrStartupFile(filePath, language) {
+    const configPatterns = this.configModules[language] || [];
+    return configPatterns.some(pattern => {
+      const globPattern = pattern.replace(/\*\*/g, '.*').replace(/\*/g, '[^/]*');
+      const regex = new RegExp(globPattern.replace(/\//g, '\\/'));
+      return regex.test(filePath);
+    });
+  }
+
+  isSchemaValidationLibrary(source, language) {
+    const libraries = this.schemaDetectors[language] || [];
+    return libraries.some(lib => source.includes(lib));
+  }
+
+  isEnvAccess(node, language) {
+    if (language === 'typescript') {
+      // process.env.VARIABLE
+      return (
+        t.isMemberExpression(node) &&
+        t.isMemberExpression(node.object) &&
+        t.isIdentifier(node.object.object, { name: 'process' }) &&
+        t.isIdentifier(node.object.property, { name: 'env' })
+      );
+    }
+    return false;
+  }
+
+  getEnvProperty(node) {
+    if (t.isIdentifier(node.property)) {
+      return node.property.name;
+    }
+    if (t.isStringLiteral(node.property)) {
+      return node.property.value;
+    }
+    return 'unknown';
+  }
+
+  hasDefaultValue(parent) {
+    return (
+      t.isLogicalExpression(parent) ||
+      t.isConditionalExpression(parent) ||
+      (t.isAssignmentExpression(parent) && parent.right)
+    );
+  }
+
+  isFailFastCall(node, language) {
+    if (language === 'typescript') {
+      // process.exit(1)
+      if (
+        t.isMemberExpression(node.callee) &&
+        t.isIdentifier(node.callee.object, { name: 'process' }) &&
+        t.isIdentifier(node.callee.property, { name: 'exit' })
+      ) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  getFailFastType(node) {
+    if (t.isMemberExpression(node.callee)) {
+      if (t.isIdentifier(node.callee.property, { name: 'exit' })) {
+        return 'process.exit';
+      }
+    }
+    if (t.isThrowStatement(node)) {
+      return 'throw';
+    }
+    return 'unknown';
+  }
+
+  isConnectivityCheck(node) {
+    if (!t.isCallExpression(node)) return false;
+    
+    // Check for common connectivity patterns
+    const patterns = [
+      'ping', 'connect', 'healthCheck', 'testConnection',
+      'validateConnection', 'checkHealth', 'authenticate'
+    ];
+    
+    if (t.isMemberExpression(node.callee)) {
+      const methodName = node.callee.property?.name;
+      return patterns.includes(methodName);
+    }
+    
+    if (t.isIdentifier(node.callee)) {
+      return patterns.includes(node.callee.name);
+    }
+    
+    return false;
+  }
+
+  getConnectivityMethod(node) {
+    if (t.isMemberExpression(node.callee)) {
+      return node.callee.property?.name || 'unknown';
+    }
+    if (t.isIdentifier(node.callee)) {
+      return node.callee.name;
+    }
+    return 'unknown';
+  }
+
+  isDangerousDefault(node) {
+    if (!t.isLogicalExpression(node, { operator: '||' })) {
+      return false;
+    }
+    
+    const rightValue = this.getDefaultValue(node.right);
+    const dangerousPatterns = [
+      "''", '""', '0', 'null', 'undefined',
+      "'localhost'", "'http://localhost'", "'dev'", "'development'"
+    ];
+    
+    return dangerousPatterns.includes(rightValue);
+  }
+
+  isDangerousConditionalDefault(node) {
+    if (!t.isConditionalExpression(node)) return false;
+    
+    const consequent = this.getDefaultValue(node.consequent);
+    const alternate = this.getDefaultValue(node.alternate);
+    
+    const dangerousPatterns = [
+      "''", '""', '0', 'null', 'undefined',
+      "'localhost'", "'http://localhost'", "'dev'", "'development'"
+    ];
+    
+    return dangerousPatterns.includes(consequent) || dangerousPatterns.includes(alternate);
+  }
+
+  getDangerousDefaultPattern(node) {
+    if (t.isLogicalExpression(node)) {
+      return this.getDefaultValue(node.right);
+    }
+    if (t.isConditionalExpression(node)) {
+      const consequent = this.getDefaultValue(node.consequent);
+      const alternate = this.getDefaultValue(node.alternate);
+      return `${consequent} ? ${alternate}`;
+    }
+    return 'unknown';
+  }
+
+  getDefaultValue(node) {
+    if (t.isStringLiteral(node)) {
+      return `'${node.value}'`;
+    }
+    if (t.isNumericLiteral(node)) {
+      return node.value.toString();
+    }
+    if (t.isNullLiteral(node)) {
+      return 'null';
+    }
+    if (t.isIdentifier(node, { name: 'undefined' })) {
+      return 'undefined';
+    }
+    return 'unknown';
+  }
+
+  isConfigValidation(node, envAccess) {
+    // Simple heuristic: if an if statement contains a check for environment variables
+    // and has a throw or process.exit in the consequent, it's likely validation
+    if (t.isIfStatement(node)) {
+      const test = node.test;
+      const consequent = node.consequent;
+      
+      // Check if test involves environment variables
+      const involvesEnv = this.containsEnvAccess(test);
+      
+      // Check if consequent has fail-fast behavior
+      const hasFailFast = this.containsFailFast(consequent);
+      
+      return involvesEnv && hasFailFast;
+    }
+    
+    return false;
+  }
+
+  containsEnvAccess(node) {
+    // Simple traversal to check if node contains process.env access
+    let hasEnvAccess = false;
+    
+    traverse(node, {
+      MemberExpression: (path) => {
+        if (this.isEnvAccess(path.node, 'typescript')) {
+          hasEnvAccess = true;
+          path.stop();
+        }
+      }
+    }, null, {});
+    
+    return hasEnvAccess;
+  }
+
+  containsFailFast(node) {
+    // Check if node contains fail-fast patterns
+    let hasFailFast = false;
+    
+    traverse(node, {
+      CallExpression: (path) => {
+        if (this.isFailFastCall(path.node, 'typescript')) {
+          hasFailFast = true;
+          path.stop();
+        }
+      },
+      ThrowStatement: () => {
+        hasFailFast = true;
+      }
+    }, null, {});
+    
+    return hasFailFast;
+  }
+
+  isConfigRelatedError(node) {
+    // Check if the error message is configuration-related
+    if (t.isThrowStatement(node) && t.isNewExpression(node.argument)) {
+      const args = node.argument.arguments;
+      if (args.length > 0 && t.isStringLiteral(args[0])) {
+        const message = args[0].value.toLowerCase();
+        const configKeywords = ['config', 'environment', 'env', 'missing', 'required', 'invalid'];
+        return configKeywords.some(keyword => message.includes(keyword));
+      }
+    }
+    return false;
+  }
+}
+
+module.exports = C073SymbolBasedAnalyzer;

package/rules/security/S037_cache_headers/README.md

@@ -0,0 +1,128 @@
+# S037 - Configure Comprehensive Cache Headers to Prevent Sensitive Data Leakage
+
+## Overview
+
+Rule S037 ensures that sensitive HTTP responses explicitly disable caching using a complete set of anti-caching headers:
+
+- `Cache-Control: no-store, no-cache, must-revalidate`
+- `Pragma: no-cache`
+- `Expires: 0`
+
+These prevent browsers and intermediate proxies from persisting sensitive content (e.g., authenticated pages, profile data, tokens) in cache storage where it could later be exposed.
+
+## Framework Support
+
+This rule supports multiple web frameworks:
+
+- **Express.js**: Route handlers using `app.get()`, `router.post()`, etc.
+- **Next.js**: API routes (`export default function handler`) and App Router (`export async function GET`)
+- **NestJS**: Controller methods with decorators (`@Get()`, `@Post()`, etc.)
+- **Nuxt.js**: Server routes (`export default defineEventHandler`)
+
+## Security Impact
+
+Without proper cache headers, authenticated or confidential data may remain in browser cache or be served to other users (in shared environments, kiosk systems, or via back/forward navigation). Attackers may retrieve cached responses, exposing session data or personal information.
+
+## Rule Details
+
+### Required Header Set
+
+All of the following must be present for sensitive responses:
+
+| Header        | Required Value / Directives                                                 |
+| ------------- | --------------------------------------------------------------------------- |
+| Cache-Control | `no-store, no-cache, must-revalidate` (order flexible, directives required) |
+| Pragma        | `no-cache`                                                                  |
+| Expires       | `0` (or a past date)                                                        |
+
+### Sensitive Response Indicators (heuristic)
+
+The rule assumes a response is sensitive when code references identifiers like: `session`, `auth`, `token`, `jwt`, `csrf`, `user`, `profile`, `payment`, `account`.
+
+### Detected Patterns
+
+✅ **Compliant Examples:**
+
+```typescript
+res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
+res.setHeader("Pragma", "no-cache");
+res.setHeader("Expires", "0");
+res.json({ user: profile });
+```
+
+```typescript
+response.set({
+  "Cache-Control": "no-store, no-cache, must-revalidate",
+  Pragma: "no-cache",
+  Expires: "0",
+});
+```
+
+❌ **Violation Examples:**
+
+```typescript
+// Missing Cache-Control directives
+res.setHeader("Cache-Control", "no-cache");
+res.setHeader("Pragma", "no-cache");
+res.setHeader("Expires", "0");
+```
+
+```typescript
+// Missing Pragma and Expires
+res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
+```
+
+```typescript
+// Missing all anti-cache headers
+res.json({ auth: token, profile });
+```
+
+### Partial Cache-Control Values
+
+The rule flags missing directives individually when `Cache-Control` is present but incomplete.
+
+| Example Value                         | Result                                    |
+| ------------------------------------- | ----------------------------------------- |
+| `no-cache`                            | ❌ Missing: `no-store`, `must-revalidate` |
+| `no-store, no-cache`                  | ❌ Missing: `must-revalidate`             |
+| `no-store, no-cache, must-revalidate` | ✅ Valid                                  |
+
+## Analysis Approach
+
+### Symbol-Based (Primary)
+
+Parses AST to collect header setting calls across a file, then evaluates completeness.
+
+### Regex-Based (Fallback)
+
+Scans for literal `setHeader`/`set` calls to approximate detection when semantic engine unavailable.
+
+## Configuration
+
+See `config.json` for adjustable keys:
+
+- `validation.required` – mandatory headers & directives
+- `validation.sensitiveIndicators` – triggers stricter enforcement when detected
+- `patterns.include/exclude` – file targeting
+
+## Best Practices
+
+1. Always send complete anti-cache headers for authenticated pages.
+2. Never rely only on `Pragma` or only `Cache-Control`.
+3. Include `no-store` for maximum protection (prevents any storage).
+4. Pair with other security headers (CSP, X-Content-Type-Options, etc.).
+5. Re-check reverse proxy / CDN behavior (may override headers).
+
+## Related Rules
+
+- **S031**: Secure flag for cookies
+- **S032**: HttpOnly flag for cookies
+- **S033**: SameSite attribute
+- **S034**: \_\_Host- prefix
+- **S035**: Path attribute
+
+## References
+
+- MDN: HTTP Caching
+- OWASP: Sensitive Data Exposure / Cryptographic Failures
+- RFC 7234 - HTTP/1.1 Caching