npm - @sun-asterisk/sunlint - Versions diffs - 1.3.6 → 1.3.8 - Mend

@sun-asterisk/sunlint 1.3.6 → 1.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/rules/security/S037_cache_headers/analyzer.js ADDED Viewed

@@ -0,0 +1,263 @@
+/**
+ * S037 Main Analyzer - Configure comprehensive cache headers to prevent sensitive data leakage
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S037 --input=examples/rule-test-fixtures/rules/S037_cache_headers --engine=heuristic
+ */
+const S037SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S037RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+class S037Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S037] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S037] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+    this.ruleId = "S037";
+    this.ruleName =
+      "Configure comprehensive cache headers to prevent sensitive data leakage";
+    this.description =
+      "Configure comprehensive cache headers (Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Expires: 0) for sensitive responses to avoid caching sensitive data in browsers or intermediaries.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    this.config = {
+      useSymbolBased: true,
+      fallbackToRegex: true,
+      regexBasedOnly: false,
+      prioritizeSymbolic: true, // Prefer symbol-based when available
+      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
+    };
+    try {
+      this.symbolAnalyzer = new S037SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S037] Symbol analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S037] Error creating symbol analyzer:`, error);
+    }
+    try {
+      this.regexAnalyzer = new S037RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S037] Regex analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S037] Error creating regex analyzer:`, error);
+    }
+  }
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S037] Main analyzer initializing...`);
+    if (this.symbolAnalyzer)
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer)
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer) this.regexAnalyzer.cleanup?.();
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S037] Main analyzer initialized successfully`);
+  }
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S037] analyzeSingle() called for: ${filePath}`);
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S037] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S037] Processing file: ${filePath}`);
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S037] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(
+          `⚠ [S037] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S037] Total violations found: ${violations.length}`);
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S037] analyzeFile() called for: ${filePath}`);
+    const violationMap = new Map();
+    // Try symbol-based analysis first when semantic engine is available OR when explicitly enabled
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S037] Symbol check: useSymbolBased=${
+          this.config.useSymbolBased
+        }, semanticEngine=${!!this.semanticEngine}, project=${!!this
+          .semanticEngine?.project}, initialized=${!!this.semanticEngine
+          ?.initialized}`
+      );
+    }
+    const canUseSymbol =
+      this.config.useSymbolBased &&
+      ((this.semanticEngine?.project && this.semanticEngine?.initialized) ||
+        (!this.semanticEngine && this.config.fallbackToSymbol !== false));
+    if (canUseSymbol) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S037] Trying symbol-based analysis...`);
+        let sourceFile = null;
+        if (this.semanticEngine?.project) {
+          sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S037] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
+            );
+          }
+        }
+        if (!sourceFile) {
+          // Create a minimal ts-morph project for this analysis
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S037] Creating temporary ts-morph project for: ${filePath}`
+            );
+          try {
+            const fs = require("fs");
+            const path = require("path");
+            const { Project } = require("ts-morph");
+            // Check if file exists and read content
+            if (!fs.existsSync(filePath)) {
+              throw new Error(`File not found: ${filePath}`);
+            }
+            const fileContent = fs.readFileSync(filePath, "utf8");
+            const fileName = path.basename(filePath);
+            const tempProject = new Project({
+              useInMemoryFileSystem: true,
+              compilerOptions: {
+                allowJs: true,
+                allowSyntheticDefaultImports: true,
+              },
+            });
+            // Add file content to in-memory project
+            sourceFile = tempProject.createSourceFile(fileName, fileContent);
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S037] Temporary project created successfully with file: ${fileName}`
+              );
+          } catch (projectError) {
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S037] Failed to create temporary project:`,
+                projectError.message
+              );
+            throw projectError;
+          }
+        }
+        if (sourceFile) {
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          symbolViolations.forEach((v) => {
+            const key = `${v.line}:${v.column}:${v.message}`;
+            if (!violationMap.has(key)) violationMap.set(key, v);
+          });
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S037] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          // If symbol-based found violations or prioritizeSymbolic is true, skip regex
+          if (this.config.prioritizeSymbolic && symbolViolations.length >= 0) {
+            const finalViolations = Array.from(violationMap.values()).map(
+              (v) => ({
+                ...v,
+                filePath,
+                file: filePath,
+              })
+            );
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S037] Symbol-based analysis prioritized: ${finalViolations.length} violations`
+              );
+            return finalViolations;
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S037] No source file found, skipping symbol analysis`
+            );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S037] Symbol analysis failed:`, error.message);
+      }
+    }
+    // Fallback to regex-based analysis
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S037] Trying regex-based analysis...`);
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        regexViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S037] Regex analysis completed: ${regexViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(`⚠ [S037] Regex analysis failed:`, error.message);
+      }
+    }
+    const finalViolations = Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+    if (process.env.SUNLINT_DEBUG)
+      console.log(
+        `🔧 [S037] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    return finalViolations;
+  }
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) this.symbolAnalyzer.cleanup();
+    if (this.regexAnalyzer?.cleanup) this.regexAnalyzer.cleanup();
+  }
+}
+module.exports = S037Analyzer;

package/rules/security/S037_cache_headers/config.json ADDED Viewed

@@ -0,0 +1,50 @@
+{
+  "id": "S037",
+  "name": "Configure comprehensive cache headers to prevent sensitive data leakage",
+  "category": "security",
+  "description": "S037 - Configure comprehensive cache headers (Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Expires: 0) for sensitive responses to avoid caching sensitive data in browsers or intermediaries.",
+  "severity": "warning",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "medium",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 1,
+    "timeout": 4000
+  },
+  "validation": {
+    "headerSetters": ["setHeader", "set", "header"],
+    "required": {
+      "Cache-Control": ["no-store", "no-cache", "must-revalidate"],
+      "Pragma": ["no-cache"],
+      "Expires": ["0"]
+    },
+    "sensitiveIndicators": [
+      "session",
+      "auth",
+      "token",
+      "jwt",
+      "csrf",
+      "user",
+      "profile",
+      "payment",
+      "account"
+    ]
+  }
+}