@sun-asterisk/sunlint 1.3.7 → 1.3.8

package/rules/security/S056_log_injection_protection/symbol-based-analyzer.js

@@ -0,0 +1,287 @@
+/**
+ * S056 Symbol-Based Analyzer - Protect against Log Injection attacks
+ * Uses TypeScript compiler API for semantic analysis
+ */
+
+const ts = require("typescript");
+
+class S056SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.semanticEngine = semanticEngine;
+    this.ruleId = "S056";
+    this.category = "security";
+
+    // Log method names that can be vulnerable
+    this.logMethods = [
+      "log",
+      "info", 
+      "warn",
+      "error",
+      "debug",
+      "trace",
+      "write",
+      "writeSync"
+    ];
+
+    // User input sources that could lead to injection
+    this.userInputSources = [
+      "req",
+      "request", 
+      "params",
+      "query",
+      "body",
+      "headers",
+      "cookies",
+      "session"
+    ];
+
+    // Dangerous characters for log injection
+    this.dangerousCharacters = [
+      "\\r",
+      "\\n", 
+      "\\r\\n",
+      "\\u000a",
+      "\\u000d",
+      "%0a",
+      "%0d",
+      "\\x0a",
+      "\\x0d"
+    ];
+
+    // Secure log patterns
+    this.securePatterns = [
+      "sanitize",
+      "escape",
+      "clean", 
+      "filter",
+      "validate",
+      "replace",
+      "strip"
+    ];
+  }
+
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.verbose) {
+      console.log(`🔍 [${this.ruleId}] Symbol: Semantic engine initialized`);
+    }
+  }
+
+  async analyze(filePath) {
+    if (this.verbose) {
+      console.log(
+        `🔍 [${this.ruleId}] Symbol: Starting analysis for ${filePath}`
+      );
+    }
+
+    if (!this.semanticEngine) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: No semantic engine available, skipping`
+        );
+      }
+      return [];
+    }
+
+    try {
+      const sourceFile = this.semanticEngine.getSourceFile(filePath);
+      if (!sourceFile) {
+        if (this.verbose) {
+          console.log(
+            `🔍 [${this.ruleId}] Symbol: No source file found, trying ts-morph fallback`
+          );
+        }
+        return await this.analyzeTsMorph(filePath);
+      }
+
+      if (this.verbose) {
+        console.log(`🔧 [${this.ruleId}] Source file found, analyzing...`);
+      }
+
+      const violations = [];
+      const typeChecker = this.semanticEngine.program?.getTypeChecker();
+
+      // Visit all nodes in the source file
+      const visit = (node) => {
+        // Check for log method calls
+        if (ts.isCallExpression(node)) {
+          this.checkLogMethodCall(node, violations, sourceFile, typeChecker);
+        }
+        
+        ts.forEachChild(node, visit);
+      };
+
+      visit(sourceFile);
+
+      if (this.verbose) {
+        console.log(
+          `🔧 [${this.ruleId}] Symbol analysis completed: ${violations.length} violations found`
+        );
+      }
+
+      return violations;
+    } catch (error) {
+      console.warn(`⚠ [${this.ruleId}] Symbol analysis failed:`, error.message);
+      return [];
+    }
+  }
+
+  checkLogMethodCall(node, violations, sourceFile, typeChecker) {
+    // Check if this is a logging method call
+    const methodName = this.getMethodName(node);
+    if (!methodName || !this.logMethods.includes(methodName)) {
+      return;
+    }
+
+    // Check arguments for user input
+    if (node.arguments && node.arguments.length > 0) {
+      for (const arg of node.arguments) {
+        if (this.containsUserInput(arg, sourceFile)) {
+          const position = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Log injection vulnerability: User input directly used in ${methodName}() call without sanitization`,
+            line: position.line + 1,
+            column: position.character + 1,
+            severity: "error",
+            category: this.category,
+            code: sourceFile.getFullText().slice(node.getStart(), node.getEnd())
+          });
+          break;
+        }
+      }
+    }
+  }
+
+  getMethodName(callExpression) {
+    const expression = callExpression.expression;
+    
+    if (ts.isIdentifier(expression)) {
+      return expression.text;
+    }
+    
+    if (ts.isPropertyAccessExpression(expression)) {
+      return expression.name.text;
+    }
+    
+    return null;
+  }
+
+  containsUserInput(node, sourceFile) {
+    // Check for direct user input references
+    if (ts.isIdentifier(node)) {
+      return this.userInputSources.includes(node.text);
+    }
+
+    // Check for property access on user input (e.g., req.body, req.query)
+    if (ts.isPropertyAccessExpression(node)) {
+      const objectName = this.getObjectName(node);
+      return this.userInputSources.includes(objectName);
+    }
+
+    // Check for element access on user input (e.g., req["body"], headers['user-agent'])
+    if (ts.isElementAccessExpression(node)) {
+      const objectName = this.getObjectName(node);
+      return this.userInputSources.includes(objectName);
+    }
+
+    // Check for binary expressions (concatenation)
+    if (ts.isBinaryExpression(node)) {
+      return this.containsUserInput(node.left, sourceFile) || 
+             this.containsUserInput(node.right, sourceFile);
+    }
+
+    // Check for template literals
+    if (ts.isTemplateExpression(node)) {
+      return node.templateSpans.some(span => 
+        this.containsUserInput(span.expression, sourceFile)
+      );
+    }
+
+    // Check for function calls that might return user input
+    if (ts.isCallExpression(node)) {
+      // Check if it's JSON.stringify with user input
+      const methodName = this.getMethodName(node);
+      if (methodName === "stringify" && node.arguments.length > 0) {
+        return this.containsUserInput(node.arguments[0], sourceFile);
+      }
+    }
+
+    return false;
+  }
+
+  getObjectName(node) {
+    if (ts.isPropertyAccessExpression(node) || ts.isElementAccessExpression(node)) {
+      if (ts.isIdentifier(node.expression)) {
+        return node.expression.text;
+      }
+    }
+    return null;
+  }
+
+  /**
+   * Fallback analysis using ts-morph when semantic engine is not available
+   */
+  async analyzeTsMorph(filePath) {
+    try {
+      const fs = require("fs");
+      const { Project } = require("ts-morph");
+      
+      const project = new Project();
+      const sourceFile = project.addSourceFileAtPath(filePath);
+      const violations = [];
+
+      // Find all call expressions
+      sourceFile.forEachDescendant((node) => {
+        if (node.getKind() === ts.SyntaxKind.CallExpression) {
+          const callExpr = node;
+          const methodName = this.extractMethodName(callExpr.getText());
+          
+          if (this.logMethods.includes(methodName)) {
+            const args = callExpr.getArguments();
+            for (const arg of args) {
+              if (this.containsUserInputText(arg.getText())) {
+                const line = sourceFile.getLineAndColumnAtPos(node.getStart()).line;
+                const column = sourceFile.getLineAndColumnAtPos(node.getStart()).column;
+                
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Log injection vulnerability: User input directly used in ${methodName}() call without sanitization`,
+                  line: line,
+                  column: column,
+                  severity: "error",
+                  category: this.category,
+                  code: node.getText()
+                });
+                break;
+              }
+            }
+          }
+        }
+      });
+
+      return violations;
+    } catch (error) {
+      console.warn(`⚠ [${this.ruleId}] ts-morph analysis failed:`, error.message);
+      return [];
+    }
+  }
+
+  extractMethodName(callText) {
+    const match = callText.match(/(\w+)\s*\(/);
+    return match ? match[1] : null;
+  }
+
+  containsUserInputText(text) {
+    return this.userInputSources.some(source => text.includes(source));
+  }
+
+  cleanup() {
+    // Cleanup resources if needed
+  }
+}
+
+module.exports = S056SymbolBasedAnalyzer;