@sun-asterisk/sunlint 1.3.7 → 1.3.8

package/rules/common/C065_one_behavior_per_test/config.json

@@ -0,0 +1,95 @@
+{
+  "ruleId": "C065",
+  "name": "One Behavior per Test (AAA Pattern)",
+  "description": "Each test case should focus on testing a single behavior to improve clarity and maintainability",
+  "category": "common",
+  "severity": "warn",
+  "languages": ["typescript", "javascript", "java", "csharp", "swift", "kotlin"],
+  "options": {
+    "assertApis": {
+      "javascript": ["expect\\(", "assert\\.", "should\\.", "chai\\.expect"],
+      "typescript": ["expect\\(", "assert\\.", "should\\.", "chai\\.expect"],
+      "java": ["assertThat\\(", "assertEquals\\(", "assertTrue\\(", "assertFalse\\(", "assertNull\\(", "assertNotNull\\("],
+      "csharp": ["Assert\\.", "Xunit\\.Assert", "NUnit\\.Framework\\.Assert"],
+      "swift": ["XCTAssert", "XCTAssertEqual", "XCTAssertTrue", "XCTAssertFalse"],
+      "kotlin": ["assertThat\\(", "assertEquals\\(", "assertTrue\\(", "assertFalse\\("]
+    },
+    "actHeuristics": {
+      "common": ["sut\\.", "\\.create\\(", "\\.update\\(", "\\.delete\\(", "\\.save\\(", "\\.execute\\(", "\\.handle\\(", "\\.run\\(", "\\.call\\(", "\\.process\\(", "service\\.", "repository\\.", "await\\s+\\w+\\."],
+      "javascript": ["\\.mockReturnValue\\(", "\\.mockResolvedValue\\(", "render\\(", "fireEvent\\.(click|submit|keyPress|keyDown|keyUp)", "userService\\.", "api\\.", "fetch\\(", "user\\.click\\(", "user\\.type\\(", "user\\.clear\\("],
+      "typescript": ["\\.mockReturnValue\\(", "\\.mockResolvedValue\\(", "render\\(", "fireEvent\\.(click|submit|keyPress|keyDown|keyUp)", "userService\\.", "api\\.", "fetch\\(", "user\\.click\\(", "user\\.type\\(", "user\\.clear\\("],
+      "java": ["\\.when\\(", "\\.thenReturn\\(", "\\.doReturn\\(", "\\.verify\\("],
+      "csharp": ["\\.Setup\\(", "\\.Returns\\(", "\\.Verify\\("],
+      "swift": ["given\\(", "when\\(", "then\\("],
+      "kotlin": ["every\\s*\\{", "verify\\s*\\{"]
+    },
+    "controlFlow": ["\\bif\\s*\\(", "\\bswitch\\s*\\(", "\\bfor\\s*\\(", "\\bwhile\\s*\\(", "\\btry\\s*\\{"],
+    "testPatterns": {
+      "javascript": ["\\bit\\s*\\(", "\\btest\\s*\\(", "\\bdescribe\\s*\\("],
+      "typescript": ["\\bit\\s*\\(", "\\btest\\s*\\(", "\\bdescribe\\s*\\("],
+      "java": ["@Test", "@ParameterizedTest"],
+      "csharp": ["\\[Test\\]", "\\[Fact\\]", "\\[Theory\\]"],
+      "swift": ["func\\s+test", "XCTestCase"],
+      "kotlin": ["@Test", "fun\\s+test"]
+    },
+    "parameterizedHints": ["test\\.each", "describe\\.each", "@ParameterizedTest", "where\\s*:", "\\[TestCase"],
+    "thresholds": {
+      "maxActsPerTest": 3,
+      "maxUnrelatedExpects": 2,
+      "maxControlFlowStatements": 0,
+      "maxTestMethodsPerFunction": 1
+    },
+    "flags": {
+      "flagControlFlowInTest": true,
+      "treatSnapshotAsSingleAssert": true,
+      "allowMultipleAssertsForSameObject": true,
+      "allowSetupAssertions": true,
+      "allowMultipleUIActions": true
+    },
+    "whitelist": {
+      "setupMethods": ["beforeEach", "setUp", "before", "Given"],
+      "teardownMethods": ["afterEach", "tearDown", "after"],
+      "helperMethods": ["helper", "util", "mock", "stub", "spy"]
+    },
+    "allowlist": {
+      "paths": ["test/", "tests/", "__tests__/", "spec/", "specs/", "*.test.*", "*.spec.*"],
+      "filePatterns": ["\\.test\\.", "\\.spec\\.", "Test\\.java$", "Tests\\.cs$", "Test\\.swift$", "Test\\.kt$"],
+      "formInteractionSequences": [
+        "fireEvent\\.change.*fireEvent\\.blur",
+        "fireEvent\\.change.*fireEvent\\.focus",
+        "user\\.type.*user\\.tab",
+        "user\\.type.*user\\.clear",
+        "render.*fireEvent\\.change.*fireEvent\\.blur"
+      ],
+      "uiInteractionWorkflows": [
+        "fireEvent\\.click.*expect\\(",
+        "fireEvent\\.click.*fireEvent\\.click",
+        "render.*fireEvent\\.click.*expect\\(",
+        "getByRole.*fireEvent\\.click.*expect\\(",
+        "queryByText.*fireEvent\\.click",
+        "user\\.click.*expect\\(",
+        "user\\.click.*user\\.click"
+      ],
+      "setupActionPatterns": [
+        "render\\(",
+        "fireEvent\\.(change|blur|focus|mouseEnter|mouseLeave)",
+        "user\\.(hover|focus|tab|clear)",
+        "\\.mockReturnValue\\(",
+        "\\.mockResolvedValue\\("
+      ],
+      "uiSetupPatterns": [
+        "getByRole\\(",
+        "queryByText\\(",
+        "queryAllByText\\(",
+        "getByText\\(",
+        "findByRole\\(",
+        "act\\(.*render"
+      ]
+    },
+    "overrideExclude": {
+      "enabled": true,
+      "reason": "C065 needs to analyze test files that are typically excluded by project configs",
+      "removePatterns": ["**/*.test.*", "**/*.spec.*", "src/**/*.test.{ts,tsx}", "src/**/*.spec.{ts,tsx}"]
+    }
+  }
+}

package/rules/security/S037_cache_headers/README.md

@@ -0,0 +1,128 @@
+# S037 - Configure Comprehensive Cache Headers to Prevent Sensitive Data Leakage
+
+## Overview
+
+Rule S037 ensures that sensitive HTTP responses explicitly disable caching using a complete set of anti-caching headers:
+
+- `Cache-Control: no-store, no-cache, must-revalidate`
+- `Pragma: no-cache`
+- `Expires: 0`
+
+These prevent browsers and intermediate proxies from persisting sensitive content (e.g., authenticated pages, profile data, tokens) in cache storage where it could later be exposed.
+
+## Framework Support
+
+This rule supports multiple web frameworks:
+
+- **Express.js**: Route handlers using `app.get()`, `router.post()`, etc.
+- **Next.js**: API routes (`export default function handler`) and App Router (`export async function GET`)
+- **NestJS**: Controller methods with decorators (`@Get()`, `@Post()`, etc.)
+- **Nuxt.js**: Server routes (`export default defineEventHandler`)
+
+## Security Impact
+
+Without proper cache headers, authenticated or confidential data may remain in browser cache or be served to other users (in shared environments, kiosk systems, or via back/forward navigation). Attackers may retrieve cached responses, exposing session data or personal information.
+
+## Rule Details
+
+### Required Header Set
+
+All of the following must be present for sensitive responses:
+
+| Header        | Required Value / Directives                                                 |
+| ------------- | --------------------------------------------------------------------------- |
+| Cache-Control | `no-store, no-cache, must-revalidate` (order flexible, directives required) |
+| Pragma        | `no-cache`                                                                  |
+| Expires       | `0` (or a past date)                                                        |
+
+### Sensitive Response Indicators (heuristic)
+
+The rule assumes a response is sensitive when code references identifiers like: `session`, `auth`, `token`, `jwt`, `csrf`, `user`, `profile`, `payment`, `account`.
+
+### Detected Patterns
+
+✅ **Compliant Examples:**
+
+```typescript
+res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
+res.setHeader("Pragma", "no-cache");
+res.setHeader("Expires", "0");
+res.json({ user: profile });
+```
+
+```typescript
+response.set({
+  "Cache-Control": "no-store, no-cache, must-revalidate",
+  Pragma: "no-cache",
+  Expires: "0",
+});
+```
+
+❌ **Violation Examples:**
+
+```typescript
+// Missing Cache-Control directives
+res.setHeader("Cache-Control", "no-cache");
+res.setHeader("Pragma", "no-cache");
+res.setHeader("Expires", "0");
+```
+
+```typescript
+// Missing Pragma and Expires
+res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
+```
+
+```typescript
+// Missing all anti-cache headers
+res.json({ auth: token, profile });
+```
+
+### Partial Cache-Control Values
+
+The rule flags missing directives individually when `Cache-Control` is present but incomplete.
+
+| Example Value                         | Result                                    |
+| ------------------------------------- | ----------------------------------------- |
+| `no-cache`                            | ❌ Missing: `no-store`, `must-revalidate` |
+| `no-store, no-cache`                  | ❌ Missing: `must-revalidate`             |
+| `no-store, no-cache, must-revalidate` | ✅ Valid                                  |
+
+## Analysis Approach
+
+### Symbol-Based (Primary)
+
+Parses AST to collect header setting calls across a file, then evaluates completeness.
+
+### Regex-Based (Fallback)
+
+Scans for literal `setHeader`/`set` calls to approximate detection when semantic engine unavailable.
+
+## Configuration
+
+See `config.json` for adjustable keys:
+
+- `validation.required` – mandatory headers & directives
+- `validation.sensitiveIndicators` – triggers stricter enforcement when detected
+- `patterns.include/exclude` – file targeting
+
+## Best Practices
+
+1. Always send complete anti-cache headers for authenticated pages.
+2. Never rely only on `Pragma` or only `Cache-Control`.
+3. Include `no-store` for maximum protection (prevents any storage).
+4. Pair with other security headers (CSP, X-Content-Type-Options, etc.).
+5. Re-check reverse proxy / CDN behavior (may override headers).
+
+## Related Rules
+
+- **S031**: Secure flag for cookies
+- **S032**: HttpOnly flag for cookies
+- **S033**: SameSite attribute
+- **S034**: \_\_Host- prefix
+- **S035**: Path attribute
+
+## References
+
+- MDN: HTTP Caching
+- OWASP: Sensitive Data Exposure / Cryptographic Failures
+- RFC 7234 - HTTP/1.1 Caching

package/rules/security/S037_cache_headers/analyzer.js

@@ -0,0 +1,263 @@
+/**
+ * S037 Main Analyzer - Configure comprehensive cache headers to prevent sensitive data leakage
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S037 --input=examples/rule-test-fixtures/rules/S037_cache_headers --engine=heuristic
+ */
+
+const S037SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S037RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+
+class S037Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S037] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S037] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S037";
+    this.ruleName =
+      "Configure comprehensive cache headers to prevent sensitive data leakage";
+    this.description =
+      "Configure comprehensive cache headers (Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Expires: 0) for sensitive responses to avoid caching sensitive data in browsers or intermediaries.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    this.config = {
+      useSymbolBased: true,
+      fallbackToRegex: true,
+      regexBasedOnly: false,
+      prioritizeSymbolic: true, // Prefer symbol-based when available
+      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
+    };
+
+    try {
+      this.symbolAnalyzer = new S037SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S037] Symbol analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S037] Error creating symbol analyzer:`, error);
+    }
+
+    try {
+      this.regexAnalyzer = new S037RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S037] Regex analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S037] Error creating regex analyzer:`, error);
+    }
+  }
+
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S037] Main analyzer initializing...`);
+
+    if (this.symbolAnalyzer)
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer)
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer) this.regexAnalyzer.cleanup?.();
+
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S037] Main analyzer initialized successfully`);
+  }
+
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S037] analyzeSingle() called for: ${filePath}`);
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S037] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S037] Processing file: ${filePath}`);
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S037] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(
+          `⚠ [S037] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S037] Total violations found: ${violations.length}`);
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S037] analyzeFile() called for: ${filePath}`);
+    const violationMap = new Map();
+
+    // Try symbol-based analysis first when semantic engine is available OR when explicitly enabled
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S037] Symbol check: useSymbolBased=${
+          this.config.useSymbolBased
+        }, semanticEngine=${!!this.semanticEngine}, project=${!!this
+          .semanticEngine?.project}, initialized=${!!this.semanticEngine
+          ?.initialized}`
+      );
+    }
+
+    const canUseSymbol =
+      this.config.useSymbolBased &&
+      ((this.semanticEngine?.project && this.semanticEngine?.initialized) ||
+        (!this.semanticEngine && this.config.fallbackToSymbol !== false));
+
+    if (canUseSymbol) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S037] Trying symbol-based analysis...`);
+
+        let sourceFile = null;
+        if (this.semanticEngine?.project) {
+          sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S037] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
+            );
+          }
+        }
+
+        if (!sourceFile) {
+          // Create a minimal ts-morph project for this analysis
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S037] Creating temporary ts-morph project for: ${filePath}`
+            );
+          try {
+            const fs = require("fs");
+            const path = require("path");
+            const { Project } = require("ts-morph");
+
+            // Check if file exists and read content
+            if (!fs.existsSync(filePath)) {
+              throw new Error(`File not found: ${filePath}`);
+            }
+
+            const fileContent = fs.readFileSync(filePath, "utf8");
+            const fileName = path.basename(filePath);
+
+            const tempProject = new Project({
+              useInMemoryFileSystem: true,
+              compilerOptions: {
+                allowJs: true,
+                allowSyntheticDefaultImports: true,
+              },
+            });
+
+            // Add file content to in-memory project
+            sourceFile = tempProject.createSourceFile(fileName, fileContent);
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S037] Temporary project created successfully with file: ${fileName}`
+              );
+          } catch (projectError) {
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S037] Failed to create temporary project:`,
+                projectError.message
+              );
+            throw projectError;
+          }
+        }
+
+        if (sourceFile) {
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          symbolViolations.forEach((v) => {
+            const key = `${v.line}:${v.column}:${v.message}`;
+            if (!violationMap.has(key)) violationMap.set(key, v);
+          });
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S037] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+
+          // If symbol-based found violations or prioritizeSymbolic is true, skip regex
+          if (this.config.prioritizeSymbolic && symbolViolations.length >= 0) {
+            const finalViolations = Array.from(violationMap.values()).map(
+              (v) => ({
+                ...v,
+                filePath,
+                file: filePath,
+              })
+            );
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S037] Symbol-based analysis prioritized: ${finalViolations.length} violations`
+              );
+            return finalViolations;
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S037] No source file found, skipping symbol analysis`
+            );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S037] Symbol analysis failed:`, error.message);
+      }
+    }
+
+    // Fallback to regex-based analysis
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S037] Trying regex-based analysis...`);
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        regexViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S037] Regex analysis completed: ${regexViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(`⚠ [S037] Regex analysis failed:`, error.message);
+      }
+    }
+
+    const finalViolations = Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+    if (process.env.SUNLINT_DEBUG)
+      console.log(
+        `🔧 [S037] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    return finalViolations;
+  }
+
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) this.symbolAnalyzer.cleanup();
+    if (this.regexAnalyzer?.cleanup) this.regexAnalyzer.cleanup();
+  }
+}
+
+module.exports = S037Analyzer;

package/rules/security/S037_cache_headers/config.json

@@ -0,0 +1,50 @@
+{
+  "id": "S037",
+  "name": "Configure comprehensive cache headers to prevent sensitive data leakage",
+  "category": "security",
+  "description": "S037 - Configure comprehensive cache headers (Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Expires: 0) for sensitive responses to avoid caching sensitive data in browsers or intermediaries.",
+  "severity": "warning",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "medium",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 1,
+    "timeout": 4000
+  },
+  "validation": {
+    "headerSetters": ["setHeader", "set", "header"],
+    "required": {
+      "Cache-Control": ["no-store", "no-cache", "must-revalidate"],
+      "Pragma": ["no-cache"],
+      "Expires": ["0"]
+    },
+    "sensitiveIndicators": [
+      "session",
+      "auth",
+      "token",
+      "jwt",
+      "csrf",
+      "user",
+      "profile",
+      "payment",
+      "account"
+    ]
+  }
+}